Skip Menu |
Report information
Id: 130262
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
randir <sergey.aleynikov [at] gmail.com>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)

Attachments
0001-perl-130262-split-scalar-context-stack-overflow-fix.patch



Subject: heap-buffer-overflow Perl_pp_split (pp.c:6145)
From: "Brian 'geeknik' Carpenter" <brian.carpenter [...] gmail.com>
To: security [...] perl.org
Date: Sun, 4 Dec 2016 15:55:05 -0600
Download (untitled) / with headers
text/plain 2.5k
Triggered with Perl v5.25.7-26-g7332835.

./perl -e 'map{int"";split//.0>60for"0000000000000000"}split// for"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"'
=================================================================
==8844==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001dfa8 at pc 0x000000a1e147 bp 0x7ffdd386dc50 sp 0x7ffdd386dc48
WRITE of size 8 at 0x61d00001dfa8 thread T0
    #0 0xa1e146 in Perl_pp_split /root/perl/pp.c:6145:5
    #1 0x7f63bb in Perl_runops_debug /root/perl/dump.c:2260:23
    #2 0x5a06c3 in S_run_body /root/perl/perl.c:2526:2
    #3 0x5a06c3 in perl_run /root/perl/perl.c:2449
    #4 0x4de6cd in main /root/perl/perlmain.c:123:9
    #5 0x7f37e05a4b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
    #6 0x4de33c in _start (/root/perl/perl+0x4de33c)

0x61d00001dfa8 is located 0 bytes to the right of 2344-byte region [0x61d00001d680,0x61d00001dfa8)
allocated by thread T0 here:
    #0 0x4c0fae in realloc (/root/perl/perl+0x4c0fae)
    #1 0x7fa916 in Perl_safesysrealloc /root/perl/util.c:274:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/pp.c:6145 Perl_pp_split
Shadow bytes around the buggy address:
  0x0c3a7fffbba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbbb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffbbf0: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbc10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbc30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbc40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==8844==ABORTING
RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
Download (untitled) / with headers
text/plain 1.4k
On Sun, 04 Dec 2016 13:56:12 -0800, brian.carpenter@gmail.com wrote: Show quoted text
> Triggered with Perl v5.25.7-26-g7332835. > > ./perl -e 'map{int"";split//.0>60for"0000000000000000"}split// > for"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"'
From valgrind: ==26813== Invalid write of size 8 ==26813== at 0x64602D: Perl_pp_split (pp.c:6145) ==26813== by 0x556DAA: Perl_runops_debug (dump.c:2260) ==26813== by 0x460EB1: S_run_body (perl.c:2526) ==26813== by 0x460494: perl_run (perl.c:2449) ==26813== by 0x41EFDD: main (perlmain.c:123) ==26813== Address 0x5f86b88 is 0 bytes after a block of size 2,344 alloc'd ==26813== at 0x4C2AF2E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==26813== by 0x5586EE: Perl_safesysrealloc (util.c:274) ==26813== by 0x59A2AF: Perl_av_extend_guts (av.c:163) ==26813== by 0x599FDB: Perl_av_extend (av.c:80) ==26813== by 0x64AE56: Perl_stack_grow (scope.c:57) ==26813== by 0x644D6E: Perl_pp_split (pp.c:5913) ==26813== by 0x556DAA: Perl_runops_debug (dump.c:2260) ==26813== by 0x460EB1: S_run_body (perl.c:2526) ==26813== by 0x460494: perl_run (perl.c:2449) ==26813== by 0x41EFDD: main (perlmain.c:123) This is a stack overflow from the final: PUSHi(iters); in pp_split. An attacker has no control over the value stored, and it's always stored at the end of the stack. I don't believe this is a security issue. Fixed by the attached. Tony
Subject: 0001-perl-130262-split-scalar-context-stack-overflow-fix.patch
From 071b4693c6bfb5496be82ae23e136b7f58c7e86d Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Mon, 5 Dec 2016 11:48:14 +1100 Subject: (perl #130262) split scalar context stack overflow fix pp_split didn't ensure there was space for its return value in scalar context. --- pp.c | 2 +- t/op/split.t | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/pp.c b/pp.c index b198b47..737111a 100644 --- a/pp.c +++ b/pp.c @@ -6142,7 +6142,7 @@ PP(pp_split) } GETTARGET; - PUSHi(iters); + XPUSHi(iters); RETURN; } diff --git a/t/op/split.t b/t/op/split.t index ceaea00..6d1ed25 100644 --- a/t/op/split.t +++ b/t/op/split.t @@ -7,7 +7,7 @@ BEGIN { set_up_inc('../lib'); } -plan tests => 161; +plan tests => 162; $FS = ':'; @@ -621,3 +621,7 @@ is "@a", '1 2 3', 'assignment to split-to-array (stacked)'; ok eval { $a[0] = 'a'; 1; }, "array split filling AvARRAY: assign 0"; is "@a", "a b", "array split filling AvARRAY: result"; } + +fresh_perl_is(<<'CODE', '', {}, "scalar split stack overflow"); +map{int"";split//.0>60for"0000000000000000"}split// for"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" +CODE -- 2.1.4
