Report information
Id: 131987
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



To: perlbug [...] perl.org
Date: Tue, 29 Aug 2017 00:22:05 -0500
Subject: Heap Use After Free (READ of size 1) in Perl_yylex (toke.c:5137)
From: Brian Carpenter <brian.carpenter [...] gmail.com>
Triggered while fuzzing Perl v5.27.2-150-g5c780defa5* on Fedora 26 x64.

./perl test079
Scalar found where operator expected at test079 line 1, near "000000000000000$"
        (Missing operator before $?)
=================================================================
==25286==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000bd1 at pc 0x000000898f5b bp 0x7ffcfaccf670 sp 0x7ffcfaccf668
READ of size 1 at 0x606000000bd1 thread T0
    #0 0x898f5a in Perl_yylex /root/perl5/toke.c:5137:13
    #1 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
    #2 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
    #3 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
    #4 0x525287 in main /root/perl5/perlmain.c:121:18
    #5 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)
    #6 0x435b19 in _start (/root/perl5/perl+0x435b19)

0x606000000bd1 is located 17 bytes inside of 64-byte region [0x606000000bc0,0x606000000c00)
freed by thread T0 here:
    #0 0x4eb585 in realloc (/root/perl5/perl+0x4eb585)
    #1 0xdfab74 in Perl_safesysrealloc /root/perl5/util.c:274:18
    #2 0x110561e in Perl_sv_grow /root/perl5/sv.c:1600:17
    #3 0x121ffb0 in Perl_sv_catpvn_flags /root/perl5/sv.c:5530:12
    #4 0x86f49e in Perl_lex_next_chunk /root/perl5/toke.c:1378:6
    #5 0x877330 in Perl_lex_read_space /root/perl5/toke.c:1587:17
    #6 0x9c797c in S_skipspace_flags /root/perl5/toke.c:1890:2
    #7 0x97c962 in Perl_yylex /root/perl5/toke.c:6215:8
    #8 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
    #9 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
    #10 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
    #11 0x525287 in main /root/perl5/perlmain.c:121:18
    #12 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)

previously allocated by thread T0 here:
    #0 0x4eb585 in realloc (/root/perl5/perl+0x4eb585)
    #1 0xdfab74 in Perl_safesysrealloc /root/perl5/util.c:274:18
    #2 0x110561e in Perl_sv_grow /root/perl5/sv.c:1600:17
    #3 0x1295e81 in Perl_sv_gets /root/perl5/sv.c:8778:2
    #4 0x86e038 in S_filter_gets /root/perl5/toke.c:4577:17
    #5 0x86e038 in Perl_lex_next_chunk /root/perl5/toke.c:1352
    #6 0x8ad798 in Perl_yylex /root/perl5/toke.c:5288:11
    #7 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
    #8 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
    #9 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
    #10 0x525287 in main /root/perl5/perlmain.c:121:18
    #11 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl5/toke.c:5137:13 in Perl_yylex
Attachment: test079.gz (application/x-gzip, 40 bytes; the fuzzer-generated input file, not shown inline)
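The three stacks above describe the shape of the bug without naming a root cause: the read at toke.c:5137 goes through a byte pointer into the buffer of PL_linestr, and a call made from yylex (S_skipspace_flags -> Perl_lex_read_space -> Perl_lex_next_chunk -> Perl_sv_catpvn_flags -> Perl_sv_grow -> realloc) can move that buffer, so the pointer is left dangling when the old block is freed. The C program below is an added illustration of that pattern and of the usual fix (carry an offset across the growing call and re-derive the pointer afterwards); it is not Perl's code, and `linebuf`, `lb_cat`, `next_chunk` and `peek_after_chunk_*` are hypothetical stand-ins for PL_linestr, sv_catpvn, lex_next_chunk and the scanning code in yylex. The input string is constructed for the example. Whether the fix commit cited below takes this form is not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for Perl's PL_linestr: a growable line buffer (assumed model). */
typedef struct {
    char  *pv;   /* heap buffer, like SvPVX(PL_linestr) */
    size_t cur;  /* bytes in use, like SvCUR */
    size_t len;  /* bytes allocated, like SvLEN */
} linebuf;

static void lb_init(linebuf *lb, const char *text)
{
    lb->cur = strlen(text);
    lb->len = lb->cur + 1;            /* deliberately tight so that any append reallocs */
    lb->pv  = malloc(lb->len);
    if (!lb->pv) abort();
    memcpy(lb->pv, text, lb->cur + 1);
}

/* Stand-in for sv_catpvn -> sv_grow -> realloc: appending may move the block. */
static void lb_cat(linebuf *lb, const char *more)
{
    size_t n = strlen(more);
    if (lb->cur + n + 1 > lb->len) {
        size_t newlen = (lb->cur + n + 1) * 2;
        char *np = realloc(lb->pv, newlen);   /* old block freed if it moves */
        if (!np) abort();
        lb->pv  = np;
        lb->len = newlen;
    }
    memcpy(lb->pv + lb->cur, more, n + 1);
    lb->cur += n;
}

static void lb_free(linebuf *lb)
{
    free(lb->pv);
    lb->pv = NULL;
    lb->cur = lb->len = 0;
}

/* Stand-in for lex_next_chunk: pulls the next line into the buffer.
   Returns 1 if the heap block moved (compared as integers, never dereferenced). */
static int next_chunk(linebuf *lb, const char *line)
{
    uintptr_t before = (uintptr_t)lb->pv;
    lb_cat(lb, line);
    return (uintptr_t)lb->pv != before;
}

#ifdef DEMONSTRATE_UAF
/* Buggy shape: a raw pointer into the buffer is held across the call that may grow it.
   Build with -DDEMONSTRATE_UAF -fsanitize=address and call this from main to see a
   heap-use-after-free "READ of size 1" report of the same shape as the one above. */
static int peek_after_chunk_unsafe(linebuf *lb, size_t off, const char *line)
{
    const char *s = lb->pv + off;   /* pointer into the current block */
    next_chunk(lb, line);           /* may realloc and free that block */
    return (unsigned char)*s;       /* dangling read if the block moved */
}
#endif

/* Fixed shape: carry an offset across the call, then re-derive the pointer. */
static int peek_after_chunk_safe(linebuf *lb, size_t off, const char *line)
{
    next_chunk(lb, line);
    const char *s = lb->pv + off;   /* re-derived from the current base */
    return (unsigned char)*s;
}

/* Constructed scenario: the report's first line of digits followed by a chunk
   large enough to force a realloc. Returns the byte at 'off' after growth. */
static int scenario(size_t off)
{
    linebuf lb;
    lb_init(&lb, "000000000000000$");
    int c = peek_after_chunk_safe(&lb, off, "\nprint 1;\n");
    lb_free(&lb);
    return c;
}

int main(void)
{
    printf("byte 0 after growth:  %c\n", scenario(0));
    printf("byte 15 after growth: %c\n", scenario(15));
    return 0;
}
```

The safe variant is the idiom to look for when reviewing lexer and tokenizer code that scans a growable buffer: any pointer into the buffer that survives a call able to append to it must be converted to an offset before the call and rebuilt from the new base afterwards.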

RT-Send-CC: perl5-porters [...] perl.org
On Mon, 28 Aug 2017 22:22:53 -0700, brian.carpenter@gmail.com wrote:
> Triggered while fuzzing Perl v5.27.2-150-g5c780defa5* on Fedora 26 x64.
>
> ./perl test079
> Scalar found where operator expected at test079 line 1, near
> "000000000000000$"
>         (Missing operator before $?)
> =================================================================
> ==25286==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x606000000bd1 at pc 0x000000898f5b bp 0x7ffcfaccf670 sp 0x7ffcfaccf668
> READ of size 1 at 0x606000000bd1 thread T0
>     #0 0x898f5a in Perl_yylex /root/perl5/toke.c:5137:13

I think this was fixed by 3b8804a4c2320ae4e7e713c5836d340eb210b6cd.

Tony
Subject: Re: [perl #131987] Heap Use After Free (READ of size 1) in Perl_yylex (toke.c:5137)
From: Zefram <zefram [...] fysh.org>
Date: Wed, 6 Dec 2017 22:20:10 +0000
To: perl5-porters [...] perl.org
I concur that this has been fixed by the commit that Tony identified.

-zefram

