heap-buffer-overflow S_pack_Rec pp_pack.c:3108

[p5pRT]

Migrated from rt.perl.org#129149 (status was 'resolved')

Searchable as RT129149$

[p5pRT]

From @geeknik

This one crashes v5.25.5 (v5.25.4-25-g109ac34*) with ASAN, however a
non-ASAN instrumented build doesn't crash. Testcase attached​:

hexdump -C over307
00000000 70 61 63 6b 00 75 63 57 3d 3e 27 30 30 30 30 27
|pack.ucW=>'0000'|
00000010 3d 3e 27 27 3d 3e 71 72 27 27 |=>''=>qr''|
0000001a

==18296==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x60300000e8d8 at pc 0x000000c7aeb5 bp 0x7ffc3e19e7f0 sp 0x7ffc3e19e7e8
WRITE of size 1 at 0x60300000e8d8 thread T0
  #0 0xc7aeb4 in S_pack_rec /root/perl/pp_pack.c​:3108​:2
  #1 0xc627b4 in Perl_packlist /root/perl/pp_pack.c​:1971​:11
  #2 0xc7fd16 in Perl_pp_pack /root/perl/pp_pack.c​:3131​:5
  #3 0x7f26a3 in Perl_runops_debug /root/perl/dump.c​:2234​:23
  #4 0x5a10c6 in S_run_body /root/perl/perl.c​:2525​:2
  #5 0x5a10c6 in perl_run /root/perl/perl.c​:2448
  #6 0x4de6cd in main /root/perl/perlmain.c​:123​:9
  #7 0x7f37a8fd6b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.
19/csu/libc-start.c​:287
  #8 0x4de33c in _start (/root/perl/perl+0x4de33c)

0x60300000e8d8 is located 0 bytes to the right of 24-byte region
[0x60300000e8c0,0x60300000e8d8)
allocated by thread T0 here​:
  #0 0x4c0fae in realloc (/root/perl/perl+0x4c0fae)
  #1 0x7f6bd6 in Perl_safesysrealloc /root/perl/util.c​:274​:18

SUMMARY​: AddressSanitizer​: heap-buffer-overflow /root/perl/pp_pack.c​:3108
S_pack_rec
Shadow bytes around the buggy address​:
  0x0c067fff9cc0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9cd0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9ce0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9cf0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d00​: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c067fff9d10​: fa fa 00 00 00 00 fa fa 00 00 00[fa]fa fa 00 00
  0x0c067fff9d20​: 00 fa fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
  0x0c067fff9d30​: 00 00 04 fa fa fa 00 00 00 02 fa fa fd fd fd fd
  0x0c067fff9d40​: fa fa 00 00 00 04 fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff9d50​: 05 fa fa fa 00 00 00 06 fa fa 00 00 00 00 fa fa
  0x0c067fff9d60​: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes)​:
  Addressable​: 00
  Partially addressable​: 01 02 03 04 05 06 07
  Heap left redzone​: fa
  Heap right redzone​: fb
  Freed heap region​: fd
  Stack left redzone​: f1
  Stack mid redzone​: f2
  Stack right redzone​: f3
  Stack partial redzone​: f4
  Stack after return​: f5
  Stack use after scope​: f8
  Global redzone​: f9
  Global init order​: f6
  Poisoned by user​: f7
  Container overflow​: fc
  ASan internal​: fe
==18296==ABORTING

[p5pRT]

From @geeknik

over307.gz

[p5pRT]

From @dcollinsn

Apologies if this is a dupe. This appears to be a legitimate bug in pack,
which may be security-related. It doesn't use the 'p' or 'P' types - it's
stuffing 0xFFFFFFFFFFFFFFFF into a char type, and in the process, it gets a
libc panic.

perl -e 'pack SWFW, 0,0,0,-1'

