heap-buffer-overflow Perl_pp_chdir (pp_sys.c:3685) #15569
Comments
From @geeknik
Found with AFL and Perl v5.25.4-20-gc2f7c0b*. I've attached the

==26581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000009a80 is located 0 bytes to the right of 1024-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/pp_sys.c:3685

From @geeknik
From @tonycoz
On Mon Aug 29 13:54:26 2016, brian.carpenter@gmail.com wrote:

chdir() isn't allocating stack for its result when called with no argument. Most other ops default to $_ and are compiled that way, for example:

tony@mars:.../git/perl$ ./perl -Ilib -MO=Concise -e sin

chdir() doesn't get that faked argument:

tony@mars:.../git/perl$ ./perl -Ilib -MO=Concise -e chdir

since chdir() with no argument has its own special behaviour.

A simpler reproducer:

for $x (map $_+1, 1 .. 100) {
    map chdir, 1 .. $x;
}

Fix attached. I don't think this would be exploitable beyond a denial of service if it

Tony
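As an added illustration, not code from perl or from the patch in this ticket, the following constructed C model shows the argument-stack contract the comment above describes: an op that pushes a result must first reserve the slot (perl's EXTEND(SP, n)), and an op that skips the reservation writes past the end of the stack buffer once enough results have accumulated. The stack type, the `stack_extend` helper and the two `op_noarg_result_*` functions are all assumptions made for the example; the push is bounds-checked here so the overrun is reported rather than corrupting memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an argument stack; not perl's own data structure. */
typedef struct {
    long  *base; /* slot storage */
    size_t cap;  /* allocated slots */
    size_t sp;   /* index of the next free slot */
} Stack;

static void stack_init(Stack *s, size_t cap) {
    s->base = malloc(cap * sizeof *s->base);
    if (!s->base) abort();
    s->cap = cap;
    s->sp = 0;
}

static void stack_free(Stack *s) {
    free(s->base);
    s->base = NULL;
    s->cap = s->sp = 0;
}

/* Like EXTEND(SP, n): guarantee n free slots, growing the buffer if needed. */
static void stack_extend(Stack *s, size_t n) {
    if (s->sp + n <= s->cap) return;
    size_t newcap = s->cap ? s->cap : 1;
    while (s->sp + n > newcap) newcap *= 2;
    long *nb = realloc(s->base, newcap * sizeof *nb);
    if (!nb) abort();
    s->base = nb;
    s->cap = newcap;
}

/* Like PUSHs: the caller is responsible for having extended first.
 * Real code would write out of bounds here; this model refuses and
 * returns 0 so the defect is observable instead of memory-corrupting. */
static int stack_push(Stack *s, long v) {
    if (s->sp >= s->cap) return 0;
    s->base[s->sp++] = v;
    return 1;
}

/* Hypothetical no-argument op before the fix: pushes a result with no EXTEND. */
static int op_noarg_result_unfixed(Stack *s) {
    return stack_push(s, 1);
}

/* The same op after the fix: reserve one slot, then push. */
static int op_noarg_result_fixed(Stack *s) {
    stack_extend(s, 1);
    return stack_push(s, 1);
}

/* Run the ticket's pattern (many results accumulating on one stack) and
 * return how many pushes fit before the model detects an overrun. */
static size_t run_ops(size_t cap, size_t n, int (*op)(Stack *)) {
    Stack s;
    size_t ok = 0;
    stack_init(&s, cap);
    for (size_t i = 0; i < n; i++) {
        if (!op(&s)) break;
        ok++;
    }
    stack_free(&s);
    return ok;
}

int main(void) {
    printf("unfixed: %zu of 100 results fit in a 64-slot stack\n",
           run_ops(64, 100, op_noarg_result_unfixed));
    printf("fixed:   %zu of 100 results fit (stack grew on demand)\n",
           run_ops(64, 100, op_noarg_result_fixed));
    return 0;
}
```

The unfixed op stops at the 65th result because it never asked for room; the fixed op grows the stack and all 100 results land. In perl the equivalent overrun is the one-slot write past a 1024-byte region that AddressSanitizer reported in the original comment.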
From @tonycoz
0001-perl-129130-make-chdir-allocate-the-stack-it-needs.patch

From d6151b2a56d80af849778fda3364f392ea9032b1 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 5 Sep 2016 15:40:11 +1000
Subject: (perl #129130) make chdir allocate the stack it needs
chdir with no argument didn't ensure there was stack space available
for its result.
---
pp_sys.c | 1 +
t/op/chdir.t | 8 +++++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/pp_sys.c b/pp_sys.c
index a198d4e..7d74ea6 100644
--- a/pp_sys.c
+++ b/pp_sys.c
@@ -3639,6 +3639,7 @@ PP(pp_chdir)
HV * const table = GvHVn(PL_envgv);
SV **svp;
+ EXTEND(SP, 1);
if ( (svp = hv_fetchs(table, "HOME", FALSE))
|| (svp = hv_fetchs(table, "LOGDIR", FALSE))
#ifdef VMS
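Review bot: the EXTEND(SP, 1) sits before the HOME/LOGDIR lookups in the no-argument branch, so whichever result push below it runs has its slot reserved; a one-line comment saying why this branch needs its own EXTEND (chdir is not compiled with the default $_ argument most ops get, so there is no argument slot for the result to reuse, as the discussion above explains) would help the next reader of pp_chdir.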
diff --git a/t/op/chdir.t b/t/op/chdir.t
index 9967707..38cbbe9 100644
--- a/t/op/chdir.t
+++ b/t/op/chdir.t
@@ -12,7 +12,7 @@ BEGIN {
set_up_inc(qw(t . lib ../lib));
}
-plan(tests => 47);
+plan(tests => 48);
use Config;
use Errno qw(ENOENT EBADF EINVAL);
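Review bot: the plan count goes from 47 to 48, which matches the single fresh_perl_is test the following hunk adds; nothing else to flag in this hunk.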
@@ -162,6 +162,12 @@ sub check_env {
}
}
+fresh_perl_is(<<'EOP', '', { stderr => 1 }, "check stack handling");
+for $x (map $_+1, 1 .. 100) {
+ map chdir, 1 .. $x;
+}
+EOP
+
my %Saved_Env = ();
sub clean_env {
foreach my $env (@magic_envs) {
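Review bot: the new fresh_perl_is test runs the ticket's reproducer and expects empty stderr, but on an unfixed build without AddressSanitizer the one-slot overrun can go unnoticed and the test may still pass; a short comment above it noting that it is mainly meaningful under an ASan build would save future confusion. Since the chdir to $HOME happens in the child perl, no working-directory restoration is needed here.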
--
2.1.4
The RT System itself - Status changed from 'new' to 'open'
From @tonycoz
On Sun Sep 04 22:50:16 2016, tonyc wrote:

Applied as 92c843f.

And made this public.

Tony

From zefram@fysh.org
This bug was fixed by Tony's patch. This ticket should be closed.

-zefram

@cpansprout - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#129130 (status was 'resolved')
Searchable as RT129130$