Report information
Id: 129099
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



To: perl5-security-report [...] perl.org
Subject: global-buffer-overflow S_finalize_op (op.c:2634)
From: "Brian 'geeknik' Carpenter" <brian.carpenter [...] gmail.com>
Date: Fri, 26 Aug 2016 20:53:43 -0500
Perl v5.25.4-20-gc2f7c0b, + AFL + ASAN + libdislocator

./perl -e 'BEGIN():y()'

Prototype mismatch: sub main::BEGIN () vs none at over6 line 1.
=================================================================
==23205==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000ed72b4 at pc 0x0000004f1e35 bp 0x7fff9e4cca50 sp 0x7fff9e4cca48
READ of size 4 at 0x000000ed72b4 thread T0
    #0 0x4f1e34 in S_finalize_op /root/perl/op.c:2634:9
    #1 0x4f1b05 in S_finalize_op /root/perl/op.c:2671:6
    #2 0x4f1b05 in S_finalize_op /root/perl/op.c:2671:6
    #3 0x4f1b05 in S_finalize_op /root/perl/op.c:2671:6
    #4 0x4f09ed in Perl_finalize_optree /root/perl/op.c:2473:5
    #5 0x51c9ea in Perl_newATTRSUB_x /root/perl/op.c:8784:5
    #6 0x5239d2 in Perl_utilize /root/perl/op.c:6205:5
    #7 0x524d42 in Perl_vload_module /root/perl/op.c:6352:5
    #8 0x4f9fa9 in Perl_load_module /root/perl/op.c:6295:5
    #9 0x51cdd2 in Perl_newATTRSUB_x /root/perl/op.c:8798:2
    #10 0x6afc50 in Perl_yyparse /root/perl/perly.y:296:12
    #11 0x59c4e1 in S_parse_body /root/perl/perl.c:2373:9
    #12 0x59287c in perl_parse /root/perl/perl.c:1689:2
    #13 0x4de815 in main /root/perl/perlmain.c:121:18
    #14 0x7fe24eb19b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #15 0x4de4ac in _start (/root/perl/perl+0x4de4ac)

0x000000ed72b4 is located 0 bytes to the right of global variable 'PL_opargs' defined in './opcode.h:1796:14' (0xed6c80) of size 1588
SUMMARY: AddressSanitizer: global-buffer-overflow /root/perl/op.c:2634 S_finalize_op
Shadow bytes around the buggy address:
  0x0000801d2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801d2e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801d2e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801d2e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801d2e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000801d2e50: 00 00 00 00 00 00[04]f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801d2e60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801d2e70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801d2e80: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000801d2e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801d2ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==23205==ABORTING
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #129099] global-buffer-overflow S_finalize_op (op.c:2634)
Date: Mon, 5 Sep 2016 13:40:33 +0100
To: perl5-security-report [...] perl.org

On Fri, Aug 26, 2016 at 06:54:52PM -0700, Brian Carpenter wrote:
> ./perl -e 'BEGIN():y()'

This can only occur for the unusual (some might say bizarre) action of applying an attribute to a sub called BEGIN. The attribute application causes BEGIN { require attributes; ... } to be compiled, which causes problems with BEGIN being re-defined while BEGIN is still being defined. So it's not a security issue.

I've fixed it with the following commit. I've also added some asserts with v5.25.4-75-g68d1ee8 to better spot things like this in future.

I'll move this ticket to the public queue and close it in a few days unless anyone objects.

commit d1da3640384b1f8221ffa322a0ce6f7ff663a34c
Author:     David Mitchell <davem@iabyn.com>
AuthorDate: Mon Sep 5 11:52:23 2016 +0100
Commit:     David Mitchell <davem@iabyn.com>
CommitDate: Mon Sep 5 12:55:57 2016 +0100

    avoid using freed ops on BEGIN :attr {}

    If a BEGIN sub has a code attribute applied (no idea why you would want
    to do such a thing, but it's not illegal) then part of applying the
    attribute is to do 'use attributes', which compiles

        BEGIN { require "attributes"; attributes->import(AAA) }

    so we end up compiling a BEGIN while in the middle of compiling a BEGIN.

    The part of Perl_newATTRSUB_x() that under some circumstances copies the
    body of the newly-compiled CV to the old CV which occupies the name slot,
    kicks in here. Since the ops that make up the AAA above were allocated
    from the old BEGIN's op slabs, they get prematurely freed when the old
    BEGIN's ops are discarded by the SvREFCNT_dec(PL_compcv).

    The simplest fix is to just avoid the copy if we're compiling a BEGIN.

-- 
Music lesson: a symbiotic relationship whereby a pupil's embellishments
concerning the amount of practice performed since the last lesson are
rewarded with embellishments from the teacher concerning the pupil's
progress over the corresponding period.
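
The failure mode described in the reply above, as an added example in C that is not perl's code: a simplified model of ops carved out of a slab owned by the sub being compiled, a re-entrant inner compile that allocates from that same slab, and a name-slot takeover that discards the slab while the inner body still points into it. The op types, MAXO, OP_FREED, opargs, the slab layout and every function name are hypothetical stand-ins. The model also makes one inference explicit, which is my reading of the report rather than something the page states: ASan flagged a 4-byte read 0 bytes past the end of PL_opargs, which is what indexing that table with a freed op's out-of-range type marker would produce, so the use-after-free surfaces as a global-buffer-overflow on a table. The model's finalize() range-checks and returns -1 at the point where the real code would perform that read.

```c
/*
 * Added example, not perl's code: a toy model of the op-slab lifetime bug.
 * All names (MAXO, OP_FREED, opargs, SLAB, CV, ...) are hypothetical stand-ins.
 */
#include <stddef.h>
#include <stdio.h>

enum { OP_CONST, OP_REQUIRE, OP_METHOD, OP_ENTERSUB, MAXO };  /* hypothetical op types */
#define OP_FREED MAXO          /* a freed op is marked with a type one past the last valid one */
#define SLAB_OPS 8

/* Stand-in for the PL_opargs table: one entry per valid op type, nothing for OP_FREED. */
static const unsigned opargs[MAXO] = { 0x1, 0x2, 0x4, 0x8 };

typedef struct op {
    unsigned   type;
    struct op *next;           /* next op in a body */
} OP;

typedef struct slab {          /* ops are carved out of a slab in allocation order */
    OP  ops[SLAB_OPS];
    int used;
} SLAB;

typedef struct cv {            /* a sub under compilation: owns a slab, points at its body */
    SLAB *slab;
    OP   *body;
    int   is_begin;
} CV;

static OP *slab_alloc(SLAB *s, unsigned type)
{
    if (s->used == SLAB_OPS)
        return NULL;
    OP *o = &s->ops[s->used++];
    o->type = type;
    o->next = NULL;
    return o;
}

/* Discarding a CV's ops frees every op in its slab, regardless of who allocated it.
 * Ownership is decided by slab membership, not by which body the op belongs to. */
static void cv_discard_ops(CV *cv)
{
    for (int i = 0; i < cv->slab->used; i++)
        cv->slab->ops[i].type = OP_FREED;
    cv->body = NULL;
}

/* Finalizer: consults opargs[type] for each op in a body. Returns the number
 * of ops visited, or -1 on reaching an op whose type is out of range; the real
 * code has no such check and would read opargs[MAXO], one element past the
 * table, which is the "0 bytes to the right of PL_opargs" ASan reported. */
static int finalize(const OP *body)
{
    int n = 0;
    for (const OP *o = body; o; o = o->next, n++) {
        if (o->type >= (unsigned)MAXO)
            return -1;
        (void)opargs[o->type];
    }
    return n;
}

/* Model of defining `sub BEGIN` with an attribute. Applying the attribute compiles
 * an inner BEGIN while the outer BEGIN is still being compiled, so the inner body
 * is allocated from the outer BEGIN's slab. Returns what the finalizer reports for
 * the body that ends up in the name slot. */
static int define_begin_with_attr(int skip_copy_for_begin)
{
    SLAB slab = {0};
    CV old_begin = { &slab, NULL, 1 };   /* already occupies the name slot, not finished */
    CV new_begin = { &slab, NULL, 1 };   /* compiled re-entrantly by 'use attributes' */

    old_begin.body = slab_alloc(&slab, OP_CONST);

    new_begin.body = slab_alloc(&slab, OP_REQUIRE);            /* require attributes */
    new_begin.body->next = slab_alloc(&slab, OP_METHOD);       /* attributes->import(...) */
    new_begin.body->next->next = slab_alloc(&slab, OP_ENTERSUB);

    if (skip_copy_for_begin && new_begin.is_begin)
        return finalize(new_begin.body);  /* fixed path: leave the body where it is */

    /* Buggy path: the new body is moved onto the old CV, then the old CV's ops
     * are discarded, which frees the slab the new body lives in. */
    OP *taken = new_begin.body;
    new_begin.body = NULL;
    cv_discard_ops(&old_begin);
    old_begin.body = taken;
    return finalize(old_begin.body);
}

int main(void)
{
    printf("copy path:  %d\n", define_begin_with_attr(0));   /* -1: a freed op was reached */
    printf("fixed path: %d\n", define_begin_with_attr(1));   /* 3: all inner ops still live */
    return 0;
}
```

The check in finalize() stands in for the sanitizer: in the unfixed path the first op it visits already carries the freed marker, so a table indexed by op type is read one past its end, and a fuzzer sees a global-buffer-overflow even though the root cause is a use-after-free. The fix path does not free anything extra or add a check; it simply avoids moving the body, so the slab keeps its single owner until the outer compile finishes.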
Thank you for filing this report. You have helped make Perl better. With the release today of Perl 5.26.0, this and 210 other issues have been resolved. Perl 5.26.0 may be downloaded via: https://metacpan.org/release/XSAWYERX/perl-5.26.0 If you find that the problem persists, feel free to reopen this ticket.