(gdb) run
Starting program​: /usr/local/perl-afl/bin/perl -e pack\ SWFW,\ 0,\ 0,\ 0,\
-1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Use of code point 0xFFFFFFFFFFFFFFFF is deprecated; the permissible max is
0x7FFFFFFFFFFFFFFF at -e line 1.
*** Error in `/usr/local/perl-afl/bin/perl'​: free()​: invalid next size
(fast)​: 0x0000000000a45630 ***
======= Backtrace​: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x6ef45)[0x7ffff6d2ef45]
/lib/x86_64-linux-gnu/libc.so.6(+0x746b6)[0x7ffff6d346b6]
/lib/x86_64-linux-gnu/libc.so.6(+0x74e9e)[0x7ffff6d34e9e]
/usr/local/perl-afl/bin/perl(Perl_safesysfree+0x5a)[0x57777a]
/usr/local/perl-afl/bin/perl(Perl_sv_clear+0x118d)[0x6031bd]
/usr/local/perl-afl/bin/perl(Perl_sv_free2+0x113)[0x6046a3]
/usr/local/perl-afl/bin/perl(Perl_cv_undef_flags+0xbca)[0x4fed7a]
/usr/local/perl-afl/bin/perl(Perl_cv_undef+0x38)[0x4fe198]
/usr/local/perl-afl/bin/perl(Perl_sv_clear+0x368)[0x602398]
/usr/local/perl-afl/bin/perl(Perl_sv_free2+0x113)[0x6046a3]
/usr/local/perl-afl/bin/perl(perl_destruct+0x351e)[0x4740ae]
/usr/local/perl-afl/bin/perl(main+0x281)[0x41fe01]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff6ce0730]
/usr/local/perl-afl/bin/perl(_start+0x29)[0x41faa9]
======= Memory map​: ========
00400000-00818000 r-xp 00000000 08​:01 1177112
/usr/local/perl-afl/bin/perl
00a17000-00a1a000 rw-p 00417000 08​:01 1177112
/usr/local/perl-afl/bin/perl
00a1a000-00a6c000 rw-p 00000000 00​:00 0
[heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00​:00 0
7ffff0021000-7ffff4000000 ---p 00000000 00​:00 0
7ffff6aaa000-7ffff6ac0000 r-xp 00000000 08​:01 784822
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6ac0000-7ffff6cbf000 ---p 00016000 08​:01 784822
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6cbf000-7ffff6cc0000 rw-p 00015000 08​:01 784822
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6cc0000-7ffff6e57000 r-xp 00000000 08​:01 788202
/lib/x86_64-linux-gnu/libc-2.23.so
7ffff6e57000-7ffff7057000 ---p 00197000 08​:01 788202
/lib/x86_64-linux-gnu/libc-2.23.so
7ffff7057000-7ffff705b000 r--p 00197000 08​:01 788202
/lib/x86_64-linux-gnu/libc-2.23.so
7ffff705b000-7ffff705d000 rw-p 0019b000 08​:01 788202
/lib/x86_64-linux-gnu/libc-2.23.so
7ffff705d000-7ffff7061000 rw-p 00000000 00​:00 0
7ffff7061000-7ffff7063000 r-xp 00000000 08​:01 789876
/lib/x86_64-linux-gnu/libutil-2.23.so
7ffff7063000-7ffff7262000 ---p 00002000 08​:01 789876
/lib/x86_64-linux-gnu/libutil-2.23.so
7ffff7262000-7ffff7263000 r--p 00001000 08​:01 789876
/lib/x86_64-linux-gnu/libutil-2.23.so
7ffff7263000-7ffff7264000 rw-p 00002000 08​:01 789876
/lib/x86_64-linux-gnu/libutil-2.23.so
7ffff7264000-7ffff726c000 r-xp 00000000 08​:01 788212
/lib/x86_64-linux-gnu/libcrypt-2.23.so
7ffff726c000-7ffff746b000 ---p 00008000 08​:01 788212
/lib/x86_64-linux-gnu/libcrypt-2.23.so
7ffff746b000-7ffff746c000 r--p 00007000 08​:01 788212
/lib/x86_64-linux-gnu/libcrypt-2.23.so
7ffff746c000-7ffff746d000 rw-p 00008000 08​:01 788212
/lib/x86_64-linux-gnu/libcrypt-2.23.so
7ffff746d000-7ffff749b000 rw-p 00000000 00​:00 0
7ffff749b000-7ffff759f000 r-xp 00000000 08​:01 788218
/lib/x86_64-linux-gnu/libm-2.23.so
7ffff759f000-7ffff779e000 ---p 00104000 08​:01 788218
/lib/x86_64-linux-gnu/libm-2.23.so
7ffff779e000-7ffff779f000 r--p 00103000 08​:01 788218
/lib/x86_64-linux-gnu/libm-2.23.so
7ffff779f000-7ffff77a0000 rw-p 00104000 08​:01 788218
/lib/x86_64-linux-gnu/libm-2.23.so
7ffff77a0000-7ffff77a2000 r-xp 00000000 08​:01 788216
/lib/x86_64-linux-gnu/libdl-2.23.so
7ffff77a2000-7ffff79a2000 ---p 00002000 08​:01 788216
/lib/x86_64-linux-gnu/libdl-2.23.so
7ffff79a2000-7ffff79a3000 r--p 00002000 08​:01 788216
