Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in Perl_yylex #16097

Closed
p5pRT opened this issue Aug 4, 2017 · 25 comments

Comments

@p5pRT
Copy link

commented Aug 4, 2017

Migrated from rt.perl.org#131836 (status was 'resolved')

Searchable as RT131836$

@p5pRT

This comment has been minimized.

Copy link
Author

commented Aug 4, 2017

From gy741.kim@gmail.com

Hi.

I found a heap-buffer-overflow bug in perl.

Please confirm.

Thanks.

Version​: This is perl 5, version 27, subversion 2 (v5.27.2) built for
i686-linux
OS​: Ubuntu 16.04.2 32bit
Steps to reproduce​:
1.Download the PoC files.
2.Compile the source code with ASan.
3.Execute the following command
  : ./perl $PoC
```

==22689==ERROR​: AddressSanitizer​: heap-use-after-free on address 0xb5101102
at pc 0x082b8557 bp 0xbfefdf68 sp 0xbfefdf5c
READ of size 1 at 0xb5101102 thread T0
  #0 0x82b8556 in Perl_yylex /root/karas/perl5-blead/toke.c​:5137​:13
  #1 0x835df10 in Perl_yyparse /root/karas/perl5-blead/perly.c​:340​:34
  #2 0x8232350 in S_parse_body /root/karas/perl5-blead/perl.c​:2401​:9
  #3 0x82285e3 in perl_parse /root/karas/perl5-blead/perl.c​:1719​:2
  #4 0x81494a6 in main /root/karas/perl5-blead/perlmain.c​:121​:18
  #5 0xb7547636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c​:291
  #6 0x8075847 in _start (/root/karas/perl5-blead/perl+0x8075847)

0xb5101102 is located 2 bytes inside of 64-byte region
[0xb5101100,0xb5101140)
freed by thread T0 here​:
  #0 0x8119ef4 in realloc (/root/karas/perl5-blead/perl+0x8119ef4)
  #1 0x84e3394 in Perl_safesysrealloc
/root/karas/perl5-blead/util.c​:274​:18

previously allocated by thread T0 here​:
  #0 0x8119ef4 in realloc (/root/karas/perl5-blead/perl+0x8119ef4)
  #1 0x84e3394 in Perl_safesysrealloc
/root/karas/perl5-blead/util.c​:274​:18

SUMMARY​: AddressSanitizer​: heap-use-after-free
/root/karas/perl5-blead/toke.c​:5137​:13 in Perl_yylex
Shadow bytes around the buggy address​:
  0x36a201d0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a201e0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a201f0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a20200​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a20210​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a20220​:[fd]fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x36a20230​: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
  0x36a20240​: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x36a20250​: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x36a20260​: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x36a20270​: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes)​:
  Addressable​: 00
  Partially addressable​: 01 02 03 04 05 06 07
  Heap left redzone​: fa
  Heap right redzone​: fb
  Freed heap region​: fd
  Stack left redzone​: f1
  Stack mid redzone​: f2
  Stack right redzone​: f3
  Stack partial redzone​: f4
  Stack after return​: f5
  Stack use after scope​: f8
  Global redzone​: f9
  Global init order​: f6
  Poisoned by user​: f7
  Container overflow​: fc
  Array cookie​: ac
  Intra object redzone​: bb
  ASan internal​: fe
  Left alloca redzone​: ca
  Right alloca redzone​: cb
==22689==ABORTING
```

@p5pRT

This comment has been minimized.

Copy link
Author

commented Aug 4, 2017

@p5pRT

This comment has been minimized.

Copy link
Author

commented Aug 7, 2017

From @tonycoz

On Fri, 04 Aug 2017 02​:37​:31 -0700, gy741.kim@​gmail.com wrote​:

Hi.

I found a heap-buffer-overflow bug in perl.

Please confirm.

This is a use-after-free, not a buffer overflow.

Since it requires feeding code to the interpreter it isn't a security
issue, so I've made it public.

=================================================================
==22689==ERROR​: AddressSanitizer​: heap-use-after-free on address 0xb5101102
at pc 0x082b8557 bp 0xbfefdf68 sp 0xbfefdf5c
READ of size 1 at 0xb5101102 thread T0
#0 0x82b8556 in Perl_yylex /root/karas/perl5-blead/toke.c​:5137​:13
#1 0x835df10 in Perl_yyparse /root/karas/perl5-blead/perly.c​:340​:34
#2 0x8232350 in S_parse_body /root/karas/perl5-blead/perl.c​:2401​:9
#3 0x82285e3 in perl_parse /root/karas/perl5-blead/perl.c​:1719​:2
#4 0x81494a6 in main /root/karas/perl5-blead/perlmain.c​:121​:18
#5 0xb7547636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c​:291
#6 0x8075847 in _start (/root/karas/perl5-blead/perl+0x8075847)

The attached fixes it for me.

