Report information
Id: 131866
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: gy741.kim [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



Subject: Null Pointer Dereference in Perl_sv_setpv_bufsize
From: GwanYeong Kim <gy741.kim [...] gmail.com>
Date: Wed, 9 Aug 2017 16:28:10 +0900
To: perl5-security-report [...] perl.org

Hi.

I found a Null Pointer Dereference bug in perl.

Please confirm.

Thanks.

Version: This is perl 5, version 27, subversion 2 (v5.27.2) built for i686-linux
OS: Ubuntu 16.04.2 32bit
Steps to reproduce:
 1. Download the PoC files.
 2. Compile the source code with ASan.
 3. Execute the following command: `./perl $PoC`

```
ASAN:DEADLYSIGNAL
=================================================================
==22852==ERROR: AddressSanitizer: SEGV on unknown address 0xbebebebe (pc 0x0865ec98 bp 0x16ba0f87 sp 0xbf95b2d0 T0)
    #0 0x865ec97 in Perl_sv_setpv_bufsize /root/karas/perl5-blead/sv.c:4958:17
    #1 0x85b15bf in Perl_pp_concat /root/karas/perl5-blead/pp_hot.c:292:13
    #2 0x84debdc in Perl_runops_debug /root/karas/perl5-blead/dump.c:2483:23
    #3 0x823aaf3 in S_run_body /root/karas/perl5-blead/perl.c:2553:2
    #4 0x823aaf3 in perl_run /root/karas/perl5-blead/perl.c:2476
    #5 0x81494d4 in main /root/karas/perl5-blead/perlmain.c:123:9
    #6 0xb74b4636 in __libc_start_main /build/glibc-KM3i_a/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x8075847 in _start (/root/karas/perl5-blead/perl+0x8075847)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/karas/perl5-blead/sv.c:4958:17 in Perl_sv_setpv_bufsize
==22852==ABORTING
```
Attachment: 021_Perl_sv_setpv_bufsize_PoC (application/octet-stream, 251b)

RT-Send-CC: rt-deliver-to-perl5-security-report [...] rt.perl.org
On Wed, 09 Aug 2017 00:28:24 -0700, gy741.kim@gmail.com wrote:
This simplifies down to:

    $_.=*_='x';

and is a stack-not-refcounted bug.

This isn't a security issue - it depends on the code executed destroying an SV as it's assigned to, which is only under the control of an attacker.

Tony
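The mechanism behind the one-liner, as an added illustration that is not part of the ticket: assigning a string to a glob aliases that glob to the named one, so `*_ = 'x'` turns `$_` into `$main::x` and the scalar previously behind `$_` loses its reference. The script below (the `$x` variable and the `scalar_slot_replaced` function are my own) shows the swap by comparing SV addresses before and after the glob assignment, without performing the concatenation that crashed the reported build.

```perl
#!/usr/bin/perl
# Added illustration, not code from the ticket: show that "*_ = 'x'"
# replaces the scalar slot of *_ with the one from *x.  In the reported
# crash, pp_concat had already taken the old $_ SV off the stack (which
# does not hold a reference count), so it wrote into a freed SV.
use strict;
use warnings;

our $x = 'x';   # the glob *_ is about to be aliased to *main::x

sub scalar_slot_replaced {
    $_ = 'old value';
    my $before = 0 + \$_;   # address of the SV currently behind $_
    {
        no strict 'refs';
        *_ = 'x';           # equivalent to *_ = *main::x
    }
    my $after = 0 + \$_;    # now the address of $x's SV
    # The slot was swapped if the address changed and $_ reads as $x.
    return ($before != $after && $_ eq 'x') ? 1 : 0;
}

print scalar_slot_replaced()
    ? "slot replaced: the old \$_ SV was dropped mid-statement\n"
    : "slot unchanged\n";
```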
RT-Send-CC: perl5-porters [...] perl.org
On Wed, 09 Aug 2017 17:52:11 -0700, tonyc wrote:
Now public and linked to the stack-not-refcounted meta ticket.

Tony

