Report information
Id: 131597
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: hongphi.pham95 [at] gmail.com
tadinhsung [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



Subject: NULL pointer reference in Perl_newRV()
To: perl5-security-report [...] perl.org
Date: Sun, 18 Jun 2017 22:36:39 +0700
From: Phi Phạm Hồng <hongphi.pham95 [...] gmail.com>
The following attached file triggers a SIGSEGV in Perl_newRV().
ASAN report:

ASAN:SIGSEGV
=================================================================
==12525==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004c06d0 bp 0x6210000c00a0 sp 0x7ffe6be89408 T0)
    #0 0x4c06cf  (/home/osboxes/Desktop/asan/perl5/perl+0x4c06cf)
    #1 0x439e94 in S_apply_attrs (/home/osboxes/Desktop/asan/perl5/perl+0x439e94)
    #2 0x43b0bf in S_my_kid (/home/osboxes/Desktop/asan/perl5/perl+0x43b0bf)
    #3 0x43b257 in Perl_my_attrs (/home/osboxes/Desktop/asan/perl5/perl+0x43b257)
    #4 0x46a157 in Perl_yyparse (/home/osboxes/Desktop/asan/perl5/perl+0x46a157)
    #5 0x442b04 in perl_parse (/home/osboxes/Desktop/asan/perl5/perl+0x442b04)
    #6 0x41fe1f in main (/home/osboxes/Desktop/asan/perl5/perl+0x41fe1f)
    #7 0x7fd279c2082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x41fee8 in _start (/home/osboxes/Desktop/asan/perl5/perl+0x41fee8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==12525==ABORTING

This is perl 5, version 27, subversion 1 (v5.27.1 (v5.27.0-324-g3aa3d69)) built for x86_64-linux
--
Phạm Hồng Phi
Attachment: crash.pl (text/x-perl, 222.7k). Message body is not shown because the sender requested not to inline it.

RT-Send-CC: perl5-porters [...] perl.org
On Sun, 18 Jun 2017 08:36:56 -0700, hongphi.pham95@gmail.com wrote:
> The following attached file triggers a SIGSEGV in Perl_newRV().
> ASAN report:
>
> ASAN:SIGSEGV
> =================================================================
> ==12525==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004c06d0 bp 0x6210000c00a0 sp 0x7ffe6be89408 T0)
>     #0 0x4c06cf  (/home/osboxes/Desktop/asan/perl5/perl+0x4c06cf)
>     #1 0x439e94 in S_apply_attrs (/home/osboxes/Desktop/asan/perl5/perl+0x439e94)
>     #2 0x43b0bf in S_my_kid (/home/osboxes/Desktop/asan/perl5/perl+0x43b0bf)
>     #3 0x43b257 in Perl_my_attrs (/home/osboxes/Desktop/asan/perl5/perl+0x43b257)
>     #4 0x46a157 in Perl_yyparse (/home/osboxes/Desktop/asan/perl5/perl+0x46a157)
>     #5 0x442b04 in perl_parse (/home/osboxes/Desktop/asan/perl5/perl+0x442b04)
>     #6 0x41fe1f in main (/home/osboxes/Desktop/asan/perl5/perl+0x41fe1f)
>     #7 0x7fd279c2082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #8 0x41fee8 in _start (/home/osboxes/Desktop/asan/perl5/perl+0x41fee8)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV ??:0 ??
> ==12525==ABORTING
>
> This is perl 5, version 27, subversion 1 (v5.27.1 (v5.27.0-324-g3aa3d69)) built for x86_64-linux
This simplifies to:

./perl -Ilib -e 'sub dummy; our $dummy : Dummy'

This isn't just a problem for scalars:

./perl -Ilib -e 'sub dummy; our @dummy : Dummy'
./perl -Ilib -e 'sub dummy; our %dummy : Dummy'

crash in the same way.

The crash occurs because the appropriate slot in the GV is NULL.

Since this requires feeding code to the interpreter this isn't a security issue and I've made it public.

The attachment prevents the crash, but I don't think it's fixing the base cause.

When the parser sees our $name it ends up calling S_pending_ident(), which calls gv_fetchsv() which should be initializing the given slot in the GV. This doesn't occur because of the change in 5e0caaeb from 2007:

commit 5e0caaeb4056614af54deb646e72147bdc6dcadc
Author: Nicholas Clark <nick@ccl4.org>
Date:   Mon Oct 22 20:19:55 2007 +0000

    SQL::Translator triggered a subtle piece of wrongness, whereby it managed to cause a proxy constant subroutine in the symbol table to be upgraded to a GV at precisely the point where it was being considered as a possible IO handle name. The core's user-space visible behaviour certainly was buggy - I believe this patch to be the correct fix. However, it seems to be very hard to write a test for it.

    p4raw-id: //depot/perl@32172

which is unfortunately untested.

This was discussed at: http://www.nntp.perl.org/group/perl.perl5.porters/2007/10/msg129324.html

Tony
Subject: 0001-perl-131597-ensure-the-GV-slot-is-filled-for-our-foo.patch
From de70114673a399afa93fce72868eba52c1381263 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Mon, 19 Jun 2017 14:59:53 +1000 Subject: (perl #131597) ensure the GV slot is filled for our [%$@]foo: attr --- op.c | 6 +++--- t/op/attrs.t | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/op.c b/op.c index 23e1640..fbffa38 100644 --- a/op.c +++ b/op.c @@ -3826,9 +3826,9 @@ S_my_kid(pTHX_ OP *o, OP *attrs, OP **imopsp) PL_parser->in_my = FALSE; PL_parser->in_my_stash = NULL; apply_attrs(GvSTASH(gv), - (type == OP_RV2SV ? GvSV(gv) : - type == OP_RV2AV ? MUTABLE_SV(GvAV(gv)) : - type == OP_RV2HV ? MUTABLE_SV(GvHV(gv)) : MUTABLE_SV(gv)), + (type == OP_RV2SV ? GvSVn(gv) : + type == OP_RV2AV ? MUTABLE_SV(GvAVn(gv)) : + type == OP_RV2HV ? MUTABLE_SV(GvHVn(gv)) : MUTABLE_SV(gv)), attrs); } o->op_private |= OPpOUR_INTRO; diff --git a/t/op/attrs.t b/t/op/attrs.t index 2514270..649525c 100644 --- a/t/op/attrs.t +++ b/t/op/attrs.t @@ -489,4 +489,22 @@ EOP is($out, '', 'RT #3605: $a ? my $var : my $othervar is perfectly valid syntax'); } +fresh_perl_is('sub dummy {} our $dummy : Dummy', <<EOS, {}, +Invalid SCALAR attribute: Dummy at - line 1. +BEGIN failed--compilation aborted at - line 1. +EOS + "attribute on our scalar with sub of same name"); + +fresh_perl_is('sub dummy {} our @dummy : Dummy', <<EOS, {}, +Invalid ARRAY attribute: Dummy at - line 1. +BEGIN failed--compilation aborted at - line 1. +EOS + "attribute on our array with sub of same name"); + +fresh_perl_is('sub dummy {} our %dummy : Dummy', <<EOS, {}, +Invalid HASH attribute: Dummy at - line 1. +BEGIN failed--compilation aborted at - line 1. +EOS + "attribute on our hash with sub of same name"); + done_testing(); -- 2.1.4
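Review bot: in the op.c hunk, swapping GvSV/GvAV/GvHV for GvSVn/GvAVn/GvHVn means apply_attrs() now receives a freshly vivified scalar, array or hash instead of the NULL slot that Perl_newRV later dereferences, but nothing in the hunk records why the slot can be NULL at this point; a one-line comment above the apply_attrs() call (for example "the GV may have been upgraded from a non-GV stash entry, so the slot may still be unfilled; see perl #131597") would stop a later cleanup from reverting to the plain accessors. The default `MUTABLE_SV(gv)` branch for other op types is untouched, which is fine.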
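Review bot: in the t/op/attrs.t hunk, all three fresh_perl_is cases declare the sub with a full body, `sub dummy {}`, whereas the reduction in the ticket uses the forward declaration `sub dummy;` and the 2007 commit being blamed concerns proxy constant subroutines; consider adding the `sub dummy;` form (and a constant sub created with use constant) so the regression test covers exactly the stash states that leave the GV slot unfilled. The expected output hard-codes `BEGIN failed--compilation aborted at - line 1.` after each `Invalid SCALAR/ARRAY/HASH attribute: Dummy` line, which is correct for an attribute error raised at compile time, so the test would also fail loudly if the message text ever changes.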
RT-Send-CC: perl5-porters [...] perl.org
On Sun, 18 Jun 2017 23:04:09 -0700, tonyc wrote:
> commit 5e0caaeb4056614af54deb646e72147bdc6dcadc
> Author: Nicholas Clark <nick@ccl4.org>
> Date: Mon Oct 22 20:19:55 2007 +0000
>
> SQL::Translator triggered a subtle piece of wrongness,
> ...
> which is unfortunately untested.

But I added a test for it later, in commit 71481574.

--
Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
On Mon, 19 Jun 2017 06:30:47 -0700, sprout wrote:
> On Sun, 18 Jun 2017 23:04:09 -0700, tonyc wrote:
> > commit 5e0caaeb4056614af54deb646e72147bdc6dcadc
> > Author: Nicholas Clark <nick@ccl4.org>
> > Date: Mon Oct 22 20:19:55 2007 +0000
> >
> > SQL::Translator triggered a subtle piece of wrongness,
> > ...
> > which is unfortunately untested.
>
> But I added a test for it later, in commit 71481574.

Thanks.

From testing and looking over the code I suspect my patch is the practical patch.

This means gv_fetchpvn_flags() isn't following its (undocumented) API - if the stash has a non-GV the slot indicated by svtype isn't being filled.

Tony
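An added regression check, not part of the ticket or the perl repository: it runs the three one-line reductions given above against an arbitrary perl binary (path passed as an argument) and classifies each run by exit status, so a build can be compared before and after the patch. The crash shows up as death by SIGSEGV, the fixed behaviour as an ordinary compile-time error (Invalid SCALAR attribute: Dummy ...).

```shell
#!/bin/sh
# Added example (not from the ticket): check whether a given perl binary is
# affected by perl #131597, i.e. whether `our [$@%]foo : attr` with a sub of
# the same name in scope crashes the parser instead of reporting the
# attribute error. The interpreter path is passed as the first argument.

# Run one snippet through the interpreter and print a classification:
#   crash          - process died from SIGSEGV (the bug)
#   signal-N       - died from some other signal N
#   compile-error  - exited non-zero normally (expected after the fix)
#   ok             - exited 0
run_snippet() {
    perl_bin=$1
    code=$2
    rc=0
    "$perl_bin" -e "$code" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -gt 128 ]; then
        # The shell reports a fatal signal as 128 + signal number; SIGSEGV is 11.
        sig=$((rc - 128))
        if [ "$sig" -eq 11 ]; then echo crash; else echo "signal-$sig"; fi
    elif [ "$rc" -ne 0 ]; then
        echo compile-error
    else
        echo ok
    fi
}

# The three reductions from the ticket, one per variable type.
# Returns 1 if any of them crashes the interpreter, 0 otherwise.
check_perl() {
    perl_bin=$1
    affected=0
    for sigil in '$' '@' '%'; do
        result=$(run_snippet "$perl_bin" "sub dummy; our ${sigil}dummy : Dummy")
        printf '%-28s %s\n' "our ${sigil}dummy : Dummy" "$result"
        if [ "$result" = crash ]; then affected=1; fi
    done
    return $affected
}

if [ $# -gt 0 ]; then
    check_perl "$1"
fi
```

Run as `sh check.sh ./perl` from a build tree (or with a path to an installed perl); a non-zero exit status means at least one of the three forms still crashes.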
From: Ta Sung <tadinhsung [...] gmail.com>
Date: Tue, 20 Jun 2017 15:11:37 +0700
To: perl5-security-report [...] perl.org
Subject: Unknown address reference in Perl_newRV()
I found a sample that's causing a crash; please check the file attached below.
This is perl 5, version 27, subversion 1 (v5.27.1 (v5.27.0-324-g3aa3d69)) built for x86_64-linux
Stopped reason: SIGSEGV
0x00000000004c2ae0 in Perl_newRV ()
gdb-peda$ where
#0  0x00000000004c2ae0 in Perl_newRV ()
#1  0x0000000000439f92 in S_apply_attrs ()
#2  0x000000000043b1de in S_my_kid ()
#3  0x000000000043b348 in Perl_my_attrs ()
#4  0x000000000046bc8f in Perl_yyparse ()
#5  0x0000000000442ccb in perl_parse ()
#6  0x0000000000420210 in main ()
#7  0x00007ffff6113830 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#8  0x00000000004202d9 in _start ()
gdb-peda$q
This is perl 5, version 26, subversion 0 (v5.26.0) built for x86_64-linux
Stopped reason: SIGSEGV
Perl_newRV (sv=sv@entry=0x0) at sv.c:9728
9728    sv.c: No such file or directory.
gdb-peda$ where
#0  Perl_newRV (sv=sv@entry=0x0) at sv.c:9728
#1  0x00000000004b215e in S_apply_attrs (stash=<optimized out>, target=0x0, attrs=attrs@entry=0xeb68a8) at op.c:3575
#2  0x00000000004b803b in S_my_kid (o=o@entry=0xeb68e8, attrs=attrs@entry=0xeb68a8, imopsp=imopsp@entry=0x7fffffffe090) at op.c:3828
#3  0x00000000004b9206 in Perl_my_attrs (o=0xeb68e8, attrs=0xeb68a8) at op.c:3897
#4  0x00000000005bd0a5 in Perl_yyparse (gramtype=gramtype@entry=0x102) at perly.y:1217
#5  0x00000000004e1229 in S_parse_body (xsinit=0x425c00 <xs_init>, env=0x0) at perl.c:2377
#6  perl_parse (my_perl=<optimized out>, xsinit=xsinit@entry=0x425c00 <xs_init>, argc=<optimized out>, argv=<optimized out>, env=env@entry=0x0) at perl.c:1692
#7  0x0000000000425818 in main (argc=0x2, argv=0x7fffffffe538, env=0x7fffffffe550) at perlmain.c:121
#8  0x00007ffff70cc830 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#9  0x0000000000425b29 in _start ()
gdb-peda$ q
-- 
Ta Dinh Sung,

Attachment: poc (application/octet-stream, 57b). Message body not shown because it is not plain text.

RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
On Tue, 20 Jun 2017 01:11:51 -0700, tadinhsung@gmail.com wrote:
> I found a sample that's causing a crash; please check the file attached
> below.

sub dummy { my $dummy : Dummy; } {our $dummy : Dummy; }

This is a duplicate of #131597, merging.

Tony
RT-Send-CC: perl5-porters [...] perl.org
On Mon, 19 Jun 2017 22:56:51 -0700, tonyc wrote:
> On Mon, 19 Jun 2017 06:30:47 -0700, sprout wrote:
> > On Sun, 18 Jun 2017 23:04:09 -0700, tonyc wrote:
> > > commit 5e0caaeb4056614af54deb646e72147bdc6dcadc
> > > Author: Nicholas Clark <nick@ccl4.org>
> > > Date: Mon Oct 22 20:19:55 2007 +0000
> > >
> > > SQL::Translator triggered a subtle piece of wrongness,
> > > ...
> > > which is unfortunately untested.
> >
> > But I added a test for it later, in commit 71481574.
>
> Thanks.
>
> From testing and looking over the code I suspect my patch is the
> practical patch.
>
> This means gv_fetchpvn_flags() isn't following its (undocumented) API
> - if the stash has a non-GV the slot indicated by svtype isn't being
> filled.

Applied as 6091bd4ca4a4a4c9b6f8cadddb53c19b96748a04.

Tony

