
perl_parse needs NULL terminated parameter list. #619

Merged
merged 1 commit into from Jan 15, 2017

@hannob
Contributor

hannob commented Jan 15, 2017

The perl_parse call needs a NULL-terminated parameter list, see here:
http://search.cpan.org/~xsawyerx/perl-5.25.8/pod/perlembed.pod

It says:
"Mind that argv[argc] must be NULL, same as those passed to a main function in C."

The patch adds a trailing NULL and changes the number of elements to G_N_ELEMENTS(perl_args)-1 (because it needs the number of elements without the NULL terminator).

If the perl_args array is not NULL-terminated, this will cause an out-of-bounds read in the perl code in S_parse_body(). This can be seen with AddressSanitizer, but for that you need to compile both irssi and libperl with ASan enabled.
I originally thought this was a perl bug, but as it's clearly documented, it needs to be fixed in irssi.

Here's a stack trace from asan:

==7887==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000088b998 at pc 0x7f3d87e36d1f bp 0x7ffcc8164b80 sp 0x7ffcc8164b70
READ of size 8 at 0x00000088b998 thread T0
    #0 0x7f3d87e36d1e in S_parse_body /var/tmp/portage/dev-lang/perl-5.22.3_rc4/work/perl-5.22.3-RC4/perl.c:2131
    #1 0x7f3d87e36d1e in perl_parse /var/tmp/portage/dev-lang/perl-5.22.3_rc4/work/perl-5.22.3-RC4/perl.c:1626
    #2 0x57e18d in perl_scripts_init /tmp/irssi-1.0.0/src/perl/perl-core.c:126
    #3 0x581860 in perl_core_init /tmp/irssi-1.0.0/src/perl/perl-core.c:462
    #4 0x45a027 in textui_finish_init /tmp/irssi-1.0.0/src/fe-text/irssi.c:191
    #5 0x45a4a9 in main /tmp/irssi-1.0.0/src/fe-text/irssi.c:314
    #6 0x7f3d8648a78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #7 0x419318 in _start (/tmp/irssi-1.0.0/src/fe-text/irssi+0x419318)

0x00000088b998 is located 0 bytes to the right of global variable 'perl_args' from 'perl-core.c' (0x88b980) of size 24
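The following is an added illustration of the argv contract described in this PR; it is not the PR's patch and not irssi's code. The argument strings are constructed, and N_ELEMENTS is a local stand-in for glib's G_N_ELEMENTS so that it compiles without glib. It shows the trailing NULL, the element count that excludes it, and a defensive check that catches an argc that was computed with the terminator included without itself reading past the array.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for glib's G_N_ELEMENTS() (assumption: same semantics, array length). */
#define N_ELEMENTS(arr) (sizeof(arr) / sizeof((arr)[0]))

/* Constructed argument list in the shape perlembed documents:
 * argv[argc] must be NULL, exactly as for a C main(). The trailing
 * NULL is the fix this PR adds; the count passed to perl_parse()
 * must then exclude it. */
static char *perl_args[] = { "", "-e", "0", NULL };

/* Count to hand to perl_parse(): array length minus the NULL terminator. */
int perl_argc(void)
{
    return (int)N_ELEMENTS(perl_args) - 1;
}

/* Independent way to derive argc: walk until the terminator. Only safe
 * when the list is known to be terminated. */
int count_until_null(char **argv)
{
    int n = 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

/* Precondition check an embedder can run before calling perl_parse():
 * every argv[i] for i < argc is non-NULL and argv[argc] is NULL.
 * If argc mistakenly includes the terminator, the loop meets the NULL
 * at argv[argc-1] and returns 0 before touching argv[argc], so the
 * check never reads out of bounds on a terminated array. */
int argv_is_terminated(int argc, char **argv)
{
    if (argc < 0)
        return 0;
    for (int i = 0; i < argc; i++) {
        if (argv[i] == NULL)
            return 0;
    }
    return argv[argc] == NULL;
}

int main(void)
{
    int argc = perl_argc();
    printf("argc=%d terminated=%d\n", argc, argv_is_terminated(argc, perl_args));
    /* The pre-fix count, N_ELEMENTS without the -1, is off by one. */
    printf("with terminator counted: terminated=%d\n",
           argv_is_terminated((int)N_ELEMENTS(perl_args), perl_args));
    return 0;
}
```

The check is cheap enough to keep in an embedder permanently; the ASan trace above is what the missing terminator looks like when the check is absent and perl walks the list itself.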

@LemonBoy LemonBoy merged commit 6e36ddc into irssi:master Jan 15, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@LemonBoy


Member

LemonBoy commented Jan 15, 2017

Great job as usual!

ailin-nemui added a commit to ailin-nemui/irssi that referenced this pull request Feb 5, 2017

Merge pull request irssi#619 from hannob/master
perl_parse needs NULL terminated parameter list.

@ailin-nemui ailin-nemui added this to the 1.0.1 milestone Jan 10, 2018
