Null byte on command line on Debian

[daxim]

Security researchers have found crash bugs in perl5i as shipped in Debian Wheezy using Mayhem, an automated bug finding tool. http://lists.debian.org/debian-devel/2013/06/msg00720.html I have started communication with the Mayhem team in order to "short-circuit" the middle-men maintainers and get the details (the buggy command-line input, backtrace after crash, etc.) ASAP.

Is there any need to keep the details confidential until the underlying bugs are fixed? If not, I'll publish them just here.

[daxim]

Details are available at http://www.forallsecure.com/bug-reports/79c31f70848a65002493a88828e05970c3e75c1a/. The input there is a bit more complicated than actually needed to trigger the crash. It boils down to a null byte on the command-line:

perl5i \000 -e

---

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
(gdb) bt full
#0  __strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
No locals.
#1  0x00007ffff7a99e9e in __GI__IO_fputs (str=str@entry=0x0, fp=fp@entry=0x603070) at iofputs.c:36
        len = <optimized out>
        result = <optimized out>
#2  0x0000000000400a17 in main (argc=3, argv=0x7fffffffd8c8) at bin/perl5i.c:76
        tempfile = "/tmp/perl5i.xBStkm"
        fd = <optimized out>
        fh = 0x603070
        i = 4
        j = 3
        perl_cmd = 0x400c88 "/home/daxim/local/share/perlbrew/perls/perl-5.16.3/bin/perl"
        perl_args = {0x400c88 "/home/daxim/local/share/perlbrew/perls/perl-5.16.3/bin/perl", 
        0x603010 "-Mperl5i::cmd=/home/daxim/local/share/perlbrew/perls/perl-5.16.3/bin/perl5i", 0x7fffffffde1e "000", 0x0}
        dash_m = <optimized out>
        program = 0x0
        saw_dash_e = 1

---

perl5i.c line 76 is fprintf( fh, "%s", program );, program is 0x0.

[schwern]

I wrote bin/perl5i.c and I can tell you my C is horrible. Any help and
patching or rewrite of that code would be appreciated.

On Thu, Jun 27, 2013 at 2:13 PM, Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯
notifications@github.comwrote:

Details are available at
http://www.forallsecure.com/bug-reports/79c31f70848a65002493a88828e05970c3e75c1a/.
The input there is a bit more complicated than actually needed to trigger
the crash. It boils down to a null byte on the command-line:

perl5i \000 -e

---

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
(gdb) bt full
#0 __strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
No locals.
#1 0x00007ffff7a99e9e in __GI__IO_fputs (str=str@entry=0x0, fp=fp@entry=0x603070) at iofputs.c:36
len =
result =
#2 0x0000000000400a17 in main (argc=3, argv=0x7fffffffd8c8) at bin/perl5i.c:76
tempfile = "/tmp/perl5i.xBStkm"
fd =
fh = 0x603070
i = 4
j = 3
perl_cmd = 0x400c88 "/home/daxim/local/share/perlbrew/perls/perl-5.16.3/bin/perl"
perl_args = {0x400c88 "/home/daxim/local/share/perlbrew/perls/perl-5.16.3/bin/perl",
0x603010 "-Mperl5i::cmd=/home/daxim/local/share/perlbrew/perls/perl-5.16.3/bin/perl5i", 0x7fffffffde1e "000", 0x0}
dash_m =
program = 0x0
saw_dash_e = 1

---

perl5i.c line 76 is fprintf( fh, "%s", program );, program is 0x0.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/269#issuecomment-20155376
.

[schwern]

Fixed by #273

[rurban]

thanks. yes, only mayhem brought me to this :)

[carnil]

Hi!

On Wed, Jul 23, 2014 at 12:38:56PM -0700, Reini Urban wrote:

thanks. yes, only mayhem brought me to this :)

Is this really fixed with new upstream version 2.13.0?

With the reproducer

$ perl5i \000 -e

still get a Segemntation fault.

(this is on Debian unstable, built 2.13.0, but had no further time to
investigate).

Regards,
Salvatore

[schwern]

I cannot reproduce this on OS X, fwiw, with either 2.12.0 or 2.13.0. perl -e 'system "perl5i \x{00} -e"' acts equivalent to perl5i (it waits for code on stdin).

[xtaran]

perl -e 'system "perl5i \x{00} -e"' seems not the correct way to reproduce it. I cannot reproduce it in Debian Testing (currently having 2.13.0) with that commandline, but I can reproduce it with perl5i \000 -e and inside Perl's system() with perl -e 'system("perl5i \\000 -e");'

[schwern]

I can reproduce it on Wheezy/Sid with Perl 5.20.1.

[schwern]

I have it. It was just perl5i -e. It wouldn't check there was an argument after the -e, would read one too far on argv, and then try to printf that.