Report information
Id: 131836
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: gy741.kim [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



Date: Fri, 4 Aug 2017 18:37:21 +0900
To: perl5-security-report [...] perl.org
Subject: heap-buffer-overflow in Perl_yylex
From: GwanYeong Kim <gy741.kim [...] gmail.com>

Hi.

I found a heap-buffer-overflow bug in perl.

Please confirm.

Thanks.

Version: This is perl 5, version 27, subversion 2 (v5.27.2) built for i686-linux
OS: Ubuntu 16.04.2 32bit
Steps to reproduce:
 1. Download the PoC files.
 2. Compile the source code with ASan.
 3. Execute the following command: ./perl $PoC
```
=================================================================
==22689==ERROR: AddressSanitizer: heap-use-after-free on address 0xb5101102 at pc 0x082b8557 bp 0xbfefdf68 sp 0xbfefdf5c
READ of size 1 at 0xb5101102 thread T0
    #0 0x82b8556 in Perl_yylex /root/karas/perl5-blead/toke.c:5137:13
    #1 0x835df10 in Perl_yyparse /root/karas/perl5-blead/perly.c:340:34
    #2 0x8232350 in S_parse_body /root/karas/perl5-blead/perl.c:2401:9
    #3 0x82285e3 in perl_parse /root/karas/perl5-blead/perl.c:1719:2
    #4 0x81494a6 in main /root/karas/perl5-blead/perlmain.c:121:18
    #5 0xb7547636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x8075847 in _start (/root/karas/perl5-blead/perl+0x8075847)

0xb5101102 is located 2 bytes inside of 64-byte region [0xb5101100,0xb5101140)
freed by thread T0 here:
    #0 0x8119ef4 in realloc (/root/karas/perl5-blead/perl+0x8119ef4)
    #1 0x84e3394 in Perl_safesysrealloc /root/karas/perl5-blead/util.c:274:18

previously allocated by thread T0 here:
    #0 0x8119ef4 in realloc (/root/karas/perl5-blead/perl+0x8119ef4)
    #1 0x84e3394 in Perl_safesysrealloc /root/karas/perl5-blead/util.c:274:18

SUMMARY: AddressSanitizer: heap-use-after-free /root/karas/perl5-blead/toke.c:5137:13 in Perl_yylex
Shadow bytes around the buggy address:
  0x36a201d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a201e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a201f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a20200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a20210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a20220:[fd]fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x36a20230: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
  0x36a20240: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x36a20250: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x36a20260: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x36a20270: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22689==ABORTING
```

Attachment: 000004_perl_BoF_PoC_08_04 (application/octet-stream, 61 bytes)

RT-Send-CC: perl5-porters [...] perl.org
On Fri, 04 Aug 2017 02:37:31 -0700, gy741.kim@gmail.com wrote:
> Hi.
>
> I found a heap-buffer-overflow bug in perl.
>
> Please confirm.

This is a use-after-free, not a buffer overflow.

Since it requires feeding code to the interpreter it isn't a security issue, so I've made it public.
The attached fixes it for me.

Tony
Subject: 0001-perl-131836-avoid-a-use-after-free-after-parsing-a-s.patch
From 6948dbaeb631c130a55bfa98b08908759a4d4201 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Mon, 7 Aug 2017 11:27:50 +1000 Subject: [PATCH] (perl #131836) avoid a use-after-free after parsing a "sub" keyword The: d = skipspace(d); can reallocate linestr in the test case, invalidating s. This would end up in PL_bufptr from the embedded (PL_bufptr = s) in the TOKEN() macro. Assigning s to PL_bufptr and restoring s from PL_bufptr allows lex_next_chunk() to adjust the pointer to the reallocated buffer. --- t/comp/parser_run.t | 10 +++++++++- toke.c | 2 ++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t index e74644d..6845a4b 100644 --- a/t/comp/parser_run.t +++ b/t/comp/parser_run.t @@ -10,7 +10,7 @@ BEGIN { } require './test.pl'; -plan(1); +plan(2); # [perl #130814] can reallocate lineptr while looking ahead for # "Missing $ on loop variable" diagnostic. @@ -24,5 +24,13 @@ syntax error at - line 3, near "foreach m0 Identifier too long at - line 3. EXPECT +fresh_perl_is(<<'EOS', <<'EXPECTED', {}, "use after free (#131836)"); +${sub#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +EOS +Missing right curly or square bracket at - line 1, at end of line +syntax error at - line 1, at EOF +Execution of - aborted due to compilation errors. +EXPECTED + __END__ # ex: set ts=8 sts=4 sw=4 et: diff --git a/toke.c b/toke.c index 6aa5f26..2261bb4 100644 --- a/toke.c +++ b/toke.c @@ -6200,8 +6200,10 @@ Perl_yylex(pTHX) break; } if (strEQs(s, "sub")) { + PL_bufptr = s; d = s + 3; d = skipspace(d); + s = PL_bufptr; if (*d == ':') { PL_expect = XTERM; break; -- 2.1.4
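Review bot: in the toke.c hunk, the new `PL_bufptr = s;` / `s = PL_bufptr;` pair reads as a no-op to anyone who does not know that skipspace() can call lex_next_chunk() and reallocate linestr; a one-line comment beside the assignments (for example `/* skipspace() may reallocate linestr; lex_next_chunk() rebases PL_bufptr */`) would keep a later cleanup from deleting the pair and reintroducing the use-after-free. Note also that `d = s + 3;` is computed before the call and stays valid only because skipspace() returns the adjusted pointer; any other raw pointer into linestr held across that call needs the same parking treatment.

Review bot: the new parser_run.t case asserts only on the three compile-time diagnostics; a build without ASan or valgrind will usually read the freed byte silently and print the same messages, so the test catches a regression only under a sanitizer. A short comment stating that, in the style of the `[perl #130814]` comment that precedes the existing case, would make the intent clear to whoever next touches this file.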
RT-Send-CC: perl5-porters [...] perl.org
On Sun, 06 Aug 2017 18:30:40 -0700, tonyc wrote:
> On Fri, 04 Aug 2017 02:37:31 -0700, gy741.kim@gmail.com wrote:
> > Hi.
> >
> > I found a heap-buffer-overflow bug in perl.
> >
> > Please confirm.
>
> This is a use-after-free, not a buffer overflow.
>
> Since it requires feeding code to the interpreter it isn't a security issue, so I've made it public.
>
> The attached fixes it for me.

Applied as 3b8804a4c2320ae4e7e713c5836d340eb210b6cd.

Tony
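Tony's commit message above explains the hazard: skipspace() can call lex_next_chunk(), which reallocates linestr and leaves any raw pointer such as s dangling unless it is parked in PL_bufptr, which the chunk loader rebases. The C block below is an added example, not perl's own code; it models that mechanism with a small stand-in lexer (the Lexer struct, next_chunk(), skipspace() and parse_sub_keyword() are constructed names) and checks that the patched save/restore through bufptr keeps s valid across the move.

```c
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *buf; size_t len;  /* stand in for PL_linestr's buffer and length */
    char *bufptr;           /* stands in for PL_bufptr: rebased when buf moves */
    const char *more;       /* input not yet loaded (constructed sample) */
    int moved;              /* how often buf changed address */
} Lexer;
/* Stands in for lex_next_chunk(): copy buf plus pending input into a new block
 * (always a move, for determinism); struct pointers are rebased, raw locals not. */
static void next_chunk(Lexer *lx) {
    size_t add = strlen(lx->more), off = (size_t)(lx->bufptr - lx->buf);
    char *nbuf = malloc(lx->len + add + 1);
    memcpy(nbuf, lx->buf, lx->len);
    memcpy(nbuf + lx->len, lx->more, add + 1);  /* includes the NUL */
    free(lx->buf);                              /* old pointers now dangle */
    lx->buf = nbuf; lx->len += add; lx->more = ""; lx->moved++;
    lx->bufptr = lx->buf + off;                 /* the rebasing the fix relies on */
}
/* Stands in for skipspace(): skip blanks, loading input at end of buffer; only
 * d is rebased and returned, the caller's other pointers are not. */
static char *skipspace(Lexer *lx, char *d) {
    for (;;) {
        while (*d == ' ') d++;
        if (*d != '\0' || lx->more[0] == '\0') return d;
        size_t off = (size_t)(d - lx->buf);
        next_chunk(lx);
        d = lx->buf + off;
    }
}
/* The patched toke.c sequence: s survives the move only because it travels
 * through lx->bufptr. Returns 1 if s still addresses "sub" in the live buffer. */
int parse_sub_keyword(Lexer *lx, char *s) {
    size_t s_off = (size_t)(s - lx->buf);
    lx->bufptr = s;                 /* + PL_bufptr = s;   (remove both marked */
    char *d = skipspace(lx, s + 3); /*   lines and s points into freed memory) */
    s = lx->bufptr;                 /* + s = PL_bufptr; */
    return s == lx->buf + s_off && strncmp(s, "sub", 3) == 0 && *d == ':';
}
/* Constructed input: "sub" and blanks end the first chunk; ':' arrives later. */
int run_example(void) {
    static const char first[] = "${sub  ";
    Lexer lx = { malloc(sizeof first), sizeof first - 1, NULL, "  :", 0 };
    memcpy(lx.buf, first, sizeof first);
    lx.bufptr = lx.buf;
    int ok = parse_sub_keyword(&lx, lx.buf + 2) && lx.moved == 1;
    free(lx.buf);
    return ok;
}
```

run_example() returns 1 when the buffer moved exactly once and s still points at "sub" in the live buffer; ASan on the original code flagged exactly the read that the unparked s would perform.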

