Report information
Id: 131987
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



To: perlbug [...] perl.org
Date: Tue, 29 Aug 2017 00:22:05 -0500
Subject: Heap Use After Free (READ of size 1) in Perl_yylex (toke.c:5137)
From: Brian Carpenter <brian.carpenter [...] gmail.com>
Triggered while fuzzing Perl v5.27.2-150-g5c780defa5* on Fedora 26 x64.

./perl test079
Scalar found where operator expected at test079 line 1, near "000000000000000$"
        (Missing operator before $?)
=================================================================
==25286==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000bd1 at pc 0x000000898f5b bp 0x7ffcfaccf670 sp 0x7ffcfaccf668
READ of size 1 at 0x606000000bd1 thread T0
    #0 0x898f5a in Perl_yylex /root/perl5/toke.c:5137:13
    #1 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
    #2 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
    #3 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
    #4 0x525287 in main /root/perl5/perlmain.c:121:18
    #5 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)
    #6 0x435b19 in _start (/root/perl5/perl+0x435b19)

0x606000000bd1 is located 17 bytes inside of 64-byte region [0x606000000bc0,0x606000000c00)
freed by thread T0 here:
    #0 0x4eb585 in realloc (/root/perl5/perl+0x4eb585)
    #1 0xdfab74 in Perl_safesysrealloc /root/perl5/util.c:274:18
    #2 0x110561e in Perl_sv_grow /root/perl5/sv.c:1600:17
    #3 0x121ffb0 in Perl_sv_catpvn_flags /root/perl5/sv.c:5530:12
    #4 0x86f49e in Perl_lex_next_chunk /root/perl5/toke.c:1378:6
    #5 0x877330 in Perl_lex_read_space /root/perl5/toke.c:1587:17
    #6 0x9c797c in S_skipspace_flags /root/perl5/toke.c:1890:2
    #7 0x97c962 in Perl_yylex /root/perl5/toke.c:6215:8
    #8 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
    #9 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
    #10 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
    #11 0x525287 in main /root/perl5/perlmain.c:121:18
    #12 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)

previously allocated by thread T0 here:
    #0 0x4eb585 in realloc (/root/perl5/perl+0x4eb585)
    #1 0xdfab74 in Perl_safesysrealloc /root/perl5/util.c:274:18
    #2 0x110561e in Perl_sv_grow /root/perl5/sv.c:1600:17
    #3 0x1295e81 in Perl_sv_gets /root/perl5/sv.c:8778:2
    #4 0x86e038 in S_filter_gets /root/perl5/toke.c:4577:17
    #5 0x86e038 in Perl_lex_next_chunk /root/perl5/toke.c:1352
    #6 0x8ad798 in Perl_yylex /root/perl5/toke.c:5288:11
    #7 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
    #8 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
    #9 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
    #10 0x525287 in main /root/perl5/perlmain.c:121:18
    #11 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl5/toke.c:5137:13 in Perl_yylex
Attachment: test079.gz (application/x-gzip, 40 bytes)
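The two stacks above show the shape of the bug: Perl_yylex holds a pointer into the line buffer, calls skipspace, which pulls the next chunk in through lex_next_chunk, sv_catpvn_flags and sv_grow's realloc, and then reads through the old pointer. The following is a constructed C model of that pattern, added here as an illustration; it is not Perl's code, and linebuf, cursor, lb_append, skipspace and the sample input chunks are all invented for it. The buggy shape reports that its raw pointer went stale instead of dereferencing it; the safe shape keeps an offset and re-derives the pointer after anything that may grow the buffer.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a lexer line buffer (not Perl's SV/PL_linestr):
 * pv may move whenever the buffer grows, as sv_grow()'s realloc moved it
 * in the report. gen is bumped on every growth so a cursor can tell
 * whether a raw pointer derived from it is still valid. */
typedef struct {
    char    *pv;   /* heap buffer holding the text being lexed */
    size_t   cur;  /* bytes in use */
    size_t   len;  /* bytes allocated */
    unsigned gen;  /* incremented every time pv may have moved */
} linebuf;

/* A position that survives growth: an offset plus the buffer generation
 * at which the last raw pointer was derived from it. */
typedef struct {
    size_t   off;
    unsigned gen;
} cursor;

static void lb_init(linebuf *lb) {
    lb->len = 16;
    lb->pv = malloc(lb->len);
    lb->pv[0] = '\0';
    lb->cur = 0;
    lb->gen = 0;
}

static void lb_free(linebuf *lb) { free(lb->pv); lb->pv = NULL; }

/* Append n bytes, growing the buffer if needed. After realloc every raw
 * pointer into the old pv dangles: this is the lex_next_chunk ->
 * sv_catpvn_flags -> sv_grow path in the "freed by" stack. */
static int lb_append(linebuf *lb, const char *s, size_t n) {
    if (lb->cur + n + 1 > lb->len) {
        size_t nl = lb->len;
        while (lb->cur + n + 1 > nl) nl *= 2;
        char *np = realloc(lb->pv, nl);
        if (!np) return -1;
        lb->pv = np;
        lb->len = nl;
        lb->gen++;            /* invalidate every outstanding raw pointer */
    }
    memcpy(lb->pv + lb->cur, s, n);
    lb->cur += n;
    lb->pv[lb->cur] = '\0';
    return 0;
}

/* Derive a raw pointer from a cursor, recording the buffer generation. */
static char *cur_ptr(const linebuf *lb, cursor *c) {
    c->gen = lb->gen;
    return lb->pv + c->off;
}

/* Nonzero if a pointer derived from c predates a buffer growth. */
static int cur_stale(const linebuf *lb, const cursor *c) {
    return c->gen != lb->gen;
}

/* Pull the next chunk of input into the buffer (stands in for lex_next_chunk). */
static int next_chunk(linebuf *lb, const char **chunks, size_t *idx) {
    if (!chunks[*idx]) return 0;                       /* EOF */
    if (lb_append(lb, chunks[*idx], strlen(chunks[*idx])) != 0) return -1;
    (*idx)++;
    return 1;
}

/* Skip whitespace at the cursor, fetching more input when the buffer runs
 * out (stands in for skipspace -> lex_read_space). It works on the offset,
 * so it is safe across growth; callers must not keep a raw pointer across it. */
static int skipspace(linebuf *lb, cursor *c, const char **chunks, size_t *idx) {
    for (;;) {
        while (c->off < lb->cur && isspace((unsigned char)lb->pv[c->off]))
            c->off++;
        if (c->off < lb->cur) return 0;
        int r = next_chunk(lb, chunks, idx);
        if (r <= 0) return r;                          /* EOF or error */
    }
}

/* Constructed input: a long literal ending the first chunk, then
 * whitespace and '$' arriving in the next chunk. */
static const char *sample_chunks[] = { "000000000000000", "   $x", NULL };

/* Buggy shape from the report: keep s into the buffer, call skipspace
 * (which grows the buffer), then read *s. Returns 1 if s is stale at that
 * point; the dereference itself is deliberately not performed. */
int raw_pointer_goes_stale(void) {
    linebuf lb; lb_init(&lb);
    size_t idx = 0;
    cursor c = { 0, 0 };
    next_chunk(&lb, sample_chunks, &idx);
    char *s = cur_ptr(&lb, &c);          /* raw pointer taken before growth */
    c.off = lb.cur;                      /* lexer has consumed the digits */
    skipspace(&lb, &c, sample_chunks, &idx);
    int stale = cur_stale(&lb, &c);      /* 1: reading *s here is the UAF */
    (void)s;
    lb_free(&lb);
    return stale;
}

/* Safe shape: re-derive the pointer after anything that may grow the
 * buffer. Returns the character under the cursor, '$'. */
char rederived_pointer_reads_next_token(void) {
    linebuf lb; lb_init(&lb);
    size_t idx = 0;
    cursor c = { 0, 0 };
    next_chunk(&lb, sample_chunks, &idx);
    c.off = lb.cur;
    skipspace(&lb, &c, sample_chunks, &idx);
    char *s = cur_ptr(&lb, &c);          /* fresh pointer, current generation */
    char ch = cur_stale(&lb, &c) ? '\0' : *s;
    lb_free(&lb);
    return ch;
}
```

The generation counter is bumped on every realloc rather than only when the block actually moves, because a pointer into the old block is invalid after realloc whether or not the allocator relocated it; an ASan build only notices the cases where it did.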

RT-Send-CC: perl5-porters [...] perl.org
On Mon, 28 Aug 2017 22:22:53 -0700, brian.carpenter@gmail.com wrote:
> Triggered while fuzzing Perl v5.27.2-150-g5c780defa5* on Fedora 26 x64.
>
> ./perl test079
> Scalar found where operator expected at test079 line 1, near
> "000000000000000$"
>         (Missing operator before $?)
> =================================================================
> ==25286==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x606000000bd1 at pc 0x000000898f5b bp 0x7ffcfaccf670 sp 0x7ffcfaccf668
> READ of size 1 at 0x606000000bd1 thread T0
>     #0 0x898f5a in Perl_yylex /root/perl5/toke.c:5137:13

I think this was fixed by 3b8804a4c2320ae4e7e713c5836d340eb210b6cd.

Tony