Tony

@p5pRT

This comment has been minimized.

Copy link
Author

commented Aug 7, 2017

From @tonycoz

0001-perl-131836-avoid-a-use-after-free-after-parsing-a-s.patch
From 6948dbaeb631c130a55bfa98b08908759a4d4201 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 7 Aug 2017 11:27:50 +1000
Subject: [PATCH] (perl #131836) avoid a use-after-free after parsing a "sub"
 keyword

The:

  d = skipspace(d);

can reallocate linestr in the test case, invalidating s.  This would
end up in PL_bufptr from the embedded (PL_bufptr = s) in the TOKEN()
macro.

Assigning s to PL_bufptr and restoring s from PL_bufptr allows
lex_next_chunk() to adjust the pointer to the reallocated buffer.
---
 t/comp/parser_run.t | 10 +++++++++-
 toke.c              |  2 ++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
index e74644d..6845a4b 100644
--- a/t/comp/parser_run.t
+++ b/t/comp/parser_run.t
@@ -10,7 +10,7 @@ BEGIN {
 }
 
 require './test.pl';
-plan(1);
+plan(2);
 
 # [perl #130814] can reallocate lineptr while looking ahead for
 # "Missing $ on loop variable" diagnostic.
@@ -24,5 +24,13 @@ syntax error at - line 3, near "foreach m0
 Identifier too long at - line 3.
 EXPECT
 
+fresh_perl_is(<<'EOS', <<'EXPECTED', {}, "use after free (#131836)");
+${sub#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+EOS
+Missing right curly or square bracket at - line 1, at end of line
+syntax error at - line 1, at EOF
+Execution of - aborted due to compilation errors.
+EXPECTED
+
 __END__
 # ex: set ts=8 sts=4 sw=4 et:
diff --git a/toke.c b/toke.c
index 6aa5f26..2261bb4 100644
--- a/toke.c
+++ b/toke.c
@@ -6200,8 +6200,10 @@ Perl_yylex(pTHX)
 			break;
 		    }
 		    if (strEQs(s, "sub")) {
+                        PL_bufptr = s;
 			d = s + 3;
 			d = skipspace(d);
+                        s = PL_bufptr;
 			if (*d == ':') {
 			    PL_expect = XTERM;
 			    break;
-- 
2.1.4

@p5pRT

This comment has been minimized.

Copy link
Author

commented Aug 7, 2017

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

This comment has been minimized.

Copy link
Author

commented Aug 28, 2017

From @tonycoz

On Sun, 06 Aug 2017 18​:30​:40 -0700, tonyc wrote​:

On Fri, 04 Aug 2017 02​:37​:31 -0700, gy741.kim@​gmail.com wrote​:

Hi.

I found a heap-buffer-overflow bug in perl.

Please confirm.

This is a use-after-free, not a buffer overflow.

Since it requires feeding code to the interpreter it isn't a security
issue, so I've made it public.

=================================================================
==22689==ERROR​: AddressSanitizer​: heap-use-after-free on address
0xb5101102
at pc 0x082b8557 bp 0xbfefdf68 sp 0xbfefdf5c
READ of size 1 at 0xb5101102 thread T0
#0 0x82b8556 in Perl_yylex /root/karas/perl5-blead/toke.c​:5137​:13
#1 0x835df10 in Perl_yyparse /root/karas/perl5-
blead/perly.c​:340​:34
#2 0x8232350 in S_parse_body /root/karas/perl5-
blead/perl.c​:2401​:9
#3 0x82285e3 in perl_parse /root/karas/perl5-blead/perl.c​:1719​:2
#4 0x81494a6 in main /root/karas/perl5-blead/perlmain.c​:121​:18
#5 0xb7547636 in __libc_start_main
/build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c​:291
#6 0x8075847 in _start (/root/karas/perl5-blead/perl+0x8075847)

The attached fixes it for me.

Applied as 3b8804a.

Tony

@p5pRT

This comment has been minimized.

Copy link
Author

commented Aug 28, 2017

@tonycoz - Status changed from 'open' to 'pending release'

@p5pRT

This comment has been minimized.