/lib/x86_64-linux-gnu/libdl-2.23.so
7ffff79a3000-7ffff79a4000 rw-p 00003000 08​:01 788216
/lib/x86_64-linux-gnu/libdl-2.23.so
7ffff79a4000-7ffff79b9000 r-xp 00000000 08​:01 788345
/lib/x86_64-linux-gnu/libnsl-2.23.so
7ffff79b9000-7ffff7bb8000 ---p 00015000 08​:01 788345
/lib/x86_64-linux-gnu/libnsl-2.23.so
7ffff7bb8000-7ffff7bb9000 r--p 00014000 08​:01 788345
/lib/x86_64-linux-gnu/libnsl-2.23.so
7ffff7bb9000-7ffff7bba000 rw-p 00015000 08​:01 788345
/lib/x86_64-linux-gnu/libnsl-2.23.so
7ffff7bba000-7ffff7bbc000 rw-p 00000000 00​:00 0
7ffff7bbc000-7ffff7bd4000 r-xp 00000000 08​:01 789872
/lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7bd4000-7ffff7dd3000 ---p 00018000 08​:01 789872
/lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7dd3000-7ffff7dd4000 r--p 00017000 08​:01 789872
/lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7dd4000-7ffff7dd5000 rw-p 00018000 08​:01 789872
/lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7dd5000-7ffff7dd9000 rw-p 00000000 00​:00 0
7ffff7dd9000-7ffff7dfd000 r-xp 00000000 08​:01 788194
/lib/x86_64-linux-gnu/ld-2.23.so
7ffff7e37000-7ffff7fcf000 r--p 00000000 08​:01 663582
/usr/lib/locale/locale-archive
7ffff7fcf000-7ffff7fd4000 rw-p 00000000 00​:00 0
7ffff7ff4000-7ffff7ff7000 rw-p 00000000 00​:00 0
7ffff7ff7000-7ffff7ffa000 r--p 00000000 00​:00 0
[vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00​:00 0
[vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00023000 08​:01 788194
/lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00024000 08​:01 788194
/lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00​:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00​:00 0
[stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00​:00 0
[vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff6cf31c8 in __GI_raise (sig=sig@​entry=6)
  at ../sysdeps/unix/sysv/linux/raise.c​:54
54 ../sysdeps/unix/sysv/linux/raise.c​: No such file or directory.
(gdb) bt
#0 0x00007ffff6cf31c8 in __GI_raise (sig=sig@​entry=6)
  at ../sysdeps/unix/sysv/linux/raise.c​:54
#1 0x00007ffff6cf464a in __GI_abort () at abort.c​:89
#2 0x00007ffff6d2ef4a in __libc_message (do_abort=do_abort@​entry=2,
  fmt=fmt@​entry=0x7ffff6e27b30 "*** Error in `%s'​: %s​: 0x%s ***\n")
  at ../sysdeps/posix/libc_fatal.c​:175
#3 0x00007ffff6d346b6 in malloc_printerr (action=3,
  str=0x7ffff6e27c40 "free()​: invalid next size (fast)",
  ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c​:5004
#4 0x00007ffff6d34e9e in _int_free (av=0x7ffff705bb20 <main_arena>,
  p=<optimized out>, have_lock=0) at malloc.c​:3865
#5 0x000000000057777a in Perl_safesysfree (where=0x4d9e) at util.c​:388
#6 0x00000000006031bd in Perl_sv_clear (my_perl=<optimized out>,
  orig_sv=<optimized out>) at sv.c​:6648
#7 0x00000000006046a3 in Perl_sv_free2 (my_perl=0xa2a010, sv=0xa2d100,
rc=6)
  at sv.c​:6950
#8 0x00000000004fed7a in S_SvREFCNT_dec_NN (my_perl=0xa2a010, sv=0x4d9e)
  at ./inline.h​:200
#9 Perl_cv_undef_flags (my_perl=<optimized out>, cv=<optimized out>,
  flags=<optimized out>) at pad.c​:451
#10 0x00000000004fe198 in Perl_cv_undef (my_perl=0x4d9e, cv=0x4d9e)
  at pad.c​:302
#11 0x0000000000602398 in Perl_sv_clear (my_perl=<optimized out>,
---Type <return> to continue, or q <return> to quit---
  orig_sv=<optimized out>) at sv.c​:6500
#12 0x00000000006046a3 in Perl_sv_free2 (my_perl=0xa2a010, sv=0xa2d0e8,
rc=6)
  at sv.c​:6950
#13 0x00000000004740ae in S_SvREFCNT_dec (my_perl=0xa2a010, sv=0x4d9e)
  at ./inline.h​:189
#14 perl_destruct (my_perl=0xa2a010) at perl.c​:839
#15 0x000000000041fe01 in main (argc=<optimized out>, argv=<optimized out>,
  env=<optimized out>) at perlmain.c​:134

