Front page | perl.perl5.porters |
Postings from August 2019
[perl #134324] Use-After-Free in regcomp.c:12238
From:
Karl Williamson via RT
Date:
August 30, 2019 15:12
Subject:
[perl #134324] Use-After-Free in regcomp.c:12238
Message ID:
rt-4.0.24-23446-1567177950-1129.134324-15-0@perl.org
On Thu, 01 Aug 2019 22:31:26 -0700, nguyenmanhdung1710@gmail.com wrote:
> On Thu, 01 Aug 2019 21:21:28 -0700, nguyenmanhdung1710@gmail.com wrote:
> > Hi James,
> > I got the source code of Perl 5 from https://perl5.git.perl.org/perl.git. I
> > compiled Perl (the latest commit *45f8e7b* on the branch *blead*) using gcc
> > (Ubuntu 5.5.0-12ubuntu1~16.04) 5.5.0 20171010 on Ubuntu 16.04 64-bit as
> > follows:
> >
> > git clone git://perl5.git.perl.org/perl.git perl-head
> > ==========
> > *git log -n 1 HEAD*
> > commit 45f8e7b102987a417bf55438e858cedced8aedbe
> > Author: Karl Williamson <khw@cpan.org>
> > Date: Wed Jul 31 13:35:55 2019 -0600
> >
> > autodoc.pl: Forget heuristics, we have a flag
> >
> > We know if something is a macro because of the 'm' flag. Don't use the
> > fallible heuristics to try to determine this.
> > ==========
> > cd perl-head;
> > ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '
> > # build with ASAN
> > ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-fsanitize=address -g" -Dldflags="-fsanitize=address" -Dloclibpth=' '
> > make -j4
> > make test # output:
> > https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/make_test.log
> >
> > Then, we have binaries as follows:
> > - Binary of perl:
> > https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl
> > - Binary of perl with ASAN:
> > https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl-asan
> > *./perl -v*
> > This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-48-g45f8e7b))
> > built for x86_64-linux
> >
> > I tested the latest version of Perl (commit *45f8e7b*) and still triggered
> > all bugs I have reported (#134322; #134324; #134325; #134326; #134327;
> > #134328; #134329).
> > I hope you could reproduce these bugs on your side. Please let me know if
> > you have any further questions.
> >
> > Thanks,
> > Manh Dung
> >
> > On Thu, 1 Aug 2019 at 20:25, James E Keenan via RT <perlbug-followup@perl.org> wrote:
> >
> > > On Thu, 01 Aug 2019 07:15:46 GMT, nguyenmanhdung1710@gmail.com wrote:
> > > > Hi All,
> > > > I found a Use-After-Free bug in the commit *a3c7756* on branch *blead*.
> > > > This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on
> > > > Ubuntu 16.04 (64 bit) as follows:
> > > > ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make
> > > >
> > > > Thanks,
> > > > Manh Dung
> > > >
> > > > ======================================
> > > > *perl -v*
> > > > This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
> > > > built for x86_64-linux
> > > >
> > > > - Crafted PoC:
> > > > https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_uaf_regcomp.c:12238
> > > > - Command: perl $PoC
> > > >
> > > > ASAN says:
> > > > ==25228==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fdd62cd4e35 at pc 0x00000058a4eb bp 0x7ffdd5a06710 sp 0x7ffdd5a06700
> > > > READ of size 1 at 0x7fdd62cd4e35 thread T0
> > > > #0 0x58a4ea in S_reg /home/dungnguyen/gueb-testing/perl-head/regcomp.c:12238
> > > > #1 0x58bd22 in Perl_re_op_compile /home/dungnguyen/gueb-testing/perl-head/regcomp.c:7721
> > > > #2 0x6b1a24 in Perl_pp_regcomp /home/dungnguyen/gueb-testing/perl-head/pp_ctl.c:108
> > > > #3 0x5fa20a in Perl_runops_standard /home/dungnguyen/gueb-testing/perl-head/run.c:41
> > > > #4 0x48f0b7 in S_run_body /home/dungnguyen/gueb-testing/perl-head/perl.c:2696
> > > > #5 0x48f0b7 in perl_run /home/dungnguyen/gueb-testing/perl-head/perl.c:2624
> > > > #6 0x425674 in main /home/dungnguyen/gueb-testing/perl-head/perlmain.c:127
> > > > #7 0x7fdd71f9082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> > > > #8 0x425be8 in _start (/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)
> > > >
> > > > 0x7fdd62cd4e35 is located 13877 bytes inside of 617548-byte region [0x7fdd62cd1800,0x7fdd62d6844c)
> > > > freed by thread T0 here:
> > > > #0 0x7fdd72d349c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
> > > > #1 0x5aa2b1 in Perl_safesysrealloc /home/dungnguyen/gueb-testing/perl-head/util.c:279
> > > >
> > > > previously allocated by thread T0 here:
> > > > #0 0x7fdd72d349c1 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989c1)
> > > > #1 0x5aa2b1 in Perl_safesysrealloc /home/dungnguyen/gueb-testing/perl-head/util.c:279
> > > > ======================================
> > >
> > > Thank you for this report. However, in this report -- as well as the
> > > five other reports you filed today -- it's not clear what the perl
> > > program was that you used to generate the error or crash.
> > >
> > > Could you please *attach* the program you used to this ticket (or to
> > > your email response)?
> > >
> > > And do so likewise for the other five tickets?
> > >
> > > Thank you very much.
> > >
> > > --
> > > James E Keenan (jkeenan@cpan.org)
> > >
>
> Hi James,
>
> Sorry, I misunderstood your question. I found these bugs using
> fuzzing, hence the PoC inputs are crafted. I will try to create Perl
> programs triggering these bugs, but it is not easy for me. Also, by
> looking at the stacktrace, I think we can understand the root cause
> and propose patches.
>
> Thanks,
> Manh Dung
This was fixed by
commit 439a3bfe85749ea9eca31372daec5705acaa3db1
Author: Karl Williamson <khw@cpan.org>
Date: Sat Aug 24 19:17:19 2019 -0600
PATCH: [perl #134325] Heap buffer overflow
so I'm merging this ticket into that ticket
--
Karl Williamson
---
via perlbug: queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=134324
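The ASAN report above says the freed region was released by realloc (via Perl_safesysrealloc) and then read one byte at a time from S_reg. The thread does not state the root cause, but a report of that shape is what a sanitizer produces when a raw pointer into a growable buffer is kept across a call that reallocates it. The following is an added example, not code from the thread or from perl's regcomp.c: a small growable buffer (the names growbuf, gb_append, read_mark_unsafe and read_mark_safe are all invented here) showing the stale-pointer pattern next to the offset-based pattern that survives reallocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable byte buffer, standing in for a program being assembled
 * piecewise: base pointer plus current length and capacity. */
typedef struct {
    char *base;
    size_t len;
    size_t cap;
} growbuf;

/* Append n bytes, growing through realloc when needed.
 * Returns 0 on success, -1 on allocation failure.
 * Contract: after a successful call, any raw pointer into the old
 * b->base may be dangling, because realloc is free to move the block. */
static int gb_append(growbuf *b, const char *src, size_t n) {
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap * 2 : 16;
        while (ncap < b->len + n) ncap *= 2;
        char *nb = realloc(b->base, ncap);
        if (nb == NULL) return -1;
        b->base = nb;      /* old block is freed from here on */
        b->cap = ncap;
    }
    memcpy(b->base + b->len, src, n);
    b->len += n;
    return 0;
}

/* Bug pattern (constructed; only run on request, see main):
 * 'mark' is taken before the appends and dereferenced after them.
 * Once realloc has moved the block, '*mark' reads freed memory; an
 * ASAN build reports it as heap-use-after-free "freed by realloc",
 * the same shape as the trace in the ticket. */
static int read_mark_unsafe(size_t chunks) {
    growbuf b = {0};
    char chunk[64];
    memset(chunk, 'x', sizeof chunk);
    if (gb_append(&b, "abc", 3) != 0) return -1;
    const char *mark = b.base + 1;         /* raw pointer into current block */
    for (size_t i = 0; i < chunks; i++)
        if (gb_append(&b, chunk, sizeof chunk) != 0) { free(b.base); return -1; }
    int c = (unsigned char)*mark;          /* stale after a move: UAF */
    free(b.base);
    return c;
}

/* Safe pattern: remember the position as an offset from the base and
 * re-derive the pointer from the *current* base after any call that
 * may reallocate. The offset is stable no matter where the block moves. */
static int read_mark_safe(size_t chunks) {
    growbuf b = {0};
    char chunk[64];
    memset(chunk, 'x', sizeof chunk);
    if (gb_append(&b, "abc", 3) != 0) return -1;
    size_t mark = 1;                       /* offset of 'b', not a pointer */
    for (size_t i = 0; i < chunks; i++)
        if (gb_append(&b, chunk, sizeof chunk) != 0) { free(b.base); return -1; }
    int c = (unsigned char)b.base[mark];   /* re-derived from current base */
    free(b.base);
    return c;
}

int main(int argc, char **argv) {
    /* Default run exercises only the safe version; pass --unsafe under an
     * ASAN build (-fsanitize=address -g) to see the sanitizer report. */
    if (argc > 1 && strcmp(argv[1], "--unsafe") == 0) {
        printf("unsafe read: %d\n", read_mark_unsafe(8));
    } else {
        printf("safe read: '%c'\n", read_mark_safe(8));
    }
    return 0;
}
```

Building this with the same flags the reporter used for perl (-fsanitize=address -g) and running it with --unsafe produces a heap-use-after-free report whose "freed by" frame is realloc, which is the tell for this bug class when reading a sanitizer trace: the fix is to stop caching pointers across the reallocating call, not to adjust the allocator.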