Copy link
Author

commented Dec 20, 2017

From sraums2498@gmail.com

=================================================================
==51794==ERROR​: AddressSanitizer​: heap-use-after-free on address 0x61200000b7d9 at pc 0x000000bba16c bp 0x7ffe275d8d10 sp 0x7ffe275d8d00
READ of size 1 at 0x61200000b7d9 thread T0
  #0 0xbba16b in Perl_yylex /home/asan_perl/Documents/perl-5.26.1/toke.c​:5143
  #1 0xe7c7ec in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c​:340
  #2 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c​:2377
  #3 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c​:1692
  #4 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c​:121
  #5 0x7fc3314ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #6 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

0x61200000b7d9 is located 153 bytes inside of 288-byte region [0x61200000b740,0x61200000b860)
freed by thread T0 here​:
  #0 0x7fc33226e961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
  #1 0x1681118 in Perl_safesysrealloc /home/asan_perl/Documents/perl-5.26.1/util.c​:274
  #2 0x1de47d6 in Perl_sv_grow /home/asan_perl/Documents/perl-5.26.1/sv.c​:1598
  #3 0x1f26bb4 in Perl_sv_catpvn_flags /home/asan_perl/Documents/perl-5.26.1/sv.c​:5521
  #4 0xaf2df9 in Perl_lex_next_chunk /home/asan_perl/Documents/perl-5.26.1/toke.c​:1385
  #5 0xafc528 in Perl_lex_read_space /home/asan_perl/Documents/perl-5.26.1/toke.c​:1594
  #6 0xaff1f5 in S_skipspace_flags /home/asan_perl/Documents/perl-5.26.1/toke.c​:1897
  #7 0xd78bba in Perl_yylex /home/asan_perl/Documents/perl-5.26.1/toke.c​:6225
  #8 0xe7c7ec in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c​:340
  #9 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c​:2377
  #10 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c​:1692
  #11 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c​:121
  #12 0x7fc3314ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here​:
  #0 0x7fc33226e961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
  #1 0x1681118 in Perl_safesysrealloc /home/asan_perl/Documents/perl-5.26.1/util.c​:274
  #2 0x1de47d6 in Perl_sv_grow /home/asan_perl/Documents/perl-5.26.1/sv.c​:1598
  #3 0x1fb6f0e in Perl_sv_gets /home/asan_perl/Documents/perl-5.26.1/sv.c​:8761
  #4 0xaf45d5 in S_filter_gets /home/asan_perl/Documents/perl-5.26.1/toke.c​:4583
  #5 0xaf45d5 in Perl_lex_next_chunk /home/asan_perl/Documents/perl-5.26.1/toke.c​:1359
  #6 0xbfaaa9 in Perl_yylex /home/asan_perl/Documents/perl-5.26.1/toke.c​:5283
  #7 0xe7c7ec in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c​:340
  #8 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c​:2377
  #9 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c​:1692
  #10 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c​:121
  #11 0x7fc3314ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY​: AddressSanitizer​: heap-use-after-free /home/asan_perl/Documents/perl-5.26.1/toke.c​:5143 Perl_yylex
Shadow bytes around the buggy address​:
  0x0c247fff96a0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff96b0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff96c0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff96d0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff96e0​: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fff96f0​: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c247fff9700​: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c247fff9710​: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9720​: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9730​: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9740​: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes)​:
  Addressable​: 00
  Partially addressable​: 01 02 03 04 05 06 07
  Heap left redzone​: fa
  Heap right redzone​: fb
  Freed heap region​: fd
  Stack left redzone​: f1
  Stack mid redzone​: f2
  Stack right redzone​: f3
  Stack partial redzone​: f4
  Stack after return​: f5
  Stack use after scope​: f8
  Global redzone​: f9
  Global init order​: f6
  Poisoned by user​: f7
  Container overflow​: fc
  Array cookie​: ac
  Intra object redzone​: bb
  ASan internal​: fe
==51794==ABORTING

--
Regards,
SRAUMS

@p5pRT

This comment has been minimized.

Copy link
Author

commented Dec 20, 2017

@p5pRT

This comment has been minimized.

