heap-buffer-overflow in Perl_yylex #16097
Comments
From gy741.kim@gmail.com:
Hi. I found a heap-buffer-overflow bug in perl. Please confirm. Thanks.
Version: This is perl 5, version 27, subversion 2 (v5.27.2) built for
From @tonycoz:
On Fri, 04 Aug 2017 02:37:31 -0700, gy741.kim@gmail.com wrote:
This is a use-after-free, not a buffer overflow. Since it requires feeding code to the interpreter it isn't a security
The attached fixes it for me. Tony
From @tonycoz:
0001-perl-131836-avoid-a-use-after-free-after-parsing-a-s.patch
From 6948dbaeb631c130a55bfa98b08908759a4d4201 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 7 Aug 2017 11:27:50 +1000
Subject: [PATCH] (perl #131836) avoid a use-after-free after parsing a "sub"
keyword
The:
d = skipspace(d);
can reallocate linestr in the test case, invalidating s. This would
end up in PL_bufptr from the embedded (PL_bufptr = s) in the TOKEN()
macro.
Assigning s to PL_bufptr and restoring s from PL_bufptr allows
lex_next_chunk() to adjust the pointer to the reallocated buffer.
---
t/comp/parser_run.t | 10 +++++++++-
toke.c | 2 ++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
index e74644d..6845a4b 100644
--- a/t/comp/parser_run.t
+++ b/t/comp/parser_run.t
@@ -10,7 +10,7 @@ BEGIN {
}
require './test.pl';
-plan(1);
+plan(2);
# [perl #130814] can reallocate lineptr while looking ahead for
# "Missing $ on loop variable" diagnostic.
@@ -24,5 +24,13 @@ syntax error at - line 3, near "foreach m0
Identifier too long at - line 3.
EXPECT
+fresh_perl_is(<<'EOS', <<'EXPECTED', {}, "use after free (#131836)");
+${sub#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+EOS
+Missing right curly or square bracket at - line 1, at end of line
+syntax error at - line 1, at EOF
+Execution of - aborted due to compilation errors.
+EXPECTED
+
__END__
# ex: set ts=8 sts=4 sw=4 et:
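Review bot: the new fresh_perl_is test asserts only on the three diagnostics, and on a non-instrumented build a use-after-free that only reads the stale buffer will produce exactly that output whether or not the toke.c fix is present, so this case guards against regression mainly when the suite is run under ASan or valgrind. Worth a short comment above the `+fresh_perl_is(` line saying so (and that the long `#xxxx...` comment after `sub` is what makes skipspace() pull in the next chunk), so a later maintainer does not shorten the input and silently lose the trigger.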
diff --git a/toke.c b/toke.c
index 6aa5f26..2261bb4 100644
--- a/toke.c
+++ b/toke.c
@@ -6200,8 +6200,10 @@ Perl_yylex(pTHX)
break;
}
if (strEQs(s, "sub")) {
+ PL_bufptr = s;
d = s + 3;
d = skipspace(d);
+ s = PL_bufptr;
if (*d == ':') {
PL_expect = XTERM;
break;
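Review bot: `PL_bufptr = s;` followed by `s = PL_bufptr;` reads as a no-op to anyone who does not already know that lex_next_chunk() rebases PL_bufptr when it reallocates linestr, and the commit message is the only place that explains it; add a one-line comment next to the first assignment (for example `/* skipspace() may reallocate linestr; lex_next_chunk() rebases PL_bufptr */`) so the pair is not "cleaned up" later. The returned `d` is fine because skipspace() hands back a pointer into the current buffer; `s` was the only other pointer into linestr live across the call in this branch.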
--
2.1.4
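The mechanism the commit message describes, as an added illustration in C that is not Perl's code: a miniature lexer whose line buffer may move while the caller still holds a raw pointer into it. `lexer_t`, `linestr`, `bufptr`, `next_chunk()` and `skipspace()` are hypothetical stand-ins for the interpreter's lexer state, the line buffer, PL_bufptr, lex_next_chunk() and toke.c's skipspace(); the input strings are constructed. The pre-patch flow keeps using `s` after the buffer has been freed; the patched flow parks `s` in the one pointer the chunk reader rebases, then takes it back. The check compares addresses only and never dereferences the stale pointer, so it runs cleanly under ASan too.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names: lexer_t stands in for the interpreter's lexer state,
 * linestr for the line buffer and bufptr for PL_bufptr. */
typedef struct {
    char *linestr;  /* growable line buffer */
    size_t len;     /* bytes in use, excluding the NUL */
    size_t cap;     /* allocated size */
    char *bufptr;   /* the one pointer next_chunk() keeps valid across a move */
} lexer_t;

static lexer_t *lexer_new(const char *first_line)
{
    lexer_t *lx = malloc(sizeof *lx);
    if (!lx) abort();
    lx->len = strlen(first_line);
    lx->cap = lx->len + 1;          /* tight fit: the next chunk must grow it */
    lx->linestr = malloc(lx->cap);
    if (!lx->linestr) abort();
    memcpy(lx->linestr, first_line, lx->cap);
    lx->bufptr = lx->linestr;
    return lx;
}

static void lexer_free(lexer_t *lx)
{
    free(lx->linestr);
    free(lx);
}

/* Append the next line of input. If the buffer has to move, only bufptr is
 * rebased; every other raw pointer into the old buffer becomes dangling. */
static void next_chunk(lexer_t *lx, const char *chunk)
{
    size_t add = strlen(chunk);
    if (lx->len + add + 1 > lx->cap) {
        size_t off = (size_t)(lx->bufptr - lx->linestr);
        size_t ncap = (lx->len + add + 1) * 2;
        char *n = malloc(ncap);     /* allocate before freeing so the address must differ */
        if (!n) abort();
        memcpy(n, lx->linestr, lx->len + 1);
        free(lx->linestr);
        lx->linestr = n;
        lx->cap = ncap;
        lx->bufptr = lx->linestr + off;
    }
    memcpy(lx->linestr + lx->len, chunk, add + 1);
    lx->len += add;
}

/* Skip blanks from d. A '#' comment runs to end of line, and if the line is
 * exhausted the next one is pulled in, which may move the buffer. The return
 * value is always a pointer into the current buffer; the caller's d is not. */
static char *skipspace(lexer_t *lx, char *d, const char *next_line)
{
    size_t off = (size_t)(d - lx->linestr);
    for (;;) {
        while (lx->linestr[off] == ' ')
            off++;
        if (lx->linestr[off] == '#') {
            while (lx->linestr[off] && lx->linestr[off] != '\n')
                off++;
            if (lx->linestr[off] == '\0' && next_line) {
                next_chunk(lx, next_line);
                next_line = NULL;
                continue;
            }
        }
        break;
    }
    return lx->linestr + off;
}

/* Address-range check that never dereferences p, so it is safe on a dangling pointer. */
static int in_buffer(const lexer_t *lx, const char *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)lx->linestr;
    return a >= lo && a < lo + lx->cap;
}

/* Model of the "sub" branch. use_bufptr == 0 mirrors the pre-patch flow and
 * leaves s stale once the buffer moves; use_bufptr == 1 does what the patch
 * does. Returns 1 if s still points into the live buffer afterwards, 0 if not,
 * -1 if the input does not start with "sub". */
static int sub_keyword_branch(lexer_t *lx, int use_bufptr)
{
    char *s = lx->linestr;
    char *d;
    if (strncmp(s, "sub", 3) != 0)
        return -1;
    if (use_bufptr)
        lx->bufptr = s;              /* patch: park s where next_chunk() will rebase it */
    d = s + 3;
    d = skipspace(lx, d, "{ 1 }\n"); /* constructed "next line"; forces the move */
    if (use_bufptr)
        s = lx->bufptr;              /* patch: take the rebased pointer back */
    (void)d;
    return in_buffer(lx, s);
}

int main(void)
{
    /* constructed input modelled on the test case: "sub" followed by a long comment */
    const char *src = "sub#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    lexer_t *lx = lexer_new(src);
    printf("pre-patch: s valid after skipspace -> %d\n", sub_keyword_branch(lx, 0));
    lexer_free(lx);
    lx = lexer_new(src);
    printf("patched:   s valid after skipspace -> %d\n", sub_keyword_branch(lx, 1));
    lexer_free(lx);
    return 0;
}
```

The pre-patch call returns 0 because `s` still holds the address of the block that `next_chunk()` freed; the patched call returns 1 because `s` was re-read from the one pointer the chunk reader knows to rebase. In real code `d` would be safe to use after the call and `s` would not, which is exactly why the toke.c fix only touches `s`.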
The RT System itself - Status changed from 'new' to 'open' |
From @tonycoz:
On Sun, 06 Aug 2017 18:30:40 -0700, tonyc wrote:
Applied as 3b8804a. Tony
@tonycoz - Status changed from 'open' to 'pending release' |
From sraums2498@gmail.com:
=================================================================
0x61200000b7d9 is located 153 bytes inside of 288-byte region [0x61200000b740,0x61200000b860)
previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-use-after-free /home/asan_perl/Documents/perl-5.26.1/toke.c:5143 Perl_yylex
--
From sraums2498@gmail.com:
=================================================================
0x61200000b7d9 is located 153 bytes inside of 288-byte region [0x61200000b740,0x61200000b860)
previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-use-after-free /home/asan_perl/Documents/perl-5.26.1/toke.c:5143 Perl_yylex
--
From sraums2498@gmail.com:
=================================================================
0x60300000e918 is located 8 bytes to the left of 24-byte region [0x60300000e920,0x60300000e938)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/asan_perl/Documents/perl-5.26.1/pad.c:1758 Perl_pad_free
--
From sraums2498@gmail.com:
=================================================================
0x60200000dab8 is located 0 bytes to the right of 8-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow
--
From @hvds:
This appears to be fixed already in blead by the commit below; it should form part of perl-5.28. The analysis on the original ticket was that it was not a security concern, so I'll mark this as a duplicate of that one. Hugo
commit 3b8804a (perl #131836) avoid a use-after-free after parsing a "sub" keyword
The RT System itself - Status changed from 'new' to 'open' |
From @hvds:
This is also a duplicate of rt131836, fixed in blead; I'll merge it. Hugo
The RT System itself - Status changed from 'new' to 'open' |
The RT System itself - Status changed from 'new' to 'open' |
The RT System itself - Status changed from 'new' to 'open' |
From @khwilliamson:
Thank you for filing this report. You have helped make Perl better. With the release yesterday of Perl 5.28.0, this and 185 other issues have been
Perl 5.28.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved' |
Migrated from rt.perl.org#131836 (status was 'resolved')
Searchable as RT131836$