[perl #134325] Heap buffer overflow

From: Manh-Dung Nguyen
Date: August 2, 2019 04:21
Subject: [perl #134325] Heap buffer overflow
Message ID: rt-4.0.24-27381-1564643760-707.134325-75-0@perl.org
# New Ticket Created by  Manh-Dung Nguyen 
# Please include the string:  [perl #134325]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=134325 >


Hi All,
I found a Use-After-Free bug in the commit *a3c7756* on branch *blead*.
This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu
16.04 (64 bit) as follows:
   ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
built for x86_64-linux

- Crafted PoC:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_hbo
- Command: perl $PoC

ASAN says:
==25324==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0d2e16a7e5 at pc 0x00000058a4eb bp 0x7fff7ef03880 sp 0x7fff7ef03870
READ of size 1 at 0x7f0d2e16a7e5 thread T0
    #0 0x58a4ea in S_reg /home/dungnguyen/gueb-testing/perl-head/regcomp.c:12238
    #1 0x57112d in S_regatom /home/dungnguyen/gueb-testing/perl-head/regcomp.c:13370
    #2 0x57112d in S_regpiece /home/dungnguyen/gueb-testing/perl-head/regcomp.c:12473
    #3 0x57df9e in S_regbranch /home/dungnguyen/gueb-testing/perl-head/regcomp.c:12393
    #4 0x57ef49 in S_reg /home/dungnguyen/gueb-testing/perl-head/regcomp.c:12148
    #5 0x58bd22 in Perl_re_op_compile /home/dungnguyen/gueb-testing/perl-head/regcomp.c:7721
    #6 0x6b1a24 in Perl_pp_regcomp /home/dungnguyen/gueb-testing/perl-head/pp_ctl.c:108
    #7 0x5fa20a in Perl_runops_standard /home/dungnguyen/gueb-testing/perl-head/run.c:41
    #8 0x48f0b7 in S_run_body /home/dungnguyen/gueb-testing/perl-head/perl.c:2696
    #9 0x48f0b7 in perl_run /home/dungnguyen/gueb-testing/perl-head/perl.c:2624
    #10 0x425674 in main /home/dungnguyen/gueb-testing/perl-head/perlmain.c:127
    #11 0x7f0d34c2b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x425be8 in _start (/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

0x7f0d2e16a7e5 is located 27 bytes to the left of 1197244-byte region [0x7f0d2e16a800,0x7f0d2e28ecbc)
freed by thread T0 here:
    #0 0x7f0d359cf9c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
    #1 0x5aa2b1 in Perl_safesysrealloc /home/dungnguyen/gueb-testing/perl-head/util.c:279

previously allocated by thread T0 here:
    #0 0x7f0d359cf9c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
    #1 0x5aa2b1 in Perl_safesysrealloc /home/dungnguyen/gueb-testing/perl-head/util.c:279
======================================


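The report above is worth reading for its shape rather than only its headline: the faulting 1-byte read lands next to a region that ASAN says was "freed by" realloc, which is how ASAN describes a block that realloc moved (the old block goes to quarantine and the free is attributed to realloc). The defect class that produces that shape is a raw pointer into a growable buffer kept across a call that reallocates it. The following C program is an added illustration of that class, not Perl's code and not an analysis of the actual cause of this ticket, which the report does not establish; every name in it (growbuf, gb_append, peek_stale, peek_safe, demo_*) is invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Perl code and not the analysed cause of this
 * ticket: it reproduces the defect class that an ASAN report of this shape
 * (faulting address adjacent to a region "freed by ... realloc") usually
 * indicates. A raw pointer into a growable buffer is cached, the buffer is
 * realloc'd and moved, and the cached pointer is dereferenced. All names
 * (growbuf, gb_append, peek_stale, peek_safe, demo_*) are invented here. */

struct growbuf {
    char  *data;
    size_t len;
    size_t cap;
};

/* Append n bytes, doubling capacity with realloc as needed.
 * Returns 0 on success, -1 on allocation failure.
 * After a successful call b->data may point to a different block. */
static int gb_append(struct growbuf *b, const char *s, size_t n)
{
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap : 16;
        while (ncap < b->len + n)
            ncap *= 2;
        char *nd = realloc(b->data, ncap);
        if (nd == NULL)
            return -1;
        b->data = nd;
        b->cap  = ncap;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return 0;
}

/* BUGGY: caches a pointer into the buffer across a call that may realloc.
 * Built with -fsanitize=address and forced to grow (see main), this yields
 * a report of the same shape as the one above. Undefined behaviour, so the
 * normal path below never calls it. */
static char peek_stale(struct growbuf *b, const char *extra)
{
    const char *cur = b->data;                 /* pointer into the old block */
    if (gb_append(b, extra, strlen(extra)) != 0)
        return 0;
    return cur[0];                             /* stale read after realloc */
}

/* FIXED: remember an offset and re-derive the pointer from b->data after
 * any growth; an offset stays valid when the block moves. */
static char peek_safe(struct growbuf *b, const char *extra)
{
    size_t off = 0;                            /* position, not a pointer */
    if (gb_append(b, extra, strlen(extra)) != 0)
        return 0;
    return b->data[off];
}

/* Build a small buffer, then append enough to force a realloc (16 -> 8192
 * bytes). Writes the byte read via the safe path to *first and returns
 * the final length (3 + 4095 = 4098). The input is constructed inline. */
static size_t demo_build(char *first)
{
    struct growbuf b = { NULL, 0, 0 };
    char big[4096];
    memset(big, 'z', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    *first = 0;
    if (gb_append(&b, "abc", 3) == 0)
        *first = peek_safe(&b, big);
    size_t len = b.len;
    free(b.data);
    return len;
}

static char   demo_safe_first(void) { char c; demo_build(&c); return c; }
static size_t demo_safe_len(void)   { char c; return demo_build(&c); }

int main(void)
{
    printf("first=%c len=%zu\n", demo_safe_first(), demo_safe_len());
#ifdef SHOW_BUG
    /* cc -g -fsanitize=address -DSHOW_BUG ... to see the ASAN report */
    struct growbuf b = { NULL, 0, 0 };
    char big[4096];
    memset(big, 'z', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    gb_append(&b, "abc", 3);
    printf("stale=%c\n", peek_stale(&b, big));
    free(b.data);
#endif
    (void)peek_stale;
    return 0;
}
```

The fix pattern is the one that matters when triaging a report like this one: any pointer into a buffer that a callee may grow has to be stored as an offset (or recomputed from the buffer base after the call), and the "freed by realloc" frames in the ASAN output tell you which buffer to look for.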