Copy link
Author

commented Dec 20, 2017

From sraums2498@gmail.com

=================================================================
==51794==ERROR​: AddressSanitizer​: heap-use-after-free on address 0x61200000b7d9 at pc 0x000000bba16c bp 0x7ffe275d8d10 sp 0x7ffe275d8d00
READ of size 1 at 0x61200000b7d9 thread T0
  #0 0xbba16b in Perl_yylex /home/asan_perl/Documents/perl-5.26.1/toke.c​:5143
  #1 0xe7c7ec in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c​:340
  #2 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c​:2377
  #3 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c​:1692
  #4 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c​:121
  #5 0x7fc3314ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #6 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

0x61200000b7d9 is located 153 bytes inside of 288-byte region [0x61200000b740,0x61200000b860)
freed by thread T0 here​:
  #0 0x7fc33226e961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
  #1 0x1681118 in Perl_safesysrealloc /home/asan_perl/Documents/perl-5.26.1/util.c​:274
  #2 0x1de47d6 in Perl_sv_grow /home/asan_perl/Documents/perl-5.26.1/sv.c​:1598
  #3 0x1f26bb4 in Perl_sv_catpvn_flags /home/asan_perl/Documents/perl-5.26.1/sv.c​:5521
  #4 0xaf2df9 in Perl_lex_next_chunk /home/asan_perl/Documents/perl-5.26.1/toke.c​:1385
  #5 0xafc528 in Perl_lex_read_space /home/asan_perl/Documents/perl-5.26.1/toke.c​:1594
  #6 0xaff1f5 in S_skipspace_flags /home/asan_perl/Documents/perl-5.26.1/toke.c​:1897
  #7 0xd78bba in Perl_yylex /home/asan_perl/Documents/perl-5.26.1/toke.c​:6225
  #8 0xe7c7ec in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c​:340
  #9 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c​:2377
  #10 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c​:1692
  #11 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c​:121
  #12 0x7fc3314ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here​:
  #0 0x7fc33226e961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
  #1 0x1681118 in Perl_safesysrealloc /home/asan_perl/Documents/perl-5.26.1/util.c​:274
  #2 0x1de47d6 in Perl_sv_grow /home/asan_perl/Documents/perl-5.26.1/sv.c​:1598
  #3 0x1fb6f0e in Perl_sv_gets /home/asan_perl/Documents/perl-5.26.1/sv.c​:8761
  #4 0xaf45d5 in S_filter_gets /home/asan_perl/Documents/perl-5.26.1/toke.c​:4583
  #5 0xaf45d5 in Perl_lex_next_chunk /home/asan_perl/Documents/perl-5.26.1/toke.c​:1359
  #6 0xbfaaa9 in Perl_yylex /home/asan_perl/Documents/perl-5.26.1/toke.c​:5283
  #7 0xe7c7ec in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c​:340
  #8 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c​:2377
  #9 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c​:1692
  #10 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c​:121
  #11 0x7fc3314ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY​: AddressSanitizer​: heap-use-after-free /home/asan_perl/Documents/perl-5.26.1/toke.c​:5143 Perl_yylex
Shadow bytes around the buggy address​:
  0x0c247fff96a0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff96b0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff96c0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff96d0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff96e0​: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fff96f0​: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c247fff9700​: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c247fff9710​: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9720​: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9730​: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9740​: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes)​:
  Addressable​: 00
  Partially addressable​: 01 02 03 04 05 06 07
  Heap left redzone​: fa
  Heap right redzone​: fb
  Freed heap region​: fd
  Stack left redzone​: f1
  Stack mid redzone​: f2
  Stack right redzone​: f3
  Stack partial redzone​: f4
  Stack after return​: f5
  Stack use after scope​: f8
  Global redzone​: f9
  Global init order​: f6
  Poisoned by user​: f7
  Container overflow​: fc
  Array cookie​: ac
  Intra object redzone​: bb
  ASan internal​: fe
==51794==ABORTING

--
Regards,
SRAUMS

@p5pRT

This comment has been minimized.

Copy link
Author

commented Dec 20, 2017

@p5pRT

This comment has been minimized.

Copy link
Author

commented Dec 21, 2017

From sraums2498@gmail.com

=================================================================
==10580==ERROR​: AddressSanitizer​: heap-buffer-overflow on address 0x60300000e918 at pc 0x000000eef22c bp 0x7ffd19936320 sp 0x7ffd19936310
READ of size 8 at 0x60300000e918 thread T0
  #0 0xeef22b in Perl_pad_free /home/asan_perl/Documents/perl-5.26.1/pad.c​:1758
  #1 0x4be7f7 in Perl_op_clear /home/asan_perl/Documents/perl-5.26.1/op.c​:1171
  #2 0x4c5553 in Perl_op_free /home/asan_perl/Documents/perl-5.26.1/op.c​:855
  #3 0xe78183 in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c​:546
  #4 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c​:2377
  #5 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c​:1692
  #6 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c​:121
  #7 0x7fadfef2d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #8 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

