Report information
Id: 130936
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: mtowalski [at] pentest.net.pl
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



To: perl5-security-report [...] perl.org
From: Marcin Towalski <mtowalski [...] pentest.net.pl>
Subject: AddressSanitizer: SEGV on unknown address 0x618df5f5f678 in S_opmethod_stash
Date: Mon, 6 Mar 2017 17:22:51 +0100
Hello,

I've attached the poc and the asan log.
Tested on git version of perl.

Configure options:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared"

Information about configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.10
Release:        16.10
Codename:       yakkety
Arch:           x86_64

ps. last crash from this round of fuzzing

Best Regards,
Marcin T.
Attachment: SEGV-b40-108-c44 (application/octet-stream, 40b)

Subject: Re: [perl #130936] AddressSanitizer: SEGV on unknown address 0x618df5f5f678 in S_opmethod_stash
To: perl5-security-report [...] perl.org
CC: "bugs-bitbucket [...] rt.perl.org" <bugs-bitbucket [...] rt.perl.org>
Date: Mon, 6 Mar 2017 18:20:48 +0000
From: Aaron Crane <arc [...] cpan.org>
via RT <perl5-security-report@perl.org> wrote:
> I've attached the poc and the asan log.
Reduction:

$ ./miniperl -e 'goto X; meth {X:}'
Use of "goto" to jump into a construct is deprecated at -e line 1.
ASAN:SIGSEGV
=================================================================
==73698==ERROR: AddressSanitizer: SEGV on unknown address 0x618df5f6af78 (pc 0x000102b549ff bp 0x7fff5d49fe90 sp 0x7fff5d49fda0 T0)
    #0 0x102b549fe in S_opmethod_stash (miniperl+0x1003f59fe)
    #1 0x102b55fca in Perl_pp_method_named (miniperl+0x1003f6fca)
    #2 0x102b0f822 in Perl_runops_standard (miniperl+0x1003b0822)
    #3 0x10283eb69 in perl_run (miniperl+0x1000dfb69)
    #4 0x102f46c7f in main (miniperl+0x1007e7c7f)
    #5 0x7fff92f4a5fc in start (libdyld.dylib+0x35fc)
    #6 0x2 (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (miniperl+0x1003f59fe) in S_opmethod_stash
==73698==ABORTING
Abort trap: 6

Patch attached.

I think this isn't a security vulnerability, as it doesn't involve attacker-controlled data. I therefore propose it for application to blead before 5.26.0; Sawyer?

I believe that other uses of TOPMARK may have similar bugs. For example:

$ ./miniperl -e 'goto X; map { X: } ()'
Use of "goto" to jump into a construct is deprecated at -e line 1.
=================================================================
==93438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bf7c at pc 0x0001101addf8 bp 0x7fff4ffa8e40 sp 0x7fff4ffa8e38
READ of size 4 at 0x60c00000bf7c thread T0
    #0 0x1101addf7 in Perl_pp_mapwhile (miniperl+0x100557df7)
    #1 0x110006782 in Perl_runops_standard (miniperl+0x1003b0782)
    #2 0x10fd35ac9 in perl_run (miniperl+0x1000dfac9)
    #3 0x11043dc7f in main (miniperl+0x1007e7c7f)
    #4 0x7fff92f4a5fc in start (libdyld.dylib+0x35fc)
    #5 0x2 (<unknown module>)

0x60c00000bf7c is located 4 bytes to the left of 128-byte region [0x60c00000bf80,0x60c00000c000)
allocated by thread T0 here:
    #0 0x110626770 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib+0x46770)
    #1 0x10ff45d41 in Perl_safesysmalloc (miniperl+0x1002efd41)
    #2 0x10fd1b299 in perl_construct (miniperl+0x1000c5299)
    #3 0x11043dbcc in main (miniperl+0x1007e7bcc)
    #4 0x7fff92f4a5fc in start (libdyld.dylib+0x35fc)
    #5 0x2 (<unknown module>)

I'm not sure on how to fix that.

Or entersub, the prospect of hacking on which scares me even more:

$ ./miniperl -e 'sub f {} goto X; f(do { X: })'
Use of "goto" to jump into a construct is deprecated at -e line 1.
ASAN:SIGSEGV
=================================================================
==93645==ERROR: AddressSanitizer: SEGV on unknown address 0x618df5f6af78 (pc 0x000101dd7ce7 bp 0x7fff5e216ef0 sp 0x7fff5e216d80 T0)
    #0 0x101dd7ce6 in Perl_pp_entersub (miniperl+0x1003efce6)
    #1 0x101d98782 in Perl_runops_standard (miniperl+0x1003b0782)
    #2 0x101ac7ac9 in perl_run (miniperl+0x1000dfac9)
    #3 0x1021cfc7f in main (miniperl+0x1007e7c7f)
    #4 0x7fff92f4a5fc in start (libdyld.dylib+0x35fc)
    #5 0x2 (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (miniperl+0x1003efce6) in Perl_pp_entersub
==93645==ABORTING
Abort trap: 6

At the p5h we decided to remove goto-into-a-construct in the 5.27.x series, but it got reprieved after objections on the mailing list.

Perhaps we should reconsider its reprieval.

-- 
Aaron Crane ** http://aaroncrane.co.uk/


From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #130936] AddressSanitizer: SEGV on unknown address 0x618df5f5f678 in S_opmethod_stash
To: Aaron Crane <arc [...] cpan.org>
CC: perl5-security-report [...] perl.org, "bugs-bitbucket [...] rt.perl.org" <bugs-bitbucket [...] rt.perl.org>
Date: Fri, 17 Mar 2017 16:45:17 +0000
On Mon, Mar 06, 2017 at 06:20:48PM +0000, Aaron Crane wrote:
> via RT <perl5-security-report@perl.org> wrote:
> > I've attached the poc and the asan log.
> > Reduction:
> >
> > $ ./miniperl -e 'goto X; meth {X:}'
> > Use of "goto" to jump into a construct is deprecated at -e line 1.
> Patch attached.
Unless I'm misreading that, I don't think the patch really fixes the underlying issue: it checks whether there is a missing mark by seeing if the mark stack is empty. But there could be other marks on the stack, so you can't tell if just one happens to be missing.

> I think this isn't a security vulnerability, as it
> doesn't involve attacker-controlled data.

Agreed.

> I therefore propose it for
> application to blead before 5.26.0; Sawyer?

Given my reservations above, let's not!

> I believe that other uses of TOPMARK may have similar bugs. For example:
>
> $ ./miniperl -e 'goto X; map { X: } ()'
> Use of "goto" to jump into a construct is deprecated at -e line 1.

IIUC, what really needs to happen is for goto, whenever it notices that it's about to leap into a construct (i.e. where it would issue the deprecation warning), either to forbid the goto, or to completely set up the context, mark, save, scope stacks etc. to accurately fake up as if the construct had been successfully entered previously. I think this latter would be very hard in practice. Therefore...

> At the p5h we decided to remove goto-into-a-construct in the 5.27.x
> series, but it got reprieved after objections on the mailing list.

(In http://nntp.perl.org/group/perl.perl5.porters/242200)

> Perhaps we should reconsider its reprieval.

+1

I propose we move this ticket to the public queue for any further discussion.

-- 
My get-up-and-go just got up and went.
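To make the objection above concrete, here is an added toy model of an argument stack plus a mark stack; it is constructed for this page and is not perl's PL_stack/PL_markstack code, and every name in it (toy_interp, toy_pushmark, toy_popmark_argc, empty_stack_check_passes, the case_* functions) is hypothetical. It plays out two scenarios: a goto that skips the pushmark at top level, where an "is the mark stack empty?" check does fire, and the same skipped pushmark inside an enclosing call that already left a mark of its own, where the check passes and the inner op silently consumes the outer op's mark and arguments.

```c
#include <stdio.h>

#define MARK_STACK_MAX 16
#define ARG_STACK_MAX  64

/* Constructed toy interpreter state: an argument stack and a mark stack
 * recording where each pending call's arguments begin. Simplified model,
 * not perl's real implementation. */
typedef struct {
    int marks[MARK_STACK_MAX];
    int mark_top;             /* index of the innermost mark, -1 when empty */
    int args[ARG_STACK_MAX];
    int sp;                   /* number of values on the argument stack */
} toy_interp;

static void toy_init(toy_interp *t) { t->mark_top = -1; t->sp = 0; }

/* Stand-in for a pushmark op: remember the depth before arguments are pushed. */
static void toy_pushmark(toy_interp *t) { t->marks[++t->mark_top] = t->sp; }

static void toy_push(toy_interp *t, int v) { t->args[t->sp++] = v; }

/* The kind of check discussed above: refuse only when there is no mark at all. */
static int empty_stack_check_passes(const toy_interp *t) { return t->mark_top >= 0; }

/* A consuming op (method call, map, entersub) pops the innermost mark and
 * treats everything above it as its own arguments. Returns that count, or
 * -1 when no mark is present; in the real interpreter that situation is a
 * read below the mark stack, which is what ASan reported in this ticket. */
static int toy_popmark_argc(toy_interp *t) {
    if (t->mark_top < 0) return -1;
    int base = t->marks[t->mark_top--];
    return t->sp - base;
}

/* Case 1: top-level 'goto X; meth {X:}'. The jump skips the pushmark, the
 * mark stack is empty, and the empty-stack check does refuse. */
int case_toplevel_check_passes(void) {
    toy_interp t; toy_init(&t);
    return empty_stack_check_passes(&t);       /* 0 */
}

/* Case 2: the same skipped pushmark, but inside an enclosing call that has
 * already pushed a mark and two arguments of its own. */
typedef struct { int check_passed; int inner_argc; int outer_argc; } nested_result;

static nested_result run_nested(void) {
    nested_result r;
    toy_interp t; toy_init(&t);
    toy_pushmark(&t);                 /* outer call: mark at depth 0 */
    toy_push(&t, 10);
    toy_push(&t, 20);                 /* outer call's two arguments */
    /* goto lands inside the inner construct; its own pushmark never ran */
    r.check_passed = empty_stack_check_passes(&t);   /* 1: a mark exists, just not ours */
    r.inner_argc   = toy_popmark_argc(&t);           /* 2: inner op takes the outer mark */
    r.outer_argc   = toy_popmark_argc(&t);           /* -1: outer op then finds none */
    return r;
}

int case_nested_check_passes(void) { return run_nested().check_passed; }
int case_nested_inner_argc(void)   { return run_nested().inner_argc; }
int case_nested_outer_argc(void)   { return run_nested().outer_argc; }

int main(void) {
    nested_result r = run_nested();
    printf("top-level: empty-stack check passes = %d\n", case_toplevel_check_passes());
    printf("nested:    check passes = %d, inner argc = %d, outer argc = %d\n",
           r.check_passed, r.inner_argc, r.outer_argc);
    return 0;
}
```

The nested case is the one the empty-stack check cannot distinguish from a healthy state: the mark count is non-zero, so only a record of which construct pushed each mark (or refusing the jump altogether, as the thread concludes) would catch the mismatch.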
CC: perl5-security-report [...] perl.org, "bugs-bitbucket [...] rt.perl.org" <bugs-bitbucket [...] rt.perl.org>
Date: Fri, 17 Mar 2017 17:07:35 +0000
Subject: Re: [perl #130936] AddressSanitizer: SEGV on unknown address 0x618df5f5f678 in S_opmethod_stash
To: Dave Mitchell <davem [...] iabyn.com>
From: Aaron Crane <arc [...] cpan.org>
Dave Mitchell <davem@iabyn.com> wrote:
> On Mon, Mar 06, 2017 at 06:20:48PM +0000, Aaron Crane wrote:
>> $ ./miniperl -e 'goto X; meth {X:}'
>> Use of "goto" to jump into a construct is deprecated at -e line 1.
>
>> Patch attached.
>
> Unless I'm misreading that, I don't think the patch really fixes the
> underlying issue: it checks whether there is a missing mark by seeing if
> the mark stack is empty. But there could be other marks on the stack, so
> you can't tell if just one happens to be missing.

Ah. This is presumably where it becomes apparent that I don't fully understand the way this stuff works, and I'm just faking it :-)

>> I therefore propose it for
>> application to blead before 5.26.0; Sawyer?
>
> Given my reservations above, let's not!

OK. In the light of your concerns about the approach my patch takes, I suspect that any complete fix would be sufficiently invasive that it wouldn't be a candidate for a 5.26.x maint release.

>> At the p5h we decided to remove goto-into-a-construct in the 5.27.x
>> series, but it got reprieved after objections on the mailing list.
>
> (In http://nntp.perl.org/group/perl.perl5.porters/242200)
>
>> Perhaps we should reconsider its reprieval.
>
> +1
>
> I propose we move this ticket to the public queue for any further
> discussion.

Seconded.

-- 
Aaron Crane ** http://aaroncrane.co.uk/
CC: perl5-porters [...] perl.org
Date: Mon, 20 Mar 2017 10:36:07 +0000
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #130936] AddressSanitizer: SEGV on unknown address 0x618df5f5f678 in S_opmethod_stash
To: Aaron Crane <arc [...] cpan.org>
On Fri, Mar 17, 2017 at 05:07:35PM +0000, Aaron Crane wrote:
> Dave Mitchell <davem@iabyn.com> wrote:
> > On Mon, Mar 06, 2017 at 06:20:48PM +0000, Aaron Crane wrote:
> >> $ ./miniperl -e 'goto X; meth {X:}'
> >> Use of "goto" to jump into a construct is deprecated at -e line 1.
> >
> >> Patch attached.
> >
> > Unless I'm misreading that, I don't think the patch really fixes the
> > underlying issue: it checks whether there is a missing mark by seeing if
> > the mark stack is empty. But there could be other marks on the stack, so
> > you can't tell if just one happens to be missing.
>
> Ah. This is presumably where it becomes apparent that I don't fully
> understand the way this stuff works, and I'm just faking it :-)
>
> >> I therefore propose it for
> >> application to blead before 5.26.0; Sawyer?
> >
> > Given my reservations above, let's not!
>
> OK. In the light of your concerns about the approach my patch takes, I
> suspect that any complete fix would be sufficiently invasive that it
> wouldn't be a candidate for a 5.26.x maint release.
>
> >> At the p5h we decided to remove goto-into-a-construct in the 5.27.x
> >> series, but it got reprieved after objections on the mailing list.
> >
> > (In http://nntp.perl.org/group/perl.perl5.porters/242200)
> >
> >> Perhaps we should reconsider its reprieval.
> >
> > +1
> >
> > I propose we move this ticket to the public queue for any further
> > discussion.
>
> Seconded.

Now moved.

-- 
My get-up-and-go just got up and went.
RT-Send-CC: perl5-porters [...] perl.org
Fixed in 6d90e9838414. The cases that would crash are now forbidden.

-- 
Father Chrysostomos

