
heap-use-after-free in Perl_sv_setpv_bufsize #16120

Open
p5pRT opened this issue Aug 20, 2017 · 6 comments
Comments


p5pRT commented Aug 20, 2017

Migrated from rt.perl.org#131931 (status was 'open')

Searchable as RT131931$


p5pRT commented Aug 20, 2017

From gy741.kim@gmail.com

Hi.

I found a heap-use-after-free bug in perl.

Please confirm.

Thanks.

Version: This is perl 5, version 27, subversion 3 (v5.27.3) built for x86_64-linux
OS: Ubuntu 16.04.2 64bit
Steps to reproduce:
1. Download the PoC files.
2. Compile the source code with ASan.
3. Execute the following command:
   ./perl $PoC

```
==8441==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000e70 at pc 0x0000009d60d7 bp 0x7ffe47d9fe50 sp 0x7ffe47d9fe48
WRITE of size 1 at 0x602000000e70 thread T0
    #0 0x9d60d6 in Perl_sv_setpv_bufsize /root/karas/perl5-64bit-0815/sv.c:4958:17
    #1 0xbdcac6 in Perl_do_vop /root/karas/perl5-64bit-0815/doop.c:1045:9
    #2 0xa7278d in Perl_pp_bit_or /root/karas/perl5-64bit-0815/pp.c:2405:2
    #3 0x87a1ec in Perl_runops_debug /root/karas/perl5-64bit-0815/dump.c:2483:23
    #4 0x5fc915 in S_run_body /root/karas/perl5-64bit-0815/perl.c
    #5 0x5fc915 in perl_run /root/karas/perl5-64bit-0815/perl.c:2484
    #6 0x52797a in main /root/karas/perl5-64bit-0815/perlmain.c:123:9
    #7 0x7f486393682f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x435a98 in _start (/root/karas/perl5-64bit-0815/perl+0x435a98)

0x602000000e70 is located 0 bytes inside of 10-byte region [0x602000000e70,0x602000000e7a)
freed by thread T0 here:
    #0 0x4edf60 in __interceptor_cfree.localalias.0 (/root/karas/perl5-64bit-0815/perl+0x4edf60)
    #1 0x880607 in Perl_safesysfree /root/karas/perl5-64bit-0815/util.c:388:2
    #2 0x9f4c2e in Perl_sv_free2 /root/karas/perl5-64bit-0815/sv.c:7090:9

previously allocated by thread T0 here:
    #0 0x4ee118 in malloc (/root/karas/perl5-64bit-0815/perl+0x4ee118)
    #1 0x87f80b in Perl_safesysmalloc /root/karas/perl5-64bit-0815/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free /root/karas/perl5-64bit-0815/sv.c:4958:17 in Perl_sv_setpv_bufsize
Shadow bytes around the buggy address:
  0x0c047fff8170: fa fa 05 fa fa fa 00 02 fa fa 00 fa fa fa 00 07
  0x0c047fff8180: fa fa 00 01 fa fa 00 05 fa fa 00 00 fa fa 00 02
  0x0c047fff8190: fa fa 00 04 fa fa 02 fa fa fa fd fd fa fa fd fd
  0x0c047fff81a0: fa fa 00 02 fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff81b0: fa fa 00 02 fa fa fd fd fa fa fd fd fa fa 00 02
=>0x0c047fff81c0: fa fa 02 fa fa fa fd fd fa fa fd fd fa fa[fd]fd
  0x0c047fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8441==ABORTING
```

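The report above is structured text, and triaging a batch of fuzzer findings like this one means parsing it rather than reading it by eye. What follows is an added example, not code from this issue or from the perl project: a small Python parser that pulls out the error kind, the faulting access, the access / free / allocation stacks and the shadow dump, then recomputes the shadow address from the faulting address and checks that it lands on the byte ASan bracketed. It assumes the x86_64 Linux default shadow mapping, shadow = (addr >> 3) + 0x7fff8000, which matches the x86_64-linux build in the report; the sample input is a trimmed, constructed copy of the trace above with wrapped frame lines rejoined.

```python
import re
from dataclasses import dataclass, field

# Constructed input: a trimmed copy of the ASan report in this issue (wrapped
# frame lines rejoined), so the parser runs offline against real-shaped output.
SAMPLE_REPORT = """\
==8441==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000e70 at pc 0x0000009d60d7 bp 0x7ffe47d9fe50 sp 0x7ffe47d9fe48
WRITE of size 1 at 0x602000000e70 thread T0
    #0 0x9d60d6 in Perl_sv_setpv_bufsize /root/karas/perl5-64bit-0815/sv.c:4958:17
    #1 0xbdcac6 in Perl_do_vop /root/karas/perl5-64bit-0815/doop.c:1045:9
    #2 0xa7278d in Perl_pp_bit_or /root/karas/perl5-64bit-0815/pp.c:2405:2
0x602000000e70 is located 0 bytes inside of 10-byte region [0x602000000e70,0x602000000e7a)
freed by thread T0 here:
    #0 0x4edf60 in __interceptor_cfree.localalias.0 (/root/karas/perl5-64bit-0815/perl+0x4edf60)
    #1 0x880607 in Perl_safesysfree /root/karas/perl5-64bit-0815/util.c:388:2
    #2 0x9f4c2e in Perl_sv_free2 /root/karas/perl5-64bit-0815/sv.c:7090:9
previously allocated by thread T0 here:
    #0 0x4ee118 in malloc (/root/karas/perl5-64bit-0815/perl+0x4ee118)
    #1 0x87f80b in Perl_safesysmalloc /root/karas/perl5-64bit-0815/util.c:153:21
SUMMARY: AddressSanitizer: heap-use-after-free /root/karas/perl5-64bit-0815/sv.c:4958:17 in Perl_sv_setpv_bufsize
Shadow bytes around the buggy address:
  0x0c047fff81b0: fa fa 00 02 fa fa fd fd fa fa fd fd fa fa 00 02
=>0x0c047fff81c0: fa fa 02 fa fa fa fd fd fa fa fd fd fa fa[fd]fd
Shadow byte legend (one shadow byte represents 8 application bytes):
"""

# Assumption: x86_64 Linux default mapping, shadow = (addr >> 3) + 0x7fff8000
# (the report comes from an x86_64-linux build).
SHADOW_OFFSET = 0x7FFF8000
SHADOW_LEGEND = {"00": "Addressable", "fa": "Heap left redzone", "fd": "Freed heap region",
                 "f1": "Stack left redzone", "f3": "Stack right redzone",
                 "f5": "Stack after return", "f8": "Stack use after scope"}
SHADOW_LEGEND.update({f"0{i}": "Partially addressable" for i in range(1, 8)})

_HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
_FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)(?:\s+(\S+))?")
_SHADOW = re.compile(r"^(=>)?\s*(0x[0-9a-f]+):\s*(.+)$")


@dataclass
class AsanReport:
    kind: str = ""          # e.g. heap-use-after-free
    access: str = ""        # READ or WRITE
    size: int = 0           # bytes touched by the faulting access
    address: int = 0        # faulting address
    stacks: dict = field(default_factory=lambda: {"access": [], "freed": [], "allocated": []})
    shadow_rows: dict = field(default_factory=dict)  # row base address -> 16 shadow bytes
    marked_byte: str = ""   # the byte ASan bracketed as the faulting address's shadow


def parse_asan_report(text):
    rep, section, in_shadow = AsanReport(), "access", False
    for line in text.splitlines():
        if in_shadow:
            m = _SHADOW.match(line)
            if not m:       # legend or ABORTING line: the shadow dump is over
                break
            cells = re.findall(r"\[?[0-9a-f]{2}\]?", m.group(3))
            rep.shadow_rows[int(m.group(2), 16)] = [c.strip("[]") for c in cells]
            rep.marked_byte = next((c.strip("[]") for c in cells if c.startswith("[")), rep.marked_byte)
            continue
        header, access, frame = _HEADER.search(line), _ACCESS.match(line), _FRAME.match(line)
        if header:
            rep.kind, rep.address = header.group(1), int(header.group(2), 16)
        elif access:
            rep.access, rep.size = access.group(1), int(access.group(2))
        elif line.startswith("freed by thread"):
            section = "freed"
        elif line.startswith("previously allocated by"):
            section = "allocated"
        elif line.startswith("Shadow bytes around"):
            in_shadow = True
        elif frame:         # (function, source location or module+offset)
            rep.stacks[section].append((frame.group(1), frame.group(2) or ""))
    return rep


def shadow_address(addr):
    return (addr >> 3) + SHADOW_OFFSET


def shadow_byte_for(rep, addr):
    """Shadow byte of addr from the dumped rows, or None if that row was not dumped."""
    s = shadow_address(addr)
    row = rep.shadow_rows.get(s & ~0xF)
    return row[s & 0xF] if row else None


def triage(rep):
    """Tracker-style summary plus a cross-check that the shadow byte computed from
    the faulting address is the one ASan bracketed in its dump."""
    computed = shadow_byte_for(rep, rep.address)
    return {
        "kind": rep.kind,
        "access": f"{rep.access} of {rep.size} byte(s) at {rep.address:#x}",
        "faulting_function": rep.stacks["access"][0][0] if rep.stacks["access"] else "?",
        "freed_from": [f for f, _ in rep.stacks["freed"]],
        "allocated_from": [f for f, _ in rep.stacks["allocated"]],
        "shadow_byte": computed,
        "shadow_meaning": SHADOW_LEGEND.get(computed, "unknown"),
        "shadow_consistent": computed is not None and computed == rep.marked_byte,
    }
```

Run on this report, `triage(parse_asan_report(SAMPLE_REPORT))` yields a 1-byte WRITE in Perl_sv_setpv_bufsize to memory released through Perl_safesysfree from Perl_sv_free2, and the recomputed shadow address 0x0c047fff81ce lands on the bracketed `fd` (freed heap region) in the `=>` row, so the headline and the shadow dump agree. That consistency check, plus the top frame and the free stack, is what you key on when deciding whether a new crash is a duplicate of an existing ticket rather than a fresh bug.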

p5pRT commented Aug 20, 2017

From gy741.kim@gmail.com

073_PoC


p5pRT commented Aug 21, 2017

From @tonycoz

On Sat, 19 Aug 2017 18:27:54 -0700, gy741.kim@gmail.com wrote:

> Hi.
>
> I found a heap-use-after-free bug in perl.

Simplifies to:

$|=*='a';

which is a stack-not-refcounted bug, and not a security issue.

Tony


p5pRT commented Aug 21, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jan 16, 2019

From geeknik@protonmail.ch

This is likely a duplicate of #130256.


p5pRT commented Jan 16, 2019

From @tonycoz

On Wed, 16 Jan 2019 08:10:01 -0800, geeknik@protonmail.ch wrote:

> This is likely a duplicate of #130256.

Thanks for the reminder, linked to the stack-not-refcounted meta ticket.

Tony