However, I also decided to valgrind this, and got an invalid write even
sooner​:

Use of code point 0xFFFFFFFFFFFFFFFF is deprecated; the permissible max is
0x7FFFFFFFFFFFFFFF at -e line 1.
==20524== Invalid write of size 1
==20524== at 0x786A1E​: S_pack_rec (pp_pack.c​:3108)
==20524== by 0x7871EE​: Perl_packlist (pp_pack.c​:1971)
==20524== by 0x7871EE​: Perl_pp_pack (pp_pack.c​:3131)
==20524== by 0x5C9E42​: Perl_runops_standard (run.c​:41)
==20524== by 0x47BFFE​: S_run_body (perl.c​:2525)
==20524== by 0x47BFFE​: perl_run (perl.c​:2448)
==20524== by 0x41FCDE​: main (perlmain.c​:123)
==20524== Address 0x5f843b8 is 0 bytes after a block of size 24 alloc'd
==20524== at 0x4C2CB5C​: realloc (vg_replace_malloc.c​:785)
==20524== by 0x5775C1​: Perl_safesysrealloc (util.c​:274)
==20524== by 0x5E92A0​: Perl_sv_grow (sv.c​:1602)
==20524== by 0x773EDE​: S_sv_exp_grow (pp_pack.c​:2053)
==20524== by 0x773EDE​: S_pack_rec (pp_pack.c​:2129)
==20524== by 0x7871EE​: Perl_packlist (pp_pack.c​:1971)
==20524== by 0x7871EE​: Perl_pp_pack (pp_pack.c​:3131)
==20524== by 0x5C9E42​: Perl_runops_standard (run.c​:41)
==20524== by 0x43AD9E​: S_fold_constants (op.c​:4513)
==20524== by 0x43A36A​: Perl_op_convert_list (op.c​:4784)
==20524== by 0x4FB0D6​: Perl_yyparse (perly.y​:881)
==20524== by 0x479F38​: S_parse_body (perl.c​:2373)
==20524== by 0x479F38​: perl_parse (perl.c​:1689)
==20524== by 0x41FCB2​: main (perlmain.c​:121)

I popped in libdislocator to turn that into a segfault, and ran GDB again​:

$
LD_PRELOAD=/home/dcollins/toolchain/afl-2.32b/libdislocator/libdislocator.so
gdb --args ../bin/perl -e 'pack SWFW, 0, 0, 0, -1'
GNU gdb (Debian 7.11.1-2) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://gnu.org/licenses/gpl.html

This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see​:
<http​://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at​:
<http​://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ../bin/perl...done.
(gdb) r
Starting program​: /usr/local/perl-afl/bin/perl -e pack\ SWFW,\ 0,\ 0,\ 0,\
-1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Use of code point 0xFFFFFFFFFFFFFFFF is deprecated; the permissible max is
0x7FFFFFFFFFFFFFFF at -e line 1.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000786a1e in S_pack_rec (my_perl=<optimized out>,
  cat=<optimized out>, symptr=<optimized out>, beglist=<optimized out>,
  endlist=<optimized out>) at pp_pack.c​:3108
3108 *cur = '\0';
(gdb) bt
#0 0x0000000000786a1e in S_pack_rec (my_perl=<optimized out>,
  cat=<optimized out>, symptr=<optimized out>, beglist=<optimized out>,
  endlist=<optimized out>) at pp_pack.c​:3108
#1 0x00000000007871ef in Perl_packlist (my_perl=<optimized out>,
  cat=0x7ffff681cdd8, patend=0x7ffff65b1ffa "", beglist=0x7ffff7fe3c18,
  endlist=0x0, pat=<optimized out>) at pp_pack.c​:1971
#2 Perl_pp_pack (my_perl=0x7ffff7ff3258) at pp_pack.c​:3131
#3 0x00000000005c9e43 in Perl_runops_standard (my_perl=<optimized out>)
  at run.c​:41
#4 0x000000000047bfff in S_run_body (my_perl=0x7ffff7ff3258,
  oldscope=<optimized out>) at perl.c​:2525
#5 perl_run (my_perl=<optimized out>) at perl.c​:2448
#6 0x000000000041fcdf in main (argc=<optimized out>, argv=<optimized out>,
  env=<optimized out>) at perlmain.c​:123
(gdb) l
3103 fromlen -= todo;
3104 }
3105 break;
3106 }
3107 }
3108 *cur = '\0';
3109 SvCUR_set(cat, cur - start);
3110 no_change​:
3111 *symptr = lookahead;
3112 }
(gdb) info locals
len = <optimized out>
fromstr = <optimized out>
datumtype = <optimized out>
fromlen = <optimized out>
cur = <optimized out>
howlen = <optimized out>
start = <optimized out>
lengthcode = <optimized out>
utf8 = <optimized out>
items = <optimized out>
from = <optimized out>
(gdb) info registers
rax 0x1fc3 8131
rbx 0x7ffff659ffe8 140737326481384
rcx 0xa19fe0 10592224
rdx 0xf659ff01 4133093121
rsi 0xa19fe0 10592224
rdi 0x2ea7 11943
rbp 0x0 0x0
rsp 0x7fffffffdfb0 0x7fffffffdfb0
r8 0x0 0
r9 0x0 0
r10 0x22 34
r11 0x246 582
r12 0x7ffff65a0000 140737326481408
r13 0xfffffffffffffffc -4
r14 0x0 0
r15 0x7ffff681cdd8 140737329090008
rip 0x786a1e 0x786a1e <S_pack_rec+80334>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

