heap-buffer-overflow Perl_fbm_instr (util.c:974) #15534
Comments
From @geeknik
The attached test case triggers a heap-buffer-overflow in Perl_fbm_instr:
==21934==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e05b
is located 0 bytes to the right of 11-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/util.c:974
From @geeknik
From @tonycoz
On Sat Aug 20 00:24:38 2016, brian.carpenter@gmail.com wrote:
valgrind finds errors as far back as 5.12.0 (which is as far as I cared to look.)
From valgrind this looks like:
==19661== Invalid read of size 1
Unfortunately vgdb misbehaves and in gdb produces a backtrace:
0x000000000054161c in Perl_save_re_context () at regcomp.c:19828
It looks like the second time fbm_instr() is called an out of range value for bigend is supplied. Otherwise I haven't worked out what's going on.
Tony
The RT System itself - Status changed from 'new' to 'open'
From @iabyn
On Mon, Aug 22, 2016 at 11:08:00PM -0700, Tony Cook via RT wrote:
This is an area of code that I've worked on before, so I'll have a look.
--
From @iabyn
On Tue, Aug 23, 2016 at 08:57:40AM +0100, Dave Mitchell wrote:
Now fixed with the following. Turns out it's not a security concern.
commit 71a9d10
re_untuit_start() avoid overshoot with utf8
--
From @demerphq
Shouldn't that be "intuit" and not "untuit"?
On 24 August 2016 at 15:10, Dave Mitchell <davem@iabyn.com> wrote:
--
From @iabyn
On Wed, Aug 24, 2016 at 03:31:11PM +0200, demerphq wrote:
Yes. A bit late now though :-)
--
From @tonycoz
On Wed Aug 24 06:11:00 2016, davem wrote:
I'm wondering where the boundaries are on what we consider a security issue. In this case if bigend is beyond the end of the allocated block, and that
Tony
From @iabyn
On Tue, Sep 06, 2016 at 06:03:20PM -0700, Tony Cook via RT wrote:
Well until fairly recently (v5.17.4-76-g7016d6e) the regex engine wouldn't
Also, if you're passing mmapped strings to the regex engine, then you're
Yes, there *could* in theory be circumstances where this would allow a DoS
In principle *all* perl bugs are security issues, but it's a subjective
--
From @tonycoz
On Thu, 08 Sep 2016 01:44:09 -0700, davem wrote:
In glibc, malloc() will allocate memory with mmap() instead of from a heap for large blocks, so normal PVs can be memory mapped. There's no need for strange magic from an application.
I agree, I was just wondering where we place the boundary between "this is a security issue" and "this is not a security issue".
In any case, the fix is public, so I've made this ticket public. The issue is fixed, so closing it too.
Tony
@tonycoz - Status changed from 'open' to 'pending release'
From @khwilliamson
Thank you for filing this report. You have helped make Perl better.
With the release today of Perl 5.26.0, this and 210 other issues have been
Perl 5.26.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#129012 (status was 'resolved')
Searchable as RT129012$