Fix a use after free in /(?{...})/

2019-08-07 14:10:01 +02:00 · 2019-08-07 14:10:01 +02:00 · 7f888313d5
commit 7f888313d5
parent 4f8c6fbbae
2 changed files with 116 additions and 0 deletions
--- a/perl-5.31.2-avoid-use-after-free-in.patch
+++ b/perl-5.31.2-avoid-use-after-free-in.patch
@ -0,0 +1,110 @@
 From 1d48e83dd8863e78e8422ed502d9b2f3199193f5 Mon Sep 17 00:00:00 2001
 From: David Mitchell <davem@iabyn.com>
 Date: Wed, 19 Jun 2019 13:03:22 +0100
 Subject: [PATCH] avoid use-after free in /(?{...})/
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 RT #134208
 In something like
    eval { sub { " " }->() =~ /(?{ die })/ }
 When the match string gets aliased to $_, the SAVE_DEFSV is done after the
 SAVEDESTRUCTOR_X(S_cleanup_regmatch_info_aux).  So if croaking, the SV
 gets SvREFCNT_dec()ed by the SAVE_DEFSV, then S_cleanup_regmatch_info_aux()
 manipulates the SV's magic.
 This doesn't cause a problem unless the match string is temporary, in
 which case the only other reference keeping it alive will be removed
 by the FREETMPs during the croak.
 The fix is to make sure an extra ref to the sv is held.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 regexec.c          |  4 ++++
 regexp.h           |  1 +
 t/re/pat_re_eval.t | 16 +++++++++++++++-
 3 files changed, 20 insertions(+), 1 deletion(-)
 diff --git a/regexec.c b/regexec.c
 index e4ec07e89e..c390bff72e 100644
 --- a/regexec.c
 +++ b/regexec.c
@@ -10233,6 +10233,7 @@ S_setup_eval_state(pTHX_ regmatch_info *const reginfo)
     regmatch_info_aux_eval *eval_state = reginfo->info_aux_eval;
     eval_state->rex = rex;
 +    eval_state->sv  = reginfo->sv;
     if (reginfo->sv) {
         /* Make $_ available to executed code. */
@@ -10240,6 +10241,8 @@ S_setup_eval_state(pTHX_ regmatch_info *const reginfo)
             SAVE_DEFSV;
             DEFSV_set(reginfo->sv);
         }
 +        /* will be dec'd by S_cleanup_regmatch_info_aux */
 +        SvREFCNT_inc_NN(reginfo->sv);
         if (!(mg = mg_find_mglob(reginfo->sv))) {
             /* prepare for quick setting of pos */
@@ -10331,6 +10334,7 @@ S_cleanup_regmatch_info_aux(pTHX_ void *arg)
         }
         PL_curpm = eval_state->curpm;
 +        SvREFCNT_dec(eval_state->sv);
     }
     PL_regmatch_state = aux->old_regmatch_state;
 diff --git a/regexp.h b/regexp.h
 index 0f35205e1a..ccbc64a009 100644
 --- a/regexp.h
 +++ b/regexp.h
@@ -658,6 +658,7 @@ typedef struct {
     STRLEN  sublen;     /* saved sublen     field from rex */
     STRLEN  suboffset;  /* saved suboffset  field from rex */
     STRLEN  subcoffset; /* saved subcoffset field from rex */
 +    SV      *sv;        /* $_  during (?{}) */
     MAGIC   *pos_magic; /* pos() magic attached to $_ */
     SSize_t pos;        /* the original value of pos() in pos_magic */
     U8      pos_flags;  /* flags to be restored; currently only MGf_BYTES*/
 diff --git a/t/re/pat_re_eval.t b/t/re/pat_re_eval.t
 index 8325451377..696b6a3fb5 100644
 --- a/t/re/pat_re_eval.t
 +++ b/t/re/pat_re_eval.t
@@ -23,7 +23,7 @@ BEGIN {
 our @global;
 -plan tests => 504;  # Update this when adding/deleting tests.
 +plan tests => 506;  # Update this when adding/deleting tests.
 run_tests() unless caller;
@@ -1317,6 +1317,20 @@ sub run_tests {
         ok "ABC" =~ /^ $runtime_re (?(?{ 0; })xy|BC) $/x, 'RT #133687 yes|no';
     }
 +    # RT #134208
 +    # when the string being matched was an SvTEMP and the re_eval died,
 +    # the SV's magic was being restored after the SV was freed.
 +    # Give ASan something to play with.
 +
 +    {
 +        my $a;
 +        no warnings 'uninitialized';
 +        eval { "$a $1" =~ /(?{ die })/ };
 +        pass("SvTEMP 1");
 +        eval { sub { " " }->() =~ /(?{ die })/ };
 +        pass("SvTEMP 2");
 +    }
 +
 } # End of sub run_tests
 1;
 -- 
 2.20.1
--- a/perl.spec
+++ b/perl.spec
@ -239,6 +239,9 @@ Patch45:        perl-5.31.2-perl-134291-propagate-non-PVs-in-in-bare-die.patch
 # fixed after 5.31.2
 Patch46:        perl-5.31.2-include-a-trailing-0-in-SVs-holding-trie-info.patch
 # Fix a use after free in /(?{...})/, RT#134208, fixed after 5.31.2
 Patch47:        perl-5.31.2-avoid-use-after-free-in.patch
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -2807,6 +2810,7 @@ Perl extension for Version Objects
 %patch44 -p1
 %patch45 -p1
 %patch46 -p1
 %patch47 -p1
 %patch200 -p1
 %patch201 -p1
@ -2860,6 +2864,7 @@ perl -x patchlevel.h \
    'Fedora Patch44: Preserve append mode when opening anonymous files (RT#134221)' \
    'Fedora Patch45: Fix propagating non-string variables in an exception value (RT#134291)' \
    'Fedora Patch46: Include trailing zero in scalars holding trie data (RT#134207)' \
    'Fedora Patch47: Fix a use after free in /(?{...})/ (RT#134208)' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    %{nil}
@ -5108,6 +5113,7 @@ popd
 * Wed Aug 07 2019 Petr Pisar <ppisar@redhat.com> - 4:5.30.0-443
 - Fix propagating non-string variables in an exception value (RT#134291)
 - Include trailing zero in scalars holding trie data (RT#134207)
 - Fix a use after free in /(?{...})/ (RT#134208)
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4:5.30.0-442
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild