From mtowalski@pentest.net.pl

Hello,

I've attached the poc and the asan log.
Tested on git version of perl.

Configure options​:

“./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared"

Information about configuration​:

Distributor ID​: Ubuntu
Description​: Ubuntu 16.10
Release​: 16.10
Codename​: yakkety
Arch​: x86_64

Best Regards,
Marcin T.

From mtowalski@pentest.net.pl

new-attempting-ef0-950-7d2

From mtowalski@pentest.net.pl

/usr/bin/llvm-symbolizer
perl​: warning​: Setting locale failed.
perl​: warning​: Please check that your locale settings​:
  LANGUAGE = (unset),
  LC_ALL = (unset),
  LC_CTYPE = "UTF-8",
  LANG = "en_US.UTF-8"
  are supported and installed on your system.
perl​: warning​: Falling back to a fallback locale ("en_US.UTF-8").
Wide character in print at ./new-attempting-ef0-950-7d2 line 1.

==11739==ERROR​: AddressSanitizer​: attempting free on address which was not malloc()-ed​: 0x62100000ebe8 in thread T0
  #0 0x4eaef0 in __interceptor_cfree.localalias.1 (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4eaef0)
  #1 0x8a1950 in Perl_vivify_ref /home/mtowalski/Fuzzing/Programs/perl-git/pp_hot.c​:4368​:2
  #2 0x8c07d2 in Perl_pp_multideref /home/mtowalski/Fuzzing/Programs/perl-git/pp_hot.c​:2513​:18
  #3 0x7fbc44 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c​:2451​:23
  #4 0x5e7bb3 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c
  #5 0x524302 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c​:123​:9
  #6 0x7f68cf3073f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c​:291
  #7 0x4356f9 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4356f9)

0x62100000ebe8 is located 3816 bytes inside of 4080-byte region [0x62100000dd00,0x62100000ecf0)
allocated by thread T0 here​:
  #0 0x4eb0a8 in malloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4eb0a8)
  #1 0x80087e in Perl_safesysmalloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c​:153​:21
  #2 0x86fef8 in Perl_hv_common_key_len /home/mtowalski/Fuzzing/Programs/perl-git/hv.c​:333​:12

SUMMARY​: AddressSanitizer​: bad-free (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4eaef0) in __interceptor_cfree.localalias.1
==11739==ABORTING

From @iabyn

On Mon, Mar 06, 2017 at 08​:25​:48AM -0800, via RT wrote​:

I've attached the poc and the asan log.
Tested on git version of perl.

Reduces to

  map $a[0][0], @​a = 0, @​a = 1;

which is another stack-not-refcounted-issue.
In a few days time I'll move the ticket to the public queue and link it
to the meta-ticket.

--
A problem shared is a problem doubled.

The RT System itself - Status changed from 'new' to 'open'

From @iabyn

On Wed, Mar 08, 2017 at 10​:04​:38AM +0000, Dave Mitchell wrote​:

On Mon, Mar 06, 2017 at 08​:25​:48AM -0800, via RT wrote​:

I've attached the poc and the asan log.
Tested on git version of perl.

Reduces to

map $a\[0\]\[0\]\, @​a = 0\, @​a = 1;

which is another stack-not-refcounted-issue.
In a few days time I'll move the ticket to the public queue and link it
to the meta-ticket.

Now moving to the public queue.

--
This email is confidential, and now that you have read it you are legally
obliged to shoot yourself. Or shoot a lawyer, if you prefer. If you have
received this email in error, place it in its original wrapping and return
for a full refund. By opening this email, you accept that Elvis lives.