Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow (READ of size 2) in Perl_fbm_instr #16294

Closed
p5pRT opened this issue Dec 8, 2017 · 6 comments
Closed

heap-buffer-overflow (READ of size 2) in Perl_fbm_instr #16294

p5pRT opened this issue Dec 8, 2017 · 6 comments
Labels
Closable?

Comments

@p5pRT
Copy link

@p5pRT p5pRT commented Dec 8, 2017

Migrated from rt.perl.org#132552 (status was 'open')

Searchable as RT132552$

@p5pRT
Copy link
Author

@p5pRT p5pRT commented Dec 8, 2017

From @geeknik

Triggered with v5.27.6-156-g5d4548b73b, compiled with clang 6.0.0-trunk and
-fsanitize=address. This bug looks similar to 129012 and 132187.

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

==29563==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x602000000ebe at pc 0x000000451a60 bp 0x7ffe25406c50 sp 0x7ffe254063f8
READ of size 2 at 0x602000000ebe thread T0
  #0 0x451a5f in __interceptor_memchr
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc​:823​:3
  #1 0x7bd1a6 in Perl_fbm_instr /root/perl/util.c​:985​:42
  #2 0xaabce3 in Perl_re_intuit_start /root/perl/regexec.c​:935​:13
  #3 0xaa07af in Perl_regexec_flags /root/perl/regexec.c​:3015​:6
  #4 0x8777c7 in Perl_pp_match /root/perl/pp_hot.c​:3050​:10
  #5 0x7b4868 in Perl_runops_debug /root/perl/dump.c​:2495​:23
  #6 0x5a68b1 in S_run_body /root/perl/perl.c
  #7 0x5a5efb in perl_run /root/perl/perl.c​:2517​:2
  #8 0x5035b7 in main /root/perl/perlmain.c​:123​:9
  #9 0x7effdabb23f0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
  #10 0x436109 in _start (/root/perl/perl+0x436109)

0x602000000ebe is located 0 bytes to the right of 14-byte region
[0x602000000eb0,0x602000000ebe)
allocated by thread T0 here​:
  #0 0x4d6e43 in malloc
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc​:88​:3
  #1 0x7b9538 in Perl_safesysmalloc /root/perl/util.c​:153​:21
  #2 0x8a184b in Perl_sv_grow /root/perl/sv.c​:1603​:17
  #3 0x8b71d9 in Perl_sv_setpvn /root/perl/sv.c​:5004​:12
  #4 0x8b6d45 in Perl_sv_copypv_flags /root/perl/sv.c​:3249​:5
  #5 0x84fdb4 in Perl_pp_stringify /root/perl/pp_hot.c​:89​:5
  #6 0x7b4868 in Perl_runops_debug /root/perl/dump.c​:2495​:23
  #7 0x529657 in S_fold_constants /root/perl/op.c​:5571​:2
  #8 0x6aad26 in Perl_yyparse /root/perl/perly.y
  #9 0x5a3c21 in S_parse_body /root/perl/perl.c​:2447​:9
  #10 0x59ea23 in perl_parse /root/perl/perl.c​:1750​:2
  #11 0x503485 in main /root/perl/perlmain.c​:121​:18
  #12 0x7effdabb23f0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY​: AddressSanitizer​: heap-buffer-overflow
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc​:823​:3
in __interceptor_memchr

@p5pRT
Copy link
Author

@p5pRT p5pRT commented Dec 13, 2017

From @iabyn

On Fri, Dec 08, 2017 at 11​:37​:54AM -0800, Brian Carpenter wrote​:

Triggered with v5.27.6-156-g5d4548b73b, compiled with clang 6.0.0-trunk and
-fsanitize=address. This bug looks similar to 129012 and 132187.

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

==29563==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x602000000ebe at pc 0x000000451a60 bp 0x7ffe25406c50 sp 0x7ffe254063f8
READ of size 2 at 0x602000000ebe thread T0
#0 0x451a5f in __interceptor_memchr
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc​:823​:3
#1 0x7bd1a6 in Perl_fbm_instr /root/perl/util.c​:985​:42
#2 0xaabce3 in Perl_re_intuit_start /root/perl/regexec.c​:935​:13

Fixed with v5.27.6-216-g37e6bbd.

Not exploitable; I'll move to the public queue in a few days time.

--
All wight. I will give you one more chance. This time, I want to hear
no Wubens. No Weginalds. No Wudolf the wed-nosed weindeers.
  -- Life of Brian

@p5pRT
Copy link
Author

@p5pRT p5pRT commented Dec 13, 2017

The RT System itself - Status changed from 'new' to 'open'

@p5pRT
Copy link
Author

@p5pRT p5pRT commented Jan 23, 2018

From @tonycoz

On Wed, 13 Dec 2017 08​:12​:00 -0800, davem wrote​:

On Fri, Dec 08, 2017 at 11​:37​:54AM -0800, Brian Carpenter wrote​:

Triggered with v5.27.6-156-g5d4548b73b, compiled with clang 6.0.0-
trunk and
-fsanitize=address. This bug looks similar to 129012 and 132187.

./perl -e '$_="0000000\x{600000}";/^000.\000000?\00000/'

==29563==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x602000000ebe at pc 0x000000451a60 bp 0x7ffe25406c50 sp
0x7ffe254063f8
READ of size 2 at 0x602000000ebe thread T0
#0 0x451a5f in __interceptor_memchr
/b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-
rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc​:823​:3
#1 0x7bd1a6 in Perl_fbm_instr /root/perl/util.c​:985​:42
#2 0xaabce3 in Perl_re_intuit_start /root/perl/regexec.c​:935​:13

Fixed with v5.27.6-216-g37e6bbd.

Not exploitable; I'll move to the public queue in a few days time.

Done.

Tony

@khwilliamson
Copy link
Contributor

@khwilliamson khwilliamson commented Apr 19, 2022

Is this closable? It says it got fixed

@khwilliamson khwilliamson added the Closable? label Apr 19, 2022
@hvds
Copy link
Contributor

@hvds hvds commented Apr 19, 2022

Is this closable? It says it got fixed

Yes, it was fixed with test in 37e6bbd, closing.

@hvds hvds closed this as completed Apr 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Closable?
Projects
None yet
Development

No branches or pull requests

3 participants