Report information
Id: 131537
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: tadinhsung [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



From: Ta Sung <tadinhsung [...] gmail.com>
Date: Thu, 8 Jun 2017 21:25:11 +0700
To: perl5-security-report [...] perl.org
Subject: stack overflow in Perl_push_scope ()
I have found a bug that triggered a stack-buffer-overflow. This bug affects perl v5.22.1.
Please find the POC attached below to check.
Some info about this bug from GDB and ASAN:
[GDB]
[----------------------------------registers-----------------------------------]
RAX: 0x2d ('-')
RBX: 0x0 
RCX: 0x2decfb0 --> 0x0 
RDX: 0x0 
RSI: 0x2d ('-')
RDI: 0xeb5b98 --> 0xeb40f8 --> 0x0 
RBP: 0x2e10b00 --> 0x2e1e430 --> 0xeb5c10 --> 0xea0ee0 --> 0x0 
RSP: 0x7fffff7fefd0 
RIP: 0x8ced88 (<Perl_push_scope+8>:     mov    QWORD PTR [rsp],rdx)
R8 : 0x0 
R9 : 0x2decfb0 --> 0x0 
R10: 0x0 
R11: 0x2e10b48 --> 0x2decfb0 --> 0x0 
R12: 0xeb5b98 --> 0xeb40f8 --> 0x0 
R13: 0x1 
R14: 0x2e10b30 --> 0x2e10b20 --> 0xff00000000 
R15: 0xeb5b98 --> 0xeb40f8 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8ced78 <Perl_cxinc+328>:   call   0x8ce900 <S_croak_memory_wrap>
   0x8ced7d:    nop    DWORD PTR [rax]
   0x8ced80 <Perl_push_scope>:  lea    rsp,[rsp-0x98]
=> 0x8ced88 <Perl_push_scope+8>:        mov    QWORD PTR [rsp],rdx
   0x8ced8c <Perl_push_scope+12>:       mov    QWORD PTR [rsp+0x8],rcx
   0x8ced91 <Perl_push_scope+17>:       mov    QWORD PTR [rsp+0x10],rax
   0x8ced96 <Perl_push_scope+22>:       mov    rcx,0x67e
   0x8ced9d <Perl_push_scope+29>:       call   0x8d95c0 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefd0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000008ced88 in Perl_push_scope () at scope.c:105

[ASAN]
    #246 0x5dc819  (/home/mipu94/fuzz/fuzzperl/perl-asan+0x5dc819)
    #247 0x5dbd29  (/home/mipu94/fuzz/fuzzperl/perl-asan+0x5dbd29)
    #248 0x5dca19  (/home/mipu94/fuzz/fuzzperl/perl-asan+0x5dca19)
    #249 0x5fc1ae  (/home/mipu94/fuzz/fuzzperl/perl-asan+0x5fc1ae)
    #250 0x548ee0  (/home/mipu94/fuzz/fuzzperl/perl-asan+0x548ee0)

SUMMARY: AddressSanitizer: stack-overflow (/home/mipu94/fuzz/fuzzperl/perl-asan+0x4b91b5) 
==24209==ABORTING


--
Ta Dinh Sung,

Attachment: poc (application/octet-stream, 120b). Message body not shown because it is not plain text.

To: perl5-security-report [...] perl.org
Subject: Re: [perl #131537] stack overflow in Perl_push_scope ()
From: Dave Mitchell <davem [...] iabyn.com>
Date: Fri, 9 Jun 2017 11:30:07 +0100
On Thu, Jun 08, 2017 at 07:26:11AM -0700, sung wrote:
> I have found a bug that triggered stack-buffer-overflow. this bug
> affect on perl v5.22.1.

This is one of a class of perl bugs which can cause the C stack to overflow. As well as your recursive DESTROY example, you can create similar effects with tied variable handlers, overload handlers etc.

I don't see that it's a security issue though.

--
Never work with children, animals, or actors.
RT-Send-CC: perl5-porters [...] perl.org
On Fri, 09 Jun 2017 03:30:56 -0700, davem wrote:
> On Thu, Jun 08, 2017 at 07:26:11AM -0700, sung wrote:
> > I have found a bug that triggered stack-buffer-overflow. this bug
> > affect on perl v5.22.1.
>
> This is one of a class of perl bugs which can cause the C stack to
> overflow. As well as your recursive DESTROY example, you can create
> similar effects with tied variable handlers, overload handlers etc.
>
> I don't see that it's a security issue though.

Yes, this isn't a security issue, and is now public. If we treat it as a bug, I'm not sure how we could fix it without breaking other things (eg. time of destruction might change.)

Tony

