AddressSanitizer: heap-buffer-overflow in S_do_op_dump_bar #15885

Closed
p5pRT opened this issue Feb 22, 2017 · 8 comments

p5pRT commented Feb 22, 2017

Migrated from rt.perl.org#130836 (status was 'resolved')

Searchable as RT130836$


p5pRT commented Feb 22, 2017

From mtowalski@pentest.net.pl

Hello,

I've attached the poc and the asan log.
Tested on git version of perl.

Information about configuration:

Distributor ID: Ubuntu
Description: Ubuntu 16.10
Release: 16.10
Codename: yakkety
Arch: x86_64

Best Regards,
Marcin T.


p5pRT commented Feb 22, 2017

From mtowalski@pentest.net.pl

=================================================================
==7369==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000fa00 at pc 0x000000451b33 bp 0x7ffc2e604ab0 sp 0x7ffc2e604260
READ of size 517 at 0x61500000fa00 thread T0
  #0 0x451b32 in __interceptor_strlen.part.45 (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x451b32)
  #1 0x842e56 in S_do_op_dump_bar /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:1239:13
  #2 0x843f8c in S_do_op_dump_bar /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:1254:6
  #3 0x843f8c in S_do_op_dump_bar /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:1254:6
  #4 0x843f8c in S_do_op_dump_bar /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:1254:6
  #5 0x83c19f in Perl_do_op_dump /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:1264:5
  #6 0x83c19f in Perl_op_dump /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:1280
  #7 0x83c19f in Perl_dump_all_perl /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:627
  #8 0x5e9891 in S_run_body /home/mtowalski/Fuzzing/Programs/perl-git/perl.c:2490:6
  #9 0x5e9891 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c:2447
  #10 0x503205 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9
  #11 0x7febd40853f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
  #12 0x433a89 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x433a89)

0x61500000fa00 is located 0 bytes to the right of 512-byte region [0x61500000f800,0x61500000fa00)
allocated by thread T0 here:
  #0 0x4d2210 in calloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4d2210)
  #1 0x52df8b in S_pmtrans /home/mtowalski/Fuzzing/Programs/perl-git/op.c:5527:19
  #2 0x52df8b in Perl_pmruntime /home/mtowalski/Fuzzing/Programs/perl-git/op.c:5740
  #3 0x700f36 in Perl_yyparse /home/mtowalski/Fuzzing/Programs/perl-git/perly.y:1204:23
  #4 0x5e61fd in S_parse_body /home/mtowalski/Fuzzing/Programs/perl-git/perl.c:2377:9
  #5 0x5ddbae in perl_parse /home/mtowalski/Fuzzing/Programs/perl-git/perl.c:1692:2
  #6 0x5031d1 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:121:18
  #7 0x7febd40853f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x451b32) in __interceptor_strlen.part.45
Shadow bytes around the buggy address:
==7369==ABORTING


p5pRT commented Feb 22, 2017

From @hvds

Just updating subject to function name from stack trace.


p5pRT commented Feb 23, 2017

From @tonycoz

On Wed, 22 Feb 2017 06:55:56 -0800, mtowalski@pentest.net.pl wrote:

> Hello,
>
> I've attached the poc and the asan log.
> Tested on git version of perl.
>
> Information about configuration:
>
> Distributor ID: Ubuntu
> Description: Ubuntu 16.10
> Release: 16.10
> Codename: yakkety
> Arch: x86_64

Simplifies to​:

./perl -Dx -e 'y;;;'

The new code in​:

commit abd07ec
Author: David Mitchell <davem@iabyn.com>
Date: Tue Jan 24 14:43:05 2017 +0000

  handle op_pv better in op_clear() and op_dump()
 
  In op_clear(), the ops with labels stored in the op_pv field (OP_NEXT etc)
  fall-through to the OP_TRANS/OP_TRANSR code, which determines whether to
  free op_pv based on the OPpTRANS_FROM_UTF|OPpTRANS_TO_UTF flags, which are
  only valid for OP_TRANS/OP_TRANSR. At the moment the fall-through fields
  don't use either of those private bits, but in case this changes in
  future, only check those flag bits for trans ops.
 
  At the same time, enhance op_dump() to display the OP_PV field of such
  ops.
 
  Also, fix a leak I introduced in the recently-added S_gv_display()
  function.

added the dump of the PV, which I think is incorrect, since it's just a bitmap, which may be non-NUL until the end of the memory block.

To get any control over this an attacker would need to feed custom code, and the -Dx switch to the interpreter, so this isn't a security issue, so
I've moved it to the public queue.

Tony
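As an added, constructed illustration of the defect Tony describes (not perl's code and not from this thread): op_pv is a NUL-terminated label for some ops but an opaque 512-byte translation table for OP_TRANS, so a dumper that calls strlen() on it unconditionally can read straight off the end of the calloc'd block, which is exactly the strlen() frame ASan reported; the hardened version decides how to print by op type, never by scanning the bytes. Struct and function names are hypothetical, and filling the table with -1 entries is an assumed model of the `y;;;` case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (hypothetical names, not perl's real structs) of the
 * two things op_pv can point at: a NUL-terminated label for ops like
 * OP_NEXT, or a 256-entry short table for OP_TRANS.  The table is a
 * binary blob: nothing guarantees a zero byte anywhere inside it. */
enum op_kind { KIND_LABEL, KIND_TRANS };
#define TRANS_TABLE_BYTES (256 * sizeof(short))  /* the 512-byte region in the report */

struct op {
    enum op_kind kind;
    char *pv;
};

/* Returns 1 if a NUL exists within the first len bytes of pv, i.e. strlen()
 * would stay inside the allocation.  memchr() itself never reads past len. */
int pv_has_terminator(const char *pv, size_t len) {
    return memchr(pv, '\0', len) != NULL;
}

/* Buggy pattern from the report: every op_pv is treated as a C string.
 * On a table with no zero byte strlen() keeps reading past the block end. */
size_t dump_pv_unsafe(const struct op *o) {
    return strlen(o->pv);  /* heap-buffer-overflow for KIND_TRANS */
}

/* Hardened dump: choose the representation by op type.  Writes a
 * description into buf and returns the number of payload bytes it treats
 * as valid (string length for labels, fixed table size for trans ops). */
size_t dump_pv_safe(const struct op *o, char *buf, size_t bufsz) {
    if (o->kind == KIND_LABEL) {
        snprintf(buf, bufsz, "PV = \"%s\"", o->pv);
        return strlen(o->pv);
    }
    snprintf(buf, bufsz, "PV = <%zu-byte trans table>", (size_t)TRANS_TABLE_BYTES);
    return TRANS_TABLE_BYTES;
}

/* Builds a trans op for the `y;;;` case, modelled (assumption) as a table in
 * which every entry is -1 (no mapping): all bytes 0xFF, so no terminator.
 * The caller owns the returned pv and must free() it. */
struct op make_trans_op(void) {
    short *tbl = calloc(256, sizeof(short));
    for (int i = 0; i < 256; i++) tbl[i] = -1;
    struct op o = { KIND_TRANS, (char *)tbl };
    return o;
}
```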


p5pRT commented Feb 23, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Feb 27, 2017

From @iabyn

On Wed, Feb 22, 2017 at 04:02:31PM -0800, Tony Cook via RT wrote:

> Simplifies to:
>
> ./perl -Dx -e 'y;;;'
>
> The new code in:
>
> commit abd07ec
> Author: David Mitchell <davem@iabyn.com>
> Date: Tue Jan 24 14:43:05 2017 +0000
>
>   handle op_pv better in op_clear() and op_dump()
>
>   In op_clear(), the ops with labels stored in the op_pv field (OP_NEXT etc)
>   fall-through to the OP_TRANS/OP_TRANSR code, which determines whether to
>   free op_pv based on the OPpTRANS_FROM_UTF|OPpTRANS_TO_UTF flags, which are
>   only valid for OP_TRANS/OP_TRANSR. At the moment the fall-through fields
>   don't use either of those private bits, but in case this changes in
>   future, only check those flag bits for trans ops.
>
>   At the same time, enhance op_dump() to display the OP_PV field of such
>   ops.
>
>   Also, fix a leak I introduced in the recently-added S_gv_display()
>   function.
>
> added the dump of the PV, which I think is incorrect, since it's just a bitmap, which may be non-NUL until the end of the memory block.
>
> To get any control over this an attacker would need to feed custom code,
> and the -Dx switch to the interpreter, so this isn't a security issue,
> so I've moved it to the public queue.

Now fixed with v5.25.10-44-gf49e846.

--
If life gives you lemons, you'll probably develop a citric acid allergy.

@p5pRT p5pRT closed this as completed Feb 27, 2017

p5pRT commented Feb 27, 2017

@iabyn - Status changed from 'open' to 'resolved'
