Report information
Id: 131836
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: gy741.kim [at] gmail.com
sraums2498 [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



Date: Fri, 4 Aug 2017 18:37:21 +0900
To: perl5-security-report [...] perl.org
Subject: heap-buffer-overflow in Perl_yylex
From: GwanYeong Kim <gy741.kim [...] gmail.com>

Hi.

I found a heap-buffer-overflow bug in perl.

Please confirm.

Thanks.

Version: This is perl 5, version 27, subversion 2 (v5.27.2) built for i686-linux
OS: Ubuntu 16.04.2 32bit
Steps to reproduce:
 1. Download the PoC files.
 2. Compile the source code with ASan.
 3. Execute the following command: ./perl $PoC
```
=================================================================
==22689==ERROR: AddressSanitizer: heap-use-after-free on address 0xb5101102 at pc 0x082b8557 bp 0xbfefdf68 sp 0xbfefdf5c
READ of size 1 at 0xb5101102 thread T0
    #0 0x82b8556 in Perl_yylex /root/karas/perl5-blead/toke.c:5137:13
    #1 0x835df10 in Perl_yyparse /root/karas/perl5-blead/perly.c:340:34
    #2 0x8232350 in S_parse_body /root/karas/perl5-blead/perl.c:2401:9
    #3 0x82285e3 in perl_parse /root/karas/perl5-blead/perl.c:1719:2
    #4 0x81494a6 in main /root/karas/perl5-blead/perlmain.c:121:18
    #5 0xb7547636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x8075847 in _start (/root/karas/perl5-blead/perl+0x8075847)

0xb5101102 is located 2 bytes inside of 64-byte region [0xb5101100,0xb5101140)
freed by thread T0 here:
    #0 0x8119ef4 in realloc (/root/karas/perl5-blead/perl+0x8119ef4)
    #1 0x84e3394 in Perl_safesysrealloc /root/karas/perl5-blead/util.c:274:18

previously allocated by thread T0 here:
    #0 0x8119ef4 in realloc (/root/karas/perl5-blead/perl+0x8119ef4)
    #1 0x84e3394 in Perl_safesysrealloc /root/karas/perl5-blead/util.c:274:18

SUMMARY: AddressSanitizer: heap-use-after-free /root/karas/perl5-blead/toke.c:5137:13 in Perl_yylex
==22689==ABORTING
```

Attachment: 000004_perl_BoF_PoC_08_04 (application/octet-stream, 61b)

RT-Send-CC: perl5-porters [...] perl.org
On Fri, 04 Aug 2017 02:37:31 -0700, gy741.kim@gmail.com wrote:
> Hi.
>
> I found a heap-buffer-overflow bug in perl.
>
> Please confirm.

This is a use-after-free, not a buffer overflow. Since it requires feeding code to the interpreter it isn't a security issue, so I've made it public.
The attached fixes it for me.

Tony
Subject: 0001-perl-131836-avoid-a-use-after-free-after-parsing-a-s.patch
From 6948dbaeb631c130a55bfa98b08908759a4d4201 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Mon, 7 Aug 2017 11:27:50 +1000 Subject: [PATCH] (perl #131836) avoid a use-after-free after parsing a "sub" keyword The: d = skipspace(d); can reallocate linestr in the test case, invalidating s. This would end up in PL_bufptr from the embedded (PL_bufptr = s) in the TOKEN() macro. Assigning s to PL_bufptr and restoring s from PL_bufptr allows lex_next_chunk() to adjust the pointer to the reallocated buffer. --- t/comp/parser_run.t | 10 +++++++++- toke.c | 2 ++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t index e74644d..6845a4b 100644 --- a/t/comp/parser_run.t +++ b/t/comp/parser_run.t @@ -10,7 +10,7 @@ BEGIN { } require './test.pl'; -plan(1); +plan(2); # [perl #130814] can reallocate lineptr while looking ahead for # "Missing $ on loop variable" diagnostic. @@ -24,5 +24,13 @@ syntax error at - line 3, near "foreach m0 Identifier too long at - line 3. EXPECT +fresh_perl_is(<<'EOS', <<'EXPECTED', {}, "use after free (#131836)"); +${sub#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +EOS +Missing right curly or square bracket at - line 1, at end of line +syntax error at - line 1, at EOF +Execution of - aborted due to compilation errors. +EXPECTED + __END__ # ex: set ts=8 sts=4 sw=4 et: diff --git a/toke.c b/toke.c index 6aa5f26..2261bb4 100644 --- a/toke.c +++ b/toke.c @@ -6200,8 +6200,10 @@ Perl_yylex(pTHX) break; } if (strEQs(s, "sub")) { + PL_bufptr = s; d = s + 3; d = skipspace(d); + s = PL_bufptr; if (*d == ':') { PL_expect = XTERM; break; -- 2.1.4
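Review bot: the two added lines in the toke.c hunk, `PL_bufptr = s;` before `d = skipspace(d);` and `s = PL_bufptr;` after it, read as a no-op to anyone who does not know that lex_next_chunk() rebases PL_bufptr when linestr is reallocated, so a one-line comment at that spot saying that s is parked in PL_bufptr so the refill can adjust it would keep the next person from "simplifying" them away. The same hazard applies to any other branch of this switch that keeps a raw `s` live across a skipspace() call; worth a look while the pattern is fresh.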
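Review bot: the new fresh_perl_is() case in the t/comp/parser_run.t hunk depends on the `#xxx...` comment after `${sub` being long enough that lex_read_space() has to pull in the next chunk and lex_next_chunk() reallocates linestr; nothing in the test says so, and a later tidy-up that shortens the comment would leave the test passing without exercising the fix. The preceding case in the same file carries a `# [perl #130814] can reallocate lineptr ...` comment explaining its trigger; give this one the equivalent, or build the comment with `'x' x N` and say why N.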
RT-Send-CC: perl5-porters [...] perl.org
On Sun, 06 Aug 2017 18:30:40 -0700, tonyc wrote:
> The attached fixes it for me.

Applied as 3b8804a4c2320ae4e7e713c5836d340eb210b6cd.

Tony
Subject: PERL-5.26.1 heap_use_after_free READ of size 1
From: SRAUMS JN <sraums2498 [...] gmail.com>
Date: Wed, 20 Dec 2017 13:41:06 +0530
To: perl5-security-report [...] perl.org
```
=================================================================
==51794==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200000b7d9 at pc 0x000000bba16c bp 0x7ffe275d8d10 sp 0x7ffe275d8d00
READ of size 1 at 0x61200000b7d9 thread T0
    #0 0xbba16b in Perl_yylex /home/asan_perl/Documents/perl-5.26.1/toke.c:5143
    #1 0xe7c7ec in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c:340
    #2 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2377
    #3 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c:1692
    #4 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:121
    #5 0x7fc3314ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

0x61200000b7d9 is located 153 bytes inside of 288-byte region [0x61200000b740,0x61200000b860)
freed by thread T0 here:
    #0 0x7fc33226e961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x1681118 in Perl_safesysrealloc /home/asan_perl/Documents/perl-5.26.1/util.c:274
    #2 0x1de47d6 in Perl_sv_grow /home/asan_perl/Documents/perl-5.26.1/sv.c:1598
    #3 0x1f26bb4 in Perl_sv_catpvn_flags /home/asan_perl/Documents/perl-5.26.1/sv.c:5521
    #4 0xaf2df9 in Perl_lex_next_chunk /home/asan_perl/Documents/perl-5.26.1/toke.c:1385
    #5 0xafc528 in Perl_lex_read_space /home/asan_perl/Documents/perl-5.26.1/toke.c:1594
    #6 0xaff1f5 in S_skipspace_flags /home/asan_perl/Documents/perl-5.26.1/toke.c:1897
    #7 0xd78bba in Perl_yylex /home/asan_perl/Documents/perl-5.26.1/toke.c:6225
    #8 0xe7c7ec in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c:340
    #9 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2377
    #10 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c:1692
    #11 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:121
    #12 0x7fc3314ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7fc33226e961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x1681118 in Perl_safesysrealloc /home/asan_perl/Documents/perl-5.26.1/util.c:274
    #2 0x1de47d6 in Perl_sv_grow /home/asan_perl/Documents/perl-5.26.1/sv.c:1598
    #3 0x1fb6f0e in Perl_sv_gets /home/asan_perl/Documents/perl-5.26.1/sv.c:8761
    #4 0xaf45d5 in S_filter_gets /home/asan_perl/Documents/perl-5.26.1/toke.c:4583
    #5 0xaf45d5 in Perl_lex_next_chunk /home/asan_perl/Documents/perl-5.26.1/toke.c:1359
    #6 0xbfaaa9 in Perl_yylex /home/asan_perl/Documents/perl-5.26.1/toke.c:5283
    #7 0xe7c7ec in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c:340
    #8 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2377
    #9 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c:1692
    #10 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:121
    #11 0x7fc3314ca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/asan_perl/Documents/perl-5.26.1/toke.c:5143 Perl_yylex
==51794==ABORTING
```


--
Regards,
SRAUMS
Attachment: 140 (application/octet-stream, 286b)

To: perl5-security-report [...] perl.org
Date: Wed, 20 Dec 2017 13:41:00 +0530
Subject: PERL-5.26.1 heap_use_after_free READ of size 1
From: SRAUMS JN <sraums2498 [...] gmail.com>

Subject: PERL-5.26.1 heap_buffer_overflow READ of size 8
From: SRAUMS JN <sraums2498 [...] gmail.com>
Date: Thu, 21 Dec 2017 16:14:30 +0530
To: perl5-security-report [...] perl.org
```
=================================================================
==10580==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000e918 at pc 0x000000eef22c bp 0x7ffd19936320 sp 0x7ffd19936310
READ of size 8 at 0x60300000e918 thread T0
    #0 0xeef22b in Perl_pad_free /home/asan_perl/Documents/perl-5.26.1/pad.c:1758
    #1 0x4be7f7 in Perl_op_clear /home/asan_perl/Documents/perl-5.26.1/op.c:1171
    #2 0x4c5553 in Perl_op_free /home/asan_perl/Documents/perl-5.26.1/op.c:855
    #3 0xe78183 in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.c:546
    #4 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2377
    #5 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c:1692
    #6 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:121
    #7 0x7fadfef2d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

0x60300000e918 is located 8 bytes to the left of 24-byte region [0x60300000e920,0x60300000e938)
allocated by thread T0 here:
    #0 0x7fadffcd179a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x168f668 in Perl_safesyscalloc /home/asan_perl/Documents/perl-5.26.1/util.c:442
    #2 0xf245ea in Perl_pad_new /home/asan_perl/Documents/perl-5.26.1/pad.c:219
    #3 0x905842 in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2272
    #4 0x905842 in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c:1692
    #5 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:121
    #6 0x7fadfef2d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/asan_perl/Documents/perl-5.26.1/pad.c:1758 Perl_pad_free
==10580==ABORTING
```


--
Regards,
SRAUMS
Attachment: 28 (application/octet-stream, 1.1k)

To: perl5-security-report [...] perl.org
Date: Fri, 22 Dec 2017 00:03:08 +0530
Subject: PERL-5.26.1 heap_buffer_overflow READ of size 8
From: SRAUMS JN <sraums2498 [...] gmail.com>
```
=================================================================
==46260==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dab8 at pc 0x00000082bf8c bp 0x7fff0b8e1810 sp 0x7fff0b8e1800
READ of size 8 at 0x60200000dab8 thread T0
    #0 0x82bf8b in Perl_newMYSUB /home/asan_perl/Documents/perl-5.26.1/op.c:8213
    #1 0xe94717 in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.y:297
    #2 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2377
    #3 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c:1692
    #4 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:121
    #5 0x7f686f39882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

0x60200000dab8 is located 0 bytes to the right of 8-byte region [0x60200000dab0,0x60200000dab8)
allocated by thread T0 here:
    #0 0x7f687013c79a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x168f668 in Perl_safesyscalloc /home/asan_perl/Documents/perl-5.26.1/util.c:442
    #2 0xf24910 in Perl_newPADNAMELIST /home/asan_perl/Documents/perl-5.26.1/pad.c:2607
    #3 0xf24910 in Perl_pad_new /home/asan_perl/Documents/perl-5.26.1/pad.c:232
    #4 0xb626cd in Perl_start_subparse /home/asan_perl/Documents/perl-5.26.1/toke.c:11449
    #5 0xead969 in Perl_yyparse /home/asan_perl/Documents/perl-5.26.1/perly.y:598
    #6 0x90a9bc in S_parse_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2377
    #7 0x90a9bc in perl_parse /home/asan_perl/Documents/perl-5.26.1/perl.c:1692
    #8 0x46b239 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:121
    #9 0x7f686f39882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/asan_perl/Documents/perl-5.26.1/op.c:8213 Perl_newMYSUB
==46260==ABORTING
```


--
Regards,
SRAUMS
Attachment: 98 (application/octet-stream, 1.3k)

RT-Send-CC: perl5-security-report [...] perl.org
This appears to be fixed already in blead by the commit below; it should form part of perl-5.28. The analysis on the original ticket was that it was not a security concern, so I'll mark this as a duplicate of that one.

Hugo

commit 3b8804a4c2320ae4e7e713c5836d340eb210b6cd
Author: Tony Cook <tony@develop-help.com>
Date:   Mon Aug 7 11:27:50 2017 +1000

    (perl #131836) avoid a use-after-free after parsing a "sub" keyword

    The:

        d = skipspace(d);

    can reallocate linestr in the test case, invalidating s. This would end up in PL_bufptr from the embedded (PL_bufptr = s) in the TOKEN() macro.

    Assigning s to PL_bufptr and restoring s from PL_bufptr allows lex_next_chunk() to adjust the pointer to the reallocated buffer.
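The commit message quoted above describes the mechanism: skipspace() can make lex_next_chunk() reallocate linestr, and only the pointer held in PL_bufptr is rebased onto the new buffer. The C model below is added here and is not perl's own code; its Lexer, lex_next_chunk(), skipspace() and the two yylex_sub_*() functions are toy stand-ins for the toke.c pieces the message names, and the input is constructed. It shows the pre-fix shape of the "sub" branch left holding a pointer into freed memory after a refill, and the post-fix shape (park s in the registered cursor, read it back) surviving the same refill.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the toke.c state named in the commit message: the growable
 * line buffer (linestr), the one registered cursor (PL_bufptr) and the
 * refill routine (lex_next_chunk). Hypothetical names, not perl's own code. */
typedef struct {
    char       *buf;    /* linestr: source text read so far               */
    size_t      len;    /* bytes currently in buf                         */
    char       *bufptr; /* PL_bufptr: the only pointer the refill rebases */
    const char *src;    /* constructed source text not yet pulled in      */
} Lexer;

/* Append the next source line. A growing realloc may move the buffer; this
 * toy moves it on every refill so a raw pointer kept across the call is
 * guaranteed to dangle. Only bufptr is rebased onto the new buffer. */
static bool lex_next_chunk(Lexer *lx)
{
    if (*lx->src == '\0')
        return false;
    const char *nl = strchr(lx->src, '\n');
    size_t n   = nl ? (size_t)(nl - lx->src) + 1 : strlen(lx->src);
    size_t off = (size_t)(lx->bufptr - lx->buf);  /* cursor as an offset */
    char  *nb  = malloc(lx->len + n + 1);
    memcpy(nb, lx->buf, lx->len);
    memcpy(nb + lx->len, lx->src, n);
    nb[lx->len + n] = '\0';
    free(lx->buf);                                /* old buffer is gone */
    lx->buf = nb; lx->len += n; lx->src += n;
    lx->bufptr = lx->buf + off;                   /* fix up the cursor */
    return true;
}

/* Skip blanks and newlines, refilling when the buffer runs dry. Works in
 * offsets, so the pointer it hands back is always into the live buffer. */
static char *skipspace(Lexer *lx, char *d)
{
    size_t off = (size_t)(d - lx->buf);
    for (;;) {
        while (off < lx->len && (lx->buf[off] == ' ' || lx->buf[off] == '\n'))
            off++;
        if (off < lx->len || !lex_next_chunk(lx))
            return lx->buf + off;
    }
}

/* Pre-fix shape of the "sub" branch: s is a raw pointer held across skipspace(). */
static char *yylex_sub_before(Lexer *lx, char *s)
{
    skipspace(lx, s + 3);     /* may refill and free the buffer s points into */
    return s;                 /* dangling if it did */
}

/* Post-fix shape (the two added lines of the patch): park s in the
 * registered cursor before skipspace() and read it back afterwards. */
static char *yylex_sub_after(Lexer *lx, char *s)
{
    lx->bufptr = s;
    skipspace(lx, s + 3);
    return lx->bufptr;        /* rebased by lex_next_chunk() if it ran */
}

/* Lex "${sub" followed by trailing blanks so skipspace() must refill, the
 * way the long "#xxx..." comment does in the ticket's test case. Returns 1 if
 * the pointer the "sub" branch ends up with is inside the live buffer and
 * reads 's', 0 if it points into freed memory (never dereferenced here). */
static int sub_pointer_is_live(bool fixed)
{
    Lexer lx = { .src = "${sub   \n  foo\n" };   /* constructed input */
    lx.buf = calloc(1, 1); lx.bufptr = lx.buf;
    lex_next_chunk(&lx);                          /* pulls in "${sub   \n" */
    char *s = lx.buf + 2;                         /* the 's' of "sub" */
    char *r = fixed ? yylex_sub_after(&lx, s) : yylex_sub_before(&lx, s);
    uintptr_t lo = (uintptr_t)lx.buf, hi = lo + lx.len, p = (uintptr_t)r;
    int live = (p >= lo && p < hi) && r[0] == 's'; /* r read only if in range */
    free(lx.buf);
    return live;
}
```

Under AddressSanitizer the real interpreter reports the pre-fix shape as the heap-use-after-free in the traces above; here the stale pointer is detected by an address-range check instead of being read, so the model runs cleanly in both modes.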
RT-Send-CC: perl5-security-report [...] perl.org
This is also a duplicate of rt131836, fixed in blead; I'll merge it.

Hugo
RT-Send-CC: perl5-security-report [...] perl.org
This is also fixed by 3b8804a4, same as rt132614, though it's a different stack trace. I'll merge it to rt131836 likewise.

Hugo
RT-Send-CC: perl5-security-report [...] perl.org
This was also fixed by 3b8804a4, I'll merge it.

Hugo

