https://bugs.exim.org/show_bug.cgi?id=2453
Bug ID: 2453
Summary: Use-after-free on PCRE2_ERROR_NOMEMORY
Product: PCRE
Version: 10.33 (PCRE2)
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: nikita.ppv@???
CC: pcre-dev@???
After patching alloc_chunk() in the sljitExecAllocator to always return NULL, I
get the following asan violation:
==21493==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000a38 at pc 0x5639b4f191aa bp 0x7ffe65a8fe50 sp 0x7ffe65a8fe40
READ of size 8 at 0x60d000000a38 thread T0
#0 0x5639b4f191a9 in jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:14040
#1 0x5639b4f197ad in php_pcre2_jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:14126
#2 0x5639b4fa85bd in pcre_get_compiled_regex_cache /home/nikic/php-7.4/ext/pcre/php_pcre.c:798
#3 0x5639b4fab2f9 in php_do_pcre_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1106
#4 0x5639b4face76 in zif_preg_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1436
#5 0x5639b5d86686 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-7.4/Zend/zend_vm_execute.h:1313
#6 0x5639b5eb0e1a in execute_ex /home/nikic/php-7.4/Zend/zend_vm_execute.h:53537
#7 0x5639b5ebcfb3 in zend_execute /home/nikic/php-7.4/Zend/zend_vm_execute.h:57637
#8 0x5639b5c718f4 in zend_execute_scripts /home/nikic/php-7.4/Zend/zend.c:1663
#9 0x5639b5b1b8df in php_execute_script /home/nikic/php-7.4/main/main.c:2619
#10 0x5639b5ec34ef in do_cli /home/nikic/php-7.4/sapi/cli/php_cli.c:961
#11 0x5639b5ec55d9 in main /home/nikic/php-7.4/sapi/cli/php_cli.c:1352
#12 0x7f07e2afdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#13 0x5639b4d61509 in _start (/home/nikic/php-7.4/sapi/cli/php+0x546509)
0x60d000000a38 is located 56 bytes inside of 136-byte region [0x60d000000a00,0x60d000000a88)
freed by thread T0 here:
#0 0x7f07e805fb40 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb40)
#1 0x5639b4fa5cba in php_pcre_free /home/nikic/php-7.4/ext/pcre/php_pcre.c:167
#2 0x5639b4eb180a in pcre2_jit_free /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:75
#3 0x5639b4eb2eaa in sljit_free_compiler /home/nikic/php-7.4/ext/pcre/pcre2lib/sljit/sljitLir.c:477
#4 0x5639b4f19177 in jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:14037
#5 0x5639b4f197ad in php_pcre2_jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:14126
#6 0x5639b4fa85bd in pcre_get_compiled_regex_cache /home/nikic/php-7.4/ext/pcre/php_pcre.c:798
#7 0x5639b4fab2f9 in php_do_pcre_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1106
#8 0x5639b4face76 in zif_preg_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1436
#9 0x5639b5d86686 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-7.4/Zend/zend_vm_execute.h:1313
#10 0x5639b5eb0e1a in execute_ex /home/nikic/php-7.4/Zend/zend_vm_execute.h:53537
#11 0x5639b5ebcfb3 in zend_execute /home/nikic/php-7.4/Zend/zend_vm_execute.h:57637
#12 0x5639b5c718f4 in zend_execute_scripts /home/nikic/php-7.4/Zend/zend.c:1663
#13 0x5639b5b1b8df in php_execute_script /home/nikic/php-7.4/main/main.c:2619
#14 0x5639b5ec34ef in do_cli /home/nikic/php-7.4/sapi/cli/php_cli.c:961
#15 0x5639b5ec55d9 in main /home/nikic/php-7.4/sapi/cli/php_cli.c:1352
#16 0x7f07e2afdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
previously allocated by thread T0 here:
#0 0x7f07e805ff00 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf00)
#1 0x5639b5be347d in __zend_malloc /home/nikic/php-7.4/Zend/zend_alloc.c:2975
#2 0x5639b4fa5c94 in php_pcre_malloc /home/nikic/php-7.4/ext/pcre/php_pcre.c:161
#3 0x5639b4eb178a in pcre2_jit_malloc /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:69
#4 0x5639b4eb28dc in sljit_create_compiler /home/nikic/php-7.4/ext/pcre/pcre2lib/sljit/sljitLir.c:370
#5 0x5639b4f15802 in jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:13649
#6 0x5639b4f197ad in php_pcre2_jit_compile /home/nikic/php-7.4/ext/pcre/pcre2lib/pcre2_jit_compile.c:14126
#7 0x5639b4fa85bd in pcre_get_compiled_regex_cache /home/nikic/php-7.4/ext/pcre/php_pcre.c:798
#8 0x5639b4fab2f9 in php_do_pcre_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1106
#9 0x5639b4face76 in zif_preg_match /home/nikic/php-7.4/ext/pcre/php_pcre.c:1436
#10 0x5639b5d86686 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-7.4/Zend/zend_vm_execute.h:1313
#11 0x5639b5eb0e1a in execute_ex /home/nikic/php-7.4/Zend/zend_vm_execute.h:53537
#12 0x5639b5ebcfb3 in zend_execute /home/nikic/php-7.4/Zend/zend_vm_execute.h:57637
#13 0x5639b5c718f4 in zend_execute_scripts /home/nikic/php-7.4/Zend/zend.c:1663
#14 0x5639b5b1b8df in php_execute_script /home/nikic/php-7.4/main/main.c:2619
#15 0x5639b5ec34ef in do_cli /home/nikic/php-7.4/sapi/cli/php_cli.c:961
#16 0x5639b5ec55d9 in main /home/nikic/php-7.4/sapi/cli/php_cli.c:1352
#17 0x7f07e2afdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
The issue is code of the form:
sljit_free_compiler(compiler);
SLJIT_FREE(common->optimized_cbracket, allocator_data);
SLJIT_FREE(common->private_data_ptrs, allocator_data);
PRIV(jit_free_rodata)(common->read_only_data_head,
compiler->allocator_data);
return PCRE2_ERROR_NOMEMORY;
where sljit_free_compiler(compiler) frees the compiler structure, but
compiler->allocator_data is later used in the jit_free_rodata call.
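The ordering defect described above, reduced to a self-contained C model. This is an added example, not code from the bug report or from PCRE2/sljit: the struct names (`compiler`, `allocator_data`, `rodata_block`) and the functions `free_compiler`, `free_rodata`, `cleanup_buggy` and `cleanup_fixed` are constructed stand-ins for `sljit_free_compiler`, `PRIV(jit_free_rodata)` and the error path in `jit_compile`. To keep the demo deterministic, "freeing" the compiler sets a flag and poisons its fields the way a debug allocator would, instead of calling `free()` and then reading undefined memory. `cleanup_buggy` reads `allocator_data` after the compiler is released and so hands the rodata cleanup a poisoned pointer; `cleanup_fixed` copies the pointer to a local while the compiler is still alive, which is the reordering that removes the use-after-free.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the sljit/PCRE2 structures (not the real
   definitions), shaped only to show the ordering problem from the report. */
struct allocator_data {
    int frees;                      /* how many frees were routed through it */
};

struct rodata_block {
    struct rodata_block *next;      /* read-only data chain, like read_only_data_head */
};

struct compiler {
    int freed;                      /* demo bookkeeping; sljit has no such flag */
    struct allocator_data *allocator_data;
};

/* Stand-in for sljit_free_compiler(): instead of free() (which would make a
   later read undefined behaviour), mark the object freed and poison its
   fields, as a debug allocator would. */
static void free_compiler(struct compiler *c)
{
    c->freed = 1;
    c->allocator_data = NULL;
}

/* Stand-in for PRIV(jit_free_rodata)(): walks the chain and accounts each
   block to the allocator. Returns the block count, or -1 when no usable
   allocator was supplied. */
static int free_rodata(struct rodata_block *head, struct allocator_data *ad)
{
    int n = 0;
    if (ad == NULL)
        return -1;
    for (; head != NULL; head = head->next) {
        ad->frees++;
        n++;
    }
    return n;
}

/* Ordering from the report: release the compiler first, then read its
   allocator_data field to release the rodata chain. */
int cleanup_buggy(struct compiler *c, struct rodata_block *head)
{
    free_compiler(c);
    return free_rodata(head, c->allocator_data);   /* reads a released object */
}

/* Corrected ordering: copy allocator_data while the compiler is still alive,
   release the compiler, then use the copy. */
int cleanup_fixed(struct compiler *c, struct rodata_block *head)
{
    struct allocator_data *ad = c->allocator_data;
    free_compiler(c);
    return free_rodata(head, ad);
}

int main(void)
{
    struct allocator_data ad = {0};
    struct rodata_block b2 = {NULL}, b1 = {&b2};    /* constructed two-block chain */
    struct compiler c1 = {0, &ad}, c2 = {0, &ad};

    printf("fixed ordering freed %d rodata blocks\n", cleanup_fixed(&c1, &b1));
    printf("buggy ordering result: %d (allocator pointer lost)\n",
           cleanup_buggy(&c2, &b1));
    return 0;
}
```

The same shape applies to the real code: any field of `compiler` that the error path still needs after `sljit_free_compiler(compiler)` has to be read into a local before that call, or the free has to move to the end of the error path. With a real allocator the stale read is exactly what ASan reports above; a poisoning debug allocator turns it into a NULL dereference or a wrong-allocator free, which is why the model returns -1 rather than silently succeeding.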