This /seems/ to just be an off-by-one error - AFL crash explorer hasn't
been able to write any more than one byte past the end of the buffer.

[p5pRT]

From @geeknik

perl -e 'pack~~W9,\0,\0,0,\0' triggers this as well in v5.25.4-90-g5b549d1.

==23676==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x604000009a78 at pc 0x000000c882d7 bp 0x7ffce20060d0 sp 0x7ffce20060c8
WRITE of size 1 at 0x604000009a78 thread T0
  #0 0xc882d6 in S_pack_rec /home/geeknik/perl/pp_pack.c​:2585​:4
  #1 0xc6bda4 in Perl_packlist /home/geeknik/perl/pp_pack.c​:1971​:11
  #2 0xc89306 in Perl_pp_pack /home/geeknik/perl/pp_pack.c​:3131​:5
  #3 0x7f4a13 in Perl_runops_debug /home/geeknik/perl/dump.c​:2239​:23
  #4 0x5a1246 in S_run_body /home/geeknik/perl/perl.c​:2525​:2
  #5 0x5a1246 in perl_run /home/geeknik/perl/perl.c​:2448
  #6 0x4de5fd in main /home/geeknik/perl/perlmain.c​:123​:9
  #7 0x7f2f69208b44 in __libc_start_main
/build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c​:287
  #8 0x4de26c in _start (/home/geeknik/perl/perl+0x4de26c)

0x604000009a78 is located 0 bytes to the right of 40-byte region
[0x604000009a50,0x604000009a78)
allocated by thread T0 here​:
  #0 0x4c0ede in realloc (/home/geeknik/perl/perl+0x4c0ede)
  #1 0x7f8f46 in Perl_safesysrealloc /home/geeknik/perl/util.c​:274​:18

SUMMARY​: AddressSanitizer​: heap-buffer-overflow
/home/geeknik/perl/pp_pack.c​:2585 S_pack_rec
Shadow bytes around the buggy address​:
  0x0c087fff92f0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9300​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9310​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9320​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9330​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9340​: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00[fa]
  0x0c087fff9350​: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
  0x0c087fff9360​: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 06 fa
  0x0c087fff9370​: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 04
  0x0c087fff9380​: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 03
  0x0c087fff9390​: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes)​:
  Addressable​: 00
  Partially addressable​: 01 02 03 04 05 06 07
  Heap left redzone​: fa
  Heap right redzone​: fb
  Freed heap region​: fd
  Stack left redzone​: f1
  Stack mid redzone​: f2
  Stack right redzone​: f3
  Stack partial redzone​: f4
  Stack after return​: f5
  Stack use after scope​: f8
  Global redzone​: f9
  Global init order​: f6
  Poisoned by user​: f7
  Container overflow​: fc
  ASan internal​: fe
==23676==ABORTING

[p5pRT]

From @tonycoz

On Wed Aug 31 01​:40​:20 2016, brian.carpenter@​gmail.com wrote​:

This one crashes v5.25.5 (v5.25.4-25-g109ac34*) with ASAN, however a
non-ASAN instrumented build doesn't crash. Testcase attached​:

hexdump -C over307
00000000 70 61 63 6b 00 75 63 57 3d 3e 27 30 30 30 30 27
|pack.ucW=>'0000'|
00000010 3d 3e 27 27 3d 3e 71 72 27 27 |=>''=>qr''|
0000001a

The attached fixes this for me.

