heap-buffer-overflow (READ of size 1) in Perl_my_atof2()

[p5pRT]

Migrated from rt.perl.org#131526 (status was 'resolved')

Searchable as RT131526$

[p5pRT]

From @geeknik

Triggered with v5.27.0-97-gd555ed0, compiled with afl-clang-fast on Debian
8 x64.

==11137==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x60300000e87a at pc 0x10cfcad bp 0x7ffff61acd30 sp 0x7ffff61acd28
READ of size 1 at 0x60300000e87a thread T0
  #0 0x10cfcac in Perl_my_atof2 /root/perl/numeric.c​:1490
  #1 0x10d08e1 in Perl_my_atof /root/perl/numeric.c​:1244
  #2 0xb01bf4 in S_sv_setnv /root/perl/sv.c​:2111
  #3 0xbc07a9 in S_sv_2iuv_common /root/perl/sv.c​:2313
  #4 0xbc7b77 in Perl_sv_2iv_flags /root/perl/sv.c​:2506
  #5 0xc98ec0 in Perl_pp_subtract /root/perl/pp.c​:1950
  #6 0x926e76 in Perl_runops_debug /root/perl/dump.c​:2451
  #7 0x59f02a in S_run_body /root/perl/perl.c​:2543
  #8 0x59f02a in perl_run /root/perl/perl.c​:2471
  #9 0x43506d in main /root/perl/perlmain.c​:123
  #10 0x7f5015730b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
  #11 0x436015 (/root/perl/perl+0x436015)

0x60300000e87a is located 0 bytes to the right of 26-byte region
[0x60300000e860,0x60300000e87a)
allocated by thread T0 here​:
  #0 0x7f50168829f6 in __interceptor_realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
  #1 0x96d481 in Perl_safesysrealloc /root/perl/util.c​:274

SUMMARY​: AddressSanitizer​: heap-buffer-overflow /root/perl/numeric.c​:1490
Perl_my_atof2

[p5pRT]

From @geeknik

test39.pl

[p5pRT]

From @tonycoz

On Wed, 07 Jun 2017 00​:59​:50 -0700, brian.carpenter@​gmail.com wrote​:

Triggered with v5.27.0-97-gd555ed0, compiled with afl-clang-fast on Debian
8 x64.

==11137==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x60300000e87a at pc 0x10cfcad bp 0x7ffff61acd30 sp 0x7ffff61acd28
READ of size 1 at 0x60300000e87a thread T0
#0 0x10cfcac in Perl_my_atof2 /root/perl/numeric.c​:1490
#1 0x10d08e1 in Perl_my_atof /root/perl/numeric.c​:1244
#2 0xb01bf4 in S_sv_setnv /root/perl/sv.c​:2111
#3 0xbc07a9 in S_sv_2iuv_common /root/perl/sv.c​:2313
#4 0xbc7b77 in Perl_sv_2iv_flags /root/perl/sv.c​:2506
#5 0xc98ec0 in Perl_pp_subtract /root/perl/pp.c​:1950
#6 0x926e76 in Perl_runops_debug /root/perl/dump.c​:2451
#7 0x59f02a in S_run_body /root/perl/perl.c​:2543
#8 0x59f02a in perl_run /root/perl/perl.c​:2471
#9 0x43506d in main /root/perl/perlmain.c​:123
#10 0x7f5015730b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#11 0x436015 (/root/perl/perl+0x436015)

0x60300000e87a is located 0 bytes to the right of 26-byte region
[0x60300000e860,0x60300000e87a)
allocated by thread T0 here​:
#0 0x7f50168829f6 in __interceptor_realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
#1 0x96d481 in Perl_safesysrealloc /root/perl/util.c​:274

SUMMARY​: AddressSanitizer​: heap-buffer-overflow /root/perl/numeric.c​:1490
Perl_my_atof2

This tries to read from a file, using the script as its own input worked for me.

This is caused by this code​:

  else if (!seen_dp && GROK_NUMERIC_RADIX(&s, send)) {
  seen_dp = 1;
  if (sig_digits > MAX_SIG_DIGITS) {
  do {
  ++s;
  } while (isDIGIT(*s));
  break;
  }
  }

GROK_NUMERIC_RADIX() increments s past the decimal point, which is at the end of string in this case, so the following ++s steps past the NUL.

I have a fix testing now.

Tony

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @tonycoz

On Mon, 12 Jun 2017 23​:30​:52 -0700, tonyc wrote​:

On Wed, 07 Jun 2017 00​:59​:50 -0700, brian.carpenter@​gmail.com wrote​:

Triggered with v5.27.0-97-gd555ed0, compiled with afl-clang-fast on
Debian
8 x64.

==11137==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x60300000e87a at pc 0x10cfcad bp 0x7ffff61acd30 sp 0x7ffff61acd28
READ of size 1 at 0x60300000e87a thread T0
#0 0x10cfcac in Perl_my_atof2 /root/perl/numeric.c​:1490
#1 0x10d08e1 in Perl_my_atof /root/perl/numeric.c​:1244
#2 0xb01bf4 in S_sv_setnv /root/perl/sv.c​:2111
#3 0xbc07a9 in S_sv_2iuv_common /root/perl/sv.c​:2313
#4 0xbc7b77 in Perl_sv_2iv_flags /root/perl/sv.c​:2506
#5 0xc98ec0 in Perl_pp_subtract /root/perl/pp.c​:1950
#6 0x926e76 in Perl_runops_debug /root/perl/dump.c​:2451
#7 0x59f02a in S_run_body /root/perl/perl.c​:2543
#8 0x59f02a in perl_run /root/perl/perl.c​:2471
#9 0x43506d in main /root/perl/perlmain.c​:123
#10 0x7f5015730b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#11 0x436015 (/root/perl/perl+0x436015)

0x60300000e87a is located 0 bytes to the right of 26-byte region
[0x60300000e860,0x60300000e87a)
allocated by thread T0 here​:
#0 0x7f50168829f6 in __interceptor_realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
#1 0x96d481 in Perl_safesysrealloc /root/perl/util.c​:274

SUMMARY​: AddressSanitizer​: heap-buffer-overflow
/root/perl/numeric.c​:1490
Perl_my_atof2

This tries to read from a file, using the script as its own input
worked for me.

This is caused by this code​:

else if (!seen_dp && GROK_NUMERIC_RADIX(&s, send)) {
seen_dp = 1;
if (sig_digits > MAX_SIG_DIGITS) {
do {
++s;
} while (isDIGIT(*s));
break;
}
}

GROK_NUMERIC_RADIX() increments s past the decimal point, which is at
the end of string in this case, so the following ++s steps past the
NUL.

I have a fix testing now.

Fixed in 9604fbf.

Tony

[p5pRT]

@tonycoz - Status changed from 'open' to 'pending release'

[p5pRT]

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been
resolved.

Perl 5.28.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.

[p5pRT]

@khwilliamson - Status changed from 'pending release' to 'resolved'