double-free in Perl v5.29.4-36-gb4f5c5b5f6 #16743

Closed
p5pRT opened this issue Nov 6, 2018 · 6 comments

Comments

p5pRT commented Nov 6, 2018
Migrated from rt.perl.org#133642 (status was 'resolved')

Searchable as RT133642$


p5pRT commented Nov 6, 2018

From [email protected]

This crafted bit of code triggers a double-free in Perl v5.29.4-36-gb4f5c5b5f6:

./perl -e '/((?<=(0?)))/'

Variable length lookbehind not implemented in regex m/((?<=(0?)))/ at -e line 1.

==24593==ERROR: AddressSanitizer: attempting double-free on 0x6030000017b0 in thread T0:
  #0 0x4e7812 in __interceptor_free /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
  #1 0x9d4956 in Perl_leave_scope /root/perl/scope.c:1132:6
  #2 0x5bebe7 in S_my_exit_jump /root/perl/perl.c:5237:5
  #3 0x5c9ace in Perl_my_failure_exit /root/perl/perl.c:5221:5
  #4 0x9ff76f in Perl_die_unwind /root/perl/pp_ctl.c:1796:5
  #5 0x7eb8d1 in Perl_vcroak /root/perl/util.c:1715:5
  #6 0x7e40eb in Perl_croak /root/perl/util.c:1760:5
  #7 0x72355b in S_study_chunk /root/perl/regcomp.c
  #8 0x6e8700 in Perl_re_op_compile /root/perl/regcomp.c:7788:11
  #9 0x5344e8 in Perl_pmruntime /root/perl/op.c:7029:6
  #10 0x6beffd in Perl_yyparse /root/perl/perly.y:1228:23
  #11 0x5b6ea2 in S_parse_body /root/perl/perl.c:2503:9
  #12 0x5b1a90 in perl_parse /root/perl/perl.c:1797:2
  #13 0x516c19 in main /root/perl/perlmain.c:121:10
  #14 0x7fc0aee842e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
  #15 0x43f409 in _start (/root/perl/perl+0x43f409)

0x6030000017b0 is located 0 bytes inside of 24-byte region [0x6030000017b0,0x6030000017c8)
freed by thread T0 here:
  #0 0x4e7812 in __interceptor_free /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
  #1 0x9d4956 in Perl_leave_scope /root/perl/scope.c:1132:6
  #2 0x5bebe7 in S_my_exit_jump /root/perl/perl.c:5237:5
  #3 0x5c9ace in Perl_my_failure_exit /root/perl/perl.c:5221:5
  #4 0x9ff76f in Perl_die_unwind /root/perl/pp_ctl.c:1796:5
  #5 0x7eb8d1 in Perl_vcroak /root/perl/util.c:1715:5
  #6 0x7e40eb in Perl_croak /root/perl/util.c:1760:5
  #7 0x72355b in S_study_chunk /root/perl/regcomp.c
  #8 0x6e8700 in Perl_re_op_compile /root/perl/regcomp.c:7788:11
  #9 0x5344e8 in Perl_pmruntime /root/perl/op.c:7029:6
  #10 0x6beffd in Perl_yyparse /root/perl/perly.y:1228:23
  #11 0x5b6ea2 in S_parse_body /root/perl/perl.c:2503:9
  #12 0x5b1a90 in perl_parse /root/perl/perl.c:1797:2
  #13 0x516c19 in main /root/perl/perlmain.c:121:10
  #14 0x7fc0aee842e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
  #0 0x4e7fb2 in realloc /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:165:3
  #1 0x7e4734 in Perl_safesysrealloc /root/perl/util.c:271:18
  #2 0x7023d3 in S_reg /root/perl/regcomp.c:11822:21
  #3 0x789f4f in S_regatom /root/perl/regcomp.c:13162:15
  #4 0x785027 in S_regpiece /root/perl/regcomp.c:12214:11
  #5 0x773ec2 in S_regbranch /root/perl/regcomp.c:12134:18
  #6 0x6fd235 in S_reg /root/perl/regcomp.c:11855:10
  #7 0x789f4f in S_regatom /root/perl/regcomp.c:13162:15
  #8 0x785027 in S_regpiece /root/perl/regcomp.c:12214:11
  #9 0x773ec2 in S_regbranch /root/perl/regcomp.c:12134:18
  #10 0x6fd235 in S_reg /root/perl/regcomp.c:11855:10
  #11 0x789f4f in S_regatom /root/perl/regcomp.c:13162:15
  #12 0x785027 in S_regpiece /root/perl/regcomp.c:12214:11
  #13 0x773ec2 in S_regbranch /root/perl/regcomp.c:12134:18
  #14 0x6fd235 in S_reg /root/perl/regcomp.c:11855:10
  #15 0x6e5786 in Perl_re_op_compile /root/perl/regcomp.c:7455:9
  #16 0x5344e8 in Perl_pmruntime /root/perl/op.c:7029:6
  #17 0x6beffd in Perl_yyparse /root/perl/perly.y:1228:23
  #18 0x5b6ea2 in S_parse_body /root/perl/perl.c:2503:9
  #19 0x5b1a90 in perl_parse /root/perl/perl.c:1797:2
  #20 0x516c19 in main /root/perl/perlmain.c:121:10
  #21 0x7fc0aee842e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: double-free /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3 in __interceptor_free
==24593==ABORTING
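The two free stacks in the report above are identical: both frees of the 24-byte region happen in Perl_leave_scope while die_unwind tears down the compile scope after the croak from S_study_chunk, and the region itself came from a realloc inside the recursive S_reg calls for the nested groups. That shape, a cleanup registered on a scope stack running twice against one buffer, is a common double-free pattern in unwind-based error handling. The C program below is an added, deliberately simplified model of that bug class; it is not Perl's regcomp.c or scope.c and does not claim to be the actual root cause or the fix that later closed this ticket. All names (tracked_alloc, save_free_raw, save_free_cell, leave_scope, compile_buggy, compile_fixed) are invented. The buggy "compiler" registers the shared program buffer for free-on-unwind once per recursion level before failing; the fixed variant registers the buffer's owner cell exactly once and NULLs it after freeing, so growing or freeing the buffer can only ever happen through one handle. A tiny tracking allocator counts repeat frees instead of aborting, which is what AddressSanitizer does at the second free.

```c
/*
 * Added illustration (not Perl source): a save stack that frees registered
 * buffers on unwind, driven by a recursive "compiler" that fails mid-way.
 * Buggy variant: the same buffer is registered once per recursion level, so
 * leave_scope() frees it more than once. Fixed variant: the buffer's owner
 * cell is registered once and cleared after the free.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS 16

/* Tracking heap: remembers every pointer handed out and whether it is live. */
typedef struct { void *p; int live; } Slot;
static Slot slots[MAX_SLOTS];
static int double_frees;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (!p) abort();
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (!slots[i].p) { slots[i].p = p; slots[i].live = 1; return p; }
    }
    abort();                            /* model too small; not reached in this demo */
}

/* Frees p once; a repeat free of the same pointer is counted, not performed. */
static void tracked_free(void *p) {
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (slots[i].p != p) continue;
        if (!slots[i].live) { double_frees++; return; }  /* ASan: "attempting double-free" */
        slots[i].live = 0;
        free(p);
        return;
    }
    abort();                            /* pointer never allocated: invalid free */
}

/* Save stack: each entry is an action to run when the scope unwinds. */
typedef struct { void **cell; void *raw; } SaveEntry;
static SaveEntry save_stack[MAX_SLOTS];
static int save_top;

static void save_free_raw(void *p)      { save_stack[save_top++] = (SaveEntry){ NULL, p }; }
static void save_free_cell(void **cell) { save_stack[save_top++] = (SaveEntry){ cell, NULL }; }

/* Unwinding, as on the croak -> die_unwind -> leave_scope path in the report. */
static void leave_scope(void) {
    while (save_top > 0) {
        SaveEntry e = save_stack[--save_top];
        if (e.cell) {
            if (*e.cell) { tracked_free(*e.cell); *e.cell = NULL; }  /* free once, then forget */
        } else {
            tracked_free(e.raw);        /* raw pointer: nothing stops a second entry for it */
        }
    }
}

/* Buggy: every recursion level (one per nested group) re-registers the shared buffer. */
static int compile_buggy(int depth, void **prog) {
    if (!*prog) *prog = tracked_alloc(24);
    save_free_raw(*prog);               /* N+1 levels => N+1 frees of one pointer on unwind */
    if (depth == 0) return -1;          /* stands in for the croak that aborts compilation */
    return compile_buggy(depth - 1, prog);
}

/* Fixed: register the owner cell exactly once, when the buffer is created. */
static int compile_fixed(int depth, void **prog) {
    if (!*prog) { *prog = tracked_alloc(24); save_free_cell(prog); }
    if (depth == 0) return -1;
    return compile_fixed(depth - 1, prog);
}

/* Runs one compile attempt through the failure path; returns double frees observed. */
static int run_compile(int (*compile)(int, void **), int depth) {
    void *prog = NULL;
    memset(slots, 0, sizeof slots);
    save_top = 0;
    double_frees = 0;
    if (compile(depth, &prog) < 0)
        leave_scope();                  /* failure path: run every pending cleanup */
    return double_frees;
}

int main(void) {
    /* depth 3 mirrors the three nested groups in /((?<=(0?)))/ */
    printf("buggy: %d double free(s)\n", run_compile(compile_buggy, 3));
    printf("fixed: %d double free(s)\n", run_compile(compile_fixed, 3));
    return 0;
}
```

The point of the owner-cell form is that the save stack never holds a copy of the buffer address at all, only the address of the variable that owns it, so a realloc that moves the buffer or an early free that clears the variable cannot leave a stale or duplicate cleanup behind. When triaging a report like the one above, the useful first check is whether the "freed by" and "attempting double-free" stacks are the same cleanup routine: if they are, look for duplicate registrations rather than for two unrelated callers.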


p5pRT commented Nov 6, 2018

From @iabyn

On Mon, Nov 05, 2018 at 07:39:13PM -0800, geeknik@protonmail.ch wrote:

# New Ticket Created by geeknik@protonmail.ch
# Please include the string: [perl #133642]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=133642 >

This crafted bit of code triggers a double-free in Perl v5.29.4-36-gb4f5c5b5f6:

./perl -e '/((?<=(0?)))/'

It bisects to

commit 7c932d0
Author: Karl Williamson <khw@cpan.org>
Date: Fri Oct 19 09:48:34 2018 -0600

  Remove sizing pass from regular expression compiler

--
The Enterprise is involved in a bizarre time-warp experience which is in
some way unconnected with the Late 20th Century.
  -- Things That Never Happen in "Star Trek" #14


p5pRT commented Nov 6, 2018

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Nov 7, 2018

From @khwilliamson

I'm moving this ticket to the public queue since the bug doesn't exist in a stable release
--
Karl Williamson


p5pRT commented Nov 16, 2018

From @khwilliamson

Thanks for finding and reporting this

Now fixed in blead by commit
d0d8d0c
--
Karl Williamson

p5pRT closed this as completed Nov 16, 2018

p5pRT commented Nov 16, 2018

@khwilliamson - Status changed from 'open' to 'resolved'
