SEGV using a regex with an invalid repeat range #16503

Closed
p5pRT opened this issue Apr 11, 2018 · 8 comments
Comments


@p5pRT p5pRT commented Apr 11, 2018

Migrated from rt.perl.org#133100 (status was 'resolved')

Searchable as RT133100$


@p5pRT p5pRT commented Apr 11, 2018

From Nick_Russell@McAfee.com

This is a bug report for perl from Nick Russell,
generated with the help of perlbug 1.39 running under perl 5.26.1.


The following command:

# echo 'b' | perl -ne 'print if /ba{11,2}/;'

when executed under perl v5.16.3 produces the error below:

Can't do {n,m} with n > m in regex; marked by <-- HERE in m/ba{11,2} <-- HERE / at -e line 1.

which is expected. However when run under perl v5.26.1 the regex is considered valid and crashes perl when the range is evaluated:

Core was generated by `perl -ne print if /ba{11,2}/;'.
Program terminated with signal 11, Segmentation fault.
(gdb) bt
#0 0x00007efe26ddba24 in ?? () from /usr/lib/perl5/core_perl/CORE/libperl.so
#1 0x00007efe26de15f8 in Perl_regexec_flags () from /usr/lib/perl5/core_perl/CORE/libperl.so
#2 0x00007efe26d85a46 in Perl_pp_match () from /usr/lib/perl5/core_perl/CORE/libperl.so
#3 0x00007efe26d8219b in Perl_runops_standard () from /usr/lib/perl5/core_perl/CORE/libperl.so
#4 0x00007efe26d1d035 in perl_run () from /usr/lib/perl5/core_perl/CORE/libperl.so
#5 0x0000557ea61a6c42 in main ()

Note that I was using a chroot that did not have perlbug installed so I used the version available under the host OS so the 'Locally applied patches' section is bogus.



Flags:
  category=core
  severity=high


This perlbug was built using Perl 5.16.3 - Wed Aug 2 17:44:15 UTC 2017
It is being executed now by Perl 5.26.1 - Tue Oct 31 13:26:34 GMT 2017.


@p5pRT p5pRT commented Apr 11, 2018

From @khwilliamson

Thank you for your report

This is already fixed in blead, and hence for 5.28. It was fixed by this commit
commit 4dc1211
Author: Yves Orton <demerphq@gmail.com>
Date: Sun Sep 10 10:59:05 2017 +0200

  fix #132017 - OPFAIL insert needs to set flags to 0
 
  why reginsert doesnt do this stuff I dont know.

I believe this would be a candidate for backporting into the 5.26 maintenance release series.

The commit that broke it in 5.26 is

commit 31fc939
Author: Yves Orton <demerphq@gmail.com>
Date: Fri Jan 27 10:18:51 2017 +0100

  fix RT #130561 - recursion and optimising away impossible quantifiers are not friends
 
  Instead of optimising away impossible quantifiers like (foo){1,0} treat them
  as unquantified, and guard them with an OPFAIL. Thus /(foo){1,0}/ is treated
  the same as /(*FAIL)(foo)/ this is important in patterns like /(foo){1,0}|(?1)/
  where the (?1) needs to be able to recurse into the (foo) even though the
  (foo){1,0} can never match. It also resolves various issues (SEGVs) with patterns
  like /((?1)){1,0}/.
 
  This patch would have been easier if S_reginsert() documented that it is
  the callers responsibility to properly set up the NEXT_OFF() of the inserted
  node (if the node has a NEXT_OFF())

--
Karl Williamson
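As an added, defensive illustration (not code from this ticket or from perl's own sources): a small Perl pre-check that refuses a user-supplied pattern containing an impossible {n,m} range before handing it to the regex compiler, so an unpatched 5.26.0/5.26.1 interpreter never reaches the match-time crash described above. The names impossible_quantifier and compile_untrusted are chosen here, the sample patterns are constructed, and the scan is a heuristic that ignores \Q...\E and /x comments.

```perl
#!/usr/bin/perl
# Added example, not from the ticket or from perl's own sources.
use strict;
use warnings;

# Return the first "{n,m}" quantifier with n > m found in $pat, or undef.
# Escaped characters and bracketed character classes are skipped; this is a
# heuristic pre-check, not a full regex parser (\Q...\E and /x comments
# are not understood).
sub impossible_quantifier {
    my ($pat) = @_;
    my $in_class = 0;
    for (my $i = 0; $i < length $pat; $i++) {
        my $c = substr $pat, $i, 1;
        if ($c eq '\\') { $i++; next }                 # skip the escaped char
        if ($in_class)  { $in_class = 0 if $c eq ']'; next }
        if ($c eq '[')  { $in_class = 1; next }
        next unless $c eq '{';
        if (substr($pat, $i) =~ /^\{(\d+),(\d+)\}/ && $1 > $2) {
            return "{$1,$2}";
        }
    }
    return undef;
}

# Compile an untrusted pattern: refuse impossible ranges up front, and turn
# any compile-time error into a return value instead of a die.
sub compile_untrusted {
    my ($pat) = @_;
    if (my $bad = impossible_quantifier($pat)) {
        return (undef, "rejected: impossible quantifier $bad");
    }
    my $re = eval { qr/$pat/ };
    if (!defined $re) {
        chomp(my $msg = $@);
        return (undef, "rejected: $msg");
    }
    return ($re, undef);
}

# Constructed inputs: the reporter's pattern, its valid counterpart, the
# pattern from the commit message, and a class containing a literal brace.
for my $pat ('ba{11,2}', 'ba{2,11}', '(foo){1,0}|(?1)', '[{]a{3,1}') {
    my ($re, $err) = compile_untrusted($pat);
    printf "%-18s %s\n", $pat, defined $re ? 'compiled' : $err;
}
```

On a fixed perl (5.26.2 or 5.28) the pre-check is merely a cheap sanity filter, since the regex engine then handles such ranges as an OPFAIL; on 5.26.0/5.26.1 it is what keeps the pattern out of the engine.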


@p5pRT p5pRT commented Apr 11, 2018

The RT System itself - Status changed from 'new' to 'open'


@p5pRT p5pRT commented Apr 11, 2018

From @khwilliamson

And it turns out that this fix is already in 5.26.2, which is scheduled for release in 3 days, unless something delays it.
--
Karl Williamson


@p5pRT p5pRT commented Apr 11, 2018

@khwilliamson - Status changed from 'open' to 'pending release'


@p5pRT p5pRT commented Apr 15, 2018

From @khwilliamson

I meant it would be fixed in 5.26.2, which was released on schedule, and is now available
--
Karl Williamson


@p5pRT p5pRT commented Jun 23, 2018

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been
resolved.

Perl 5.28.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.


@p5pRT p5pRT commented Jun 23, 2018

@khwilliamson - Status changed from 'pending release' to 'resolved'
