https://bugs.exim.org/show_bug.cgi?id=2453
Bug ID: 2453
Summary: Use-after-free on PCRE2_ERROR_NOMEMORY
Product: PCRE
Version: 10.33 (PCRE2)
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: p...@hermes.cam.ac.uk
Reporter: nikita....@gmail.com
CC: pcre-dev@exim.org

After patching alloc_chunk() in the sljitExecAllocator to always return NULL, I get the following ASan violation:

==21493==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000a38 at pc 0x5639b4f191aa bp 0x7ffe65a8fe50 sp 0x7ffe65a8fe40
READ of size 8 at 0x60d000000a38 thread T0
    #0 0x5639b4f191a9 in jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:14040
    #1 0x5639b4f197ad in php_pcre2_jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:14126
    #2 0x5639b4fa85bd in pcre_get_compiled_regex_cache /home/nikic/php-7.4/ext/pcre/php_pcre.c:798
    #3 0x5639b4fab2f9 in php_do_pcre_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1106
    #4 0x5639b4face76 in zif_preg_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1436
    #5 0x5639b5d86686 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-7.4/Zend/zend_vm_execute.h:1313
    #6 0x5639b5eb0e1a in execute_ex /home/nikic/php-7.4/Zend/zend_vm_execute.h:53537
    #7 0x5639b5ebcfb3 in zend_execute /home/nikic/php-7.4/Zend/zend_vm_execute.h:57637
    #8 0x5639b5c718f4 in zend_execute_scripts /home/nikic/php-7.4/Zend/zend.c:1663
    #9 0x5639b5b1b8df in php_execute_script /home/nikic/php-7.4/main/main.c:2619
    #10 0x5639b5ec34ef in do_cli /home/nikic/php-7.4/sapi/cli/php_cli.c:961
    #11 0x5639b5ec55d9 in main /home/nikic/php-7.4/sapi/cli/php_cli.c:1352
    #12 0x7f07e2afdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #13 0x5639b4d61509 in _start (/home/nikic/php-7.4/sapi/cli/php+0x546509)

0x60d000000a38 is located 56 bytes inside of 136-byte region [0x60d000000a00,0x60d000000a88)
freed by thread T0 here:
    #0 0x7f07e805fb40 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb40)
    #1 0x5639b4fa5cba in php_pcre_free /home/nikic/php-7.4/ext/pcre/php_pcre.c:167
    #2 0x5639b4eb180a in pcre2_jit_free /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:75
    #3 0x5639b4eb2eaa in sljit_free_compiler /home/nikic/php-7.4/ext/pcre/pcre2lib/sljit/sljitLir.c:477
    #4 0x5639b4f19177 in jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:14037
    #5 0x5639b4f197ad in php_pcre2_jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:14126
    #6 0x5639b4fa85bd in pcre_get_compiled_regex_cache /home/nikic/php-7.4/ext/pcre/php_pcre.c:798
    #7 0x5639b4fab2f9 in php_do_pcre_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1106
    #8 0x5639b4face76 in zif_preg_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1436
    #9 0x5639b5d86686 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-7.4/Zend/zend_vm_execute.h:1313
    #10 0x5639b5eb0e1a in execute_ex /home/nikic/php-7.4/Zend/zend_vm_execute.h:53537
    #11 0x5639b5ebcfb3 in zend_execute /home/nikic/php-7.4/Zend/zend_vm_execute.h:57637
    #12 0x5639b5c718f4 in zend_execute_scripts /home/nikic/php-7.4/Zend/zend.c:1663
    #13 0x5639b5b1b8df in php_execute_script /home/nikic/php-7.4/main/main.c:2619
    #14 0x5639b5ec34ef in do_cli /home/nikic/php-7.4/sapi/cli/php_cli.c:961
    #15 0x5639b5ec55d9 in main /home/nikic/php-7.4/sapi/cli/php_cli.c:1352
    #16 0x7f07e2afdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7f07e805ff00 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf00)
    #1 0x5639b5be347d in __zend_malloc /home/nikic/php-7.4/Zend/zend_alloc.c:2975
    #2 0x5639b4fa5c94 in php_pcre_malloc /home/nikic/php-7.4/ext/pcre/php_pcre.c:161
    #3 0x5639b4eb178a in pcre2_jit_malloc /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:69
    #4 0x5639b4eb28dc in sljit_create_compiler /home/nikic/php-7.4/ext/pcre/pcre2lib/sljit/sljitLir.c:370
    #5 0x5639b4f15802 in jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:13649
    #6 0x5639b4f197ad in php_pcre2_jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:14126
    #7 0x5639b4fa85bd in pcre_get_compiled_regex_cache /home/nikic/php-7.4/ext/pcre/php_pcre.c:798
    #8 0x5639b4fab2f9 in php_do_pcre_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1106
    #9 0x5639b4face76 in zif_preg_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1436
    #10 0x5639b5d86686 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-7.4/Zend/zend_vm_execute.h:1313
    #11 0x5639b5eb0e1a in execute_ex /home/nikic/php-7.4/Zend/zend_vm_execute.h:53537
    #12 0x5639b5ebcfb3 in zend_execute /home/nikic/php-7.4/Zend/zend_vm_execute.h:57637
    #13 0x5639b5c718f4 in zend_execute_scripts /home/nikic/php-7.4/Zend/zend.c:1663
    #14 0x5639b5b1b8df in php_execute_script /home/nikic/php-7.4/main/main.c:2619
    #15 0x5639b5ec34ef in do_cli /home/nikic/php-7.4/sapi/cli/php_cli.c:961
    #16 0x5639b5ec55d9 in main /home/nikic/php-7.4/sapi/cli/php_cli.c:1352
    #17 0x7f07e2afdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

The issue is code of the form:

    sljit_free_compiler(compiler);
    SLJIT_FREE(common->optimized_cbracket, allocator_data);
    SLJIT_FREE(common->private_data_ptrs, allocator_data);
    PRIV(jit_free_rodata)(common->read_only_data_head, compiler->allocator_data);
    return PCRE2_ERROR_NOMEMORY;

where sljit_free_compiler(compiler) frees the compiler structure, but compiler->allocator_data is later used in the jit_free_rodata call.
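As an added example (not code from the bug report or from PCRE2), the cleanup pattern that avoids the dangling read: take allocator_data into a local before sljit_free_compiler runs and use that local for every later free. The quoted snippet already passes a local allocator_data to SLJIT_FREE, so the same local can serve the jit_free_rodata call. The compiler struct, the counting allocator and all function names below are constructed stand-ins, not sljit's or PCRE2's types.

```c
#include <stdlib.h>

/* Constructed stand-ins for sljit's compiler object and the per-context
   allocator_data pointer that PCRE2 threads through its allocator calls. */
struct compiler { void *allocator_data; char body[64]; };
struct alloc_stats { int live; int frees_via_data; };

/* Counting allocator: lets a test check that every buffer is released
   exactly once and that each free went through the caller-supplied data. */
static void *tracked_malloc(size_t n, void *allocator_data) {
    ((struct alloc_stats *)allocator_data)->live++;
    return malloc(n);
}
static void tracked_free(void *p, void *allocator_data) {
    struct alloc_stats *s = allocator_data;
    s->live--;
    s->frees_via_data++;
    free(p);
}
static struct compiler *create_compiler(void *allocator_data) {
    struct compiler *c = tracked_malloc(sizeof *c, allocator_data);
    c->allocator_data = allocator_data;
    return c;
}
/* Like sljit_free_compiler: releases the compiler struct itself, so any
   later read of compiler->allocator_data is a use-after-free. */
static void free_compiler(struct compiler *c) { tracked_free(c, c->allocator_data); }
static void free_rodata(void *head, void *allocator_data) { tracked_free(head, allocator_data); }

/* Hardened NOMEMORY cleanup: allocator_data is copied out before the
   compiler goes away, and every subsequent free uses that copy. */
static int nomemory_cleanup(struct compiler *compiler, void *cbracket, void *priv, void *rodata) {
    void *allocator_data = compiler->allocator_data;
    free_compiler(compiler);                /* compiler is dangling from here on */
    tracked_free(cbracket, allocator_data);
    tracked_free(priv, allocator_data);
    free_rodata(rodata, allocator_data);    /* was: compiler->allocator_data */
    return -1;                              /* stands in for PCRE2_ERROR_NOMEMORY */
}

/* Simulates the failed-compile path: four allocations, then the cleanup.
   Returns the number of live allocations afterwards (0 means nothing leaked)
   and reports how many frees went through allocator_data. */
int simulate_failed_compile(int *frees_out) {
    struct alloc_stats stats = {0, 0};
    struct compiler *c = create_compiler(&stats);
    void *cbracket = tracked_malloc(32, &stats);
    void *priv = tracked_malloc(32, &stats);
    void *rodata = tracked_malloc(32, &stats);
    int rc = nomemory_cleanup(c, cbracket, priv, rodata);
    *frees_out = stats.frees_via_data;
    return rc == -1 ? stats.live : -1;
}
```

Built with -fsanitize=address, the original ordering (reading compiler->allocator_data after free_compiler) reports the same heap-use-after-free as the trace above; the version here stays clean.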