Report information
Id: 132593
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: sraums2498 [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: (no value)
Type: (no value)
Perl Version: (no value)
Fixed In: (no value)



To: perl5-security-report [...] perl.org
Date: Sun, 17 Dec 2017 15:46:04 +0530
Subject: PERL-5.26.1 heap_buffer_overflow READ of size 8
From: SRAUMS JN <sraums2498 [...] gmail.com>
=================================================================
==33657==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000009678 at pc 0x000002519068 bp 0x7fffffffd950 sp 0x7fffffffd940
READ of size 8 at 0x619000009678 thread T0
    #0 0x2519067 in Perl_pp_backtick /home/asan_perl/Documents/perl-5.26.1/pp_sys.c:299
    #1 0x1b1bc2e in Perl_runops_standard /home/asan_perl/Documents/perl-5.26.1/run.c:41
    #2 0x9218a5 in S_run_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2519
    #3 0x9218a5 in perl_run /home/asan_perl/Documents/perl-5.26.1/perl.c:2447
    #4 0x46b6a7 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:123
    #5 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

0x619000009678 is located 8 bytes to the left of 1024-byte region [0x619000009680,0x619000009a80)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x167dd81 in Perl_safesysmalloc /home/asan_perl/Documents/perl-5.26.1/util.c:153
    #2 0x1adf2d0 in Perl_av_extend_guts /home/asan_perl/Documents/perl-5.26.1/av.c:186
    #3 0x2272eb6 in Perl_new_stackinfo /home/asan_perl/Documents/perl-5.26.1/scope.c:74
    #4 0x8ab011 in Perl_init_stacks /home/asan_perl/Documents/perl-5.26.1/perl.c:4137
    #5 0x8af2e0 in perl_construct /home/asan_perl/Documents/perl-5.26.1/perl.c:274
    #6 0x46b033 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:117
    #7 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/asan_perl/Documents/perl-5.26.1/pp_sys.c:299 Perl_pp_backtick
Shadow bytes around the buggy address:
  0x0c327fff9270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff92a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff92c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c327fff92d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff92e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff92f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==33657==ABORTING


--
Regards,
SRAUMS
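As an added example (not part of this ticket and not perl's own tooling), here is a small Python parser for the AddressSanitizer report format above, plus a triage helper that pulls out what a maintainer checks first: the bug class, whether the faulting access is a READ or a WRITE, how far it lands from the nearest allocation, and the first project-owned frame of both the access stack and the allocation stack. The sample input is a trimmed copy of the report in this ticket; the project prefix path and the function names `parse_asan_report`, `first_frame_under` and `triage` are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    index: int
    function: str
    location: str               # "file:line" or "(module+offset)", as ASan prints it
    file: Optional[str] = None  # set only when ASan had debug info for the frame
    line: Optional[int] = None


@dataclass
class AsanReport:
    pid: int
    bug_type: str               # e.g. heap-buffer-overflow, heap-use-after-free
    address: int
    access: Optional[str] = None        # READ or WRITE
    size: Optional[int] = None
    thread: Optional[str] = None
    region_distance: Optional[int] = None
    region_side: Optional[str] = None   # "left" (before) or "right" (after) the allocation
    region_size: Optional[int] = None
    # "access" stack, plus "allocated" / "freed" / "previously allocated" stacks when present
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)


_HEADER = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
_REGION = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes to the (left|right) of (\d+)-byte region")
_STACK = re.compile(r"^(allocated|freed|previously allocated) by thread T\d+ here:")
_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (.+)$")  # \S+ suits C symbols, not C++ signatures
_SRCLOC = re.compile(r"^(.+?):(\d+)(?::\d+)?$")                 # file:line or file:line:column

# Constructed sample: a trimmed copy of the report in this ticket (some middle frames omitted).
SAMPLE_REPORT = """\
==33657==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000009678 at pc 0x000002519068 bp 0x7fffffffd950 sp 0x7fffffffd940
READ of size 8 at 0x619000009678 thread T0
    #0 0x2519067 in Perl_pp_backtick /home/asan_perl/Documents/perl-5.26.1/pp_sys.c:299
    #1 0x1b1bc2e in Perl_runops_standard /home/asan_perl/Documents/perl-5.26.1/run.c:41
    #4 0x46b6a7 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:123
    #5 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

0x619000009678 is located 8 bytes to the left of 1024-byte region [0x619000009680,0x619000009a80)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x167dd81 in Perl_safesysmalloc /home/asan_perl/Documents/perl-5.26.1/util.c:153
    #2 0x1adf2d0 in Perl_av_extend_guts /home/asan_perl/Documents/perl-5.26.1/av.c:186

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/asan_perl/Documents/perl-5.26.1/pp_sys.c:299 Perl_pp_backtick
"""


def parse_asan_report(text: str) -> AsanReport:
    """Parse one AddressSanitizer report into structured form."""
    report, current = None, None
    for line in text.splitlines():
        line = line.rstrip()
        if (m := _HEADER.match(line)):
            report = AsanReport(int(m[1]), m[2], int(m[3], 16))
            current = "access"
        elif report is None:
            continue                          # ignore program output before the ERROR line
        elif (m := _ACCESS.match(line)):
            report.access, report.size, report.thread = m[1], int(m[2]), m[3]
        elif (m := _REGION.match(line)):
            report.region_distance, report.region_side, report.region_size = int(m[1]), m[2], int(m[3])
        elif (m := _STACK.match(line)):
            current = m[1]                    # following frames belong to this stack
        elif (m := _FRAME.match(line)) and current:
            frame = Frame(int(m[1]), m[2], m[3])
            if (loc := _SRCLOC.match(frame.location)):
                frame.file, frame.line = loc[1], int(loc[2])
            report.stacks.setdefault(current, []).append(frame)
        elif line.startswith("SUMMARY:"):
            current = None
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report


def first_frame_under(frames: List[Frame], prefix: str) -> Optional[Frame]:
    """First frame with a source location under prefix, skipping libc/libasan frames."""
    return next((f for f in frames if f.file and f.file.startswith(prefix)), None)


def triage(report: AsanReport, project_prefix: str) -> dict:
    """Reduce a report to bug class, corruption potential and first project-owned frames."""
    def where(f: Optional[Frame]) -> Optional[str]:
        return f"{f.function} {f.file}:{f.line}" if f else None

    kind = report.bug_type
    if kind == "heap-buffer-overflow":
        # "left" means the access landed before the start of the allocation (an underflow)
        kind = "heap underflow" if report.region_side == "left" else "heap overflow"
    return {
        "kind": kind,
        "access": f"{report.access} of {report.size} bytes, {report.region_distance} bytes "
                  f"{report.region_side} of a {report.region_size}-byte region",
        "writes_memory": report.access == "WRITE",   # reads crash or leak; writes can corrupt state
        "site": where(first_frame_under(report.stacks.get("access", []), project_prefix)),
        "allocation": where(first_frame_under(report.stacks.get("allocated", []), project_prefix)),
    }
```

Run against this ticket's report, `triage` classifies it as a heap underflow: an 8-byte read landing 8 bytes before a 1024-byte region that `Perl_av_extend_guts` allocated for the interpreter stack during `Perl_new_stackinfo`, i.e. a read of one pointer-sized slot below the bottom of the stack from `Perl_pp_backtick`. The READ/WRITE split matters for prioritisation: a stray read like this one crashes or discloses memory, whereas a write could corrupt interpreter state. Frames without debug info (libc, libasan) keep their raw `(module+offset)` text and are skipped when locating the project-owned frame.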
Subject: Re: [perl #132593] AutoReply: PERL-5.26.1 heap_buffer_overflow READ of size 8
From: SRAUMS JN <sraums2498 [...] gmail.com>
To: perl5-security-report-followup [...] perl.org
Date: Sun, 17 Dec 2017 15:48:21 +0530
Attaching input file

On Sun, Dec 17, 2017 at 3:47 PM, <perl5-security-report-followup@perl.org> wrote:
Greetings,

This message has been automatically generated in response to the
creation of a perl security report regarding:
   "PERL-5.26.1 heap_buffer_overflow READ of size 8".

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [perl #132593].

Please include the string:

   [perl #132593]

in the subject line of all future correspondence about this issue. To do so,
you may reply to this message (please delete unnecessary quotes and text.)

  Thank you,
  perl5-security-report-followup@perl.org




--
Regards,
SRAUMS

Date: Mon, 18 Dec 2017 11:33:50 +0000
To: perl5-security-report [...] perl.org
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #132593] PERL-5.26.1 heap_buffer_overflow READ of size 8
On Sun, Dec 17, 2017 at 02:17:02AM -0800, SRAUMS JN wrote:
> #0 0x2519067 in Perl_pp_backtick /home/asan_perl/Documents/perl-5.26.1/pp_sys.c:299
> #1 0x1b1bc2e in Perl_runops_standard /home/asan_perl/Documents/perl-5.26.1/run.c:41
> #2 0x9218a5 in S_run_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2519
> #3 0x9218a5 in perl_run /home/asan_perl/Documents/perl-5.26.1/perl.c:2447
> #4 0x46b6a7 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:123
> #5 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #6 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)
>
> 0x619000009678 is located 8 bytes to the left of 1024-byte region [0x619000009680,0x619000009a80)
> allocated by thread T0 here:
> #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
> #1 0x167dd81 in Perl_safesysmalloc /home/asan_perl/Documents/perl-5.26.1/util.c:153
> #2 0x1adf2d0 in Perl_av_extend_guts /home/asan_perl/Documents/perl-5.26.1/av.c:186
> #3 0x2272eb6 in Perl_new_stackinfo /home/asan_perl/Documents/perl-5.26.1/scope.c:74
> #4 0x8ab011 in Perl_init_stacks /home/asan_perl/Documents/perl-5.26.1/perl.c:4137
> #5 0x8af2e0 in perl_construct /home/asan_perl/Documents/perl-5.26.1/perl.c:274
> #6 0x46b033 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:117
> #7 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

A bisect shows this is fixed in blead by this

commit 397baf232086e0a9ad6f881a9614d3dbaea853fc
Author:     Zefram <zefram@fysh.org>
AuthorDate: Tue Dec 12 06:24:01 2017 +0000
Commit:     Zefram <zefram@fysh.org>
CommitDate: Tue Dec 12 06:24:01 2017 +0000

    properly check readpipe()'s argument list

    readpipe() wasn't applying context to its argument list, resulting in
    readpipe()'s context leaking in, and broken stack discipline when a list
    expression was used. Fixes [perl #4574].

--
You live and learn (although usually you just live).
RT-Send-CC: perl5-porters [...] perl.org
On Mon, 18 Dec 2017 03:34:03 -0800, davem wrote:
> On Sun, Dec 17, 2017 at 02:17:02AM -0800, SRAUMS JN wrote:
> > #0 0x2519067 in Perl_pp_backtick /home/asan_perl/Documents/perl-5.26.1/pp_sys.c:299
> > #1 0x1b1bc2e in Perl_runops_standard /home/asan_perl/Documents/perl-5.26.1/run.c:41
> > #2 0x9218a5 in S_run_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2519
> > #3 0x9218a5 in perl_run /home/asan_perl/Documents/perl-5.26.1/perl.c:2447
> > #4 0x46b6a7 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:123
> > #5 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> > #6 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)
> >
> > 0x619000009678 is located 8 bytes to the left of 1024-byte region [0x619000009680,0x619000009a80)
> > allocated by thread T0 here:
> > #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
> > #1 0x167dd81 in Perl_safesysmalloc /home/asan_perl/Documents/perl-5.26.1/util.c:153
> > #2 0x1adf2d0 in Perl_av_extend_guts /home/asan_perl/Documents/perl-5.26.1/av.c:186
> > #3 0x2272eb6 in Perl_new_stackinfo /home/asan_perl/Documents/perl-5.26.1/scope.c:74
> > #4 0x8ab011 in Perl_init_stacks /home/asan_perl/Documents/perl-5.26.1/perl.c:4137
> > #5 0x8af2e0 in perl_construct /home/asan_perl/Documents/perl-5.26.1/perl.c:274
> > #6 0x46b033 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:117
> > #7 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>
> A bisect shows this is fixed in blead by this
>
> commit 397baf232086e0a9ad6f881a9614d3dbaea853fc
> Author:     Zefram <zefram@fysh.org>
> AuthorDate: Tue Dec 12 06:24:01 2017 +0000
> Commit:     Zefram <zefram@fysh.org>
> CommitDate: Tue Dec 12 06:24:01 2017 +0000
>
>     properly check readpipe()'s argument list
>
>     readpipe() wasn't applying context to its argument list, resulting in
>     readpipe()'s context leaking in, and broken stack discipline when a list
>     expression was used. Fixes [perl #4574].

It also depends on feeding code to the interpreter.

Since it's fixed I'm closing it.

I've also added it to the 5.24 and 5.26 votes files.

Tony
From: Sawyer X <xsawyerx [...] gmail.com>
Subject: Re: [perl #132593] PERL-5.26.1 heap_buffer_overflow READ of size 8
Date: Thu, 8 Feb 2018 12:57:27 +0200
To: perl5-porters [...] perl.org
On 02/07/2018 05:17 AM, Tony Cook via RT wrote:
> On Mon, 18 Dec 2017 03:34:03 -0800, davem wrote:
>> On Sun, Dec 17, 2017 at 02:17:02AM -0800, SRAUMS JN wrote:
>>> #0 0x2519067 in Perl_pp_backtick /home/asan_perl/Documents/perl-5.26.1/pp_sys.c:299
>>> #1 0x1b1bc2e in Perl_runops_standard /home/asan_perl/Documents/perl-5.26.1/run.c:41
>>> #2 0x9218a5 in S_run_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2519
>>> #3 0x9218a5 in perl_run /home/asan_perl/Documents/perl-5.26.1/perl.c:2447
>>> #4 0x46b6a7 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:123
>>> #5 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>>> #6 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)
>>>
>>> 0x619000009678 is located 8 bytes to the left of 1024-byte region [0x619000009680,0x619000009a80)
>>> allocated by thread T0 here:
>>> #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
>>> #1 0x167dd81 in Perl_safesysmalloc /home/asan_perl/Documents/perl-5.26.1/util.c:153
>>> #2 0x1adf2d0 in Perl_av_extend_guts /home/asan_perl/Documents/perl-5.26.1/av.c:186
>>> #3 0x2272eb6 in Perl_new_stackinfo /home/asan_perl/Documents/perl-5.26.1/scope.c:74
>>> #4 0x8ab011 in Perl_init_stacks /home/asan_perl/Documents/perl-5.26.1/perl.c:4137
>>> #5 0x8af2e0 in perl_construct /home/asan_perl/Documents/perl-5.26.1/perl.c:274
>>> #6 0x46b033 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:117
>>> #7 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>> A bisect shows this is fixed in blead by this
>>
>> commit 397baf232086e0a9ad6f881a9614d3dbaea853fc
>> Author:     Zefram <zefram@fysh.org>
>> AuthorDate: Tue Dec 12 06:24:01 2017 +0000
>> Commit:     Zefram <zefram@fysh.org>
>> CommitDate: Tue Dec 12 06:24:01 2017 +0000
>>
>>     properly check readpipe()'s argument list
>>
>>     readpipe() wasn't applying context to its argument list, resulting in
>>     readpipe()'s context leaking in, and broken stack discipline when a list
>>     expression was used. Fixes [perl #4574].
> It also depends on feeding code to the interpreter.
>
> Since it's fixed I'm closing it.
>
> I've also added it to the 5.24 and 5.26 votes files.
Voted in favor of both.
