
Fwd: [rt.cpan.org #124717] Heap buffer over read in hv.c:642 #16456

Open
p5pRT opened this issue Mar 8, 2018 · 6 comments

@p5pRT

p5pRT commented Mar 8, 2018

Migrated from rt.perl.org#132952 (status was 'open')

Searchable as RT132952$

@p5pRT

p5pRT commented Mar 8, 2018

From bug-Perl-Core@rt.cpan.org

This is forward of transaction #1775378 of a ticket #124717

@p5pRT

p5pRT commented Mar 8, 2018

From bug-Perl-Core@rt.cpan.org

Message RFC822:
X-RT-Original-Encoding: utf-8
Content-Type: text/plain; charset="utf-8"
Subject: Heap buffer over read in hv.c:642
Content-Length: 6744
From: hackyzh002@gmail.com
X-RT-Sign: 0
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-RT-Encrypt: 0
X-RT-Interface: Web
Message-ID: rt-4.0.18-16827-1520474151-1381.0-0-0@rt.cpan.org
Content-Disposition: inline
X-Mailer: MIME-tools 5.504 (Entity 5.504)

hackyzh@hackyzh-virtual-machine:~/Desktop$ ./perl-5.27.9/perl 123

==117879==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000da30 at pc 0x0000008efe02 bp 0x7ffe2421cfd0 sp 0x7ffe2421cfc0
READ of size 8 at 0x60400000da30 thread T0
#0 0x8efe01 in Perl_hv_common /home/hackyzh/Desktop/perl-5.27.9/hv.c:642
#1 0x8f065f in Perl_hv_common_key_len /home/hackyzh/Desktop/perl-5.27.9/hv.c:337
#2 0x59faf4 in Perl_gv_override /home/hackyzh/Desktop/perl-5.27.9/gv.c:3713
#3 0x4c3dda in Perl_ck_require /home/hackyzh/Desktop/perl-5.27.9/op.c:12471
#4 0x48b07a in Perl_newUNOP /home/hackyzh/Desktop/perl-5.27.9/op.c:6134
#5 0x6aeb0d in Perl_yyparse /home/hackyzh/Desktop/perl-5.27.9/perly.y:1154
#6 0xaffbf1 in S_doeval_compile /home/hackyzh/Desktop/perl-5.27.9/pp_ctl.c:3492
#7 0xb695f5 in Perl_pp_entereval /home/hackyzh/Desktop/perl-5.27.9/pp_ctl.c:4468
#8 0x52b73d in Perl_eval_sv /home/hackyzh/Desktop/perl-5.27.9/perl.c:3196
#9 0x52cf47 in Perl_require_pv /home/hackyzh/Desktop/perl-5.27.9/perl.c:3303
#10 0x58393d in Perl_gv_fetchmethod_pvn_flags /home/hackyzh/Desktop/perl-5.27.9/gv.c:1114
#11 0x585823 in Perl_gv_fetchmethod_sv_flags /home/hackyzh/Desktop/perl-5.27.9/gv.c:1007
#12 0x983f58 in Perl_pp_method_named /home/hackyzh/Desktop/perl-5.27.9/pp_hot.c:5533
#13 0x92c74a in Perl_runops_standard /home/hackyzh/Desktop/perl-5.27.9/run.c:41
#14 0x555b39 in S_run_body /home/hackyzh/Desktop/perl-5.27.9/perl.c:2750
#15 0x555b39 in perl_run /home/hackyzh/Desktop/perl-5.27.9/perl.c:2671
#16 0x42b6e5 in main /home/hackyzh/Desktop/perl-5.27.9/perlmain.c:122
#17 0x7fe38e35282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#18 0x42c6c8 in _start (/home/hackyzh/Desktop/perl-5.27.9/perl+0x42c6c8)

0x60400000da36 is located 0 bytes to the right of 38-byte region [0x60400000da10,0x60400000da36)
allocated by thread T0 here:
#0 0x7fe38f0f6602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x8372dc in Perl_safesysmalloc /home/hackyzh/Desktop/perl-5.27.9/util.c:153

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hackyzh/Desktop/perl-5.27.9/hv.c:642 Perl_hv_common
Shadow bytes around the buggy address:
0x0c087fff9af0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 07 fa
0x0c087fff9b00: fa fa 00 00 00 00 00 02 fa fa 00 00 00 00 07 fa
0x0c087fff9b10: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fff9b20: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fff9b30: fa fa 00 00 00 00 00 06 fa fa fd fd fd fd fd fd
=>0x0c087fff9b40: fa fa 00 00 00 00[06]fa fa fa fd fd fd fd fd fa
0x0c087fff9b50: fa fa 00 00 00 00 04 fa fa fa fd fd fd fd fd fa
0x0c087fff9b60: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 03 fa
0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 03 fa
0x0c087fff9b80: fa fa 00 00 00 00 03 fa fa fa 00 00 00 00 00 00
0x0c087fff9b90: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 03 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==117879==ABORTING

hackyzh@hackyzh-virtual-machine:~/Desktop$ cat 123
ET. @A.\b#d"�.�*^o ;

for atoNSOCKE,ET, tktoNSCKT,E, tktoNSCKP,ET,Y$=^=^V=$=:=^==^=^V=$=:=^=^V=$=^=^V=$=^=^=^V=$=:=^==^=^V=$=:=^=^V=$=^=%^V=$=^=^V=$z=:=^=^V=$=^=*^V=$^A#=$mm�@^\��������������������o�j|�\\�@^\..������������F*^V=^=^=^V=$z=:=^=^V=$=^=*^V=$^A#=$mm�@^\��������������������o�j|�\\�@^\..������������F*^V=$z=��������������������������������������������������������������������������������������������������������������������������������������������������������������������
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������:=
^=^V=$=^H.���������������\h?\Q|^
\dZ.�.���;l��

I have tested on Ubuntu 16.04 x64.

@p5pRT

p5pRT commented Mar 9, 2018

From @iabyn

On Thu, Mar 08, 2018 at 12:27:19AM -0800, via RT wrote:

=================================================================
==117879==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000da30 at pc 0x0000008efe02 bp 0x7ffe2421cfd0 sp 0x7ffe2421cfc0
READ of size 8 at 0x60400000da30 thread T0
#0 0x8efe01 in Perl_hv_common /home/hackyzh/Desktop/perl-5.27.9/hv.c:642
[snip]
0x60400000da36 is located 0 bytes to the right of 38-byte region [0x60400000da10,0x60400000da36)

This can be reduced to

  %:: = ();
  *STDOUT->foo;

The whole main stash is emptied, then using an IO glob as an object in a
method call lookup triggers requiring IO::File, which (on debugging
builds) dies with this assertion:

perl: hv.c:360: Perl_hv_common: Assertion `((svtype)((hv)->sv_flags & 0xff)) == SVt_PVHV' failed.

This is because something expected to be a hash has been freed and then
reused as a different type of scalar.

Although in an ideal world we'd like perl not to crash when the main stash
is emptied, it's not a terribly high priority, and it's definitely not a
security issue.

--
"Procrastination grows to fill the available time"
  -- Mitchell's corollary to Parkinson's Law
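
The two-line reduction above is easy to check against more than one build. The script below is an added triage harness, not code from the report or from the perl core: it runs the reduction under a chosen perl binary in a forked child and classifies how the child ended, so the same input can be tried against a release build, a -DDEBUGGING build (expected to stop on the hv.c assertion) and an ASAN build (expected to print its report to stderr and exit nonzero). The interpreter path is an assumption; it defaults to whichever perl runs the script.

```perl
#!/usr/bin/perl
# Added triage harness (not part of the original report): run the
# "%:: = (); *STDOUT->foo;" reduction under a given perl binary in a
# child process and report how the child ended. The binary path is an
# assumption supplied by the caller.
use strict;
use warnings;
use POSIX qw(WIFEXITED WEXITSTATUS WIFSIGNALED WTERMSIG);

# The reduction from the thread: empty the main stash, then call a method
# on an IO glob so that method resolution tries to require IO::File.
my $reproducer = q{%:: = (); *STDOUT->foo;};

# Run $reproducer under $perl and describe the child's fate as a string.
sub run_reproducer {
    my ($perl) = @_;    # e.g. './perl-5.27.9/perl' (assumed path)

    my $pid = fork();
    die "fork failed: $!" unless defined $pid;

    if ($pid == 0) {
        # Child: stderr is left attached so an ASAN report or an
        # assertion message from a debugging build stays visible.
        exec($perl, '-e', $reproducer) or die "exec $perl failed: $!";
    }

    waitpid($pid, 0);
    my $status = $?;

    if (WIFSIGNALED($status)) {
        # SIGSEGV (11) on a release build, SIGABRT (6) from assert()
        # on a -DDEBUGGING build.
        return sprintf 'killed by signal %d', WTERMSIG($status);
    }
    if (WIFEXITED($status)) {
        # ASAN exits nonzero after printing its report; a non-instrumented
        # build may survive a stale read and exit 0 even though the bug
        # is present.
        return sprintf 'exited with status %d', WEXITSTATUS($status);
    }
    return sprintf 'unknown wait status %d', $status;
}

my $perl = shift @ARGV // $^X;    # default: the perl running this script
print "$perl: ", run_reproducer($perl), "\n";
```

A clean "exited with status 0" from a plain release build does not mean the build is unaffected: the over-read hits memory that has been freed and reused as another SV, which often does not fault without instrumentation. Only the ASAN or -DDEBUGGING result is diagnostic.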

@p5pRT

p5pRT commented Mar 9, 2018

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Mar 12, 2018

From @tonycoz

On Fri, 09 Mar 2018 07:00:49 -0800, davem wrote:

On Thu, Mar 08, 2018 at 12:27:19AM -0800, via RT wrote:

=================================================================
==117879==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000da30 at pc 0x0000008efe02 bp 0x7ffe2421cfd0 sp 0x7ffe2421cfc0
READ of size 8 at 0x60400000da30 thread T0
#0 0x8efe01 in Perl_hv_common /home/hackyzh/Desktop/perl-5.27.9/hv.c:642
[snip]
0x60400000da36 is located 0 bytes to the right of 38-byte region [0x60400000da10,0x60400000da36)

This can be reduced to

%:: = ();
*STDOUT->foo;

The whole main stash is emptied, then using an IO glob as an object in a method call lookup triggers requiring IO::File, which (on debugging builds) dies with this assertion:

perl: hv.c:360: Perl_hv_common: Assertion `((svtype)((hv)->sv_flags & 0xff)) == SVt_PVHV' failed.

This is because something expected to be a hash has been freed and then reused as a different type of scalar.

Although in an ideal world we'd like perl not to crash when the main stash is emptied, it's not a terribly high priority, and it's definitely not a security issue.

Now in the public queue.

Tony