This will only ever overflow by one byte, so I could see it causing a
crash (by overwriting the malloc header for the following allocation)
but I don't think it could be used to take control of anything.

Tony

[p5pRT]

From @tonycoz

0001-perl-129149-avoid-a-heap-buffer-overflow-with-pack-W.patch

From ab19876f2d2aea3a1829dee139b4a1b816f09681 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 7 Sep 2016 16:51:39 +1000
Subject: (perl #129149) avoid a heap buffer overflow with pack "W"...

---
 pp_pack.c   |  2 +-
 t/op/pack.t | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/pp_pack.c b/pp_pack.c
index 40c3100..09d91a5 100644
--- a/pp_pack.c
+++ b/pp_pack.c
@@ -2581,7 +2581,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist )
 		if (in_bytes) auv = auv % 0x100;
 		if (utf8) {
 		  W_utf8:
-		    if (cur > end) {
+		    if (cur >= end) {
 			*cur = '\0';
 			SvCUR_set(cat, cur - start);
 
diff --git a/t/op/pack.t b/t/op/pack.t
index df16464..7ec09ae 100644
--- a/t/op/pack.t
+++ b/t/op/pack.t
@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
 my $no_signedness = $] > 5.009 ? '' :
   "Signed/unsigned pack modifiers not available on this perl";
 
-plan tests => 14712;
+plan tests => 14713;
 
 use strict;
 use warnings qw(FATAL all);
@@ -2049,3 +2049,14 @@ ok(1, "argument underflow did not crash");
     is(pack("H40", $up_nul), $twenty_nuls,
        "check pack H zero fills (utf8 source)");
 }
+
+{
+    # [perl #129149] the code below would write one past the end of the output
+    # buffer, only detected by ASAN, not by valgrind
+    $Config{ivsize} >= 8
+      or skip "[perl #129149] need 64-bit for this test", 1;
+    fresh_perl_is(<<'EOS', "ok\n", { stderr => 1 }, "pack W overflow");
+print pack("ucW", "0000", 0, 140737488355327) eq "\$,#`P,```\n\0\x{7fffffffffff}"
+ ? "ok\n" : "not ok\n";
+EOS
+}
-- 
2.1.4

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @tonycoz

On Sat Sep 03 07​:47​:23 2016, dcollinsn@​gmail.com wrote​:

Apologies if this is a dupe. This appears to be a legitimate bug in pack,
which may be security-related. It doesn't use the 'p' or 'P' types - it's
stuffing 0xFFFFFFFFFFFFFFFF into a char type, and in the process, it gets a
libc panic.

perl -e 'pack SWFW, 0,0,0,-1'
...
==20524== Invalid write of size 1
==20524== at 0x786A1E​: S_pack_rec (pp_pack.c​:3108)
==20524== by 0x7871EE​: Perl_packlist (pp_pack.c​:1971)
==20524== by 0x7871EE​: Perl_pp_pack (pp_pack.c​:3131)
==20524== by 0x5C9E42​: Perl_runops_standard (run.c​:41)
==20524== by 0x47BFFE​: S_run_body (perl.c​:2525)
==20524== by 0x47BFFE​: perl_run (perl.c​:2448)
==20524== by 0x41FCDE​: main (perlmain.c​:123)

This looks like the same bug as security ticket 129149, which I posted
the attached patch for.

Tony

[p5pRT]

From @tonycoz

0001-perl-129149-avoid-a-heap-buffer-overflow-with-pack-W.patch

From ab19876f2d2aea3a1829dee139b4a1b816f09681 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 7 Sep 2016 16:51:39 +1000
Subject: (perl #129149) avoid a heap buffer overflow with pack "W"...

