heap-buffer-overflow in token.c:S_scan_formline() #16125

Closed
p5pRT opened this issue Aug 24, 2017 · 11 comments
Comments


p5pRT commented Aug 24, 2017

Migrated from rt.perl.org#131955 (status was 'resolved')

Searchable as RT131955$


p5pRT commented Aug 24, 2017

From imdb95@gmail.com

Hello,
I found this bug when fuzzing perl5 with afl-fuzz.

**********Build Date & Hardware**********
Version: the dev version (https://perl5.git.perl.org/perl.git)
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ ./perl/perl -v

This is perl 5, version 27, subversion 4 (v5.27.4 (v5.27.3-14-gd2dccc0)) built for x86_64-linux

Copyright 1987-2017, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

OS: Ubuntu 16.04 Desktop
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ uname -a
Linux manh-VirtualBox 4.4.0-92-generic #115-Ubuntu SMP Thu Aug 10 09:04:33 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Compilation:
AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0\ -g && AFL_USE_ASAN=1 make

**********Reproduce**********
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ ./perl/perl crash_heap_S_scan_formline
String found where operator expected at crash_heap_S_scan_formline line 476, near "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"sidekick function called""

==24365==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000007108 at pc 0x00000044f1d5 bp 0x7fffffffc790 sp 0x7fffffffbf40
READ of size 30774 at 0x625000007108 thread T0
  #0 0x44f1d4 in __interceptor_memchr /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:3
  #1 0x650340 in S_scan_formline /home/manh/Fuzzing/afl/perl/perl/toke.c:11374:17
  #2 0x650340 in Perl_yylex /home/manh/Fuzzing/afl/perl/perl/toke.c:5068
  #3 0x6ed7c1 in Perl_yyparse /home/manh/Fuzzing/afl/perl/perl/perly.c:340:34
  #4 0x5da9e9 in S_parse_body /home/manh/Fuzzing/afl/perl/perl/perl.c:2414:9
  #5 0x5d0f38 in perl_parse /home/manh/Fuzzing/afl/perl/perl/perl.c:1732:2
  #6 0x5093cc in main /home/manh/Fuzzing/afl/perl/perl/perlmain.c:121:18
  #7 0x7ffff6caf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #8 0x435928 in _start (/home/manh/Fuzzing/afl/perl/perl/perl+0x435928)

0x625000007108 is located 0 bytes to the right of 8200-byte region [0x625000005100,0x625000007108)
allocated by thread T0 here:
  #0 0x4dc9de in realloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79:3
  #1 0x83f1b6 in Perl_safesysrealloc /home/manh/Fuzzing/afl/perl/perl/util.c:274:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:3 in __interceptor_memchr
Shadow bytes around the buggy address:
  0x0c4a7fff8dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8e20: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==24365==ABORTING

**********Analysis**********
The heap-buffer-overflow occurs when memchr reads over the end of string s:
  eol = (char *) memchr(s,'\n',PL_bufend-s);
The memchr call that triggers the bug has s = 0x625000005158, (PL_bufend-s) = 0xffffffffffffffb2

(gdb) b /home/manh/Fuzzing/afl/perl/perl/toke.c:11374
Breakpoint 9 at 0x65030a: file toke.c, line 11374.
(gdb) ignore 9 346
Will ignore next 346 crossings of breakpoint 9.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/manh/Fuzzing/afl/perl/perl/perl id:000034*
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
String found where operator expected at id:000034,sig:06,src:000048+001627,op:splice,rep:2 line 476, near "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"sidekick function called""

Breakpoint 9, S_scan_formline (s=<optimized out>) at toke.c:11374
11374 eol = (char *) memchr(s,'\n',PL_bufend-s);
(gdb) b *memchr
Breakpoint 10 at 0x44ee80: file /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc, line 723.
(gdb) c
Continuing.

Breakpoint 10, __interceptor_memchr ()
  at /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:723
723 /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc: No such file or directory.
(gdb) printf "arg0: %p, arg1: %p, arg2: %p\n", $rdi, $rsi, $rdx
arg0: 0x625000005158, arg1: 0xa, arg2: 0xffffffffffffffb2

**********Additional Information**********
My default perl also crashes with the crafted file:
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ perl -v

This is perl 5, version 22, subversion 1 (v5.22.1) built for x86_64-linux-gnu-thread-multi
(with 58 registered patches, see perl -V for more detail)

Copyright 1987-2015, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

manh@manh-VirtualBox:~/Fuzzing/afl/perl$ perl crash_heap_S_scan_formline
String found where operator expected at crash_heap_S_scan_formline line 476, near "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"sidekick function called""
Attempt to free unreferenced scalar: SV 0x835678, Perl interpreter: 0x7d2010 at crash_heap_S_scan_formline line 497.
Attempt to free unreferenced scalar: SV 0x835678, Perl interpreter: 0x7d2010 at crash_heap_S_scan_formline line 497.
Segmentation fault (core dumped)

Best,
Manh


p5pRT commented Aug 27, 2017

From imdb95@gmail.com

Greetings,
Have you taken a look at fixing this bug please?

On Thu, Aug 24, 2017 at 12:16 PM, <perl5-security-report@perl.org> wrote:

Greetings,

This message has been automatically generated in response to the
creation of a perl security report regarding:
"heap-buffer-overflow in token.c:S_scan_formline()".

There is no need to reply to this message right now. Your ticket has been
assigned an ID of [perl #131955].

Please include the string:

[perl #131955]

in the subject line of all future correspondence about this issue. To do so,
you may reply to this message (please delete unnecessary quotes and text.)

Thank you,
perl5-security-report@perl.org



p5pRT commented Aug 28, 2017

From @tonycoz

On Sun, 27 Aug 2017 01:10:04 -0700, imdb95@gmail.com wrote:

Greetings,
Have you taken a look at fixing this bug please?

I expect to take a close look at it tomorrow (or maybe later today).

Just from the backtrace it doesn't appear to be a security issue, but I won't be sure of that until I take that close look.

Tony


p5pRT commented Aug 28, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Aug 29, 2017

From @tonycoz

On Sun, 27 Aug 2017 17:10:40 -0700, tonyc wrote:

On Sun, 27 Aug 2017 01:10:04 -0700, imdb95@gmail.com wrote:

Greetings,
Have you taken a look at fixing this bug please?

I expect to take a close look at it tomorrow (or maybe later today).

Just from the backtrace it doesn't appear to be a security issue, but
I won't be sure of that until I take that close look.

This requires feeding code to the parser and isn't a security issue.

scan_formline() is being entered with PL_bufptr == PL_bufend+1 and things go downhill from there.

I haven't tracked down exactly why that's happening though.

Tony
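The failure described in the reporter's analysis and in Tony's note above comes down to one pointer subtraction: once scan_formline() is entered with s past PL_bufend, PL_bufend - s is negative and, converted to memchr's size_t length, wraps to a huge value (the 0xffffffffffffffb2 seen in gdb). The program below is an added example, not Perl's toke.c; it models the lexer's input window with a constructed buffer and hypothetical names (scan_len_as_passed, find_eol_checked, count_lines_checked) to show the wrap and the bounds check that keeps memchr inside the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the lexer's input window [buf, bufend):
 * a small format block of the kind S_scan_formline consumes. */
static char sample_buf[] = "format STDOUT =\n@<<<<\n$x\n.\n";

/* The length the unchecked call hands to memchr: (size_t)(PL_bufend - s).
 * If s has advanced past bufend the difference is negative and wraps to a
 * huge size_t; this is the same mechanism as the report's 0xffffffffffffffb2.
 * The value is only computed here, never passed to memchr. */
static size_t scan_len_as_passed(const char *s, const char *bufend)
{
    return (size_t)(bufend - s);
}

/* Hardened lookup: enforce the invariant s < bufend before scanning, so a
 * caller that enters with s == bufend + 1 gets NULL instead of an over-read. */
static const char *find_eol_checked(const char *s, const char *bufend)
{
    if (s == NULL || bufend == NULL || s >= bufend)
        return NULL;
    return memchr(s, '\n', (size_t)(bufend - s));
}

/* Walk the window line by line with the checked lookup; returns the number
 * of newline-terminated lines, and 0 for an empty or inverted window. */
static int count_lines_checked(const char *s, const char *bufend)
{
    int lines = 0;
    const char *eol;
    while ((eol = find_eol_checked(s, bufend)) != NULL) {
        lines++;
        s = eol + 1;
    }
    return lines;
}

int main(void)
{
    const char *bufend = sample_buf + strlen(sample_buf);
    const char *past = bufend + 1;   /* one past the end, like PL_bufend+1 */

    printf("lines in window: %d\n", count_lines_checked(sample_buf, bufend));
    printf("length memchr would get for s=bufend+1: 0x%zx\n",
           scan_len_as_passed(past, bufend));
    printf("checked lookup at s=bufend+1 returns %s\n",
           find_eol_checked(past, bufend) == NULL ? "NULL" : "a pointer");
    return 0;
}
```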


p5pRT commented Jan 21, 2019

From @tonycoz

On Mon, 28 Aug 2017 18:42:02 -0700, tonyc wrote:

On Sun, 27 Aug 2017 17:10:40 -0700, tonyc wrote:

On Sun, 27 Aug 2017 01:10:04 -0700, imdb95@gmail.com wrote:

Greetings,
Have you taken a look at fixing this bug please?

I expect to take a close look at it tomorrow (or maybe later today).

Just from the backtrace it doesn't appear to be a security issue, but
I won't be sure of that until I take that close look.

This requires feeding code to the parser and isn't a security issue.

scan_formline() is being entered with PL_bufptr == PL_bufend+1 and
things go downhill from there.

I haven't tracked down exactly why that's happening though.

This looks like it was fixed by 8174801.

Tony


p5pRT commented Jan 23, 2019

From @tonycoz

On Sun, 20 Jan 2019 19:31:32 -0800, tonyc wrote:

On Mon, 28 Aug 2017 18:42:02 -0700, tonyc wrote:

On Sun, 27 Aug 2017 17:10:40 -0700, tonyc wrote:

On Sun, 27 Aug 2017 01:10:04 -0700, imdb95@gmail.com wrote:

Greetings,
Have you taken a look at fixing this bug please?

I expect to take a close look at it tomorrow (or maybe later today).

Just from the backtrace it doesn't appear to be a security issue, but
I won't be sure of that until I take that close look.

This requires feeding code to the parser and isn't a security issue.

scan_formline() is being entered with PL_bufptr == PL_bufend+1 and
things go downhill from there.

I haven't tracked down exactly why that's happening though.

This looks like it was fixed by 8174801.

So closing.

Tony


p5pRT commented Jan 23, 2019

@tonycoz - Status changed from 'open' to 'pending release'


p5pRT commented May 22, 2019

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.30.0, this and 160 other issues have been resolved.

Perl 5.30.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.30.0

If you find that the problem persists, feel free to reopen this ticket.


p5pRT commented May 22, 2019

@khwilliamson - Status changed from 'pending release' to 'resolved'

@p5pRT p5pRT closed this as completed May 22, 2019