develooper Front page | perl.perl5.porters | Postings from August 2019

[perl #134326] Use After Free in regcomp.c:21226

From:
Manh-Dung Nguyen via RT
Date:
August 2, 2019 04:21
Subject:
[perl #134326] Use After Free in regcomp.c:21226
Message ID:
rt-4.0.24-13293-1564687055-1500.134326-15-0@perl.org
On Thu, 01 Aug 2019 02:25:16 -0700, nguyenmanhdung1710@gmail.com wrote:
> Hi All,
> I found a Use-After-Free bug in the commit *a3c7756* on branch
> *blead*.
> This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on
> Ubuntu
> 16.04 (64 bit) as follows:
>    ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
> -Dloclibpth='
> '; make
> 
> Thanks,
> Manh Dung
> 
> ======================================
> *perl -v*
> This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
> built for x86_64-linux
> 
> - Crafted PoC:
> https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_uaf_regcomp.c:21226
> - Command: perl $PoC
> 
> ASAN says:
> ==4224==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fd452ab983d at pc 0x00000053ebf4 bp 0x7ffc694c0050 sp 0x7ffc694c0040
> READ of size 1 at 0x7fd452ab983d thread T0
>     #0 0x53ebf3 in Perl_regnext /home/dungnguyen/gueb-testing/perl-head/regcomp.c:21226
>     #1 0x53ec5d in S_regtail /home/dungnguyen/gueb-testing/perl-head/regcomp.c:19848
>     #2 0x57e0fc in S_regbranch /home/dungnguyen/gueb-testing/perl-head/regcomp.c:12409
>     #3 0x57ea40 in S_reg /home/dungnguyen/gueb-testing/perl-head/regcomp.c:12104
>     #4 0x58bd22 in Perl_re_op_compile /home/dungnguyen/gueb-testing/perl-head/regcomp.c:7721
>     #5 0x6b1a24 in Perl_pp_regcomp /home/dungnguyen/gueb-testing/perl-head/pp_ctl.c:108
>     #6 0x5fa20a in Perl_runops_standard /home/dungnguyen/gueb-testing/perl-head/run.c:41
>     #7 0x48f0b7 in S_run_body /home/dungnguyen/gueb-testing/perl-head/perl.c:2696
>     #8 0x48f0b7 in perl_run /home/dungnguyen/gueb-testing/perl-head/perl.c:2624
>     #9 0x425674 in main /home/dungnguyen/gueb-testing/perl-head/perlmain.c:127
>     #10 0x7fd45a10582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #11 0x425be8 in _start (/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)
> 
> 0x7fd452ab983d is located 249917 bytes inside of 262672-byte region [0x7fd452a7c800,0x7fd452abca10)
> freed by thread T0 here:
>     #0 0x7fd45aea99c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
>     #1 0x5aa2b1 in Perl_safesysrealloc /home/dungnguyen/gueb-testing/perl-head/util.c:279
> 
> previously allocated by thread T0 here:
>     #0 0x7fd45aea99c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
>     #1 0x5aa2b1 in Perl_safesysrealloc /home/dungnguyen/gueb-testing/perl-head/util.c:279
> ======================================


As requested by James E Keenan, I am adding the binaries of Perl (commit 45f8e7b on the branch blead):
- Perl: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl
- Perl with ASAN: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl-asan

---
via perlbug:  queue: perl5 status: new
https://rt.perl.org/Ticket/Display.html?id=134326
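One way to triage a report like the one quoted in this ticket, as an added example that is not part of this thread or of the Perl source: a small Python parser for the AddressSanitizer heap-use-after-free report format that extracts the faulting frame, the first non-runtime frame of the free and allocation stacks, and cross-checks the region arithmetic ASAN prints (a mismatch is the usual sign that a mail-wrapped or otherwise mangled report was pasted). The sample input is the report from the bug mail with each frame rejoined onto a single line and truncated after frame #3; the regexes, class names and the triage() heuristics are my own assumptions, not anything from the Perl project.

```python
# Added example (not Perl code, not from the bug report): parse an ASAN heap-use-after-free report.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the quoted report, frames rejoined onto single lines, cut after frame #3.
SAMPLE_REPORT = """\
==4224==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fd452ab983d at pc 0x00000053ebf4 bp 0x7ffc694c0050 sp 0x7ffc694c0040
READ of size 1 at 0x7fd452ab983d thread T0
    #0 0x53ebf3 in Perl_regnext /home/dungnguyen/gueb-testing/perl-head/regcomp.c:21226
    #1 0x53ec5d in S_regtail /home/dungnguyen/gueb-testing/perl-head/regcomp.c:19848
    #2 0x57e0fc in S_regbranch /home/dungnguyen/gueb-testing/perl-head/regcomp.c:12409
    #3 0x57ea40 in S_reg /home/dungnguyen/gueb-testing/perl-head/regcomp.c:12104

0x7fd452ab983d is located 249917 bytes inside of 262672-byte region [0x7fd452a7c800,0x7fd452abca10)
freed by thread T0 here:
    #0 0x7fd45aea99c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
    #1 0x5aa2b1 in Perl_safesysrealloc /home/dungnguyen/gueb-testing/perl-head/util.c:279

previously allocated by thread T0 here:
    #0 0x7fd45aea99c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
    #1 0x5aa2b1 in Perl_safesysrealloc /home/dungnguyen/gueb-testing/perl-head/util.c:279
"""

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
REGION_RE = re.compile(r"^(0x[0-9a-f]+) is located (\d+) bytes inside of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

@dataclass
class Frame:
    func: str
    location: str  # "file:line" or "(dso+offset)"

    def is_runtime(self) -> bool:
        # Allocator interceptors live in libasan; skip them to reach the caller in user code.
        return "libasan" in self.location or self.func in {"malloc", "calloc", "realloc", "free"}

@dataclass
class AsanReport:
    pid: int = 0
    bug: str = ""
    address: int = 0
    access: str = ""
    size: int = 0
    thread: str = ""
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    region: Optional[dict] = None  # offset, size, start, end as ASAN printed them

def parse_asan_report(text: str) -> AsanReport:
    rep = AsanReport()
    stack: Optional[List[Frame]] = None  # the stack the next frame lines belong to
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep.pid, rep.bug, rep.address = int(m[1]), m[2], int(m[3], 16)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size, rep.thread = m[1], int(m[2]), m[3]
            stack = rep.access_stack
        elif m := REGION_RE.match(line):
            rep.region = {"offset": int(m[2]), "size": int(m[3]),
                          "start": int(m[4], 16), "end": int(m[5], 16)}
        elif line.startswith("freed by thread"):
            stack = rep.free_stack
        elif line.startswith("previously allocated by thread"):
            stack = rep.alloc_stack
        elif (m := FRAME_RE.match(line)) and stack is not None:
            stack.append(Frame(m[2], m[3]))
    return rep

def first_user_frame(stack: List[Frame]) -> Optional[str]:
    """First frame outside the sanitizer runtime, rendered as 'func location'."""
    for f in stack:
        if not f.is_runtime():
            return f"{f.func} {f.location}"
    return None

def triage(rep: AsanReport) -> dict:
    issues = []
    if rep.region:  # cross-check ASAN's own arithmetic; a mismatch means a mangled report
        if rep.address - rep.region["start"] != rep.region["offset"]:
            issues.append("offset does not match address - region start")
        if rep.region["end"] - rep.region["start"] != rep.region["size"]:
            issues.append("region size does not match [start,end)")
    return {
        "bug": rep.bug,
        "access": f"{rep.access} of {rep.size} byte(s) in thread {rep.thread}",
        "fault_site": first_user_frame(rep.access_stack),
        "free_site": first_user_frame(rep.free_stack),
        "alloc_site": first_user_frame(rep.alloc_stack),
        # A free done by realloc means the block was moved/resized: pointers taken earlier dangle.
        "freed_by_realloc": any(f.func == "realloc" for f in rep.free_stack),
        "consistent": not issues,
        "issues": issues,
    }
```

Run `triage(parse_asan_report(text))` on a pasted report: for the sample it points at Perl_regnext in regcomp.c:21226 as the reading site and at Perl_safesysrealloc in util.c:279 as both the free and the allocation site, with `freed_by_realloc` set, which is the pattern to look for when a buffer is grown while something still holds a pointer into the old copy.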