0x60300000e918 is located 8 bytes to the left of 24-byte region [0x60300000e920,0x60300000e938)
allocated by thread T0 here​:
  #0 0x7fadffcd179a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
  #1 0x168f668 in Perl_safesyscalloc /home/asan_perl/Documents/perl-5.26.1/util.c​:442
  #2 0xf245ea in Perl_pad_new /home/asan_perl/Documents/perl-5.26.1/pad.c​:219
  #3 0x905842 in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c​:2272
  #4 0x905842 in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c​:1692
  #5 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c​:121
  #6 0x7fadfef2d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY​: AddressSanitizer​: heap-buffer-overflow /home/asan_perl/Documents/perl-5.26.1/pad.c​:1758 Perl_pad_free
Shadow bytes around the buggy address​:
  0x0c067fff9cd0​: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff9ce0​: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff9cf0​: 00 00 fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x0c067fff9d00​: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff9d10​: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
=>0x0c067fff9d20​: 00 00 fa[fa]00 00 00 fa fa fa 00 00 00 00 fa fa
  0x0c067fff9d30​: 00 00 00 00 fa fa 00 00 00 05 fa fa 00 00 00 00
  0x0c067fff9d40​: fa fa fd fd fd fd fa fa 00 00 03 fa fa fa 00 00
  0x0c067fff9d50​: 00 02 fa fa 00 00 00 07 fa fa 00 00 03 fa fa fa
  0x0c067fff9d60​: 00 00 00 00 fa fa 00 00 02 fa fa fa 00 00 00 02
  0x0c067fff9d70​: fa fa 00 00 02 fa fa fa 00 00 00 03 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes)​:
  Addressable​: 00
  Partially addressable​: 01 02 03 04 05 06 07
  Heap left redzone​: fa
  Heap right redzone​: fb
  Freed heap region​: fd
  Stack left redzone​: f1
  Stack mid redzone​: f2
  Stack right redzone​: f3
  Stack partial redzone​: f4
  Stack after return​: f5
  Stack use after scope​: f8
  Global redzone​: f9
  Global init order​: f6
  Poisoned by user​: f7
  Container overflow​: fc
  Array cookie​: ac
  Intra object redzone​: bb
  ASan internal​: fe
==10580==ABORTING

--
Regards,
SRAUMS

@p5pRT

This comment has been minimized.

Copy link
Author

commented Dec 21, 2017

@p5pRT

This comment has been minimized.

Copy link
Author

commented Dec 21, 2017

From sraums2498@gmail.com

=================================================================
==46260==ERROR​: AddressSanitizer​: heap-buffer-overflow on address
0x60200000dab8 at pc 0x00000082bf8c bp 0x7fff0b8e1810 sp 0x7fff0b8e1800
READ of size 8 at 0x60200000dab8 thread T0
  #0 0x82bf8b in Perl_newMYSUB
/home/asan_perl/Documents/perl-5.26.1/op.c​:8213
  #1 0xe94717 in Perl_yyparse
/home/asan_perl/Documents/perl-5.26.1/perly.y​:297
  #2 0x90a9bc in S_parse_body
/home/asan_perl/Documents/perl-5.26.1/perl.c​:2377
  #3 0x90a9bc in perl_parse
/home/asan_perl/Documents/perl-5.26.1/perl.c​:1692
  #4 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c​:121
  #5 0x7f686f39882f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #6 0x46c888 in _start
(/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

