Report information
Id: 129149
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
dcollinsn [at] gmail.com
randir <sergey.aleynikov [at] gmail.com>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



From: "Brian 'geeknik' Carpenter" <brian.carpenter [...] gmail.com>
Date: Wed, 31 Aug 2016 03:39:10 -0500
Subject: heap-buffer-overflow S_pack_Rec pp_pack.c:3108
To: perl5-security-report [...] perl.org
This one crashes v5.25.5 (v5.25.4-25-g109ac34*) with ASAN, however a non-ASAN instrumented build doesn't crash. Testcase attached:

hexdump -C over307
00000000  70 61 63 6b 00 75 63 57  3d 3e 27 30 30 30 30 27  |pack.ucW=>'0000'|
00000010  3d 3e 27 27 3d 3e 71 72  27 27                    |=>''=>qr''|
0000001a

==18296==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e8d8 at pc 0x000000c7aeb5 bp 0x7ffc3e19e7f0 sp 0x7ffc3e19e7e8
WRITE of size 1 at 0x60300000e8d8 thread T0
    #0 0xc7aeb4 in S_pack_rec /root/perl/pp_pack.c:3108:2
    #1 0xc627b4 in Perl_packlist /root/perl/pp_pack.c:1971:11
    #2 0xc7fd16 in Perl_pp_pack /root/perl/pp_pack.c:3131:5
    #3 0x7f26a3 in Perl_runops_debug /root/perl/dump.c:2234:23
    #4 0x5a10c6 in S_run_body /root/perl/perl.c:2525:2
    #5 0x5a10c6 in perl_run /root/perl/perl.c:2448
    #6 0x4de6cd in main /root/perl/perlmain.c:123:9
    #7 0x7f37a8fd6b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #8 0x4de33c in _start (/root/perl/perl+0x4de33c)

0x60300000e8d8 is located 0 bytes to the right of 24-byte region [0x60300000e8c0,0x60300000e8d8)
allocated by thread T0 here:
    #0 0x4c0fae in realloc (/root/perl/perl+0x4c0fae)
    #1 0x7f6bd6 in Perl_safesysrealloc /root/perl/util.c:274:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/pp_pack.c:3108 S_pack_rec
==18296==ABORTING

Subject: Buffer overflow - one byte past the end of allocated buffer - in pack
From: Dan Collins <dcollinsn [...] gmail.com>
Date: Sat, 3 Sep 2016 10:46:23 -0400
To: perl5-security-report [...] perl.org

Message body is not shown because it is too large.

From: "Brian 'geeknik' Carpenter" <brian.carpenter [...] gmail.com>
Subject: Re: [perl #129149] AutoReply: heap-buffer-overflow S_pack_Rec pp_pack.c:3108
Date: Tue, 6 Sep 2016 16:12:37 -0500
To: perl5-security-report [...] perl.org
perl -e 'pack~~W9,\0,\0,0,\0' triggers this as well in v5.25.4-90-g5b549d1.

==23676==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000009a78 at pc 0x000000c882d7 bp 0x7ffce20060d0 sp 0x7ffce20060c8
WRITE of size 1 at 0x604000009a78 thread T0
    #0 0xc882d6 in S_pack_rec /home/geeknik/perl/pp_pack.c:2585:4
    #1 0xc6bda4 in Perl_packlist /home/geeknik/perl/pp_pack.c:1971:11
    #2 0xc89306 in Perl_pp_pack /home/geeknik/perl/pp_pack.c:3131:5
    #3 0x7f4a13 in Perl_runops_debug /home/geeknik/perl/dump.c:2239:23
    #4 0x5a1246 in S_run_body /home/geeknik/perl/perl.c:2525:2
    #5 0x5a1246 in perl_run /home/geeknik/perl/perl.c:2448
    #6 0x4de5fd in main /home/geeknik/perl/perlmain.c:123:9
    #7 0x7f2f69208b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #8 0x4de26c in _start (/home/geeknik/perl/perl+0x4de26c)

0x604000009a78 is located 0 bytes to the right of 40-byte region [0x604000009a50,0x604000009a78)
allocated by thread T0 here:
    #0 0x4c0ede in realloc (/home/geeknik/perl/perl+0x4c0ede)
    #1 0x7f8f46 in Perl_safesysrealloc /home/geeknik/perl/util.c:274:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/geeknik/perl/pp_pack.c:2585 S_pack_rec
==23676==ABORTING
RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
On Wed Aug 31 01:40:20 2016, brian.carpenter@gmail.com wrote:
> This one crashes v5.25.5 (v5.25.4-25-g109ac34*) with ASAN, however a
> non-ASAN instrumented build doesn't crash. Testcase attached:
>
> hexdump -C over307
> 00000000  70 61 63 6b 00 75 63 57  3d 3e 27 30 30 30 30 27  |pack.ucW=>'0000'|
> 00000010  3d 3e 27 27 3d 3e 71 72  27 27                    |=>''=>qr''|
> 0000001a

The attached fixes this for me.

This will only ever overflow by one byte, so I could see it causing a crash (by overwriting the malloc header for the following allocation) but I don't think it could be used to take control of anything.

Tony
Subject: 0001-perl-129149-avoid-a-heap-buffer-overflow-with-pack-W.patch
From ab19876f2d2aea3a1829dee139b4a1b816f09681 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Wed, 7 Sep 2016 16:51:39 +1000 Subject: (perl #129149) avoid a heap buffer overflow with pack "W"... --- pp_pack.c | 2 +- t/op/pack.t | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/pp_pack.c b/pp_pack.c index 40c3100..09d91a5 100644 --- a/pp_pack.c +++ b/pp_pack.c @@ -2581,7 +2581,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist ) if (in_bytes) auv = auv % 0x100; if (utf8) { W_utf8: - if (cur > end) { + if (cur >= end) { *cur = '\0'; SvCUR_set(cat, cur - start); diff --git a/t/op/pack.t b/t/op/pack.t index df16464..7ec09ae 100644 --- a/t/op/pack.t +++ b/t/op/pack.t @@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' : my $no_signedness = $] > 5.009 ? '' : "Signed/unsigned pack modifiers not available on this perl"; -plan tests => 14712; +plan tests => 14713; use strict; use warnings qw(FATAL all); @@ -2049,3 +2049,14 @@ ok(1, "argument underflow did not crash"); is(pack("H40", $up_nul), $twenty_nuls, "check pack H zero fills (utf8 source)"); } + +{ + # [perl #129149] the code below would write one past the end of the output + # buffer, only detected by ASAN, not by valgrind + $Config{ivsize} >= 8 + or skip "[perl #129149] need 64-bit for this test", 1; + fresh_perl_is(<<'EOS', "ok\n", { stderr => 1 }, "pack W overflow"); +print pack("ucW", "0000", 0, 140737488355327) eq "\$,#`P,```\n\0\x{7fffffffffff}" + ? "ok\n" : "not ok\n"; +EOS +} -- 2.1.4
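Review bot: the `cur > end` test in the W_utf8 branch treats `cur == end` as "still room", so the write that follows it lands at or one byte past the allocation end; `cur >= end` is the correct threshold and the change is right. Since the two ASAN traces in this ticket name different lines of S_pack_rec (3108 and 2585) while the fix touches only this one comparison, it is worth checking whether the other `cur > end` comparisons in S_pack_rec need the same `>=` treatment.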
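Review bot: the new t/op/pack.t block calls `skip "[perl #129149] need 64-bit for this test", 1` inside a bare `{ ... }` block; test.pl's skip() leaves via `last SKIP`, so on a build with ivsize < 8 the skip path dies with 'Label not found for "last SKIP"' and op/pack.t exits non-zero instead of skipping (bulk88's 32-bit Windows run later in this ticket shows exactly that). Write the block as `SKIP: {` ... `}`. Also confirm `use Config` is already in scope in t/op/pack.t, since `$Config{ivsize}` is read in the hunk without it.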
RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
On Sat Sep 03 07:47:23 2016, dcollinsn@gmail.com wrote:
> Apologies if this is a dupe. This appears to be a legitimate bug in pack,
> which may be security-related. It doesn't use the 'p' or 'P' types - it's
> stuffing 0xFFFFFFFFFFFFFFFF into a char type, and in the process, it gets a
> libc panic.
>
> perl -e 'pack SWFW, 0,0,0,-1'
...
> ==20524== Invalid write of size 1
> ==20524==    at 0x786A1E: S_pack_rec (pp_pack.c:3108)
> ==20524==    by 0x7871EE: Perl_packlist (pp_pack.c:1971)
> ==20524==    by 0x7871EE: Perl_pp_pack (pp_pack.c:3131)
> ==20524==    by 0x5C9E42: Perl_runops_standard (run.c:41)
> ==20524==    by 0x47BFFE: S_run_body (perl.c:2525)
> ==20524==    by 0x47BFFE: perl_run (perl.c:2448)
> ==20524==    by 0x41FCDE: main (perlmain.c:123)

This looks like the same bug as security ticket 129149, which I posted the attached patch for.

Tony
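The one-character change in Tony's patch above (`cur > end` to `cur >= end`) is easiest to see on a small model of the output buffer. This C program is added here and is not perl's code: the buffer layout, the 13-byte margin below the allocation end (standing in for the longest encoded item) and the 24-byte starting size are assumptions chosen to mirror the 24-byte region in the ASAN reports.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a pack-style output buffer; not perl's SV code.
 * The writer keeps a margin of MAXLEN bytes below the real end of the
 * allocation so that one maximal multi-byte item can be emitted after a
 * single "do I need to grow?" check. MAXLEN = 13 is an assumption. */
#define MAXLEN 13

typedef struct {
    char  *start;
    char  *cur;
    char  *end;   /* start + cap - MAXLEN: reaching this means "grow first" */
    size_t cap;   /* bytes actually allocated */
} packbuf_t;

static void pb_init(packbuf_t *b, size_t cap) {
    b->start = calloc(cap, 1);
    if (!b->start) abort();
    b->cap   = cap;
    b->cur   = b->start;
    b->end   = b->start + cap - MAXLEN;
}

static void pb_grow(packbuf_t *b, size_t extra) {
    size_t used = (size_t)(b->cur - b->start);
    char *p;
    b->cap = b->cap * 2 + extra;
    p = realloc(b->start, b->cap);
    if (!p) abort();
    b->start = p;
    b->cur   = b->start + used;
    b->end   = b->start + b->cap - MAXLEN;
}

/* Append one item of len bytes (1..MAXLEN). `fixed` selects the comparison:
 * false = the pre-patch `cur > end`, true = the patched `cur >= end`. */
static void pb_put(packbuf_t *b, const char *item, size_t len, bool fixed) {
    bool need_grow = fixed ? (b->cur >= b->end) : (b->cur > b->end);
    if (need_grow)
        pb_grow(b, MAXLEN);
    memcpy(b->cur, item, len);   /* stays inside cap: the margin covers it */
    b->cur += len;
}

/* Where pack's final terminating NUL would land, relative to the end of the
 * allocation: 0 means cur == start + cap, i.e. the NUL is the one-byte
 * heap-buffer-overflow ASAN reported; negative means it is in bounds. The
 * offset is computed rather than written so this demo never itself writes
 * out of bounds. */
static long pb_terminator_slack(const packbuf_t *b) {
    return (long)(b->cur - b->start) - (long)b->cap;
}

/* The ticket's shape: fill with 1-byte items until cur sits exactly on end,
 * then emit one maximal item (the huge "W" code point). Returns the slack. */
static long run_scenario(bool fixed) {
    packbuf_t b;
    char big[MAXLEN];
    long slack;
    pb_init(&b, 24);                  /* 24 bytes, like the region in the report */
    while (b.cur < b.end)
        pb_put(&b, "x", 1, fixed);    /* leaves cur == end */
    memset(big, 'W', sizeof big);
    pb_put(&b, big, MAXLEN, fixed);   /* `>` sees no need to grow here */
    slack = pb_terminator_slack(&b);
    free(b.start);
    return slack;
}

int main(void) {
    printf("pre-patch (cur > end):  terminator offset past cap = %ld\n",
           run_scenario(false));   /* 0: one byte past the 24-byte region */
    printf("patched   (cur >= end): terminator offset past cap = %ld\n",
           run_scenario(true));    /* negative: the buffer was grown first */
    return 0;
}
```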
CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
Subject: Re: [perl #129149] heap-buffer-overflow S_pack_Rec pp_pack.c:3108
To: Tony Cook via RT <perl5-security-report [...] perl.org>
Date: Tue, 6 Dec 2016 17:17:56 +0000
From: Dave Mitchell <davem [...] iabyn.com>
On Tue, Sep 06, 2016 at 11:54:34PM -0700, Tony Cook via RT wrote:
> On Wed Aug 31 01:40:20 2016, brian.carpenter@gmail.com wrote:
> > This one crashes v5.25.5 (v5.25.4-25-g109ac34*) with ASAN, however a
> > non-ASAN instrumented build doesn't crash. Testcase attached:
> >
> > hexdump -C over307
> > 00000000  70 61 63 6b 00 75 63 57  3d 3e 27 30 30 30 30 27  |pack.ucW=>'0000'|
> > 00000010  3d 3e 27 27 3d 3e 71 72  27 27                    |=>''=>qr''|
> > 0000001a
>
> The attached fixes this for me.
>
> This will only ever overflow by one byte, so I could see it causing a
> crash (by overwriting the malloc header for the following allocation)
> but I don't think it could be used to take control of anything.

This fix looks good to me. An attacker would have to be in a position where pack('W') can be called with a very large arg, which is probably fairly unlikely. (But stranger things have been known).

I think the fix should be pushed to blead.

--
Never do today what you can put off till tomorrow.
Subject: heap-buffer-overflow in S_pack_rec
Date: Sat, 14 Jan 2017 21:29:03 +0300
To: perl5-security-report [...] perl.org
From: Sergey Aleynikov <sergey.aleynikov [...] gmail.com>
This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.25.9.

-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.25.8-207-gcbe2fc5001 built with afl and run under libdislocator, I found the following program

pack"Z*WWW",1.01E50,0,0,1E20

to perform an access outside of an allocated memory slot. ASAN diagnostics are:

% ./perl /tmp/0001
Use of code point 0xFFFFFFFFFFFFFFFF is deprecated; the permissible max is 0x7FFFFFFFFFFFFFFF at /tmp/0001 line 1.
=================================================================
==4814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e6f8 at pc 0x000000d43b9e bp 0x7ffe105ea450 sp 0x7ffe105ea448
WRITE of size 1 at 0x60300000e6f8 thread T0
    #0 0xd43b9d in S_pack_rec /home/afl/perl-git/pp_pack.c:3114:7
    #1 0xd17c1d in Perl_packlist /home/afl/perl-git/pp_pack.c:1977:11
    #2 0xd44a2a in Perl_pp_pack /home/afl/perl-git/pp_pack.c:3137:5
    #3 0x847e31 in Perl_runops_debug /home/afl/perl-git/dump.c:2260:23
    #4 0x5f02c5 in S_run_body /home/afl/perl-git/perl.c:2528:2
    #5 0x5f02c5 in perl_run /home/afl/perl-git/perl.c:2451
    #6 0x522402 in main /home/afl/perl-git/perlmain.c:123:9
    #7 0x7fefe22922b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #8 0x43ace9 in _start (/home/afl/perl-git/perl+0x43ace9)

0x60300000e6f8 is located 0 bytes to the right of 24-byte region [0x60300000e6e0,0x60300000e6f8)
allocated by thread T0 here:
    #0 0x4eaa10 in realloc (/home/afl/perl-git/perl+0x4eaa10)
    #1 0x84ca66 in Perl_safesysrealloc /home/afl/perl-git/util.c:274:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/afl/perl-git/pp_pack.c:3114:7 in S_pack_rec

GDB reports the following program state:

(gdb) bt
#0  0x00007f05a15d52b9 in S_pack_rec (cat=0x7f059fc9be68, symptr=0x7ffc8cd8bfd0, beglist=0x7f05a18a6c38, endlist=0x7f05a18a6c38) at pp_pack.c:3114
#1  0x00007f05a15caf6f in Perl_packlist (cat=0x7f059fc9be68, pat=0x7f059f9eeff6 "Z*WWW", patend=0x7f059f9eeffb "", beglist=0x7f05a18a6c18, endlist=0x7f05a18a6c38) at pp_pack.c:1977
#2  0x00007f05a15d5691 in Perl_pp_pack () at pp_pack.c:3137
#3  0x00007f05a13dbb57 in Perl_runops_debug () at dump.c:2260
#4  0x00007f05a12d60fd in S_run_body (oldscope=1) at perl.c:2528
#5  0x00007f05a12d567b in perl_run (my_perl=0x7f05a18bcfff) at perl.c:2451
#6  0x00007f05a1290d3e in main (argc=2, argv=0x7ffc8cd8c3b8, env=0x7ffc8cd8c3d0) at perlmain.c:123
(gdb) f 0
#0  0x00007f05a15d52b9 in S_pack_rec (cat=0x7f059fc9be68, symptr=0x7ffc8cd8bfd0, beglist=0x7f05a18a6c38, endlist=0x7f05a18a6c38) at pp_pack.c:3114
3114	    *cur = '\0';
(gdb) info locals
fromstr = 0x7f059fc9be50
fromlen = 8
len = -1
datumtype = 87
lengthcode = 0x0
howlen = e_no_len
start = 0x7f059f9e4fe8 "1.01e+50"
cur = 0x7f059f9e5000 ""
needs_swap = false
lookahead = {patptr = 0x7f059f9eeffb "", patend = 0x7f059f9eeffb "", grpbeg = 0x0, grpend = 0x0, code = 87, length = 1, howlen = e_no_len, level = 0, flags = 9, strbeg = 0, previous = 0x0}
items = 0
found = false
utf8 = true
warn_utf8 = false
from = 0x7f05a18a6c00 "`\226\214\241\005\177"
__PRETTY_FUNCTION__ = "S_pack_rec"

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.
RT-Send-CC: perl5-porters [...] perl.org
On Tue, 06 Dec 2016 09:18:27 -0800, davem wrote:
> This fix looks good to me. An attacker would have to be in a position
> where pack('W') can be called with a very large arg, which is probably
> fairly unlikely. (But stranger things have been known).
>
> I think the fix should be pushed to blead.

I've made the ticket public and pushed the patch as bf4a926a29374161655548b149d1cb37300bcc05.

Tony
RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
On Sat, 14 Jan 2017 10:29:27 -0800, randir wrote:
> While fuzzing perl v5.25.8-207-gcbe2fc5001 built with afl and run
> under libdislocator, I found the following program
>
> pack"Z*WWW",1.01E50,0,0,1E20
>
> to perform an access outside of an allocated memory slot. ASAN
> diagnostics are:
>
> % ./perl /tmp/0001
> Use of code point 0xFFFFFFFFFFFFFFFF is deprecated; the permissible
> max is 0x7FFFFFFFFFFFFFFF at /tmp/0001 line 1.
> =================================================================
> ==4814==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60300000e6f8 at pc 0x000000d43b9e bp 0x7ffe105ea450 sp
> 0x7ffe105ea448
> WRITE of size 1 at 0x60300000e6f8 thread T0
>     #0 0xd43b9d in S_pack_rec /home/afl/perl-git/pp_pack.c:3114:7
>     #1 0xd17c1d in Perl_packlist /home/afl/perl-git/pp_pack.c:1977:11
>     #2 0xd44a2a in Perl_pp_pack /home/afl/perl-git/pp_pack.c:3137:5
>     #3 0x847e31 in Perl_runops_debug /home/afl/perl-git/dump.c:2260:23
>     #4 0x5f02c5 in S_run_body /home/afl/perl-git/perl.c:2528:2
>     #5 0x5f02c5 in perl_run /home/afl/perl-git/perl.c:2451
>     #6 0x522402 in main /home/afl/perl-git/perlmain.c:123:9
>     #7 0x7fefe22922b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
>     #8 0x43ace9 in _start (/home/afl/perl-git/perl+0x43ace9)
>
> 0x60300000e6f8 is located 0 bytes to the right of 24-byte region
> [0x60300000e6e0,0x60300000e6f8)
> allocated by thread T0 here:
>     #0 0x4eaa10 in realloc (/home/afl/perl-git/perl+0x4eaa10)
>     #1 0x84ca66 in Perl_safesysrealloc /home/afl/perl-git/util.c:274:18

This looks like a duplicate of #129149 and my patch for that prevents the crash.

Tony
RT-Send-CC: perl5-porters [...] perl.org
On Mon, 16 Jan 2017 15:49:16 -0800, tonyc wrote:
> On Tue, 06 Dec 2016 09:18:27 -0800, davem wrote:
> > This fix looks good to me. An attacker would have to be in a position
> > where pack('W') can be called with a very large arg, which is
> > probably fairly unlikely. (But stranger things have been known).
> >
> > I think the fix should be pushed to blead.
>
> I've made the ticket public and pushed the patch as
> bf4a926a29374161655548b149d1cb37300bcc05.
>
> Tony

Your patch is failing on 32 bit windows. Your skip() has no SKIP: in the patch.

--------------------------------
ok 14713 # skip [perl #129149] need 64-bit for this test
Dubious, test returned 255 (wstat 65280, 0xff00)
All 14713 subtests passed
  (less 491 skipped subtests: 14222 okay)

Test Summary Report
-------------------
op/pack.t (Wstat: 65280 Tests: 14713 Failed: 0)
  Non-zero exit status: 255
Files=1, Tests=14713,  5 wallclock secs ( 1.28 usr +  0.11 sys =  1.39 CPU)
Result: FAIL
-------------------------------
Label not found for "last SKIP" at ./test.pl line 518.
-------------------------------

--
bulk88 ~ bulk88 at hotmail.com
From: Tony Cook <tony [...] develop-help.com>
To: bulk88 via RT <perlbug-followup [...] perl.org>
Date: Tue, 17 Jan 2017 15:58:29 +1100
Subject: Re: [perl #129149] heap-buffer-overflow S_pack_Rec pp_pack.c:3108
CC: perl5-porters [...] perl.org
On Mon, Jan 16, 2017 at 08:15:39PM -0800, bulk88 via RT wrote:
> On Mon, 16 Jan 2017 15:49:16 -0800, tonyc wrote:
> > On Tue, 06 Dec 2016 09:18:27 -0800, davem wrote:
> > > This fix looks good to me. An attacker would have to be in a position
> > > where pack('W') can be called with a very large arg, which is
> > > probably fairly unlikely. (But stranger things have been known).
> > >
> > > I think the fix should be pushed to blead.
> >
> > I've made the ticket public and pushed the patch as
> > bf4a926a29374161655548b149d1cb37300bcc05.
> >
> > Tony
>
> Your patch is failing on 32 bit windows. Your skip() has no SKIP: in the patch.
> --------------------------------
> ok 14713 # skip [perl #129149] need 64-bit for this test
> Dubious, test returned 255 (wstat 65280, 0xff00)
> All 14713 subtests passed
>   (less 491 skipped subtests: 14222 okay)
>
> Test Summary Report
> -------------------
> op/pack.t (Wstat: 65280 Tests: 14713 Failed: 0)
>   Non-zero exit status: 255
> Files=1, Tests=14713,  5 wallclock secs ( 1.28 usr +  0.11 sys =  1.39 CPU)
> Result: FAIL
> -------------------------------
> Label not found for "last SKIP" at ./test.pl line 518.
> -------------------------------

Thanks, fixed in 30be69c851a7fa7e29d85c9b6e070273df82f3e7.

Tony
RT-Send-CC: perl5-porters [...] perl.org
On Wed, 07 Sep 2016 17:44:54 -0700, tonyc wrote:
> On Sat Sep 03 07:47:23 2016, dcollinsn@gmail.com wrote:
> > Apologies if this is a dupe. This appears to be a legitimate bug in
> > pack, which may be security-related. It doesn't use the 'p' or 'P'
> > types - it's stuffing 0xFFFFFFFFFFFFFFFF into a char type, and in the
> > process, it gets a libc panic.
> >
> > perl -e 'pack SWFW, 0,0,0,-1'
> ...
> > ==20524== Invalid write of size 1
> > ==20524==    at 0x786A1E: S_pack_rec (pp_pack.c:3108)
> > ==20524==    by 0x7871EE: Perl_packlist (pp_pack.c:1971)
> > ==20524==    by 0x7871EE: Perl_pp_pack (pp_pack.c:3131)
> > ==20524==    by 0x5C9E42: Perl_runops_standard (run.c:41)
> > ==20524==    by 0x47BFFE: S_run_body (perl.c:2525)
> > ==20524==    by 0x47BFFE: perl_run (perl.c:2448)
> > ==20524==    by 0x41FCDE: main (perlmain.c:123)
>
> This looks like the same bug as security ticket 129149, which I posted
> the attached patch for.

Which has been fixed and your case no longer fails.

Merged your 129187 into 129149 (which is public.)

Tony
RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
On Mon, 16 Jan 2017 15:58:07 -0800, tonyc wrote:
> On Sat, 14 Jan 2017 10:29:27 -0800, randir wrote:
> > While fuzzing perl v5.25.8-207-gcbe2fc5001 built with afl and run
> > under libdislocator, I found the following program
> >
> > pack"Z*WWW",1.01E50,0,0,1E20
> >
> > to perform an access outside of an allocated memory slot. ASAN
> > diagnostics are:
> >
> > % ./perl /tmp/0001
> > Use of code point 0xFFFFFFFFFFFFFFFF is deprecated; the permissible
> > max is 0x7FFFFFFFFFFFFFFF at /tmp/0001 line 1.
> > =================================================================
> > ==4814==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > 0x60300000e6f8 at pc 0x000000d43b9e bp 0x7ffe105ea450 sp
> > 0x7ffe105ea448
> > WRITE of size 1 at 0x60300000e6f8 thread T0
> >     #0 0xd43b9d in S_pack_rec /home/afl/perl-git/pp_pack.c:3114:7
> >     #1 0xd17c1d in Perl_packlist /home/afl/perl-git/pp_pack.c:1977:11
> >     #2 0xd44a2a in Perl_pp_pack /home/afl/perl-git/pp_pack.c:3137:5
> >     #3 0x847e31 in Perl_runops_debug /home/afl/perl-git/dump.c:2260:23
> >     #4 0x5f02c5 in S_run_body /home/afl/perl-git/perl.c:2528:2
> >     #5 0x5f02c5 in perl_run /home/afl/perl-git/perl.c:2451
> >     #6 0x522402 in main /home/afl/perl-git/perlmain.c:123:9
> >     #7 0x7fefe22922b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
> >     #8 0x43ace9 in _start (/home/afl/perl-git/perl+0x43ace9)
> >
> > 0x60300000e6f8 is located 0 bytes to the right of 24-byte region
> > [0x60300000e6e0,0x60300000e6f8)
> > allocated by thread T0 here:
> >     #0 0x4eaa10 in realloc (/home/afl/perl-git/perl+0x4eaa10)
> >     #1 0x84ca66 in Perl_safesysrealloc /home/afl/perl-git/util.c:274:18
>
> This looks like a duplicate of #129149 and my patch for that prevents
> the crash.

No dissent, so merging into the (closed) 129149.

Tony
Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been resolved. Perl 5.26.0 may be downloaded via:

https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.