
Null Pointer Dereference in Perl_sv_setpv_bufsize #16104

Open
p5pRT opened this issue Aug 9, 2017 · 5 comments
Comments

@p5pRT

p5pRT commented Aug 9, 2017

Migrated from rt.perl.org#131866 (status was 'open')

Searchable as RT131866$

@p5pRT

p5pRT commented Aug 9, 2017

From gy741.kim@gmail.com

Hi.

I found a Null Pointer Dereference bug in perl.

Please confirm.
Thanks.

Version: This is perl 5, version 27, subversion 2 (v5.27.2) built for
i686-linux
OS: Ubuntu 16.04.2 32bit
Steps to reproduce:
1. Download the PoC files.
2. Compile the source code with ASan.
3. Execute the following command
   : ./perl $PoC

```
ASAN:DEADLYSIGNAL

==22852==ERROR: AddressSanitizer: SEGV on unknown address 0xbebebebe (pc 0x0865ec98 bp 0x16ba0f87 sp 0xbf95b2d0 T0)
  #0 0x865ec97 in Perl_sv_setpv_bufsize /root/karas/perl5-blead/sv.c:4958:17
  #1 0x85b15bf in Perl_pp_concat /root/karas/perl5-blead/pp_hot.c:292:13
  #2 0x84debdc in Perl_runops_debug /root/karas/perl5-blead/dump.c:2483:23
  #3 0x823aaf3 in S_run_body /root/karas/perl5-blead/perl.c:2553:2
  #4 0x823aaf3 in perl_run /root/karas/perl5-blead/perl.c:2476
  #5 0x81494d4 in main /root/karas/perl5-blead/perlmain.c:123:9
  #6 0xb74b4636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
  #7 0x8075847 in _start (/root/karas/perl5-blead/perl+0x8075847)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/karas/perl5-blead/sv.c:4958:17 in Perl_sv_setpv_bufsize
==22852==ABORTING
```

@p5pRT

p5pRT commented Aug 9, 2017

@p5pRT

p5pRT commented Aug 10, 2017

From @tonycoz

On Wed, 09 Aug 2017 00:28:24 -0700, gy741.kim@gmail.com wrote:

> Hi.
>
> I found a Null Pointer Dereference bug in perl.
>
> Please confirm.
> Thanks.
>
> Version: This is perl 5, version 27, subversion 2 (v5.27.2) built for
> i686-linux
> OS: Ubuntu 16.04.2 32bit
> Steps to reproduce:
> 1. Download the PoC files.
> 2. Compile the source code with ASan.
> 3. Execute the following command
>    : ./perl $PoC
>
> ```
> ASAN:DEADLYSIGNAL
>
> ==22852==ERROR: AddressSanitizer: SEGV on unknown address 0xbebebebe (pc
> 0x0865ec98 bp 0x16ba0f87 sp 0xbf95b2d0 T0)
>   #0 0x865ec97 in Perl_sv_setpv_bufsize
> /root/karas/perl5-blead/sv.c:4958:17
>   #1 0x85b15bf in Perl_pp_concat /root/karas/perl5-
> ```

This simplifies down to​:

```perl
$_.=*_='x';
```

and is a stack-not-refcounted bug.

This isn't a security issue - it depends on the code executed destroying an SV as it's assigned to, which is only under the control of an attacker.

Tony
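Added illustration of the mechanism Tony describes; this is not code from the ticket or from the perl source. A glob assignment replaces the glob's scalar slot, so the SV that was being assigned to is freed in the middle of the statement. `*y = *x` below is the glob-to-glob form of the reproducer's `*_='x'`; `$x`, `$y` and the `Tracer` package are constructed for the demo.

```perl
#!/usr/bin/perl
# Constructed demo: watch the scalar behind $y get destroyed by a glob
# assignment. In the reproducer, pp_concat has already pushed a raw,
# non-refcounted pointer to $_ on the argument stack before *_='x'
# frees it; this script only shows the freeing part, without the crash.
use strict;
use warnings;
use Scalar::Util qw(refaddr);

package Tracer;
sub new     { my ($class, $name) = @_; return bless { name => $name }, $class }
sub DESTROY { print "DESTROY fired for $_[0]{name}\n" }

package main;

our $x = 'x';
our $y = Tracer->new('the object held by the old $y');

my $before = refaddr(\$y);
print "before: \$y is a ", ref $y, " stored in SV $before\n";

# Equivalent to the reproducer's *_='x' applied to *y: alias *y to *x.
# The old scalar slot of *y has no other owner, so it is freed right here
# and the Tracer's DESTROY runs during the assignment.
*y = *x;

my $after = refaddr(\$y);
printf "after:  \$y is '%s' stored in SV %d (%s SV as before)\n",
    $y, $after, ($after == $before ? 'same' : 'different');
```

The DESTROY line prints between the "before" and "after" lines, showing that the old scalar is gone before the assignment statement has finished; any code still holding a bare pointer to it, as pp_concat does in the reproducer, is now using freed memory.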

@p5pRT

p5pRT commented Aug 10, 2017

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Aug 21, 2017

From @tonycoz

On Wed, 09 Aug 2017 17:52:11 -0700, tonyc wrote:

> This simplifies down to:
>
> ```perl
> $_.=*_='x';
> ```
>
> and is a stack-not-refcounted bug.
>
> This isn't a security issue - it depends on the code executed
> destroying an SV as it's assigned to, which is only under the control
> of an attacker.

Now public and linked to the stack-not-refcounted meta ticket.

Tony