Subject: heap-buffer-overflow in Perl_pp_split
Date: Sun, 15 Jan 2017 01:01:28 +0300
To: perl5-security-report [...] perl.org
From: Sergey Aleynikov <sergey.aleynikov [...] gmail.com>
Download (untitled) / with headers
text/plain 5.9k
This is a bug report for perl from sergey.aleynikov@gmail.com, generated with the help of perlbug 1.40 running under perl 5.25.9. ----------------------------------------------------------------- [Please describe your issue here] While fuzzing perl v5.25.8-207-gcbe2fc5001 built with afl and run under libdislocator, I found the following program @0=s//000000000000000000000000000000000000000000000000000000000000000000000000000000000\000000000000000000000000000000000000000000000000000000000000f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f00000000000000000000000000000000000000000000000000000000000000000000000/; s//$_"f0/g; split /f/; to perform an access outside of an allocated memory slot. ASAN diagnostics are: % ./perl /tmp/0002 ================================================================= ==18293==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62400000bed8 at pc 0x000000a93240 bp 0x7fff8c21d070 sp 0x7fff8c21d068 WRITE of size 8 at 0x62400000bed8 thread T0 #0 0xa9323f in Perl_pp_split /home/afl/perl-git/pp.c:6145:5 #1 0x847e81 in Perl_runops_debug /home/afl/perl-git/dump.c:2260:23 #2 0x5f0305 in S_run_body /home/afl/perl-git/perl.c:2528:2 #3 0x5f0305 in perl_run /home/afl/perl-git/perl.c:2451 #4 0x522402 in main /home/afl/perl-git/perlmain.c:123:9 #5 0x7ff27fcd02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) #6 0x43ace9 in _start (/home/afl/perl-git/perl+0x43ace9) 0x62400000bed8 is located 0 bytes to the right of 7640-byte region [0x62400000a100,0x62400000bed8) allocated by thread T0 here: #0 0x4eaa10 in realloc (/home/afl/perl-git/perl+0x4eaa10) #1 0x84cab6 in Perl_safesysrealloc /home/afl/perl-git/util.c:274:18 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/afl/perl-git/pp.c:6145:5 in Perl_pp_split GDB reports the following program state: (gdb) bt #0 0x00007f165a096d39 in Perl_pp_split () at pp.c:6145 #1 0x00007f1659f99b57 in Perl_runops_debug () at dump.c:2260 #2 0x00007f1659e940fd in S_run_body (oldscope=1) at perl.c:2528 #3 0x00007f1659e9367b in perl_run (my_perl=0x7f165a47afff) at perl.c:2451 #4 0x00007f1659e4ed3e in main (argc=2, argv=0x7fffd50da758, env=0x7fffd50da770) at perlmain.c:123 (gdb) f 0 #0 0x00007f165a096d39 in Perl_pp_split () at pp.c:6145 6145 PUSHi(iters); (gdb) info locals sp = 0x7f1657c50000 targ = 0x7f1658859fb8 ary = 0x0 limit = 100497 __PRETTY_FUNCTION__ = "Perl_pp_split" sv = 0x7f1658859f70 len = 1 s = 0x7f165821a25e "0" do_utf8 = false strend = 0x7f165821a25f "" pm = 0x7f165854ef50 rx = 0x7f1658859f28 dstr = 0x7f1657af48f8 m = 0x7f165821a25f "" iters = 954 slen = 101439 maxiters = 101449 trailing_empty = 0 orig = 0x7f1658201620 '0' <repeats 81 times> origlimit = 0 realarray = 0 base = 0 gimme = 1 '\001' gimme_scalar = false oldsave = 0 make_mortal = 524288 multiline = false mg = 0x0 [Please do not change anything below this line] ----------------------------------------------------------------- --- Flags: category=core severity=high --- Site configuration information for perl 5.25.9: Configured by root at Sat Jan 14 02:25:05 MSK 2017. Summary of my perl5 (revision 5 version 25 subversion 9) configuration: Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0 Platform: osname=linux osvers=3.16.0-4-amd64 archname=x86_64-linux uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 gnulinux ' config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3' hint=recommended useposix=true d_sigaction=define useithreads=undef usemultiplicity=undef use64bitint=define use64bitall=define uselongdouble=undef usemymalloc=n bincompat5005=undef Compiler: cc='afl-clang-fast' ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2' optimize='-O0 -g -ggdb3' cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include' ccversion='' gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)' gccosandvers='' intsize=4 longsize=8 ptrsize=8 doublesize=8 byteorder=12345678 doublekind=3 d_longlong=define longlongsize=8 d_longdbl=define longdblsize=16 longdblkind=3 ivtype='long' ivsize=8 nvtype='double' nvsize=8 Off_t='off_t' lseeksize=8 alignbytes=8 prototype=define Linker and Libraries: ld='afl-clang-fast' ldflags =' -fstack-protector-strong -L/usr/local/lib' libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc libc=libc-2.24.so so=so useshrplib=false libperl=libperl.a gnulibc_version='2.24' Dynamic Linking: dlsrc=dl_dlopen.xs dlext=so d_dlsymun=undef ccdlflags='-Wl,-E' cccdlflags='-fPIC' lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong' --- @INC for perl 5.25.9: lib /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux /usr/local/lib/perl5/site_perl/5.25.9 /usr/local/lib/perl5/5.25.9/x86_64-linux /usr/local/lib/perl5/5.25.9 --- Environment for perl 5.25.9: HOME=/home/afl LANG=en_US.UTF-8 LANGUAGE=en_US:en LD_LIBRARY_PATH (unset) LOGDIR (unset) PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games PERLBREW_BASHRC_VERSION=0.78 PERLBREW_HOME=/home/afl/.perlbrew PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin PERLBREW_PERL=perl-5.22.1 PERLBREW_ROOT=/home/afl/perlbrew PERLBREW_VERSION=0.78 PERL_BADLANG (unset) SHELL=/usr/bin/zsh
