
heap-buffer-overflow Perl_pad_free (pad.c:1792) #15608

Open
p5pRT opened this issue Sep 17, 2016 · 8 comments

Comments

p5pRT commented Sep 17, 2016

Migrated from rt.perl.org#129292 (status was 'open')

Searchable as RT129292$

p5pRT commented Sep 17, 2016

From @geeknik

Triggered in Perl v5.25.5 (v5.25.4-110-g95c0a76) with AFL+ASAN.

Two issues here; first, orig107 triggers the heap-buffer-overflow:

./perl orig107
Bareword found where operator expected at orig107 line 1, near "qq{@k
[(A..Z)=*_=sub{prin11V0003]=~m[..]g]]}}b"
$ never introduced at id:000107,sig:06,src:020156,op:havoc,rep:2 line 1.
$ never introduced at id:000107,sig:06,src:020156,op:havoc,rep:2 line 1.
syntax error at id:000107,sig:06,src:020156,op:havoc,rep:2 line 1, near
"prin11V0003]"
syntax error at id:000107,sig:06,src:020156,op:havoc,rep:2 line 1, near
"prin11V0003]"
Unrecognized character \x1E; marked by <-- HERE after e/::(.*)/}<-- HERE
near column 96 at id:000107,sig:06,src:020156,op:havoc,rep:2 line 1.

==21302==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60300000edc0 at pc 0x0000006cbaea bp 0x7fff56e71a80 sp 0x7fff56e71a78
READ of size 8 at 0x60300000edc0 thread T0
  #0 0x6cbae9 in Perl_pad_free /root/perl/pad.c:1792:5
  #1 0x4e3efe in Perl_op_clear /root/perl/op.c:1165:2
  #2 0x4e20c5 in Perl_op_free /root/perl/op.c:854:9
  #3 0x4e1d15 in Perl_op_free /root/perl/op.c:837:21
  #4 0x6bbbae in S_clear_yystack /root/perl/perly.c:233:6
  #5 0xa28dd0 in Perl_leave_scope /root/perl/scope.c:1256:6
  #6 0x5a6a52 in S_my_exit_jump /root/perl/perl.c:5197:5
  #7 0x5b46db in Perl_my_failure_exit /root/perl/perl.c:5181:5
  #8 0xa5e07a in Perl_die_unwind /root/perl/pp_ctl.c:1745:5
  #9 0x8028bf in Perl_vcroak /root/perl/util.c:1817:5
  #10 0x7f877c in Perl_croak /root/perl/util.c:1862:5
  #11 0x62ca40 in Perl_yylex /root/perl/toke.c:4910:9
  #12 0x6add7e in Perl_yyparse /root/perl/perly.c:334:19
  #13 0x59c451 in S_parse_body /root/perl/perl.c:2373:9
  #14 0x5927fc in perl_parse /root/perl/perl.c:1689:2
  #15 0x4de5d5 in main /root/perl/perlmain.c:121:18
  #16 0x7f767a920b44 in __libc_start_main
/build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
  #17 0x4de26c in _start (/root/perl/perl+0x4de26c)

0x60300000edc0 is located 0 bytes to the right of 32-byte region
[0x60300000eda0,0x60300000edc0)
allocated by thread T0 here:
  #0 0x4c0beb in malloc (/root/perl/perl+0x4c0beb)
  #1 0x7f83d7 in Perl_safesysmalloc /root/perl/util.c:153:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/pad.c:1792
Perl_pad_free
==21302==ABORTING

Second, minimizing orig107 with afl-tmin produces this code and an
assertion failure:

./perl -e '0=sub{qq{@0[0=sub{]]}}}}'
perl: pad.c:827: PADOFFSET Perl_pad_add_anon(CV *, I32): Assertion
`!(((XPVCV*)({ void *_p = ((func)->sv_any); _p; }))->xcv_flags & 0x0010)'
failed.
Aborted

p5pRT commented Sep 17, 2016

From @geeknik

orig107.gz

p5pRT commented Nov 8, 2016

From @tonycoz

On Sat, 17 Sep 2016 11:11:34 -0700, brian.carpenter@gmail.com wrote:

Triggered in Perl v5.25.5 (v5.25.4-110-g95c0a76) with AFL+ASAN.

Two issues here; first, orig107 triggers the heap-buffer-overflow:

Simplified version attached, it's:

qq{@k[sub{py]*{;qq{@k[(A..B)=sub{px]]]}}sub{/(.*)/}XXX}}}

where XXX is a \x1E character.

Tony

p5pRT commented Nov 8, 2016

From @tonycoz

129292b.pl.gz

p5pRT commented Nov 8, 2016

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Jan 25, 2017

From @tonycoz

On Sat, 17 Sep 2016 11:11:34 -0700, brian.carpenter@gmail.com wrote:

Triggered in Perl v5.25.5 (v5.25.4-110-g95c0a76) with AFL+ASAN.

Two issues here; first, orig107 triggers the heap-buffer-overflow:

./perl orig107
Bareword found where operator expected at orig107 line 1, near "qq{@k
[(A..Z)=*_=sub{prin11V0003]=~m[..]g]]}}b"
..
Second, minimizing orig107 with afl-tmin produces this code and an
assertion failure:

./perl -e '0=sub{qq{@0[0=sub{]]}}}}'
perl: pad.c:827: PADOFFSET Perl_pad_add_anon(CV *, I32): Assertion
`!(((XPVCV*)({ void *_p = ((func)->sv_any); _p; }))->xcv_flags & 0x0010)'
failed.
Aborted

These both require feeding code to the interpreter, so aren't security issues.

Making this public.

Tony

hvds commented May 4, 2021

I note that with latest blead I don't see any access violation in @tonycoz's short version (assuming I've correctly unmangled what happened to it in the transition to github), but I do still see an access violation from the code in orig107.

tonycoz commented May 6, 2021

I see the same.

IIRC the problem was PL_compcv being restored (from the save stack) before the shift-reduce stack is cleared, so the pad entry was being freed from the wrong CV.

I don't see a simple fix.
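A small C model of the ordering hazard tonycoz describes, added here as an illustration and not taken from Perl's source: the types CV and OP and the functions pad_free, clear_yystack and unwind_demo are stand-ins for PL_compcv, Perl_pad_free and S_clear_yystack, and the pad sizes and parser-stack contents are constructed. It returns false where the real code would read past the end of the pad (the CV restored before the parser stack is cleared) and true when the stack is cleared first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PAD 8
#define MAX_OPS 8

typedef struct { size_t n_slots; bool in_use[MAX_PAD]; } CV;  /* a CV and its pad */
typedef struct { size_t pad_offset; } OP;                     /* op that owns a pad slot */

static CV *compcv;        /* stands in for PL_compcv, the CV being compiled */
static OP ops[MAX_OPS];   /* stands in for the parser's value stack */
static size_t n_ops;
/* Stands in for Perl_pad_free: release the slot an op refers to in compcv.
 * Returns false where the real code would index past the end of the pad. */
static bool pad_free(size_t offset) {
    if (offset >= compcv->n_slots) return false;  /* the out-of-bounds read */
    compcv->in_use[offset] = false;
    return true;
}
/* Stands in for S_clear_yystack: free every op still on the parser stack. */
static bool clear_yystack(void) {
    bool ok = true;
    while (n_ops > 0) ok = pad_free(ops[--n_ops].pad_offset) && ok;
    return ok;
}
/* Unwind after a compile error. restore_first=true models the ordering from
 * the thread: PL_compcv restored from the save stack before the parser stack
 * is cleared. Returns true if every pad slot was freed within bounds. */
bool unwind_demo(bool restore_first) {
    static CV outer, inner;
    /* constructed state: inner pad has 4 slots, one op still refers to slot 3, outer pad is smaller */
    outer = (CV){ .n_slots = 2 };
    inner = (CV){ .n_slots = 4 };
    inner.in_use[3] = true;
    ops[0].pad_offset = 3;
    n_ops = 1;
    compcv = &inner;
    bool ok;
    if (restore_first) { compcv = &outer; ok = clear_yystack(); }  /* buggy order */
    else               { ok = clear_yystack(); compcv = &outer; }  /* clear first, then restore */
    return ok;
}

int main(void) {
    printf("restore before clear: %s\n", unwind_demo(true) ? "ok" : "slot freed from wrong CV");
    printf("clear before restore: %s\n", unwind_demo(false) ? "ok" : "out of bounds");
    return 0;
}
```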
