
heap-buffer-overflow (READ of size 1) in Perl_my_atof2() #16002

Closed
p5pRT opened this issue Jun 7, 2017 · 8 comments
@p5pRT p5pRT commented Jun 7, 2017

Migrated from rt.perl.org#131526 (status was 'resolved')

Searchable as RT131526$

@p5pRT p5pRT commented Jun 7, 2017

From @geeknik

Triggered with v5.27.0-97-gd555ed0, compiled with afl-clang-fast on Debian 8 x64.

==11137==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e87a at pc 0x10cfcad bp 0x7ffff61acd30 sp 0x7ffff61acd28
READ of size 1 at 0x60300000e87a thread T0
  #0 0x10cfcac in Perl_my_atof2 /root/perl/numeric.c:1490
  #1 0x10d08e1 in Perl_my_atof /root/perl/numeric.c:1244
  #2 0xb01bf4 in S_sv_setnv /root/perl/sv.c:2111
  #3 0xbc07a9 in S_sv_2iuv_common /root/perl/sv.c:2313
  #4 0xbc7b77 in Perl_sv_2iv_flags /root/perl/sv.c:2506
  #5 0xc98ec0 in Perl_pp_subtract /root/perl/pp.c:1950
  #6 0x926e76 in Perl_runops_debug /root/perl/dump.c:2451
  #7 0x59f02a in S_run_body /root/perl/perl.c:2543
  #8 0x59f02a in perl_run /root/perl/perl.c:2471
  #9 0x43506d in main /root/perl/perlmain.c:123
  #10 0x7f5015730b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
  #11 0x436015 (/root/perl/perl+0x436015)

0x60300000e87a is located 0 bytes to the right of 26-byte region [0x60300000e860,0x60300000e87a)
allocated by thread T0 here:
  #0 0x7f50168829f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
  #1 0x96d481 in Perl_safesysrealloc /root/perl/util.c:274

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/numeric.c:1490 Perl_my_atof2


@p5pRT p5pRT commented Jun 13, 2017

From @tonycoz

On Wed, 07 Jun 2017 00:59:50 -0700, brian.carpenter@gmail.com wrote:

Triggered with v5.27.0-97-gd555ed0, compiled with afl-clang-fast on Debian 8 x64.

==11137==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e87a at pc 0x10cfcad bp 0x7ffff61acd30 sp 0x7ffff61acd28
READ of size 1 at 0x60300000e87a thread T0
#0 0x10cfcac in Perl_my_atof2 /root/perl/numeric.c:1490
#1 0x10d08e1 in Perl_my_atof /root/perl/numeric.c:1244
#2 0xb01bf4 in S_sv_setnv /root/perl/sv.c:2111
#3 0xbc07a9 in S_sv_2iuv_common /root/perl/sv.c:2313
#4 0xbc7b77 in Perl_sv_2iv_flags /root/perl/sv.c:2506
#5 0xc98ec0 in Perl_pp_subtract /root/perl/pp.c:1950
#6 0x926e76 in Perl_runops_debug /root/perl/dump.c:2451
#7 0x59f02a in S_run_body /root/perl/perl.c:2543
#8 0x59f02a in perl_run /root/perl/perl.c:2471
#9 0x43506d in main /root/perl/perlmain.c:123
#10 0x7f5015730b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#11 0x436015 (/root/perl/perl+0x436015)

0x60300000e87a is located 0 bytes to the right of 26-byte region [0x60300000e860,0x60300000e87a)
allocated by thread T0 here:
#0 0x7f50168829f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
#1 0x96d481 in Perl_safesysrealloc /root/perl/util.c:274

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/numeric.c:1490 Perl_my_atof2

This tries to read from a file, using the script as its own input worked for me.

This is caused by this code:

  else if (!seen_dp && GROK_NUMERIC_RADIX(&s, send)) {
      seen_dp = 1;
      if (sig_digits > MAX_SIG_DIGITS) {
          do {
              ++s;
          } while (isDIGIT(*s));
          break;
      }
  }

GROK_NUMERIC_RADIX() increments s past the decimal point, which is at the end of string in this case, so the following ++s steps past the NUL.

I have a fix testing now.

Tony
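An added illustration of the loop Tony quotes (not Perl's numeric.c, and not the fix in 9604fbf): the original skip rewritten in index form so it reports the out-of-bounds read instead of performing it, beside a bounded variant that stops at send. The inputs are constructed, and sig_digits is assumed to already exceed MAX_SIG_DIGITS.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Model of the digit-skipping loop in Perl_my_atof2 (added illustration, not
 * Perl's numeric.c). s/send follow Perl's convention: send points at the
 * terminating NUL, one past the last character. sig_digits > MAX_SIG_DIGITS
 * is assumed to hold already, so only the fractional-digit skip is modelled. */

/* The original `do { ++s; } while (isDIGIT(*s));` in index form, so it can
 * run without dereferencing past the buffer: returns the first index that
 * loop would read at or beyond len (the region size, NUL included), or -1
 * if every read stays inside the region. */
static long oob_read_index(const char *buf, size_t len, size_t after_radix)
{
    size_t i = after_radix;      /* s after GROK_NUMERIC_RADIX advanced it */
    do {
        ++i;                     /* the unconditional ++s */
        if (i >= len)            /* *s would read past the allocation */
            return (long)i;
    } while (isdigit((unsigned char)buf[i]));
    return -1;
}

/* Bounded variant (an assumed fix for illustration, not commit 9604fbf):
 * keeps the skip-one-then-digits shape but never advances or reads
 * beyond send, so a radix point at end of string leaves s == send. */
static const char *skip_fraction_bounded(const char *s, const char *send)
{
    while (s < send) {
        ++s;                     /* s < send before, so s <= send after */
        if (s == send || !isdigit((unsigned char)*s))
            break;
    }
    return s;
}

/* Offset at which the bounded variant stops, for a NUL-terminated buffer. */
static long bounded_stop_offset(const char *buf, size_t after_radix)
{
    const char *send = buf + strlen(buf);
    return (long)(skip_fraction_bounded(buf + after_radix, send) - buf);
}

/* Constructed sample (not the reporter's script): 24 digits, then a radix
 * point that ends the string: 25 characters plus NUL = a 26-byte region,
 * the same shape as the ASAN report above. */
#define RADIX_AT_END "123456789012345678901234."
#define RADIX_AT_END_LEN (sizeof RADIX_AT_END)   /* 26, NUL included */
```

For the constructed sample the original loop's first read lands at index 26 of a 26-byte region, which is exactly the "0 bytes to the right" ASAN reports, while the bounded variant stops at send.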

@p5pRT p5pRT commented Jun 13, 2017

The RT System itself - Status changed from 'new' to 'open'

@p5pRT p5pRT commented Jun 13, 2017

From @tonycoz

On Mon, 12 Jun 2017 23:30:52 -0700, tonyc wrote:

On Wed, 07 Jun 2017 00:59:50 -0700, brian.carpenter@gmail.com wrote:

Triggered with v5.27.0-97-gd555ed0, compiled with afl-clang-fast on Debian 8 x64.

==11137==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e87a at pc 0x10cfcad bp 0x7ffff61acd30 sp 0x7ffff61acd28
READ of size 1 at 0x60300000e87a thread T0
#0 0x10cfcac in Perl_my_atof2 /root/perl/numeric.c:1490
#1 0x10d08e1 in Perl_my_atof /root/perl/numeric.c:1244
#2 0xb01bf4 in S_sv_setnv /root/perl/sv.c:2111
#3 0xbc07a9 in S_sv_2iuv_common /root/perl/sv.c:2313
#4 0xbc7b77 in Perl_sv_2iv_flags /root/perl/sv.c:2506
#5 0xc98ec0 in Perl_pp_subtract /root/perl/pp.c:1950
#6 0x926e76 in Perl_runops_debug /root/perl/dump.c:2451
#7 0x59f02a in S_run_body /root/perl/perl.c:2543
#8 0x59f02a in perl_run /root/perl/perl.c:2471
#9 0x43506d in main /root/perl/perlmain.c:123
#10 0x7f5015730b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#11 0x436015 (/root/perl/perl+0x436015)

0x60300000e87a is located 0 bytes to the right of 26-byte region [0x60300000e860,0x60300000e87a)
allocated by thread T0 here:
#0 0x7f50168829f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
#1 0x96d481 in Perl_safesysrealloc /root/perl/util.c:274

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/numeric.c:1490 Perl_my_atof2

This tries to read from a file, using the script as its own input worked for me.

This is caused by this code:

  else if (!seen_dp && GROK_NUMERIC_RADIX(&s, send)) {
      seen_dp = 1;
      if (sig_digits > MAX_SIG_DIGITS) {
          do {
              ++s;
          } while (isDIGIT(*s));
          break;
      }
  }

GROK_NUMERIC_RADIX() increments s past the decimal point, which is at the end of string in this case, so the following ++s steps past the NUL.

I have a fix testing now.

Fixed in 9604fbf.

Tony

@p5pRT p5pRT commented Jun 13, 2017

@tonycoz - Status changed from 'open' to 'pending release'

@p5pRT p5pRT commented Jun 23, 2018

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been resolved.

Perl 5.28.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.

@p5pRT p5pRT commented Jun 23, 2018

@khwilliamson - Status changed from 'pending release' to 'resolved'

@p5pRT p5pRT closed this Jun 23, 2018
@p5pRT p5pRT added the Severity Low label Oct 19, 2019