
Reporting a use-after-free vulnerability in function Perl_sv_setpv_bufsize #16576

p5pRT opened this issue Jun 2, 2018 · 5 comments


p5pRT commented Jun 2, 2018

Migrated from rt.perl.org#133241 (status was 'open')

Searchable as RT133241$


p5pRT commented Jun 2, 2018

From yaohway@gmail.com

Created by yaohway@gmail.com

There's a use-after-free bug in function Perl_sv_setpv_bufsize(), when the
buffer pointed to by sv is freed.
The complete ASAN output is as follows:

=================================================================
==9960==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000fb0 at pc 0x0000008159df bp 0x7fff92a6ff50 sp 0x7fff92a6ff48
WRITE of size 1 at 0x602000000fb0 thread T0
  #0 0x8159de in Perl_sv_setpv_bufsize ~/test_progs/perl_dir/perl-asan/sv.c:4961:17
  #1 0x947c4d in Perl_do_vop ~/test_progs/perl_dir/perl-asan/doop.c:1031:9
  #2 0x871462 in Perl_pp_bit_or ~/test_progs/perl_dir/perl-asan/pp.c:2464:2
  #3 0x74c6e9 in Perl_runops_debug ~/test_progs/perl_dir/perl-asan/dump.c:2451:23
  #4 0x5bd845 in S_run_body ~/test_progs/perl_dir/perl-asan/perl.c
  #5 0x5bd0e1 in perl_run ~/test_progs/perl_dir/perl-asan/perl.c:2455:2
  #6 0x543718 in main /test_progs/perl_dir/perl-asan/perlmain.c:123:9
  #7 0x7f0dd39baf44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
  #8 0x43655b in _start (/test_progs/perl_dir/perl-asan/perl+0x43655b)

0x602000000fb0 is located 0 bytes inside of 10-byte region [0x602000000fb0,0x602000000fba)
freed by thread T0 here:
  #0 0x50ef00 in __interceptor_free /home/farshaq/softwares/llvm-latest/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68
  #1 0x822e57 in Perl_sv_clear ~/test_progs/perl_dir/perl-asan/sv.c:6771:7
  #2 0x826bde in Perl_sv_free2 ~/test_progs/perl_dir/perl-asan/sv.c:7073:9

previously allocated by thread T0 here:
  #0 0x50f266 in malloc /home/farshaq/softwares/llvm-latest/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
  #1 0x74f690 in Perl_safesysmalloc ~/test_progs/perl_dir/perl-asan/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free ~/test_progs/perl_dir/perl-asan/sv.c:4961:17 in Perl_sv_setpv_bufsize
Shadow bytes around the buggy address:
  0x0c047fff81a0: fa fa fd fd fa fa fd fd fa fa 00 02 fa fa fd fd
  0x0c047fff81b0: fa fa fd fa fa fa 00 02 fa fa fd fd fa fa fd fd
  0x0c047fff81c0: fa fa 00 02 fa fa 02 fa fa fa fd fd fa fa fd fa
  0x0c047fff81d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff81e0: fa fa fd fd fa fa 02 fa fa fa fd fa fa fa 00 02
=>0x0c047fff81f0: fa fa fd fd fa fa[fd]fd fa fa 00 02 fa fa 02 fa
  0x0c047fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==9960==ABORTING

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl 5.26.2:

Configured by farshaq at Sat Jun  2 15:41:08 EDT 2018.

Summary of my perl5 (revision 5 version 26 subversion 2) configuration:

  Platform:
    osname=linux
    osvers=4.4.0-57-generic
    archname=x86_64-linux
    uname='linux farshaq-terminator 4.4.0-57-generic #78~14.04.1-ubuntu smp
sat dec 10 00:14:47 utc 2016 x86_64 x86_64 x86_64 gnulinux '
    config_args='-de -Dusedevel -DEBUGGING -Doptimize=-g -O2 -Dcc=clang
-Accflags=-fsanitize=address -Aldflags=-fsanitize=address'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='clang'
    ccflags ='-fsanitize=address -DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-g -O2'
    cppflags='-fsanitize=address -DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 6.0.0 (trunk 310803)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='clang'
    ldflags =' -fsanitize=address -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/local/lib/clang/6.0.0/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.19.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -g -O2 -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.26.2:
    /usr/local/lib/perl5/site_perl/5.26.2/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.26.2
    /usr/local/lib/perl5/5.26.2/x86_64-linux
    /usr/local/lib/perl5/5.26.2


Environment for perl 5.26.2:
    HOME=/home/farshaq
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)

PATH=/home/farshaq/work/VulSniper/umet_aosp_6.0.1_r8/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/bin:/home/farshaq/Android/Sdk/platform-tools:/home/farshaq/Android/Sdk/tools:/home/farshaq/work/VulSniper/umet_aosp_6.0.1_r8/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/bin:/home/farshaq/Android/Sdk/platform-tools:/home/farshaq/Android/Sdk/tools:/home/farshaq/work/VulSniper/umet_aosp_6.0.1_r8/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/bin:/home/farshaq/Android/Sdk/platform-tools:/home/farshaq/Android/Sdk/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/fish


p5pRT commented Jun 2, 2018

From yaohway@gmail.com

poc


p5pRT commented Jun 4, 2018

From @iabyn

On Sat, Jun 02, 2018 at 01:56:20PM -0700, Yaohui Chen (via RT) wrote:

> This is a bug report for perl from yaohway@gmail.com,
> generated with the help of perlbug 1.40 running under perl 5.26.2.
>
> The POC is attached in this mail. Simply running perl compiled with ASAN on the
> POC file will recreate the problem.

It can be reduced to this:

$~ |= *~ = $~;

It looks like a stack-not-refcounted issue.

> If possible could you also help apply for a CVE.

Since you've posted it to the public bug address, the issue is already
public, so a bit late for a CVE!

However, it doesn't look like a realistic security issue. Real code isn't
going to be doing *~ = $~ (which triggers the premature free), then
doing bit ops on the stringified result.

--
The crew of the Enterprise encounter an alien life form which is
surprisingly neither humanoid nor made from pure energy.
  -- Things That Never Happen in "Star Trek" #22
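A small triage harness, added here as an example (it is neither the Perl project's code nor anything the reporter attached): it parses an AddressSanitizer report into the fields that decide whether a crash is a genuine use-after-free (the faulting access, the function performing it, and the free and allocation sites), and it can run the reduced one-liner from the reply above under an ASan-built perl and parse whatever ASan prints. The sample report embedded in it is constructed from the report in the first message, with the mail-client line wrapping undone and the shadow-byte dump left out; the perl binary passed to run_poc_under_asan() is an assumption supplied by the caller, nothing is built here.

```python
"""ASan report triage for the Perl_sv_setpv_bufsize use-after-free ticket.

Added example, not the Perl project's or the reporter's code.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Reduced reproducer from the thread.
POC = '$~ |= *~ = $~;'

HEADER_RE = re.compile(r'==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)')
ACCESS_RE = re.compile(r'^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+')
FRAME_RE = re.compile(r'^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+)(?:\s+(\S+))?')


@dataclass
class AsanReport:
    kind: str                         # e.g. "heap-use-after-free"
    address: int                      # faulting address
    access: Optional[str] = None      # "READ" or "WRITE"
    access_size: Optional[int] = None
    fault_frames: List[str] = field(default_factory=list)  # "function location"
    free_frames: List[str] = field(default_factory=list)
    alloc_frames: List[str] = field(default_factory=list)

    @property
    def fault_function(self) -> Optional[str]:
        # Frame #0 of the faulting access: the function that touched freed memory.
        return self.fault_frames[0].split(' ', 1)[0] if self.fault_frames else None

    @property
    def is_use_after_free(self) -> bool:
        # A real UAF report names a free site as well as the faulting access.
        return self.kind == 'heap-use-after-free' and bool(self.free_frames)


def parse_asan_report(text: str) -> Optional[AsanReport]:
    """Return the parsed report, or None if the text contains no ASan error."""
    lines = text.splitlines()
    header = next((m for m in map(HEADER_RE.search, lines) if m), None)
    if header is None:
        return None
    rep = AsanReport(kind=header.group(1), address=int(header.group(2), 16))
    target = None  # the frame list the following "#N" lines belong to
    for line in lines:
        am = ACCESS_RE.match(line)
        if am:
            rep.access, rep.access_size = am.group(1), int(am.group(2))
            target = rep.fault_frames
            continue
        if line.startswith('freed by thread'):
            target = rep.free_frames
            continue
        if line.startswith('previously allocated by thread'):
            target = rep.alloc_frames
            continue
        fm = FRAME_RE.match(line)
        if fm and target is not None:
            target.append(f'{fm.group(2)} {fm.group(3) or ""}'.rstrip())
        elif not line.strip():
            target = None  # a blank line terminates a stack trace
    return rep


def run_poc_under_asan(perl_binary: str, poc: str = POC,
                       timeout: float = 30.0) -> Optional[AsanReport]:
    """Run `perl -e POC` and parse the ASan report from stderr, if any.

    perl_binary is assumed (not provided here) to be a perl configured with
    -fsanitize=address as in the ticket. ASan writes its report to stderr.
    """
    proc = subprocess.run([perl_binary, '-e', poc], capture_output=True,
                          text=True, timeout=timeout)
    return parse_asan_report(proc.stderr)


# Constructed sample: the ticket's report with mail wrapping undone and the
# shadow-byte dump omitted. Frame indentation follows real ASan output.
SAMPLE_REPORT = """\
==9960==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000fb0 at pc 0x0000008159df bp 0x7fff92a6ff50 sp 0x7fff92a6ff48
WRITE of size 1 at 0x602000000fb0 thread T0
    #0 0x8159de in Perl_sv_setpv_bufsize sv.c:4961:17
    #1 0x947c4d in Perl_do_vop doop.c:1031:9
    #2 0x871462 in Perl_pp_bit_or pp.c:2464:2

0x602000000fb0 is located 0 bytes inside of 10-byte region [0x602000000fb0,0x602000000fba)
freed by thread T0 here:
    #0 0x50ef00 in __interceptor_free asan_malloc_linux.cc:68
    #1 0x822e57 in Perl_sv_clear sv.c:6771:7
    #2 0x826bde in Perl_sv_free2 sv.c:7073:9

previously allocated by thread T0 here:
    #0 0x50f266 in malloc asan_malloc_linux.cc:88
    #1 0x74f690 in Perl_safesysmalloc util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free sv.c:4961:17 in Perl_sv_setpv_bufsize
==9960==ABORTING
"""

if __name__ == '__main__':
    import sys
    # With a perl path on the command line, run the PoC; otherwise parse the sample.
    rep = run_poc_under_asan(sys.argv[1]) if len(sys.argv) > 1 else parse_asan_report(SAMPLE_REPORT)
    print(rep)
```

Point run_poc_under_asan() at a perl configured with -Accflags=-fsanitize=address as in the Perl Info above. A stock perl carries no ASan runtime, so it prints nothing ASan-shaped and the function returns None; read that as "not observed", not as "not vulnerable".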


p5pRT commented Jun 4, 2018

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jan 16, 2019

From geeknik@protonmail.ch

This is likely a duplicate of #130256.
