Report information
Id: 131526
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



Subject: heap-buffer-overflow (READ of size 1) in Perl_my_atof2()
To: perlbug [...] perl.org
From: Brian Carpenter <brian.carpenter [...] gmail.com>
Date: Wed, 7 Jun 2017 02:59:03 -0500
Triggered with v5.27.0-97-gd555ed0, compiled with afl-clang-fast on Debian 8 x64.

==11137==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e87a at pc 0x10cfcad bp 0x7ffff61acd30 sp 0x7ffff61acd28
READ of size 1 at 0x60300000e87a thread T0
    #0 0x10cfcac in Perl_my_atof2 /root/perl/numeric.c:1490
    #1 0x10d08e1 in Perl_my_atof /root/perl/numeric.c:1244
    #2 0xb01bf4 in S_sv_setnv /root/perl/sv.c:2111
    #3 0xbc07a9 in S_sv_2iuv_common /root/perl/sv.c:2313
    #4 0xbc7b77 in Perl_sv_2iv_flags /root/perl/sv.c:2506
    #5 0xc98ec0 in Perl_pp_subtract /root/perl/pp.c:1950
    #6 0x926e76 in Perl_runops_debug /root/perl/dump.c:2451
    #7 0x59f02a in S_run_body /root/perl/perl.c:2543
    #8 0x59f02a in perl_run /root/perl/perl.c:2471
    #9 0x43506d in main /root/perl/perlmain.c:123
    #10 0x7f5015730b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #11 0x436015 (/root/perl/perl+0x436015)

0x60300000e87a is located 0 bytes to the right of 26-byte region [0x60300000e860,0x60300000e87a)
allocated by thread T0 here:
    #0 0x7f50168829f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
    #1 0x96d481 in Perl_safesysrealloc /root/perl/util.c:274

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/numeric.c:1490 Perl_my_atof2

Attachment: test39.pl (text/x-perl, 31b)

RT-Send-CC: perl5-porters [...] perl.org
On Wed, 07 Jun 2017 00:59:50 -0700, brian.carpenter@gmail.com wrote:
This tries to read from a file; using the script as its own input worked for me.

This is caused by this code:

    else if (!seen_dp && GROK_NUMERIC_RADIX(&s, send)) {
        seen_dp = 1;
        if (sig_digits > MAX_SIG_DIGITS) {
            do {
                ++s;
            } while (isDIGIT(*s));
            break;
        }
    }

GROK_NUMERIC_RADIX() increments s past the decimal point, which is at the end of string in this case, so the following ++s steps past the NUL.

I have a fix testing now.

Tony
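To make the failure mode concrete, here is an added C model of the loop described above (constructed for this page, not code from Perl's numeric.c or from the fix): `skip_frac_unchecked` increments before it tests, like the reported code, while `skip_frac_checked` bounds the scan by `send`; the helper names and the `probe` harness, which copies the input into a zero-padded buffer so the demonstration itself stays in bounds, are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reported pattern: advance first, look second. When the radix point was the
 * last character, s already equals send (the NUL), so the first ++s lands one
 * byte past the terminator before anything is checked. */
static const char *skip_frac_unchecked(const char *s)
{
    do { ++s; } while (isdigit((unsigned char)*s));
    return s;
}

/* Hardened pattern: test s < send before every dereference and advance. */
static const char *skip_frac_checked(const char *s, const char *send)
{
    while (s < send && isdigit((unsigned char)*s)) ++s;
    return s;
}

/* Models the integer part, GROK_NUMERIC_RADIX consuming the '.', and the
 * digit skip. Returns how many bytes past send the scan stopped at;
 * a positive value is an over-read. */
ptrdiff_t overread_after_radix(const char *buf, size_t len, int checked)
{
    const char *s = buf, *send = buf + len;
    while (s < send && isdigit((unsigned char)*s)) ++s;
    if (!(s < send && *s == '.')) return 0;
    ++s;                                   /* radix consumed, s may == send */
    const char *end = checked ? skip_frac_checked(s, send)
                              : skip_frac_unchecked(s);
    return end - send;
}

/* Constructed input sits in a zero-filled 32-byte buffer so the unchecked
 * variant's extra read hits padding instead of unallocated memory. */
ptrdiff_t probe(const char *text, int checked)
{
    char buf[32];
    memset(buf, 0, sizeof buf);
    strncpy(buf, text, sizeof buf - 2);
    return overread_after_radix(buf, strlen(buf), checked);
}

int main(void)
{
    printf("\"1.\" unchecked: %td byte(s) past end\n", probe("1.", 0));
    printf("\"1.\" checked:   %td byte(s) past end\n", probe("1.", 1));
    return 0;
}
```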
RT-Send-CC: perl5-porters [...] perl.org
On Mon, 12 Jun 2017 23:30:52 -0700, tonyc wrote:
Fixed in 9604fbf0722bd97ca6031a263c50ad52b6633db7.

Tony

