Report information
Id: 132544
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)

Attachments
0001-don-t-lose-mark-when-pp_reverse-extends-stack.patch



Date: Thu, 7 Dec 2017 22:20:53 -0600
To: perl5-security-report [...] perl.org
From: Brian Carpenter <brian.carpenter [...] gmail.com>
Subject: heap-buffer-overflow (WRITE of size 8) in Perl_pp_reverse
This bug is triggered in Perl v5.27.6-156-g5d4548b73b compiled with Clang 6.0.0-trunk and -fsanitize=address. I thought this was fixed back in June with #131555 (which is still marked private), so maybe this is a regression?

./perl -e 'for$0(0..1000){()=(0..$0,scalar reverse)}'

==16254==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x000000995f56 bp 0x7ffcd64a7470 sp 0x7ffcd64a7468
WRITE of size 8 at 0x619000000480 thread T0
    #0 0x995f55 in Perl_pp_reverse /root/perl/pp.c:5663:2
    #1 0x7b4868 in Perl_runops_debug /root/perl/dump.c:2495:23
    #2 0x5a68b1 in S_run_body /root/perl/perl.c
    #3 0x5a5efb in perl_run /root/perl/perl.c:2517:2
    #4 0x5035b7 in main /root/perl/perlmain.c:123:9
    #5 0x7fcd0f7233f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
    #6 0x436109 in _start (/root/perl/perl+0x436109)

0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
freed by thread T0 here:
    #0 0x4d7242 in realloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:107:3
    #1 0x7b9ab4 in Perl_safesysrealloc /root/perl/util.c:271:18
    #2 0x847b36 in Perl_av_extend_guts /root/perl/av.c:163:3
    #3 0x9a9ef2 in Perl_stack_grow /root/perl/scope.c:57:5
    #4 0x995c29 in Perl_pp_reverse /root/perl/pp.c:5624:13
    #5 0x7b4868 in Perl_runops_debug /root/perl/dump.c:2495:23
    #6 0x5a68b1 in S_run_body /root/perl/perl.c
    #7 0x5a5efb in perl_run /root/perl/perl.c:2517:2
    #8 0x5035b7 in main /root/perl/perlmain.c:123:9
    #9 0x7fcd0f7233f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

previously allocated by thread T0 here:
    #0 0x4d6e43 in malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7b9538 in Perl_safesysmalloc /root/perl/util.c:153:21
    #2 0x8479ee in Perl_av_extend_guts /root/perl/av.c:186:3
    #3 0x9aa084 in Perl_new_stackinfo /root/perl/scope.c:78:5
    #4 0x59275f in Perl_init_stacks /root/perl/perl.c:4205:23
    #5 0x5909ca in perl_construct /root/perl/perl.c:271:5
    #6 0x50340e in main /root/perl/perlmain.c:117:2
    #7 0x7fcd0f7233f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/pp.c:5663:2 in Perl_pp_reverse
From: Zefram <zefram [...] fysh.org>
Subject: Re: [perl #132544] heap-buffer-overflow (WRITE of size 8) in Perl_pp_reverse
Date: Fri, 8 Dec 2017 19:33:32 +0000
To: perl5-security-report [...] perl.org
Brian Carpenter wrote:
>./perl -e 'for$0(0..1000){()=(0..$0,scalar reverse)}'

Thanks. The stack reallocation logic in pp_reverse is faulty. Attached patch fixes. I'm not sure about whether this should be a security ticket. I wouldn't have thought to class it so if I'd discovered the bug myself, but there is some sense in so classifying it. I'm holding off from pushing the fix to blead, pending instructions here.

-zefram

Message body is not shown because sender requested not to inline it.

Date: Wed, 13 Dec 2017 20:17:18 +0000
To: perl5-security-report [...] perl.org
From: Zefram <zefram [...] fysh.org>
Subject: Re: [perl #132544] heap-buffer-overflow (WRITE of size 8) in Perl_pp_reverse
I wrote:
>I'm not sure about whether this should be a security ticket. I wouldn't
>have thought to class it so if I'd discovered the bug myself, but there
>is some sense in so classifying it. I'm holding off from pushing the
>fix to blead, pending instructions here.

Prod. Anyone got an opinion?

-zefram
RT-Send-CC: perl5-security-report [...] perl.org
On Wed, 13 Dec 2017 12:17:26 -0800, zefram@fysh.org wrote:
> I wrote:
> >I'm not sure about whether this should be a security ticket. I wouldn't
> >have thought to class it so if I'd discovered the bug myself, but there
> >is some sense in so classifying it. I'm holding off from pushing the
> >fix to blead, pending instructions here.
>
> Prod. Anyone got an opinion?

We don't really have a fixed policy for this stuff. As a heap buffer overflow it could corrupt the heap, possibly leading to denial of service attacks on some platform, iff an attacker can cause reverse() to execute under right conditions. An attacker has little to no control over the value written to the buffer (an SV pointer). In general I don't think we've treated such overflows as security issues, see #131555 for example. Based on past practice we shouldn't treat this as a security issue.

Tony
RT-Send-CC: perl5-security-report [...] perl.org
On Thu, 07 Dec 2017 20:21:58 -0800, brian.carpenter@gmail.com wrote:
> This bug is triggered in Perl v5.27.6-156-g5d4548b73b compiled with Clang
> 6.0.0-trunk and -fsanitize=address. I thought this was fixed back in June
> with #131555 (which is still marked private), so maybe this is a
> regression?

#131555 is now public.

The difference is that in #131555 it was a simple buffer overflow. In this case we're writing past the end of a buffer that has already been freed - the bug was introduced by the fix for #131555. I had a quick look over the other #131555 fixes, but didn't see any similar problems.

Tony
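The defect Tony describes, a pointer into the argument stack kept across a stack_grow realloc, modelled below as an added C example with the fix the attached patch title points at (keeping the mark across the extend). This is a constructed stand-in, not perl's code; PtrStack, stack_grow, push_after_mark and stress are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for perl's SV pointer stack (not perl's own code): a growable
 * pointer array extended by realloc, as Perl_stack_grow -> av_extend_guts -> realloc does. */
typedef struct { const char **base; size_t top, cap; } PtrStack;

static void stack_init(PtrStack *st, size_t cap) {
    st->base = calloc(cap, sizeof *st->base);
    if (!st->base) { perror("calloc"); exit(EXIT_FAILURE); }
    st->top = 1;   /* base[0] is a sentinel (like PL_stack_base[0]); first item lives at 1 */
    st->cap = cap;
}

/* Ensure `slots` slots exist. On realloc the old block is FREED, so every raw
 * pointer into it (a saved `mark` included) dangles from this point on. */
static void stack_grow(PtrStack *st, size_t slots) {
    if (slots <= st->cap) return;
    size_t ncap = st->cap ? st->cap : 1;
    while (ncap < slots) ncap *= 2;
    const char **nb = realloc(st->base, ncap * sizeof *nb);
    if (!nb) { perror("realloc"); exit(EXIT_FAILURE); }
    st->base = nb;
    st->cap = ncap;
}

/* Cut the frame back to `mark_idx` and push one item above it (the shape of the
 * no-argument scalar reverse path). The reported defect is this sequence without the
 * re-derivation line: `mark` taken before the grow and written through after it, an
 * 8-byte pointer store into the block realloc just freed. Fix: recompute it from base. */
static size_t push_after_mark(PtrStack *st, size_t mark_idx, const char *item) {
    const char **mark = st->base + mark_idx;      /* points into the OLD block */
    size_t mark_off = (size_t)(mark - st->base);  /* saved as an offset BEFORE grow */
    stack_grow(st, mark_idx + 2);                 /* may free st->base */
    mark = st->base + mark_off;                   /* re-derived from the NEW base */
    mark[1] = item;                               /* lands inside live memory */
    st->top = mark_idx + 2;
    return st->top;
}

/* Mirror the report's loop: widen the frame each round so the stack has to
 * reallocate repeatedly; return how many pushes read back what was stored. */
static size_t stress(size_t rounds) {
    PtrStack st; size_t ok = 0;
    stack_init(&st, 4);
    for (size_t i = 1; i <= rounds; i++)
        if (push_after_mark(&st, i, "rev") == i + 2 && st.base[i + 1][0] == 'r') ok++;
    free(st.base);
    return ok;
}
```

Building this with -fsanitize=address and deleting the re-derivation line reproduces the same class of report as above: a WRITE of pointer size just past (or inside) a freed region.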
To: Tony Cook via RT <perl5-security-report-followup [...] perl.org>
CC: perl5-security-report [...] perl.org
Date: Thu, 14 Dec 2017 11:28:56 +0000
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #132544] heap-buffer-overflow (WRITE of size 8) in Perl_pp_reverse
On Wed, Dec 13, 2017 at 02:44:45PM -0800, Tony Cook via RT wrote:
> On Thu, 07 Dec 2017 20:21:58 -0800, brian.carpenter@gmail.com wrote:
> > This bug is triggered in Perl v5.27.6-156-g5d4548b73b compiled with Clang
> > 6.0.0-trunk and -fsanitize=address. I thought this was fixed back in June
> > with #131555 (which is still marked private), so maybe this is a
> > regression?
>
> #131555 is now public.
>
> The difference is #131555 it was a simple buffer overflow.
>
> In this case we're writing past the end of a buffer that has already been freed - the bug was introduced by the fix for #131555.
>

In which case the new bug hasn't appeared in a production release, so it should be safe to just push the fix and make the ticket public.

-- 
But Pity stayed his hand. "It's a pity I've run out of bullets", he thought.
    -- "Bored of the Rings"
Subject: Re: [perl #132544] heap-buffer-overflow (WRITE of size 8) in Perl_pp_reverse
From: Zefram <zefram [...] fysh.org>
Date: Thu, 14 Dec 2017 19:43:46 +0000
To: perl5-security-report [...] perl.org
Dave Mitchell wrote:
>In which case the new bug hasn't appeared in a production release, so it
>should be safe to just push the fix and make the ticket public.

OK. Fix applied to blead as commit 47836a13cc4c999c9b3589c6797d6769b52c37fd.

-zefram
RT-Send-CC: perl5-porters [...] perl.org
On Thu, 14 Dec 2017 11:43:57 -0800, zefram@fysh.org wrote:
> Dave Mitchell wrote:
> >In which case the new bug hasn't appeared in a production release, so it
> >should be safe to just push the fix and make the ticket public.

True, I've moved it to the public queue.

>
> OK. Fix applied to blead as commit
> 47836a13cc4c999c9b3589c6797d6769b52c37fd.

And closed it.

Tony