develooper Front page | perl.perl5.porters | Postings from August 2019

[perl #134327] Invalid read of size 8 in regexec.c:7725

From:
Manh-Dung Nguyen
Date:
August 2, 2019 04:21
Subject:
[perl #134327] Invalid read of size 8 in regexec.c:7725
Message ID:
rt-4.0.24-25720-1564666500-969.134327-75-0@perl.org
# New Ticket Created by Manh-Dung Nguyen
# Please include the string: [perl #134327]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=134327 >


Hi All,
I found an invalid read bug in the commit *a3c7756* on branch *blead*. This
bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04
(64 bit) as follows:
   ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
built for x86_64-linux

- Crafted PoC:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_segv_regexec.c:7725
- Command: perl $PoC

ASAN says:
==22039==ERROR: AddressSanitizer: SEGV on unknown address 0x61200bb8b4c8 (pc 0x000000736366 bp 0x000000000000 sp 0x7fff387dc580 T0)
    #0 0x736365 in S_regmatch /home/dungnguyen/gueb-testing/perl-head/regexec.c:7725
    #1 0x736365 in S_regtry /home/dungnguyen/gueb-testing/perl-head/regexec.c:3987
    #2 0x75cb68 in Perl_regexec_flags /home/dungnguyen/gueb-testing/perl-head/regexec.c:3850
    #3 0x60a4f1 in Perl_pp_match /home/dungnguyen/gueb-testing/perl-head/pp_hot.c:3014
    #4 0x5fa20a in Perl_runops_standard /home/dungnguyen/gueb-testing/perl-head/run.c:41
    #5 0x48f0b7 in S_run_body /home/dungnguyen/gueb-testing/perl-head/perl.c:2696
    #6 0x48f0b7 in perl_run /home/dungnguyen/gueb-testing/perl-head/perl.c:2624
    #7 0x425674 in main /home/dungnguyen/gueb-testing/perl-head/perlmain.c:127
    #8 0x7f35ea82c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x425be8 in _start (/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

Valgrind says:
==23196== Invalid read of size 8
==23196==    at 0x52CAB8: S_regmatch (regexec.c:7725)
==23196==    by 0x52CAB8: S_regtry (regexec.c:3987)
==23196==    by 0x539FE3: Perl_regexec_flags (regexec.c:3850)
==23196==    by 0x4C76DE: Perl_pp_match (pp_hot.c:3014)
==23196==    by 0x4C1C72: Perl_runops_standard (run.c:41)
==23196==    by 0x446595: S_run_body (perl.c:2701)
==23196==    by 0x446595: perl_run (perl.c:2624)
==23196==    by 0x421814: main (perlmain.c:127)
==23196==  Address 0x11921468 is not stack'd, malloc'd or (recently) free'd
======================================
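The ticket gives the same fault site from two tools (ASAN and Valgrind), which is what a triager checks first when deduplicating fuzzer crashes: do both reports point at the same function and source line? The script below is an added example, not part of the ticket or of the perl5 tree. It parses the two report formats into a common frame list and reports the corroborated top frame. The embedded sample reports are constructed by copying the first frames from the two traces above; the parser functions, the `Frame`/`CrashSummary` types and `corroborate` are this example's own names.

```python
"""Crash-report triage: parse ASAN and Valgrind output into a common shape.

Added example for the ticket above. Sample inputs are constructed from the
two reports in the ticket (first four frames of each); everything else is
this example's own code, not perl5's.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ASAN excerpt from the ticket, trimmed to four frames.
ASAN_REPORT = """==22039==ERROR: AddressSanitizer: SEGV on unknown address 0x61200bb8b4c8 (pc 0x000000736366 bp 0x000000000000 sp 0x7fff387dc580 T0)
    #0 0x736365 in S_regmatch /home/dungnguyen/gueb-testing/perl-head/regexec.c:7725
    #1 0x736365 in S_regtry /home/dungnguyen/gueb-testing/perl-head/regexec.c:3987
    #2 0x75cb68 in Perl_regexec_flags /home/dungnguyen/gueb-testing/perl-head/regexec.c:3850
    #3 0x60a4f1 in Perl_pp_match /home/dungnguyen/gueb-testing/perl-head/pp_hot.c:3014
"""

# Constructed sample: the Valgrind excerpt from the ticket, trimmed to four frames.
VALGRIND_REPORT = """==23196== Invalid read of size 8
==23196==    at 0x52CAB8: S_regmatch (regexec.c:7725)
==23196==    by 0x52CAB8: S_regtry (regexec.c:3987)
==23196==    by 0x539FE3: Perl_regexec_flags (regexec.c:3850)
==23196==    by 0x4C76DE: Perl_pp_match (pp_hot.c:3014)
==23196==  Address 0x11921468 is not stack'd, malloc'd or (recently) free'd
"""


@dataclass(frozen=True)
class Frame:
    depth: int
    function: str
    file: str  # basename only, so different build trees compare equal
    line: int


@dataclass
class CrashSummary:
    tool: str
    kind: str
    frames: List[Frame]

    @property
    def fault_site(self) -> Optional[Frame]:
        """Innermost frame with source information, or None."""
        return self.frames[0] if self.frames else None


# ASAN: "==PID==ERROR: AddressSanitizer: <kind> ..." then "#N 0xADDR in func path:line".
_ASAN_HEAD = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)", re.M)
_ASAN_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+):(\d+)$", re.M)

# Valgrind: "==PID== Invalid read of size N" then "at/by 0xADDR: func (file:line)".
_VG_HEAD = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+)", re.M)
_VG_FRAME = re.compile(
    r"^==\d+==\s+(?:at|by) 0x[0-9a-fA-F]+: (\S+) \(([^:()]+):(\d+)\)$", re.M
)


def parse_asan(text: str) -> CrashSummary:
    """Extract error kind and symbolised frames; frames without file:line are skipped."""
    head = _ASAN_HEAD.search(text)
    kind = head.group(1) if head else "unknown"
    frames = [
        Frame(int(d), func, os.path.basename(path), int(line))
        for d, func, path, line in _ASAN_FRAME.findall(text)
    ]
    return CrashSummary("asan", kind, frames)


def parse_valgrind(text: str) -> CrashSummary:
    """Extract the access-error line and the 'at'/'by' frames that carry file:line."""
    head = _VG_HEAD.search(text)
    kind = head.group(1) if head else "unknown"
    frames = [
        Frame(i, func, os.path.basename(path), int(line))
        for i, (func, path, line) in enumerate(_VG_FRAME.findall(text))
    ]
    return CrashSummary("valgrind", kind, frames)


def corroborate(a: CrashSummary, b: CrashSummary) -> Optional[Frame]:
    """Return the shared fault site if both tools blame the same function and line."""
    fa, fb = a.fault_site, b.fault_site
    if fa is None or fb is None:
        return None
    if (fa.function, fa.file, fa.line) == (fb.function, fb.file, fb.line):
        return fa
    return None


if __name__ == "__main__":
    asan, vg = parse_asan(ASAN_REPORT), parse_valgrind(VALGRIND_REPORT)
    site = corroborate(asan, vg)
    print(f"asan: {asan.kind}; valgrind: {vg.kind}")
    print("corroborated fault site:", site)
```

Running it prints the ASAN kind (`SEGV`), the Valgrind kind (`Invalid read of size 8`) and the shared top frame `S_regmatch` at `regexec.c:7725`. Comparing on the file's basename rather than the full path is deliberate: ASAN printed the absolute path of the build tree while Valgrind printed only `regexec.c`, and a bucketing key that depends on where the reporter checked out the source would split identical crashes into separate buckets.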

