
(possible) stack-buffer-overflow in S_missingterm (toke.c:580) #15519

Closed
p5pRT opened this issue Aug 15, 2016 · 7 comments

Comments


p5pRT commented Aug 15, 2016

Migrated from rt.perl.org#128952 (status was 'resolved')

Searchable as RT128952$


p5pRT commented Aug 15, 2016

From @geeknik

The attached test case triggers a (possible) stack-buffer-overflow in S_missingterm (toke.c:580). I say possible because ASAN reports this may be a false positive and I'm not a Perl internals expert. This was found with AFL, ASAN and libdislocator.so and affects v5.25.4 (v5.25.3-245-g2e66fe9). Perl 5.20.2 doesn't return any sort of an error.

==68681==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeb3e392ad at pc 0x000000698806 bp 0x7ffeb3e39270 sp 0x7ffeb3e39268
WRITE of size 1 at 0x7ffeb3e392ad thread T0
  #0 0x698805 in S_missingterm /home/geeknik/perl/toke.c:580:7
  #1 0x664d67 in Perl_yylex /home/geeknik/perl/toke.c:7988:3
  #2 0x6ac741 in Perl_yyparse /home/geeknik/perl/perly.c:334:19
  #3 0xa79cba in S_doeval_compile /home/geeknik/perl/pp_ctl.c:3406:77
  #4 0xa76e83 in Perl_pp_entereval /home/geeknik/perl/pp_ctl.c:4258:9
  #5 0x7f11d3 in Perl_runops_debug /home/geeknik/perl/dump.c:2234:23
  #6 0x5a0c56 in S_run_body /home/geeknik/perl/perl.c:2524:2
  #7 0x5a0c56 in perl_run /home/geeknik/perl/perl.c:2447
  #8 0x4de7fd in main /home/geeknik/perl/perlmain.c:123:9
  #9 0x7f724fb10b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
  #10 0x4de46c in _start (/home/geeknik/perl/perl+0x4de46c)

Address 0x7ffeb3e392ad is located in stack of thread T0 at offset 45 in frame
  #0 0x69846f in S_missingterm /home/geeknik/perl/toke.c:556

  This frame has 1 object(s):
  [32, 45) 'tmpbuf' <== Memory access at offset 45 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
  (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/geeknik/perl/toke.c:580 S_missingterm
==68681==ABORTING


p5pRT commented Aug 15, 2016

From @geeknik

test02


p5pRT commented Aug 16, 2016

From @iabyn

On Mon, Aug 15, 2016 at 03:23:18PM -0700, Brian Carpenter wrote:

The attached test case triggers a (possible) stack-buffer-overflow in
S_missingterm (toke.c:580).

Thanks, fixed by the following:

commit e487ff5
Author: David Mitchell <davem@iabyn.com>
AuthorDate: Tue Aug 16 13:50:46 2016 +0100

  buffer overflow in "string terminator" err msg
 
  RT #128952
 
  In
  eval "q" . chr(100000000064);
 
  generating the error message C<Can't find string terminator "XXX"'>
  was overrunning a buffer designed to hold a single utf8 char, since
  it wasn't allowing for the \0 at the end.

--
A walk of a thousand miles begins with a single step...
then continues for another 1,999,999 or so.
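The commit message above describes the defect as a buffer sized for exactly one encoded character, with no slot left for the terminating NUL. The following C example is added here and is not Perl's code: it models the same mistake with a standard 4-byte UTF-8 encoder (Perl's own buffer is sized for its longer extended encoding) and shows the size check that keeps the terminator inside the buffer. MAX_ENC_BYTES, utf8_encode and terminated_char are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative sizing (not Perl's real limit, which is larger because
 * Perl also encodes code points beyond Unicode): standard UTF-8 needs
 * at most 4 bytes per code point. */
#define MAX_ENC_BYTES 4
#define UNDERSIZED_BUF (MAX_ENC_BYTES)      /* pre-fix shape: no room for '\0' */
#define CORRECT_BUF    (MAX_ENC_BYTES + 1)  /* post-fix shape: encoding + '\0' */

/* Encode one code point as standard UTF-8 into out (at least 4 bytes).
 * Returns the number of bytes written, or 0 for an unencodable value. */
static size_t utf8_encode(uint32_t cp, unsigned char *out) {
    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp < 0x10000) {
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;   /* surrogates */
        out[0] = (unsigned char)(0xE0 | (cp >> 12));
        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (unsigned char)(0x80 | (cp & 0x3F));
        return 3;
    }
    if (cp <= 0x10FFFF) {
        out[0] = (unsigned char)(0xF0 | (cp >> 18));
        out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
        out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[3] = (unsigned char)(0x80 | (cp & 0x3F));
        return 4;
    }
    return 0;
}

/* Copy one encoded code point plus its terminator into a caller buffer.
 * Returns 1 on success, 0 when the buffer cannot hold encoding + '\0';
 * this bounds check is what the report's undersized tmpbuf lacked. */
int terminated_char(uint32_t cp, char *buf, size_t bufsize) {
    unsigned char tmp[MAX_ENC_BYTES];
    size_t n = utf8_encode(cp, tmp);
    if (n == 0 || n + 1 > bufsize)        /* the +1 reserves the '\0' slot */
        return 0;
    memcpy(buf, tmp, n);
    buf[n] = '\0';
    return 1;
}
```

A 4-byte code point fills UNDERSIZED_BUF completely, so writing the terminator would land one byte past its end, which is the same one-byte write ASAN flagged at offset 45 above.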


p5pRT commented Aug 16, 2016

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Aug 16, 2016

@iabyn - Status changed from 'open' to 'pending release'


p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

@p5pRT p5pRT closed this as completed May 30, 2017

p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'
