heap-buffer-overflow S_scan_heredoc (toke.c:9587) #15546
From @geeknik

AFL, ASAN and libdislocator trigger a heap-buffer-overflow in Perl

od -tx1 test38

==4872==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e29a
is located 0 bytes to the right of 10-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_index

==7103== Conditional jump or move depends on uninitialised value(s)
From @iabyn

On Wed, Aug 24, 2016 at 02:30:08AM -0700, Brian Carpenter wrote:

The attached patch (intended to be applied over Tony's pending heredoc

It was a bug in Perl_delimcpy(). This function copies a string

It's not a security issue. Here are the details of the callers of S_scan_heredoc:

This can only be triggered if a source file (but not eval nor perl

S_scan_inputsymbol

On something like

if (s >= end)

Perl_magic_setenv:

Under taint, in $ENV{PATH} = "ABC:XYZ", it splits the path using

About the worst that could happen is in $ENV{PATH} = "/foo\\" where it would check the directory "/foo\\\0" for

--
From @iabyn

0001-Perl_delimcpy-handle-backslash-as-last-char.patch

From 1d409039e301d0d1d8200252d91cd2ad165995ab Mon Sep 17 00:00:00 2001
From: David Mitchell <davem@iabyn.com>
Date: Thu, 25 Aug 2016 17:48:34 +0100
Subject: [PATCH] Perl_delimcpy(): handle backslash as last char
[perl #129064] heap-buffer-overflow S_scan_heredoc
Perl_delimcpy() is supposed to copy a delimited string to another buffer;
it handles \-<delimiter> escapes, but if the backslash is the last
character in the src buffer, it could overrun the end of the buffer
slightly.
Also document slightly better what this function is supposed to do.
---
t/op/heredoc.t | 12 +++++++++++-
util.c | 9 +++++++--
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/t/op/heredoc.t b/t/op/heredoc.t
index f47f7ce..13d1074 100644
--- a/t/op/heredoc.t
+++ b/t/op/heredoc.t
@@ -7,7 +7,7 @@ BEGIN {
}
use strict;
-plan(tests => 42);
+plan(tests => 43);
# heredoc without newline (#65838)
@@ -115,4 +115,14 @@ HEREDOC
{},
"Don't assert parsing a here-doc if we hit EOF early"
);
+
+ # [perl #129064] heap-buffer-overflow S_scan_heredoc
+ fresh_perl_like(
+ qq(<<`\\),
+ # valgrind and asan reports an error between these two lines
+ qr/^Unterminated delimiter for here document/,
+ {},
+ "delimcpy(): handle last char being backslash properly"
+ );
+
}
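Review bot: the new test only observes the over-read when perl runs under ASAN or valgrind, as the comment between the `qq(<<`\\)` input and the `qr/^Unterminated delimiter for here document/` pattern admits; in a plain build the one-byte read past the buffer is silent and the test passes with or without the util.c change. That is acceptable for a regression guard, but the description "delimcpy(): handle last char being backslash properly" overstates what a normal build checks. Consider saying in the description that it only pins the "Unterminated delimiter" diagnostic and relies on a sanitizer run to catch the over-read itself.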
diff --git a/util.c b/util.c
index 7748c6c..4579d1e 100644
--- a/util.c
+++ b/util.c
@@ -522,7 +522,12 @@ Free_t Perl_mfree (Malloc_t where)
#endif
-/* copy a string up to some (non-backslashed) delimiter, if any */
+/* copy a string up to some (non-backslashed) delimiter, if any.
+ * Converts \<delimiter> to <delimiter>, while leaves \<non-delimiter>
+ * as-is.
+ * Returns the position in the src string of the closing delimiter, if
+ * any, or returns fromend otherwise
+ * */
char *
Perl_delimcpy(char *to, const char *toend, const char *from, const char *fromend, int delim, I32 *retlen)
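Review bot: the new comment has a grammar slip ("while leaves \<non-delimiter> as-is" should read "while leaving \<non-delimiter> as-is") and closes with the non-standard `* */` rather than `*/`. More substantively, it should state what happens to a backslash that is the last character of the source, since that is exactly the case this patch changes, and it says nothing about what `*retlen` reports. Suggest extending it along the lines of "A backslash that is the final character is copied as-is" and a sentence on `retlen`.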
@@ -532,7 +537,7 @@ Perl_delimcpy(char *to, const char *toend, const char *from, const char *fromend
PERL_ARGS_ASSERT_DELIMCPY;
for (tolen = 0; from < fromend; from++, tolen++) {
- if (*from == '\\') {
+ if (*from == '\\' && from + 1 < fromend) {
if (from[1] != delim) {
if (to < toend)
*to++ = *from;
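Review bot: the `from + 1 < fromend` guard stops the `from[1]` read when the backslash is the final byte, but it does so by silently reinterpreting that trailing backslash as an ordinary character rather than reporting malformed input; the commit message only says the old code "could overrun the end of the buffer slightly", so the new behaviour deserves a one-line comment on the guard itself (e.g. "a trailing backslash cannot start an escape; fall through and copy it literally"). Callers that need to distinguish "ended in an unfinished escape" from "ended cleanly" cannot tell the two apart from the return value, which is worth noting in the function comment above.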
--
2.4.11
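The commit message above describes the defect in general terms: Perl_delimcpy() copies a delimited string while turning \&lt;delimiter&gt; into &lt;delimiter&gt;, and when the backslash is the last byte of the source the old loop read one byte past the end. The following is an added example, not code from the perl repository or from the patch: it models the loop in both its unpatched and patched form with an instrumented read helper, so the out-of-bounds access is counted instead of performed and the program is safe to run without a sanitizer. The names `delimcpy_model`, `rd`, `scan`, `oob_reads` and the two input buffers are this example's own inventions; the sample inputs are constructed and deliberately not NUL-terminated, because the real source buffer is a bounded slice rather than a C string.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Number of source reads at or beyond the end of the buffer. The read is
 * counted and replaced with '\0' instead of being performed, so the model
 * never touches memory it does not own. */
static int oob_reads;

static char rd(const char *from, size_t i, size_t len)
{
    if (i >= len) {
        oob_reads++;
        return '\0';   /* stand-in for whatever byte lies past the buffer */
    }
    return from[i];
}

/* Index-based model of the Perl_delimcpy() loop (hypothetical name).
 * patched == 0 reproduces the loop before the fix; patched == 1 adds the
 * "backslash must have a following byte" guard from the patch.
 * Returns the index of the closing delimiter, or where scanning stopped. */
static size_t
delimcpy_model(char *to, size_t tosz, const char *from, size_t len,
               int delim, int *retlen, int patched)
{
    size_t i, o = 0;
    int tolen;

    for (i = 0, tolen = 0; i < len; i++, tolen++) {
        char c = rd(from, i, len);
        if (c == '\\' && (!patched || i + 1 < len)) {
            /* Unpatched: if the backslash is the last byte, from[i + 1]
             * is already one past the end. */
            if (rd(from, i + 1, len) != delim) {
                if (o < tosz)
                    to[o++] = c;
                tolen++;
            }
            i++;
        }
        else if (c == delim)
            break;
        /* Unpatched trailing-backslash case: i now equals len, so this copies
         * a byte from past the buffer into `to` (the write itself stays
         * bounded by tosz, which is why this is a read over-run only). */
        if (o < tosz)
            to[o++] = rd(from, i, len);
    }
    if (o < tosz)
        to[o] = '\0';
    *retlen = tolen;
    return i;
}

struct result {
    int oob;          /* reads past the end of the source */
    int retlen;       /* what *retlen reported */
    size_t consumed;  /* index returned by the scan */
    char out[16];
};

/* Run one scan and collect everything an observer would want to compare. */
static struct result scan(const char *src, size_t len, int delim, int patched)
{
    struct result r;
    memset(&r, 0, sizeof r);
    oob_reads = 0;
    r.consumed = delimcpy_model(r.out, sizeof r.out, src, len, delim,
                                &r.retlen, patched);
    r.oob = oob_reads;
    return r;
}

/* Constructed inputs, no NUL terminator: the reported case (source text ending
 * in a lone backslash, as the patch's `<<`\` test feeds to perl) and a normal
 * case with an escaped delimiter followed by the real closing delimiter. */
static const char trailing_bs[] = { 'a', 'b', '\\' };
static const char escaped[]     = { 'a', '\\', '`', 'b', '`', 'c' };

int main(void)
{
    struct result r;

    r = scan(trailing_bs, sizeof trailing_bs, '`', 0);
    printf("unpatched: oob=%d retlen=%d consumed=%zu out=\"%s\"\n",
           r.oob, r.retlen, r.consumed, r.out);
    r = scan(trailing_bs, sizeof trailing_bs, '`', 1);
    printf("patched:   oob=%d retlen=%d consumed=%zu out=\"%s\"\n",
           r.oob, r.retlen, r.consumed, r.out);
    r = scan(escaped, sizeof escaped, '`', 1);
    printf("escaped:   oob=%d retlen=%d consumed=%zu out=\"%s\"\n",
           r.oob, r.retlen, r.consumed, r.out);
    return 0;
}
```

With the unpatched loop the three-byte input produces two reads past the end (the `from[1]` peek and the copy after `from++`), a scan index of 4 on a 3-byte buffer, and a reported length of 4; with the guard in place there are no out-of-bounds reads, the trailing backslash is copied literally, and the scan stops exactly at the end of the buffer, matching the "returns fromend otherwise" wording of the patched comment. A 1-byte over-read like this is ordinarily invisible, which is why the report came from ASAN and libdislocator: libdislocator places each allocation at the end of a page with an inaccessible page after it, so even a single byte past the end faults.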
The RT System itself - Status changed from 'new' to 'open'
From @tonycoz

On Fri Aug 26 04:19:56 2016, davem wrote:

Which pending fix?

Tony
From @iabyn

On Tue, Sep 06, 2016 at 09:28:52PM -0700, Tony Cook via RT wrote:

382450a, which you've now applied. I've now pushed my fix as 19e1655.

--
@iabyn - Status changed from 'open' to 'pending release'
From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been

Perl 5.26.0 may be downloaded via:

If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#129064 (status was 'resolved')
Searchable as RT129064$