---
 pp_pack.c   |  2 +-
 t/op/pack.t | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/pp_pack.c b/pp_pack.c
index 40c3100..09d91a5 100644
--- a/pp_pack.c
+++ b/pp_pack.c
@@ -2581,7 +2581,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist )
 		if (in_bytes) auv = auv % 0x100;
 		if (utf8) {
 		  W_utf8:
-		    if (cur > end) {
+		    if (cur >= end) {
 			*cur = '\0';
 			SvCUR_set(cat, cur - start);
 
diff --git a/t/op/pack.t b/t/op/pack.t
index df16464..7ec09ae 100644
--- a/t/op/pack.t
+++ b/t/op/pack.t
@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
 my $no_signedness = $] > 5.009 ? '' :
   "Signed/unsigned pack modifiers not available on this perl";
 
-plan tests => 14712;
+plan tests => 14713;
 
 use strict;
 use warnings qw(FATAL all);
@@ -2049,3 +2049,14 @@ ok(1, "argument underflow did not crash");
     is(pack("H40", $up_nul), $twenty_nuls,
        "check pack H zero fills (utf8 source)");
 }
+
+{
+    # [perl #129149] the code below would write one past the end of the output
+    # buffer, only detected by ASAN, not by valgrind
+    $Config{ivsize} >= 8
+      or skip "[perl #129149] need 64-bit for this test", 1;
+    fresh_perl_is(<<'EOS', "ok\n", { stderr => 1 }, "pack W overflow");
+print pack("ucW", "0000", 0, 140737488355327) eq "\$,#`P,```\n\0\x{7fffffffffff}"
+ ? "ok\n" : "not ok\n";
+EOS
+}
-- 
2.1.4

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @iabyn

On Tue, Sep 06, 2016 at 11​:54​:34PM -0700, Tony Cook via RT wrote​:

On Wed Aug 31 01​:40​:20 2016, brian.carpenter@​gmail.com wrote​:

This one crashes v5.25.5 (v5.25.4-25-g109ac34*) with ASAN, however a
non-ASAN instrumented build doesn't crash. Testcase attached​:

hexdump -C over307
00000000 70 61 63 6b 00 75 63 57 3d 3e 27 30 30 30 30 27
|pack.ucW=>'0000'|
00000010 3d 3e 27 27 3d 3e 71 72 27 27 |=>''=>qr''|
0000001a

The attached fixes this for me.

This will only ever overflow by one byte, so I could see it causing a
crash (by overwriting the malloc header for the following allocation)
but I don't think it could be used to take control of anything.

This fix looks good to me. An attacker would have to be in a position
where pack('W') can be called with a very large arg, which is probably
fairly unlikely. (But stranger things have been known).

I think the fix should be pushed to blead.

--
Never do today what you can put off till tomorrow.

[p5pRT]

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.25.8-207-gcbe2fc5001 built with afl and run
under libdislocator, I found the following program

pack"Z*WWW",1.01E50,0,0,1E20

to perform an access outside of an allocated memory slot. ASAN diagnostics are​:

% ./perl /tmp/0001
Use of code point 0xFFFFFFFFFFFFFFFF is deprecated; the permissible
max is 0x7FFFFFFFFFFFFFFF at /tmp/0001 line 1.

==4814==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x60300000e6f8 at pc 0x000000d43b9e bp 0x7ffe105ea450 sp
0x7ffe105ea448
WRITE of size 1 at 0x60300000e6f8 thread T0
  #0 0xd43b9d in S_pack_rec /home/afl/perl-git/pp_pack.c​:3114​:7
  #1 0xd17c1d in Perl_packlist /home/afl/perl-git/pp_pack.c​:1977​:11
  #2 0xd44a2a in Perl_pp_pack /home/afl/perl-git/pp_pack.c​:3137​:5
  #3 0x847e31 in Perl_runops_debug /home/afl/perl-git/dump.c​:2260​:23
  #4 0x5f02c5 in S_run_body /home/afl/perl-git/perl.c​:2528​:2
  #5 0x5f02c5 in perl_run /home/afl/perl-git/perl.c​:2451
  #6 0x522402 in main /home/afl/perl-git/perlmain.c​:123​:9
  #7 0x7fefe22922b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
  #8 0x43ace9 in _start (/home/afl/perl-git/perl+0x43ace9)

0x60300000e6f8 is located 0 bytes to the right of 24-byte region
[0x60300000e6e0,0x60300000e6f8)
allocated by thread T0 here​:
  #0 0x4eaa10 in realloc (/home/afl/perl-git/perl+0x4eaa10)
  #1 0x84ca66 in Perl_safesysrealloc /home/afl/perl-git/util.c​:274​:18

SUMMARY​: AddressSanitizer​: heap-buffer-overflow
/home/afl/perl-git/pp_pack.c​:3114​:7 in S_pack_rec

GDB reports the following program state​:

