develooper Front page | perl.perl5.porters | Postings from August 2019

[perl #134328] Invalid read of size 1 in regexec.c:8492

From: Manh-Dung Nguyen
Date: August 2, 2019 04:21
Subject: [perl #134328] Invalid read of size 1 in regexec.c:8492
Message ID: rt-4.0.24-30560-1564666521-1259.134328-75-0@perl.org
# New Ticket Created by  Manh-Dung Nguyen 
# Please include the string:  [perl #134328]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=134328 >


Hi All,
I found an invalid read bug in the commit *a3c7756* on branch *blead*. This
bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04
(64 bit) as follows:
   ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
built for x86_64-linux

- Crafted PoC:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_segv_regexec.c:8492
- Command: perl $PoC

ASAN says:
==19686==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x000000736755 bp 0x000000000000 sp 0x7ffc51d522a0 T0)
    #0 0x736754 in S_regmatch /home/dungnguyen/gueb-testing/perl-head/regexec.c:8492
    #1 0x736754 in S_regtry /home/dungnguyen/gueb-testing/perl-head/regexec.c:3987
    #2 0x75cb68 in Perl_regexec_flags /home/dungnguyen/gueb-testing/perl-head/regexec.c:3850
    #3 0x60a4f1 in Perl_pp_match /home/dungnguyen/gueb-testing/perl-head/pp_hot.c:3014
    #4 0x5fa20a in Perl_runops_standard /home/dungnguyen/gueb-testing/perl-head/run.c:41
    #5 0x48f0b7 in S_run_body /home/dungnguyen/gueb-testing/perl-head/perl.c:2696
    #6 0x48f0b7 in perl_run /home/dungnguyen/gueb-testing/perl-head/perl.c:2624
    #7 0x425674 in main /home/dungnguyen/gueb-testing/perl-head/perlmain.c:127
    #8 0x7fd73d8ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x425be8 in _start (/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

Valgrind says:
==26873== Invalid read of size 1
==26873==    at 0x52D52B: S_regmatch (regexec.c:8492)
==26873==    by 0x52D52B: S_regtry (regexec.c:3987)
==26873==    by 0x539FE3: Perl_regexec_flags (regexec.c:3850)
==26873==    by 0x4C76DE: Perl_pp_match (pp_hot.c:3014)
==26873==    by 0x4C1C72: Perl_runops_standard (run.c:41)
==26873==    by 0x446595: S_run_body (perl.c:2701)
==26873==    by 0x446595: perl_run (perl.c:2624)
==26873==    by 0x421814: main (perlmain.c:127)
==26873==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
======================================