0x60200000dab8 is located 0 bytes to the right of 8-byte region
[0x60200000dab0,0x60200000dab8)
allocated by thread T0 here​:
  #0 0x7f687013c79a in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
  #1 0x168f668 in Perl_safesyscalloc
/home/asan_perl/Documents/perl-5.26.1/util.c​:442
  #2 0xf24910 in Perl_newPADNAMELIST
/home/asan_perl/Documents/perl-5.26.1/pad.c​:2607
  #3 0xf24910 in Perl_pad_new
/home/asan_perl/Documents/perl-5.26.1/pad.c​:232
  #4 0xb626cd in Perl_start_subparse
/home/asan_perl/Documents/perl-5.26.1/toke.c​:11449
  #5 0xead969 in Perl_yyparse
/home/asan_perl/Documents/perl-5.26.1/perly.y​:598
  #6 0x90a9bc in S_parse_body
/home/asan_perl/Documents/perl-5.26.1/perl.c​:2377
  #7 0x90a9bc in perl_parse
/home/asan_perl/Documents/perl-5.26.1/perl.c​:1692
  #8 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c​:121
  #9 0x7f686f39882f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY​: AddressSanitizer​: heap-buffer-overflow
/home/asan_perl/Documents/perl-5.26.1/op.c​:8213 Perl_newMYSUB
Shadow bytes around the buggy address​:
  0x0c047fff9b00​: fa fa fd fd fa fa 00 00 fa fa 00 02 fa fa 00 00
  0x0c047fff9b10​: fa fa 00 fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9b20​: fa fa 00 00 fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff9b30​: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 02
  0x0c047fff9b40​: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 02
=>0x0c047fff9b50​: fa fa 00 00 fa fa 00[fa]fa fa fd fd fa fa 00 00
  0x0c047fff9b60​: fa fa fd fd fa fa 00 04 fa fa fd fd fa fa 00 05
  0x0c047fff9b70​: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 04
  0x0c047fff9b80​: fa fa 02 fa fa fa 07 fa fa fa 00 03 fa fa 00 02
  0x0c047fff9b90​: fa fa 00 06 fa fa 00 02 fa fa 00 02 fa fa 00 fa
  0x0c047fff9ba0​: fa fa 00 02 fa fa 00 00 fa fa 00 00 fa fa 00 04
Shadow byte legend (one shadow byte represents 8 application bytes)​:
  Addressable​: 00
  Partially addressable​: 01 02 03 04 05 06 07
  Heap left redzone​: fa
  Heap right redzone​: fb
  Freed heap region​: fd
  Stack left redzone​: f1
  Stack mid redzone​: f2
  Stack right redzone​: f3
  Stack partial redzone​: f4
  Stack after return​: f5
  Stack use after scope​: f8
  Global redzone​: f9
  Global init order​: f6
  Poisoned by user​: f7
  Container overflow​: fc
  Array cookie​: ac
  Intra object redzone​: bb
  ASan internal​: fe
==46260==ABORTING

--
Regards,
SRAUMS

@p5pRT

This comment has been minimized.

Copy link
Author

commented Dec 21, 2017

@p5pRT

This comment has been minimized.

Copy link
Author

commented Jan 6, 2018

From @hvds

This appears to be fixed already in blead by the commit below; it should form part of perl-5.28.

The analysis on the original ticket was that it was not a security concern, so I'll mark this as a duplicate of that one.

Hugo

commit 3b8804a
Author​: Tony Cook <tony@​develop-help.com>
Date​: Mon Aug 7 11​:27​:50 2017 +1000

  (perl #131836) avoid a use-after-free after parsing a "sub" keyword
 
  The​:
 
  d = skipspace(d);
 
  can reallocate linestr in the test case, invalidating s. This would
  end up in PL_bufptr from the embedded (PL_bufptr = s) in the TOKEN()
  macro.
 
  Assigning s to PL_bufptr and restoring s from PL_bufptr allows
  lex_next_chunk() to adjust the pointer to the reallocated buffer.

@p5pRT

This comment has been minimized.

Copy link
Author

commented Jan 6, 2018

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

This comment has been minimized.

Copy link
Author

commented Jan 7, 2018

From @hvds

This is also a duplicate of rt131836, fixed in blead; I'll merge it.

Hugo

@p5pRT

This comment has been minimized.

Copy link
Author

commented Jan 7, 2018

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

This comment has been minimized.

Copy link
Author

commented Jan 8, 2018

From @hvds

This is also fixed by 3b8804a, same as rt132614, though it's a different stack trace. I'll merge it to rt131836 likewise.

Hugo

@p5pRT

This comment has been minimized.

Copy link
Author

commented Jan 8, 2018

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

This comment has been minimized.

Copy link
Author

commented Jan 9, 2018

From @hvds

This was also fixed by 3b8804a, I'll merge it.

Hugo

@p5pRT

This comment has been minimized.

Copy link
Author

commented Jan 9, 2018

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

This comment has been minimized.

Copy link
Author

commented Jun 23, 2018

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been
resolved.

Perl 5.28.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.

@p5pRT p5pRT closed this Jun 23, 2018
@p5pRT

This comment has been minimized.

Copy link
Author

commented Jun 23, 2018

@khwilliamson - Status changed from 'pending release' to 'resolved'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.