(gdb) bt
#0 0x00007f05a15d52b9 in S_pack_rec (cat=0x7f059fc9be68,
symptr=0x7ffc8cd8bfd0, beglist=0x7f05a18a6c38, endlist=0x7f05a18a6c38)
at pp_pack.c​:3114
#1 0x00007f05a15caf6f in Perl_packlist (cat=0x7f059fc9be68,
pat=0x7f059f9eeff6 "Z*WWW", patend=0x7f059f9eeffb "",
beglist=0x7f05a18a6c18,
  endlist=0x7f05a18a6c38) at pp_pack.c​:1977
#2 0x00007f05a15d5691 in Perl_pp_pack () at pp_pack.c​:3137
#3 0x00007f05a13dbb57 in Perl_runops_debug () at dump.c​:2260
#4 0x00007f05a12d60fd in S_run_body (oldscope=1) at perl.c​:2528
#5 0x00007f05a12d567b in perl_run (my_perl=0x7f05a18bcfff) at perl.c​:2451
#6 0x00007f05a1290d3e in main (argc=2, argv=0x7ffc8cd8c3b8,
env=0x7ffc8cd8c3d0) at perlmain.c​:123
(gdb) f 0
#0 0x00007f05a15d52b9 in S_pack_rec (cat=0x7f059fc9be68,
symptr=0x7ffc8cd8bfd0, beglist=0x7f05a18a6c38, endlist=0x7f05a18a6c38)
at pp_pack.c​:3114
3114 *cur = '\0';
(gdb) info locals
fromstr = 0x7f059fc9be50
fromlen = 8
len = -1
datumtype = 87
lengthcode = 0x0
howlen = e_no_len
start = 0x7f059f9e4fe8 "1.01e+50"
cur = 0x7f059f9e5000 ""
needs_swap = false
lookahead = {patptr = 0x7f059f9eeffb "", patend = 0x7f059f9eeffb "",
grpbeg = 0x0, grpend = 0x0, code = 87, length = 1, howlen = e_no_len,
level = 0,
  flags = 9, strbeg = 0, previous = 0x0}
items = 0
found = false
utf8 = true
warn_utf8 = false
from = 0x7f05a18a6c00 "`\226\214\241\005\177"
__PRETTY_FUNCTION__ = "S_pack_rec"

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9


Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh

[p5pRT]

From @tonycoz

On Tue, 06 Dec 2016 09​:18​:27 -0800, davem wrote​:

This fix looks good to me. An attacker would have to be in a position
where pack('W') can be called with a very large arg, which is probably
fairly unlikely. (But stranger things have been known).

I think the fix should be pushed to blead.

I've made the ticket public and pushed the patch as bf4a926.

Tony

[p5pRT]

@tonycoz - Status changed from 'open' to 'pending release'

[p5pRT]

From @tonycoz

On Sat, 14 Jan 2017 10​:29​:27 -0800, randir wrote​:

While fuzzing perl v5.25.8-207-gcbe2fc5001 built with afl and run
under libdislocator, I found the following program

pack"Z*WWW",1.01E50,0,0,1E20

to perform an access outside of an allocated memory slot. ASAN
diagnostics are​:

% ./perl /tmp/0001
Use of code point 0xFFFFFFFFFFFFFFFF is deprecated; the permissible
max is 0x7FFFFFFFFFFFFFFF at /tmp/0001 line 1.

==4814==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x60300000e6f8 at pc 0x000000d43b9e bp 0x7ffe105ea450 sp
0x7ffe105ea448
WRITE of size 1 at 0x60300000e6f8 thread T0
#0 0xd43b9d in S_pack_rec /home/afl/perl-git/pp_pack.c​:3114​:7
#1 0xd17c1d in Perl_packlist /home/afl/perl-git/pp_pack.c​:1977​:11
#2 0xd44a2a in Perl_pp_pack /home/afl/perl-git/pp_pack.c​:3137​:5
#3 0x847e31 in Perl_runops_debug /home/afl/perl-git/dump.c​:2260​:23
#4 0x5f02c5 in S_run_body /home/afl/perl-git/perl.c​:2528​:2
#5 0x5f02c5 in perl_run /home/afl/perl-git/perl.c​:2451
#6 0x522402 in main /home/afl/perl-git/perlmain.c​:123​:9
#7 0x7fefe22922b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x43ace9 in _start (/home/afl/perl-git/perl+0x43ace9)

0x60300000e6f8 is located 0 bytes to the right of 24-byte region
[0x60300000e6e0,0x60300000e6f8)
allocated by thread T0 here​:
#0 0x4eaa10 in realloc (/home/afl/perl-git/perl+0x4eaa10)
#1 0x84ca66 in Perl_safesysrealloc /home/afl/perl-
git/util.c​:274​:18

This looks like a duplicate of #129149 and my patch for that prevents the crash.

Tony