heap-use-after-free Perl_utf8n_to_uvchr (utf8.c:918) #15530
Comments
From @geeknik

The attached test case triggers a heap-use-after-free:

==10391==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000009c68
is located 232 bytes inside of 1024-byte region
previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/utf8.c:918

Perl 5.20.2 returns this set of errors:

Passing malformed UTF-8 to "" is deprecated at test17 line 1.
From @tonycoz

On Fri Aug 19 12:09:59 2016, brian.carpenter@gmail.com wrote:

Simplifies to the attached.

00000000 42 45 47 49 4e 7b 24 5e 48 3d 30 78 38 30 30 30 |BEGIN{$^H=0x8000|

Again, while it's a bug, I don't think it's a security issue.

Tony
The RT System itself - Status changed from 'new' to 'open'
From @tonycoz

On Sun Aug 21 21:11:36 2016, tonyc wrote:

Attached, gzipped to prevent any mailers mangling it.

Tony
From @tonycoz
From @iabyn

On Sun, Aug 21, 2016 at 09:11:36PM -0700, Tony Cook via RT wrote:

I can't reproduce, but again, agreed.

--
From @geeknik

Triggered in Perl v5.25.6 (v5.25.5-104-gaff2be5) with AFL+ASAN.

Integer overflow in hexadecimal number at test002 line 1.
==24232==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000009c28
is located 168 bytes inside of 1024-byte region
previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/utf8.c:1570

Running under Valgrind with a non-ASAN build:

Integer overflow in hexadecimal number at test002 line 1.

From @geeknik
From @tonycoz

On Fri Oct 14 13:35:03 2016, brian.carpenter@gmail.com wrote:

Simplified to the attached. The attached patch fixes it.

I don't think this is a security issue, it requires feeding code to the parser.

Tony
From @tonycoz

0001-perl-129879-prevent-PL_op-pointing-to-freed-ops.patch

From 9b5695063334b507444dd0b833d2eb838b29440a Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 17 Oct 2016 11:42:20 +1100
Subject: (perl #129879) prevent PL_op pointing to freed ops
When yylex() attempts to report a UTF-8 encoding error, it
indirectly accesses PL_op, this would cause an access to freed
memory if the CV containing that op (and the op itself) had been
freed.
---
op.c | 2 --
t/op/lex.t | 9 ++++++++-
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/op.c b/op.c
index 697faa7..1866632 100644
--- a/op.c
+++ b/op.c
@@ -853,10 +853,8 @@ Perl_op_free(pTHX_ OP *o)
op_clear(o);
FreeOp(o);
-#ifdef DEBUG_LEAKING_SCALARS
if (PL_op == o)
PL_op = NULL;
-#endif
} while ( (o = POP_DEFERRED_OP()) );
Safefree(defer_stack);
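Review bot: dropping the DEBUG_LEAKING_SCALARS guard means PL_op is now NULL on every build once the op it pointed at is freed, so each consumer reached from the yylex error path (the one the commit message says reads PL_op indirectly) has to tolerate a NULL PL_op rather than dereference it; please confirm that and add a one-line comment above `if (PL_op == o)` saying the reset is part of the fix for #129879, so nobody re-wraps it in a debug-only ifdef later. Also note the reset only fires for ops that pass through this loop, i.e. `o` and everything popped by `POP_DEFERRED_OP()`, which covers the freed BEGIN CV here but not a PL_op left pointing at an op released by any other path.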
diff --git a/t/op/lex.t b/t/op/lex.t
index 9696669..6766e90 100644
--- a/t/op/lex.t
+++ b/t/op/lex.t
@@ -7,7 +7,7 @@ use warnings;
BEGIN { chdir 't' if -d 't'; require './test.pl'; }
-plan(tests => 31);
+plan(tests => 32);
{
no warnings 'deprecated';
@@ -248,3 +248,10 @@ fresh_perl_like(
{},
'[perl #129336] - #!perl -i argument handling'
);
+fresh_perl_is(
+ "BEGIN{\$^H=hex ~0}\xF3",
+ "Integer overflow in hexadecimal number at - line 1.\n" .
+ "Malformed UTF-8 character: \\xf3 (too short; got 1 byte, need 4) at - line 1.",
+ {},
+ '[perl #129879] - use of PL_op after op is freed'
+);
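Review bot: the expected second line hard-codes `\\xf3 (too short; got 1 byte, need 4)`, a diagnostic that is only right when the source is decoded as UTF-8; on an EBCDIC platform the same byte is not a four-byte lead, so this test fails there (the point raised later in the thread). Guard it with a skip on EBCDIC, or pick the byte and the expected `need` count from the platform encoding. Since the fix is about PL_op lifetime rather than the exact wording of the UTF-8 message, switching to `fresh_perl_like` with a pattern on the "Malformed UTF-8 character" line would also make the test less brittle.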
--
2.1.4
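The commit message above describes the lifetime problem in one sentence: a global "current op" pointer (PL_op) is left pointing into an op tree that has already been freed, and the lexer's UTF-8 error path reads through it. The following is an added example, not code from the Perl source or from this patch, that models that sequence in plain C: a BEGIN block's op is compiled, made current, and freed, and the lexer then meets a lone 0xF3 byte (the same constructed input the test uses, minus the `$^H` part, which the example does not model). Ops come from a fixed pool with a `live` flag so the stale read is detected without AddressSanitizer. `op_new`, `op_free`, `utf8_need`, `report_malformed`, `run_scenario`, `cur_op` and `lexer_line` are all hypothetical names; the `clear_global` flag stands in for building with or without the patch.

```c
/* Added example, not Perl's code: a minimal model of the bug fixed in
 * perl #129879. A global "current op" pointer (stand-in for PL_op) is
 * left dangling after the BEGIN block's ops are freed, and the lexer's
 * malformed-UTF-8 report then reads through it. Ops live in a fixed
 * pool with a `live` flag so the stale read is detectable here without
 * AddressSanitizer. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct op {
    int live;           /* 1 while allocated, 0 once op_free() has run */
    int line;           /* source line the op was compiled from */
    struct op *next;    /* next op in the same tree */
} OP;

#define POOL_SIZE 8
static OP pool[POOL_SIZE];
static OP *cur_op;      /* stand-in for PL_op */
static int lexer_line;  /* the lexer's own line counter (fallback) */

static OP *op_new(int line) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].line = line;
            pool[i].next = NULL;
            return &pool[i];
        }
    }
    return NULL;
}

/* Free an op list. `clear_global` mirrors the patch: before it, the
 * `if (PL_op == o) PL_op = NULL` reset existed only under
 * DEBUG_LEAKING_SCALARS, so a release build left PL_op dangling. */
static void op_free(OP *o, int clear_global) {
    while (o) {
        OP *next = o->next;
        o->live = 0;
        if (clear_global && cur_op == o)
            cur_op = NULL;
        o = next;
    }
}

/* Bytes a UTF-8 sequence needs, judged by its lead byte; 0 for a byte
 * that cannot start a well-formed sequence (continuation bytes, the
 * overlong leads 0xC0/0xC1, and 0xF8 and above). */
int utf8_need(unsigned char lead) {
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF7) return 4;
    return 0;
}

/* The lexer's diagnostic path. Returns the line it reports, or -1 when
 * it had to read a freed op (the real code's use-after-free). The line
 * comes from the current op when there is one, as the real message
 * machinery does indirectly, and from the lexer's counter otherwise. */
int report_malformed(const unsigned char *buf, size_t avail,
                     char *msg, size_t msglen) {
    int line = lexer_line;
    if (cur_op) {
        if (!cur_op->live)
            return -1;              /* stale PL_op: freed memory read */
        line = cur_op->line;
    }
    msg[0] = '\0';
    if (avail == 0)
        return line;
    int need = utf8_need(buf[0]);
    if (need == 0)
        snprintf(msg, msglen, "Malformed UTF-8 character: \\x%02x "
                 "(unexpected byte) at - line %d.", buf[0], line);
    else if (avail < (size_t)need)
        snprintf(msg, msglen, "Malformed UTF-8 character: \\x%02x "
                 "(too short; got %zu byte, need %d) at - line %d.",
                 buf[0], avail, need, line);
    return line;
}

/* Replays the reproducer's shape, BEGIN{...} followed by a lone 0xF3,
 * against a build with (fixed=1) or without (fixed=0) the reset. */
int run_scenario(int fixed, char *msg, size_t msglen) {
    static const unsigned char tail[] = { 0xF3 };   /* constructed input */
    memset(pool, 0, sizeof pool);
    cur_op = NULL;
    lexer_line = 1;
    OP *begin_body = op_new(1);     /* compile the BEGIN block */
    cur_op = begin_body;            /* run it: PL_op now points into it */
    op_free(begin_body, fixed);     /* BEGIN's CV and its ops are freed */
    /* the lexer resumes on the same line and meets the lone 0xF3 */
    return report_malformed(tail, sizeof tail, msg, msglen);
}

int main(void) {
    char msg[128];
    int r = run_scenario(0, msg, sizeof msg);
    printf("unfixed: %s\n", r < 0 ? "read through freed op" : msg);
    r = run_scenario(1, msg, sizeof msg);
    printf("fixed:   %s\n", r < 0 ? "read through freed op" : msg);
    return 0;
}
```

With `fixed=1` the reporter never sees the freed op and falls back to the lexer's own line, producing the same "too short; got 1 byte, need 4" text the patch's test expects; with `fixed=0` it reaches the dead op, which is the read ASan flagged in utf8.c.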
From @tonycoz

The RT System itself - Status changed from 'new' to 'open'
From @tonycoz

On Sun Oct 16 17:50:48 2016, tonyc wrote:

Actually, this seems to be a duplicate of 128996, my patch also fixes that.

Tony
@tonycoz - Status changed from 'open' to 'pending release' |
From @khwilliamson

On 10/16/2016 06:50 PM, Tony Cook via RT wrote:

The test is not going to work on EBCDIC. After I see the reports, I'll
From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been

Perl 5.26.0 may be downloaded via:

If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved' |
Migrated from rt.perl.org#128996 (status was 'resolved')
Searchable as RT128996$