Report information
Id: 131955
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: imdb95 [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



To: perl5-security-report [...] perl.org
Date: Thu, 24 Aug 2017 12:15:53 +0700
From: Manh Nguyen <imdb95 [...] gmail.com>
Subject: heap-buffer-overflow in token.c:S_scan_formline()
Hello,
I found this bug when fuzzing perl5 with afl-fuzz.

**********Build Date & Hardware**********
Version: the dev version (https://perl5.git.perl.org/perl.git)
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ ./perl/perl -v

This is perl 5, version 27, subversion 4 (v5.27.4 (v5.27.3-14-gd2dccc0)) built for x86_64-linux

Copyright 1987-2017, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.
--------------
OS: Ubuntu 16.04 Desktop
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ uname -a
Linux manh-VirtualBox 4.4.0-92-generic #115-Ubuntu SMP Thu Aug 10 09:04:33 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
--------------
Compilation:
AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0\ -g && AFL_USE_ASAN=1 make

**********Reproduce**********
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ ./perl/perl crash_heap_S_scan_formline
String found where operator expected at crash_heap_S_scan_formline line 476, near "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"sidekick function called""
=================================================================
==24365==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000007108 at pc 0x00000044f1d5 bp 0x7fffffffc790 sp 0x7fffffffbf40
READ of size 30774 at 0x625000007108 thread T0
#0 0x44f1d4 in __interceptor_memchr /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:3
#1 0x650340 in S_scan_formline /home/manh/Fuzzing/afl/perl/perl/toke.c:11374:17
#2 0x650340 in Perl_yylex /home/manh/Fuzzing/afl/perl/perl/toke.c:5068
#3 0x6ed7c1 in Perl_yyparse /home/manh/Fuzzing/afl/perl/perl/perly.c:340:34
#4 0x5da9e9 in S_parse_body /home/manh/Fuzzing/afl/perl/perl/perl.c:2414:9
#5 0x5d0f38 in perl_parse /home/manh/Fuzzing/afl/perl/perl/perl.c:1732:2
#6 0x5093cc in main /home/manh/Fuzzing/afl/perl/perl/perlmain.c:121:18
#7 0x7ffff6caf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x435928 in _start (/home/manh/Fuzzing/afl/perl/perl/perl+0x435928)

0x625000007108 is located 0 bytes to the right of 8200-byte region [0x625000005100,0x625000007108)
allocated by thread T0 here:
#0 0x4dc9de in realloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79:3
#1 0x83f1b6 in Perl_safesysrealloc /home/manh/Fuzzing/afl/perl/perl/util.c:274:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:739:3 in __interceptor_memchr
Shadow bytes around the buggy address:
0x0c4a7fff8dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8e20: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==24365==ABORTING
**********Analysis**********
The heap-buffer-overflow occurs when memchr reads past the end of the string s:
eol = (char *) memchr(s,'\n',PL_bufend-s);
The memchr call that triggers the bug has s = 0x625000005158 and (PL_bufend-s) = 0xffffffffffffffb2.

(gdb) b /home/manh/Fuzzing/afl/perl/perl/toke.c:11374
Breakpoint 9 at 0x65030a: file toke.c, line 11374.
(gdb) ignore 9 346
Will ignore next 346 crossings of breakpoint 9.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/manh/Fuzzing/afl/perl/perl/perl id:000034*
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
String found where operator expected at id:000034,sig:06,src:000048+001627,op:splice,rep:2 line 476, near "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"sidekick function called""

Breakpoint 9, S_scan_formline (s=<optimized out>) at toke.c:11374
11374 eol = (char *) memchr(s,'\n',PL_bufend-s);
(gdb) b *memchr
Breakpoint 10 at 0x44ee80: file /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc, line 723.
(gdb) c
Continuing.

Breakpoint 10, __interceptor_memchr ()
at /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:723
723 /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc: No such file or directory.
(gdb) printf "arg0: %p, arg1: %p, arg2: %p\n", $rdi, $rsi, $rdx
arg0: 0x625000005158, arg1: 0xa, arg2: 0xffffffffffffffb2
**********Additional Information**********
My default perl also crashes with the crafted file:
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ perl -v

This is perl 5, version 22, subversion 1 (v5.22.1) built for x86_64-linux-gnu-thread-multi
(with 58 registered patches, see perl -V for more detail)

Copyright 1987-2015, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

manh@manh-VirtualBox:~/Fuzzing/afl/perl$ perl crash_heap_S_scan_formline
String found where operator expected at crash_heap_S_scan_formline line 476, near "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"sidekick function called""
Attempt to free unreferenced scalar: SV 0x835678, Perl interpreter: 0x7d2010 at crash_heap_S_scan_formline line 497.
Attempt to free unreferenced scalar: SV 0x835678, Perl interpreter: 0x7d2010 at crash_heap_S_scan_formline line 497.
Segmentation fault (core dumped)

Best,
Manh
Attachment: crash_heap_S_scan_formline (application/octet-stream, 13.9k)

Subject: Re: [perl #131955] AutoReply: heap-buffer-overflow in token.c:S_scan_formline()
From: Manh Nguyen <imdb95 [...] gmail.com>
To: Tony Cook via RT <perl5-security-report [...] perl.org>
Date: Sun, 27 Aug 2017 15:05:50 +0700
Greetings,
Have you taken a look at fixing this bug, please?

On Thu, Aug 24, 2017 at 12:16 PM, <perl5-security-report@perl.org> wrote:
Greetings,

This message has been automatically generated in response to the
creation of a perl security report regarding:
   "heap-buffer-overflow in token.c:S_scan_formline()".

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [perl #131955].

Please include the string:

   [perl #131955]

in the subject line of all future correspondence about this issue. To do so,
you may reply to this message (please delete unnecessary quotes and text.)

  Thank you,
  perl5-security-report@perl.org

-------------------------------------------------------------------------

On Sun, 27 Aug 2017 01:10:04 -0700, imdb95@gmail.com wrote:
> Greetings,
> Have you taken a look at fixing this bug, please?

I expect to take a close look at it tomorrow (or maybe later today). Just from the backtrace it doesn't appear to be a security issue, but I won't be sure of that until I take that close look.

Tony
On Sun, 27 Aug 2017 17:10:40 -0700, tonyc wrote:
> On Sun, 27 Aug 2017 01:10:04 -0700, imdb95@gmail.com wrote:
> > Greetings,
> > Have you taken a look at fixing this bug, please?
>
> I expect to take a close look at it tomorrow (or maybe later today).
> Just from the backtrace it doesn't appear to be a security issue, but
> I won't be sure of that until I take that close look.

This requires feeding code to the parser and isn't a security issue. scan_formline() is being entered with PL_bufptr == PL_bufend+1 and things go downhill from there. I haven't tracked down exactly why that's happening though.

Tony
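The Analysis section of the report and Tony's diagnosis describe the same arithmetic: memchr takes a size_t, so once the scan cursor has moved past PL_bufend the difference PL_bufend-s is negative and converts to a huge unsigned length (0xffffffffffffffb2 in the report, i.e. -78). The following C program is an added example written for this page; it is not code from perl's toke.c or from either message. It models that memchr call on a small constructed buffer, shows the wrapped length a past-the-end cursor produces, and puts a bounds-checked variant beside the unchecked one. The function, macro and buffer names (scan_line_end_unchecked, scan_line_end_checked, memchr_len_as_size, length_is_wrapped, demo_buf, DEMO_BUFEND) are this example's own, not perl's.

```c
/* Added example, not from the Perl bug report or from perl's toke.c.
 * Models eol = memchr(s, '\n', PL_bufend - s) with a scan cursor that has
 * run past the end of the buffer (Tony's PL_bufptr == PL_bufend+1). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The length toke.c hands to memchr: a ptrdiff_t silently converted to
 * size_t. When s > bufend the difference is negative and wraps to a
 * value near SIZE_MAX. Returns exactly what memchr would receive. */
size_t memchr_len_as_size(const char *s, const char *bufend)
{
    return (size_t)(bufend - s);
}

/* Unchecked form, i.e. the shape of the call in the report. With s past
 * bufend the wrapped length lets memchr read beyond the allocation until
 * it finds a '\n' or faults (ASan: heap-buffer-overflow READ).
 * Only ever call this with s <= bufend. */
const char *scan_line_end_unchecked(const char *s, const char *bufend)
{
    return memchr(s, '\n', (size_t)(bufend - s));
}

/* Hardened form: refuse to scan when the cursor is not inside the buffer.
 * Pointer comparison, not the subtraction, is the check that survives
 * the signed-to-unsigned conversion. */
const char *scan_line_end_checked(const char *s, const char *bufend)
{
    if (s == NULL || bufend == NULL || s > bufend)
        return NULL;                    /* cursor already past the end */
    return memchr(s, '\n', (size_t)(bufend - s));
}

/* True when the computed length exceeds what the buffer could hold,
 * which is the tell-tale of a wrapped (negative) difference. */
int length_is_wrapped(const char *s, const char *bufend, size_t buflen)
{
    return memchr_len_as_size(s, bufend) > buflen;
}

/* Constructed stand-in for the lexer buffer: two format lines. The
 * report's real buffer was an 8200-byte region; the arithmetic is the
 * same at any size. DEMO_BUFEND plays the role of PL_bufend. */
static const char demo_buf[] = "format STDOUT =\n@<<<\n";
#define DEMO_BUFEND (demo_buf + sizeof demo_buf - 1)

/* Normal case: offset of the first newline, or -1 if refused. */
long demo_first_eol_offset(void)
{
    const char *eol = scan_line_end_checked(demo_buf, DEMO_BUFEND);
    return eol ? (long)(eol - demo_buf) : -1;
}

/* Failure case from the report: cursor one past bufend. Forming the
 * one-past-the-end pointer is legal; dereferencing it is not, and the
 * checked scanner never does. */
size_t demo_wrapped_length(void)
{
    return memchr_len_as_size(DEMO_BUFEND + 1, DEMO_BUFEND);
}

int demo_checked_refuses_past_end(void)
{
    return scan_line_end_checked(DEMO_BUFEND + 1, DEMO_BUFEND) == NULL;
}

int main(void)
{
    printf("first newline at offset %ld\n", demo_first_eol_offset());
    printf("length memchr would get with s = bufend+1: 0x%zx "
           "(buffer is %zu bytes)\n", demo_wrapped_length(), sizeof demo_buf);
    printf("checked scan with past-the-end cursor: %s\n",
           demo_checked_refuses_past_end() ? "refused" : "scanned");
    return 0;
}
```

The guard is the cheap check a reviewer would ask for at the memchr call; it does not explain why the lexer arrives with PL_bufptr one past PL_bufend, which is the root cause Tony says he has not tracked down. Only the checked variant is ever called with the past-the-end cursor here: calling the unchecked one that way is exactly the out-of-bounds read ASan reported, and the "READ of size 30774" in the report is consistent with memchr scanning beyond the 8200-byte region until it happened to hit a newline in neighbouring heap memory.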