heap-buffer-overflow in Perl_do_trans #16318
Comments
From gy741.kim@gmail.com

Hello, I found a heap-buffer-overflow bug in perl. Please confirm. Thanks.

Version: This is perl 5, version 27, subversion 7 (v5.27.7)

```
==5177==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300001b9d6
is located 5136 bytes to the right of 105926-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow
```
From @hvds

Using a simplified test case and building without asan for debuggability, we can see that tbl[0x100] ends up as a negative signed short, which we then copy into STRLEN rlen:

```
% gdb -q -ex "break doop.c:219" -ex run --args ./miniperl -e \
```

The (comp - 0x100 < rlen) check at that statement is then used to see if it can read into tbl[], and decides it can do so even for a high codepoint such as 0xd8ea.

This particular problem can be avoided with a cast, but it feels like rather more than that would need to change to cover the full range of possibilities:

```c
if (PL_op->op_private & OPpTRANS_SQUASH) {
```

At first glance, I don't think there are significant security concerns here.

Hugo
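The signedness problem Hugo describes, as an added stand-alone example (this is not Perl's doop.c and not code from anyone in this thread): a `short` table slot that records the replacement-list length wraps negative once the list is longer than SHRT_MAX, the negative value is widened into an unsigned STRLEN, and the `comp - 0x100 < rlen` style check then admits a code point such as 0xd8ea that it should reject. The table layout, the slot name, the 40000-entry replacement list and the `fixed_in_range` variant are all assumptions made for illustration; only the shape of the check and the types involved come from the report above.

```c
#include <assert.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not Perl's own code. Model of the tr///c translation
 * table as the report describes it: an array of `short` where slot
 * 0x100 holds the length of the replacement list. The layout is a
 * simplification made for this example. */
#define TBL_SLOTS (0x100 + 1)   /* 256 byte slots plus the length slot */
typedef size_t STRLEN;          /* Perl's STRLEN is an unsigned type */

/* Store a replacement-list length the way a `short` slot would.
 * Values above SHRT_MAX do not fit; on every mainstream ABI the
 * conversion wraps modulo 2^16 and comes back out negative
 * (the C standard leaves out-of-range signed conversion
 * implementation-defined, so check your compiler's documentation). */
static short store_rlen(size_t replacement_len)
{
    return (short)replacement_len;
}

/* The check as the thread describes it. Copying a negative short into
 * an unsigned STRLEN yields a huge value, so `comp - 0x100 < rlen` is
 * true for practically any code point and a high code point is allowed
 * to index past the end of tbl[]. */
static int buggy_in_range(unsigned long comp, short tbl_len_slot)
{
    STRLEN rlen = tbl_len_slot;        /* -25536 becomes SIZE_MAX - 25535 */
    return comp - 0x100 < rlen;
}

/* One way to close the hole (an assumption, not the fix Perl shipped):
 * refuse a negative length slot outright, refuse code points below
 * 0x100 so the subtraction cannot wrap, and only then compare in the
 * unsigned domain with a value known to be non-negative. */
static int fixed_in_range(unsigned long comp, short tbl_len_slot)
{
    if (tbl_len_slot < 0 || comp < 0x100)
        return 0;
    return comp - 0x100 < (unsigned long)tbl_len_slot;
}

int main(void)
{
    /* Constructed input: a replacement list of 40000 entries, far more
     * than a short can hold, and the high code point from the report. */
    short slot = store_rlen(40000);
    unsigned long comp = 0xd8ea;

    printf("length slot after truncation to short: %d\n", slot);
    printf("buggy check admits U+%04lX: %d\n", comp, buggy_in_range(comp, slot));
    printf("fixed check admits U+%04lX: %d\n", comp, fixed_in_range(comp, slot));
    printf("table has %d slots, so any admitted index beyond that is an overread\n",
           TBL_SLOTS);
    return 0;
}
```

The point to take from it is that the cast Hugo mentions only helps if the comparison is done on a value that is already known to be non-negative; widening a signed value into STRLEN before the check is exactly what lets the negative length pass.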
The RT System itself - Status changed from 'new' to 'open'
From @khwilliamson

On 01/06/2018 08:44 AM, Hugo van der Sanden via RT wrote:

FWIW, I have work in progress to rewrite this code. The motivation is
From @khwilliamson

On 01/06/2018 04:45 PM, Karl Williamson wrote:

Though this work is unlikely to get into 5.28
From @iabyn

On Sat, Jan 06, 2018 at 04:45:28PM -0700, Karl Williamson wrote:

I've been independently working on this ticket. The bug is in the non-swash part of the code, and I know how to fix it. My branch also adds a bunch of commentary to S_pmtrans(), and adds comments

Is this work likely to interfere with yours?

--
From @khwilliamson

On 01/08/2018 02:47 AM, Dave Mitchell wrote:

Probably, but go ahead. I mothballed my work about a year ago when it became clear it would not
From gy741.kim@gmail.com

Hello, Happy New Year.

Do you see this as a security bug? I can not find this issue in the public queue. Thanks.

2018-01-09 5:46 GMT+09:00 karl williamson via RT <
From @iabyn

On Tue, Jan 09, 2018 at 08:03:28PM +0900, GwanYeong Kim wrote:

I think we have mostly decided that it isn't. It only occurs on

Under those circumstances, those codepoints will be replaced with chars

But since tr/// doesn't accept interpolated values (i.e. tr/.../$s/

It will be moved to the public queue once fixed.

--
From @hvds

On Wed, 10 Jan 2018 01:36:37 -0800, davem wrote:

I've seen people work around the non-interpolation by instead constructing an eval - I've probably done this myself - so it doesn't have to be a literal whacky tr///, it could be a buggy attempt to construct one. My inclination is that your conclusion is still sound though.

Hugo
From @tonycoz

On Wed, 10 Jan 2018 01:36:37 -0800, davem wrote:

Why wait? We've typically moved non-security bugs from this queue immediately.

Tony
From @iabyn

On Sun, Jan 14, 2018 at 08:13:43PM -0800, Tony Cook via RT wrote:

Because actually fixing the bug, rather than just a provisional diagnosis,

--
From @iabyn

On Wed, Jan 17, 2018 at 09:35:57AM +0000, Dave Mitchell wrote:

I've now moved this ticket to the public queue.

The bug is fixed by commit b1f1599 [MERGE] various tr/// fixups, esp for /c and /d

--
@iabyn - Status changed from 'open' to 'pending release'
From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been

Perl 5.28.0 may be downloaded via:

If you find that the problem persists, feel free to reopen this ticket.

@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#132608 (status was 'resolved')
Searchable as RT132608$