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 1.7k
On Sun, 04 Dec 2016 16:58:42 -0800, tonyc wrote: Show quoted text
> On Sun, 04 Dec 2016 13:56:12 -0800, brian.carpenter@gmail.com wrote:
> > Triggered with Perl v5.25.7-26-g7332835. > > > > ./perl -e 'map{int"";split//.0>60for"0000000000000000"}split// > > for"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"'
> > From valgrind: > > ==26813== Invalid write of size 8 > ==26813== at 0x64602D: Perl_pp_split (pp.c:6145) > ==26813== by 0x556DAA: Perl_runops_debug (dump.c:2260) > ==26813== by 0x460EB1: S_run_body (perl.c:2526) > ==26813== by 0x460494: perl_run (perl.c:2449) > ==26813== by 0x41EFDD: main (perlmain.c:123) > ==26813== Address 0x5f86b88 is 0 bytes after a block of size 2,344 > alloc'd > ==26813== at 0x4C2AF2E: realloc (in > /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) > ==26813== by 0x5586EE: Perl_safesysrealloc (util.c:274) > ==26813== by 0x59A2AF: Perl_av_extend_guts (av.c:163) > ==26813== by 0x599FDB: Perl_av_extend (av.c:80) > ==26813== by 0x64AE56: Perl_stack_grow (scope.c:57) > ==26813== by 0x644D6E: Perl_pp_split (pp.c:5913) > ==26813== by 0x556DAA: Perl_runops_debug (dump.c:2260) > ==26813== by 0x460EB1: S_run_body (perl.c:2526) > ==26813== by 0x460494: perl_run (perl.c:2449) > ==26813== by 0x41EFDD: main (perlmain.c:123) > > This is a stack overflow from the final: > > PUSHi(iters); > > in pp_split. > > An attacker has no control over the value stored, and it's always > stored > at the end of the stack. I don't believe this is a security issue.
No comments, so treating as a non-security issue, and moved to the perl5 queue. Show quoted text
> Fixed by the attached.
Applied as 02c161ef974f8f1efbb5632f741c1164adb6ca75 (with some noise). Tony
RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
Download (untitled) / with headers
text/plain 803b
On Sat, 14 Jan 2017 14:02:01 -0800, randir wrote: Show quoted text
> [Please describe your issue here] > > While fuzzing perl v5.25.8-207-gcbe2fc5001 built with afl and run > under libdislocator, I found the following program > > @0=s//000000000000000000000000000000000000000000000000000000000000000000000000000000000\000000000000000000000000000000000000000000000000000000000000f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f00000000000000000000000000000000000000000000000000000000000000000000000/; > s//$_"f0/g; > split /f/; > > to perform an access outside of an allocated memory slot. ASAN > diagnostics are:
This looks like a duplicate of #130262, and my fix from that seems to fix this issue. As with that I don't think this is a security issue. Tony
RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
Download (untitled) / with headers
text/plain 920b
On Sun, 15 Jan 2017 21:40:27 -0800, tonyc wrote: Show quoted text
> On Sat, 14 Jan 2017 14:02:01 -0800, randir wrote:
> > [Please describe your issue here] > > > > While fuzzing perl v5.25.8-207-gcbe2fc5001 built with afl and run > > under libdislocator, I found the following program > > > > @0=s//000000000000000000000000000000000000000000000000000000000000000000000000000000000\000000000000000000000000000000000000000000000000000000000000f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f00000000000000000000000000000000000000000000000000000000000000000000000/; > > s//$_"f0/g; > > split /f/; > > > > to perform an access outside of an allocated memory slot. ASAN > > diagnostics are:
> > This looks like a duplicate of #130262, and my fix from that seems to > fix this issue. > > As with that I don't think this is a security issue.
No dissent, so merging into 130262. Tony
Download (untitled) / with headers
text/plain 313b
Thank you for filing this report. You have helped make Perl better. With the release today of Perl 5.26.0, this and 210 other issues have been resolved. Perl 5.26.0 may be downloaded via: https://metacpan.org/release/XSAWYERX/perl-5.26.0 If you find that the problem persists, feel free to reopen this ticket.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org