heap-buffer-overflow Perl_pad_sv (pad.c:1354) #15657
Comments
From @geeknik

AFL+ASAN and Perl v5.25.6 (v5.25.5-104-gaff2be5):

==29437==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ea5c
is located 0 bytes to the right of 28-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/pad.c:1354

Valgrind and non-ASAN Perl v5.25.6 (v5.25.5-104-gaff2be5):

==21722== Invalid read of size 8

afl-tmin minimized the crash into an assertion failure, so I didn't

From @geeknik
From @tonycoz

On Fri, 14 Oct 2016 14:52:33 -0700, brian.carpenter@gmail.com wrote:
> The attached produces the same error for me.

Did you open that as a different issue?

Tony
From @tonycoz

The RT System itself - Status changed from 'new' to 'open'
From @geeknik

Most likely.
From @hvds

On Sun, 06 Nov 2016 21:12:54 -0800, tonyc wrote:

I was able to reduce and simplify it some, as below. When I run this, I get a SEGV in sv_setpvn called from pp_concat for "state = $state\n" with TARG clearly corrupt (I've seen values such as 0x31, 0x01 and 0x60 while reducing). The useless '+' on '(?{ local $d = 1 })' is required.

With valgrind, it instead gives the same 'Invalid read of size 8' at pad_sv (pad.c:1354) called from pp_concat (pp_hot.c:258), which is presumably the dATARGET getting the corrupt pointer - the original case had it calling from pp_subtract, which I think was from the '(...)[$q - 6]', and quite plausibly the first reference to a TARG in the subst replacement eval of the original version.

Hugo

use warnings;
$z = qr{ $_ = "A";
From @hvds

On Mon, 07 Nov 2016 02:12:39 -0800, hv wrote:

I don't know much about pads, but running with -DX shows:

% ./perl -DX testprog
EXECUTING...
Pad 0x2706ae0[0x270bad0] sv: 4 sv=0x0

.. which appears to show we're wrongly looking at the pad from the (?{ $d++ }).

Hugo
From @demerphq

On 7 November 2016 at 11:58, Hugo van der Sanden via RT

If I remove the print I get a different assert fail (but I am on

Yves
--
From @iabyn

On Mon, Nov 07, 2016 at 12:03:34PM +0100, demerphq wrote:

Fixed by the following commit, which I've just pushed as part of a larger

The specific issue with this ticket was that under certain circumstances,

I don't think it's a realistic security issue. It requires executing a

commit 4b9c7ca
fix pad/scope issue in re_evals

--
@iabyn - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#129881 (status was 'resolved')
Searchable as RT129881$