develooper Front page | perl.perl5.porters | Postings from August 2019

[perl #134326] Use After Free in regcomp.c:21226

From: Tony Cook via RT
Date: August 26, 2019 05:33
Subject: [perl #134326] Use After Free in regcomp.c:21226
Message ID: rt-4.0.24-5845-1566797612-1392.134326-15-0@perl.org
On Thu, 01 Aug 2019 02:25:16 -0700, nguyenmanhdung1710@gmail.com wrote:
> Hi All,
> I found a Use-After-Free bug in the commit *a3c7756* on branch *blead*.
> This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04 (64 bit) as follows:
>    ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make
> 
> Thanks,
> Manh Dung
> 
> ======================================
> *perl -v*
> This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
> built for x86_64-linux
> 
> - Crafted PoC:
> https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_uaf_regcomp.c:21226
> - Command: perl $PoC

Attached the PoC.

Also fixed by khw-134329.

blead:

~ tying lastbr BRANCH (65473) to ender CLOSE7 (65480) offset 7
~ tying lastbr BRANCH (65504) to ender CLOSE8 (65511) offset 7
~ tying lastbr BRANCH (65532) to ender CLOSE1 (65535) offset 3
~ tying lastbr BRANCH (65588) to ender CLOSE9 (65602) offset 14
~ tying lastbr BRANCH (65644) to ender CLOSE10 (65647) offset 3
Segmentation fault

khw-134329:

~ tying lastbr BRANCHJ (162406) to ender CLOSE1 (162410) offset 4
~ tying lastbr BRANCHJ (162490) to ender CLOSE9 (162505) offset 15
~ tying lastbr BRANCHJ (162571) to ender CLOSE10 (162575) offset 4
~ tying lastbr CURLYX[0]{0,INFTY} (1) to ender END (162590) offset 162589
Unmatched ) in regex; marked by <-- HERE in m/((8|||ո^P׸||(G|||,^@d^@^P^Z)*(8|||ccccc<9C><9C><9C><B8>GW2G2=@^@GG|G<D4><C0>ո<FF><D7>^A||G<F2>^Z<AB>^V!^@G)*׸||
<83><D3>W2G<D4>i+<D6><D5>@׸a׸|!^@G)*(G<83><83><83><D3>?2G<D4>i+<D6><D5>@<D7>|,W
<FA>^@^@<FA>@^@GG|<CC>|<FF>|,^@h@^?^@^@GG|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
...
 at ../134326.pl line 1.
Freeing REx: "((8|||%x{d5}%x{b8}%20%x{d7}%x{b8}||(G|||,%0d%0%20^Z)*(8|||cc"...

(some of the funny characters were probably mangled here)

Tony

---
via perlbug:  queue: perl5 status: new
https://rt.perl.org/Ticket/Display.html?id=134326
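The contrast between the two runs above is that blead dies with a segmentation fault while the khw-134329 branch rejects the pattern with an ordinary "Unmatched ) in regex" compile error. For code that compiles patterns it did not write itself, that compile error is the outcome to plan for, and it is catchable. The script below is an added example, not part of the report or of the perl source tree; it wraps qr// in eval so a malformed pattern is reported instead of terminating the program, and it uses constructed sample patterns rather than the crafted PoC from the ticket.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Try to compile a pattern whose contents we do not control.
# Returns (1, $compiled_regex) on success, or (0, $error_message) when
# Perl's regex compiler rejects it (for example with "Unmatched )").
sub try_compile {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };
    if (!defined $re) {
        my $err = $@;
        # Strip the trailing " at FILE line N." that die() appends.
        $err =~ s/\s+at \S+ line \d+\.?\s*$//;
        return (0, $err);
    }
    return (1, $re);
}

# Constructed sample inputs: one well-formed pattern, one with the
# unmatched ')' that the fixed branch diagnoses, one with an unmatched '('.
my @samples = (
    '(a|b)*c',
    'a)b',
    '(a|b',
);

for my $p (@samples) {
    my ($ok, $info) = try_compile($p);
    if ($ok) {
        printf "%-12s compiled; 'abc' %s\n", $p, ('abc' =~ $info ? 'matches' : 'does not match');
    } else {
        printf "%-12s rejected: %s\n", $p, $info;
    }
}
```

The `~ tying lastbr ... to ender ...` lines quoted in the report are regcomp's parse-time debug trace; running the script above under `use re 'debug';` prints the same kind of trace for each sample, which is a convenient way to see how far the compiler gets before it rejects a malformed pattern.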


