heap-buffer-overflow in match_uniprop #17384
Comments
khwilliamson
added a commit
that referenced
this issue
Dec 27, 2019
This turned out to be because there are two versions of the property name being parsed: 1) the original input; and 2) a canonicalized one with characters squeeezed out that are usually optional, such as spaces, dashes and, here, underscores. The code was conflating the two names, and moving along the squeezed name based on counts from the unsqueezed one, hence going too far in the buffer.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.41 running under perl 5.31.7.
[Please describe your issue here]
While fuzzing perl v5.31.6-158-gdca9f615c2 built with afl and run
under libdislocator, I found the following program
to trigger heap-buffer-overflow ASAN diagnostic:
==9652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001457 at pc 0x00000081aca6 bp 0x7fff2e97d890 sp 0x7fff2e97d888
READ of size 1 at 0x602000001457 thread T0
#0 0x81aca5 in match_uniprop /home/afl/afl-runner/./uni_keywords.h:7219:14
#1 0x81aca5 in Perl_parse_uniprop_string /home/afl/afl-runner/regcomp.c:24024
#2 0x80a994 in Perl_handle_user_defined_property /home/afl/afl-runner/regcomp.c:22935:27
#3 0x807f98 in Perl__get_regclass_nonbitmap_data /home/afl/afl-runner/regcomp.c:19744:44
#4 0xcf0d40 in S_reginclass /home/afl/afl-runner/regexec.c:10247:30
#5 0xd0913e in S_regmatch /home/afl/afl-runner/regexec.c
#6 0xcecefa in S_regtry /home/afl/afl-runner/regexec.c:4029:14
#7 0xcad3f0 in Perl_regexec_flags /home/afl/afl-runner/regexec.c:3892:7
#8 0x9d47a8 in Perl_pp_match /home/afl/afl-runner/pp_hot.c:3014:10
#9 0x8e34da in Perl_runops_debug /home/afl/afl-runner/dump.c:2571:23
#10 0x61e34c in S_run_body /home/afl/afl-runner/perl.c
#11 0x61d7b8 in perl_run /home/afl/afl-runner/perl.c:2709:2
#12 0x5352f3 in main /home/afl/afl-runner/perlmain.c:134:9
#13 0x7fac353f309a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#14 0x43ccb9 in _start (/home/afl/afl-runner/perl+0x43ccb9)
This is a regression in blead, bisect points to
commit 1c2f3d7
Author: Karl Williamson khw@cpan.org
Date: Sun Dec 8 12:16:29 2019 -0700
[Please do not change anything below this line]
Flags:
category=core
severity=medium
Site configuration information for perl 5.31.7:
Configured by root at Tue Dec 17 21:38:32 MSK 2019.
Summary of my perl5 (revision 5 version 31 subversion 7) configuration:
Derived from: dca9f61
Platform:
osname=linux
osvers=4.19.0-6-amd64
archname=x86_64-linux
uname='linux dorothy 4.19.0-6-amd64 #1 smp debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 gnulinux '
config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-std=c99 -O3 -funroll-loops -g'
hint=previous
useposix=true
d_sigaction=undef
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='afl-clang-fast'
ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
optimize='-std=c99 -O3 -funroll-loops -g'
cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='4.2.1 Compatible Clang 6.0.1 (tags/RELEASE_601/final)'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='afl-clang-fast'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/llvm-6.0/lib/clang/6.0.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/local/lib /usr/lib/llvm-6.0/lib/clang/6.0.1/lib /usr/include/x86_64-linux-gnu /usr/lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.28.so
so=so
useshrplib=false
libperl=libperl.a
gnulibc_version='2.28'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -std=c99 -O3 -funroll-loops -g -L/usr/local/lib -fstack-protector-strong'
Locally applied patches:
uncommitted-changes
@inc for perl 5.31.7:
lib
/usr/local/lib/perl5/site_perl/5.31.7/x86_64-linux
/usr/local/lib/perl5/site_perl/5.31.7
/usr/local/lib/perl5/5.31.7/x86_64-linux
/usr/local/lib/perl5/5.31.7
Environment for perl 5.31.7:
HOME=/home/afl
LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_CTYPE=en_US.UTF-8
LC_TIME=C
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.20.2/bin:/opt/local/bin:/usr/texbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PERLBREW_BASHRC_VERSION=0.78
PERLBREW_HOME=/home/afl/.perlbrew
PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.20.2/man
PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.20.2/bin
PERLBREW_PERL=perl-5.20.2
PERLBREW_ROOT=/home/afl/perlbrew
PERLBREW_VERSION=0.78
PERL_BADLANG (unset)
SHELL=/usr/bin/zsh
The text was updated successfully, but these errors were encountered: