Report information
Id: 128952
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: 5.25.4



Subject: (possible) stack-buffer-overflow in S_missingterm (toke.c:580)
The attached test case triggers a (possible) stack-buffer-overflow in S_missingterm (toke.c:580). I say possible because ASAN reports this may be a false positive and I'm not a Perl internals expert. This was found with AFL, ASAN and libdislocator.so and affects v5.25.4 (v5.25.3-245-g2e66fe9). Perl 5.20.2 doesn't return any sort of an error.

==68681==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeb3e392ad at pc 0x000000698806 bp 0x7ffeb3e39270 sp 0x7ffeb3e39268
WRITE of size 1 at 0x7ffeb3e392ad thread T0
    #0 0x698805 in S_missingterm /home/geeknik/perl/toke.c:580:7
    #1 0x664d67 in Perl_yylex /home/geeknik/perl/toke.c:7988:3
    #2 0x6ac741 in Perl_yyparse /home/geeknik/perl/perly.c:334:19
    #3 0xa79cba in S_doeval_compile /home/geeknik/perl/pp_ctl.c:3406:77
    #4 0xa76e83 in Perl_pp_entereval /home/geeknik/perl/pp_ctl.c:4258:9
    #5 0x7f11d3 in Perl_runops_debug /home/geeknik/perl/dump.c:2234:23
    #6 0x5a0c56 in S_run_body /home/geeknik/perl/perl.c:2524:2
    #7 0x5a0c56 in perl_run /home/geeknik/perl/perl.c:2447
    #8 0x4de7fd in main /home/geeknik/perl/perlmain.c:123:9
    #9 0x7f724fb10b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #10 0x4de46c in _start (/home/geeknik/perl/perl+0x4de46c)

Address 0x7ffeb3e392ad is located in stack of thread T0 at offset 45 in frame
    #0 0x69846f in S_missingterm /home/geeknik/perl/toke.c:556

  This frame has 1 object(s):
    [32, 45) 'tmpbuf' <== Memory access at offset 45 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/geeknik/perl/toke.c:580 S_missingterm
Shadow bytes around the buggy address:
  0x1000567bf200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000567bf250: f1 f1 f1 f1 00[05]f3 f3 00 00 00 00 00 00 00 00
  0x1000567bf260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==68681==ABORTING
Attachment: test02 (application/octet-stream, 107b)

Subject: Re: [perl #128952] (possible) stack-buffer-overflow in S_missingterm (toke.c:580)
To: perl5-porters [...] perl.org
From: Dave Mitchell <davem [...] iabyn.com>
Date: Tue, 16 Aug 2016 13:55:20 +0100
On Mon, Aug 15, 2016 at 03:23:18PM -0700, Brian Carpenter wrote:
> The attached test case triggers a (possible) stack-buffer-overflow in
> S_missingterm (toke.c:580).

Thanks, fixed by the following:

commit e487ff5ee8f0cde894977f61d319c0c4e44aa0bd
Author:     David Mitchell <davem@iabyn.com>
AuthorDate: Tue Aug 16 13:50:46 2016 +0100

    buffer overflow in "string terminator" err msg RT #128952

    In

        eval "q" . chr(100000000064);

    generating the error message C<Can't find string terminator "XXX"'>
    was overrunning a buffer designed to hold a single utf8 char, since it
    wasn't allowing for the \0 at the end.

-- 
A walk of a thousand miles begins with a single step...
then continues for another 1,999,999 or so.
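The commit message describes a classic off-by-one: a stack buffer sized for the longest encoded character but not for the NUL that terminates the string built in it. The program below is an added illustration and is not Perl's code from toke.c or utf8.c. It models the 13-byte tmpbuf from the ASAN frame ([32, 45)) with a small encoder written for this example and assumed to follow Perl's extended UTF-8 scheme (classic UTF-8 up to 0x7FFFFFFF, a 0xFE lead byte with 6 continuation bytes up to 2^36-1, a 0xFF lead byte with 12 continuation bytes above that, so chr(100000000064) takes 13 bytes), and shows the length check that the original code lacked: a 13-byte character plus its NUL is rejected against a 13-byte buffer and accepted against a 14-byte one. The names MAXBYTES, encode_ext_utf8, terminator_len and format_terminator are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Longest encoded character this example allows for: 13 bytes, the size of
 * the 'tmpbuf' object ([32, 45)) in the ASAN frame in the report. */
#define MAXBYTES 13

/* Encode one code point in Perl-style extended UTF-8. This is the example's
 * own encoder, assumed to follow Perl's scheme rather than copied from utf8.c:
 * classic UTF-8 up to 0x7FFFFFFF (6 bytes), a 0xFE lead byte with 6
 * continuation bytes up to 2^36-1, and a 0xFF lead byte with 12 continuation
 * bytes above that. Returns the encoded length, never more than MAXBYTES. */
static size_t encode_ext_utf8(uint64_t cp, unsigned char out[MAXBYTES])
{
    size_t n;            /* number of continuation bytes */
    unsigned char lead;  /* marker bits of the first byte */

    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    if      (cp < 0x800)        { n = 1;  lead = 0xC0; }
    else if (cp < 0x10000)      { n = 2;  lead = 0xE0; }
    else if (cp < 0x200000)     { n = 3;  lead = 0xF0; }
    else if (cp < 0x4000000)    { n = 4;  lead = 0xF8; }
    else if (cp < 0x80000000)   { n = 5;  lead = 0xFC; }
    else if (cp < (1ULL << 36)) { n = 6;  lead = 0xFE; }
    else                        { n = 12; lead = 0xFF; }

    /* Continuation bytes carry 6 payload bits each, filled from the end. */
    for (size_t i = n; i >= 1; i--) {
        out[i] = (unsigned char)(0x80 | (cp & 0x3F));
        cp >>= 6;
    }
    out[0] = (unsigned char)(lead | cp);  /* remaining bits fit in the lead byte */
    return n + 1;
}

/* Encoded length of the terminator character, before counting the NUL. */
static int terminator_len(uint64_t cp)
{
    unsigned char tmp[MAXBYTES];
    return (int)encode_ext_utf8(cp, tmp);
}

/* Copy the terminator character into buf as a NUL-terminated string, for a
 * message of the form: Can't find string terminator "XXX" anywhere before EOF.
 * Returns the encoded length, or -1 if the character plus its NUL would not
 * fit in bufsize bytes. bufsize == MAXBYTES models the pre-fix tmpbuf,
 * MAXBYTES + 1 models the fix. */
static int format_terminator(uint64_t cp, char *buf, size_t bufsize)
{
    unsigned char tmp[MAXBYTES];
    size_t len = encode_ext_utf8(cp, tmp);

    if (len + 1 > bufsize)   /* the "+ 1" for the NUL is the byte the report's code forgot */
        return -1;
    memcpy(buf, tmp, len);
    buf[len] = '\0';
    return (int)len;
}

int main(void)
{
    uint64_t cp = 100000000064ULL;   /* the code point from the test case */
    char small[MAXBYTES];            /* sized like the 13-byte tmpbuf */
    char fixed[MAXBYTES + 1];        /* one more byte, for the NUL */

    printf("chr(%llu) encodes to %d bytes\n",
           (unsigned long long)cp, terminator_len(cp));
    printf("%zu-byte buffer: %s\n", sizeof small,
           format_terminator(cp, small, sizeof small) < 0
               ? "rejected, the NUL would land one byte past the end" : "ok");
    printf("%zu-byte buffer: %s\n", sizeof fixed,
           format_terminator(cp, fixed, sizeof fixed) < 0 ? "rejected" : "ok");
    return 0;
}
```

The check in format_terminator is the point: any routine that NUL-terminates a single encoded character needs a buffer of the maximum encoded length plus one, and the length comparison should include that extra byte so a maximal-length input fails loudly instead of silently writing one byte past the array.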
Thank you for filing this report. You have helped make Perl better. With the release today of Perl 5.26.0, this and 210 other issues have been resolved. Perl 5.26.0 may be downloaded via: https://metacpan.org/release/XSAWYERX/perl-5.26.0 If you find that the problem persists, feel free to reopen this ticket.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org