
Heap Use After Free (READ of size 1) in Perl_yylex (toke.c:5137) #16130

Closed
p5pRT opened this issue Aug 29, 2017 · 8 comments

Comments

p5pRT commented Aug 29, 2017

Migrated from rt.perl.org#131987 (status was 'resolved')

Searchable as RT131987$

p5pRT commented Aug 29, 2017

From @geeknik

Triggered while fuzzing Perl v5.27.2-150-g5c780defa5* on Fedora 26 x64.

./perl test079
Scalar found where operator expected at test079 line 1, near "000000000000000$"
  (Missing operator before $?)

==25286==ERROR: AddressSanitizer: heap-use-after-free on address
0x606000000bd1 at pc 0x000000898f5b bp 0x7ffcfaccf670 sp 0x7ffcfaccf668
READ of size 1 at 0x606000000bd1 thread T0
  #0 0x898f5a in Perl_yylex /root/perl5/toke.c:5137:13
  #1 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
  #2 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
  #3 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
  #4 0x525287 in main /root/perl5/perlmain.c:121:18
  #5 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)
  #6 0x435b19 in _start (/root/perl5/perl+0x435b19)

0x606000000bd1 is located 17 bytes inside of 64-byte region
[0x606000000bc0,0x606000000c00)
freed by thread T0 here:
  #0 0x4eb585 in realloc (/root/perl5/perl+0x4eb585)
  #1 0xdfab74 in Perl_safesysrealloc /root/perl5/util.c:274:18
  #2 0x110561e in Perl_sv_grow /root/perl5/sv.c:1600:17
  #3 0x121ffb0 in Perl_sv_catpvn_flags /root/perl5/sv.c:5530:12
  #4 0x86f49e in Perl_lex_next_chunk /root/perl5/toke.c:1378:6
  #5 0x877330 in Perl_lex_read_space /root/perl5/toke.c:1587:17
  #6 0x9c797c in S_skipspace_flags /root/perl5/toke.c:1890:2
  #7 0x97c962 in Perl_yylex /root/perl5/toke.c:6215:8
  #8 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
  #9 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
  #10 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
  #11 0x525287 in main /root/perl5/perlmain.c:121:18
  #12 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)

previously allocated by thread T0 here:
  #0 0x4eb585 in realloc (/root/perl5/perl+0x4eb585)
  #1 0xdfab74 in Perl_safesysrealloc /root/perl5/util.c:274:18
  #2 0x110561e in Perl_sv_grow /root/perl5/sv.c:1600:17
  #3 0x1295e81 in Perl_sv_gets /root/perl5/sv.c:8778:2
  #4 0x86e038 in S_filter_gets /root/perl5/toke.c:4577:17
  #5 0x86e038 in Perl_lex_next_chunk /root/perl5/toke.c:1352
  #6 0x8ad798 in Perl_yylex /root/perl5/toke.c:5288:11
  #7 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
  #8 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
  #9 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
  #10 0x525287 in main /root/perl5/perlmain.c:121:18
  #11 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl5/toke.c:5137:13 in Perl_yylex
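The two stacks in the report describe the shape of the bug class rather than its exact cause: the line buffer is allocated by sv_gets inside lex_next_chunk, a later refill (lex_read_space -> lex_next_chunk -> sv_catpvn_flags -> sv_grow) reallocs and frees it, and yylex then performs a one-byte read inside the freed region. The C program below is an added illustration of that pattern (a raw pointer into a growable buffer held across a refill that may realloc it, beside the offset-based form that survives reallocation). It is not Perl's toke.c and says nothing about what commit 3b8804a changed; the `linebuf` type, `lb_append`, `scan_buggy` and `scan_fixed` are invented for the demo and the input strings are constructed.

```c
/* Illustrative model of a stale-pointer-across-realloc bug in a lexer.
 * NOT Perl's code: linebuf, lb_append, scan_buggy and scan_fixed are
 * invented names for this demo. Build with -fsanitize=address to see
 * the buggy variant reported as heap-use-after-free when realloc moves. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *buf;   /* heap buffer holding the input read so far */
    size_t len;   /* bytes used (not counting the NUL) */
    size_t cap;   /* bytes allocated */
} linebuf;

static void lb_init(linebuf *lb) {
    lb->cap = 16;                  /* deliberately small so appends grow it */
    lb->len = 0;
    lb->buf = malloc(lb->cap);
    if (!lb->buf) abort();
    lb->buf[0] = '\0';
}

/* Append a chunk of input, growing the buffer when needed. As with
 * sv_catpvn_flags -> sv_grow -> realloc in the ASan trace, growth may
 * move the allocation: every char* previously taken into lb->buf is
 * dangling afterwards. */
static void lb_append(linebuf *lb, const char *s, size_t n) {
    if (lb->len + n + 1 > lb->cap) {
        size_t ncap = lb->cap;
        while (lb->len + n + 1 > ncap) ncap *= 2;
        char *nb = realloc(lb->buf, ncap);   /* frees the old block on move */
        if (!nb) abort();
        lb->buf = nb;
        lb->cap = ncap;
    }
    memcpy(lb->buf + lb->len, s, n);
    lb->len += n;
    lb->buf[lb->len] = '\0';
}

/* BUGGY pattern, the one the report's stacks describe: take a pointer
 * into the buffer, refill (which may realloc), then read through the
 * old pointer. Kept only for comparison; calling it is undefined
 * behaviour and is what ASan flags as a READ of size 1 after free. */
int scan_buggy(linebuf *lb, const char *more, size_t n) {
    char *p = lb->buf + lb->len - 1;   /* last byte of the current input */
    lb_append(lb, more, n);            /* may free the block p points into */
    return *p;                         /* stale read */
}

/* FIXED pattern: carry an offset across the refill and rebase it on the
 * buffer pointer that is current after the refill returns. */
int scan_fixed(linebuf *lb, const char *more, size_t n) {
    size_t off = lb->len - 1;          /* offsets survive reallocation */
    lb_append(lb, more, n);
    char *p = lb->buf + off;           /* recompute from the new base */
    return *p;
}

/* Drives the fixed scanner over constructed input shaped like the
 * report's "000000000000000$" and returns the byte at the saved position. */
int demo(void) {
    linebuf lb;
    lb_init(&lb);
    const char *first = "000000000000000$";               /* constructed */
    lb_append(&lb, first, strlen(first));                 /* 16 bytes: grows 16 -> 32 */
    const char *second = " trailing input that forces another growth\n"; /* constructed */
    int c = scan_fixed(&lb, second, strlen(second));      /* grows again, rebases */
    free(lb.buf);
    return c;                                             /* '$' */
}

int main(void) {
    printf("byte at saved position after refill: %c\n", demo());
    return 0;
}
```

Only `scan_fixed` is exercised; `scan_buggy` exists so the two forms can be read side by side. Whether the buggy variant visibly misbehaves on a given run depends on whether realloc moves the block, which is exactly why a fuzzer under AddressSanitizer finds this class of bug more reliably than plain testing does.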

p5pRT commented Aug 29, 2017

From @geeknik

test079.gz

p5pRT commented Aug 30, 2017

From @tonycoz

On Mon, 28 Aug 2017 22:22:53 -0700, brian.carpenter@gmail.com wrote:

> Triggered while fuzzing Perl v5.27.2-150-g5c780defa5* on Fedora 26 x64.
>
> ./perl test079
> Scalar found where operator expected at test079 line 1, near "000000000000000$"
> (Missing operator before $?)
>
> ==25286==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x606000000bd1 at pc 0x000000898f5b bp 0x7ffcfaccf670 sp 0x7ffcfaccf668
> READ of size 1 at 0x606000000bd1 thread T0
> #0 0x898f5a in Perl_yylex /root/perl5/toke.c:5137:13

I think this was fixed by 3b8804a.

Tony

p5pRT commented Aug 30, 2017

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Dec 6, 2017

From zefram@fysh.org

I concur that this has been fixed by the commit that Tony identified.

-zefram

p5pRT commented Dec 7, 2017

@cpansprout - Status changed from 'open' to 'pending release'

p5pRT commented Jun 23, 2018

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been resolved.

Perl 5.28.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.

p5pRT commented Jun 23, 2018

@khwilliamson - Status changed from 'pending release' to 'resolved'
