
heap-buffer-overflow in Perl_pp_uc #16858

Closed
p5pRT opened this issue Mar 2, 2019 · 5 comments

Comments


p5pRT commented Mar 2, 2019

Migrated from rt.perl.org#133876 (status was 'resolved')

Searchable as RT133876$


p5pRT commented Mar 2, 2019

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run
under libdislocator, I found the following program (also attached to
this message)

00000000 75 73 65 20 35 2e 30 32 36 3b 6d 2e 5c 55 30 30 |use 5.026;m.\U00|
00000010 ff ff 30 30 30 30 2e |..0000.|

to cause a heap-buffer-overflow write. This is a regression in blead,
so not a security issue, bisect points to:

commit 2f8f985
Author: Karl Williamson <khw@cpan.org>
Date:   Wed Jan 30 11:24:12 2019 -0700

  pp.c: Don't assume worst case memory needs

  Since 5.28, there has been a function that will calculate the expansion
  of a string when converted into UTF-8, using per-word operations. This
  means it runs 8 times faster than doing this count previously would have
  taken.

The ASAN trace follows:

==6160==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dafa at pc 0x000000adc959 bp 0x7ffcd26c09d0 sp 0x7ffcd26c09c8
WRITE of size 1 at 0x60200000dafa thread T0
  #0 0xadc958 in Perl_pp_uc /home/afl/afl-asan/pp.c:4344:9
  #1 0x88f844 in Perl_runops_debug /home/afl/afl-asan/dump.c:2537:23
  #2 0x5d1a94 in S_fold_constants_eval /home/afl/afl-asan/op.c:5527:2
  #3 0x54f509 in S_fold_constants /home/afl/afl-asan/op.c:5657:11
  #4 0x54e19d in Perl_op_convert_list /home/afl/afl-asan/op.c:5997:12
  #5 0x70ca11 in Perl_yyparse /home/afl/afl-asan/perly.y:903:23
  #6 0x5eba6a in S_parse_body /home/afl/afl-asan/perl.c:2507:9
  #7 0x5e1e23 in perl_parse /home/afl/afl-asan/perl.c:1798:2
  #8 0x50b5de in main /home/afl/afl-asan/perlmain.c:126:10
  #9 0x7f2f085a509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
  #10 0x43bdc9 in _start (/home/afl/afl-asan/perl+0x43bdc9)

0x60200000dafa is located 0 bytes to the right of 10-byte region [0x60200000daf0,0x60200000dafa)
allocated by thread T0 here:
  #0 0x4da398 in malloc (/home/afl/afl-asan/perl+0x4da398)
  #1 0x89580e in Perl_safesysmalloc /home/afl/afl-asan/util.c:153:21
  #2 0x9bb6e9 in Perl_sv_grow /home/afl/afl-asan/sv.c:1599:17
  #3 0xad8b80 in Perl_pp_uc /home/afl/afl-asan/pp.c:4082:11
  #4 0x88f844 in Perl_runops_debug /home/afl/afl-asan/dump.c:2537:23
  #5 0x5d1a94 in S_fold_constants_eval /home/afl/afl-asan/op.c:5527:2
  #6 0x54f509 in S_fold_constants /home/afl/afl-asan/op.c:5657:11
  #7 0x54e19d in Perl_op_convert_list /home/afl/afl-asan/op.c:5997:12
  #8 0x70ca11 in Perl_yyparse /home/afl/afl-asan/perly.y:903:23
  #9 0x5eba6a in S_parse_body /home/afl/afl-asan/perl.c:2507:9
  #10 0x5e1e23 in perl_parse /home/afl/afl-asan/perl.c:1798:2
  #11 0x50b5de in main /home/afl/afl-asan/perlmain.c:126:10
  #12 0x7f2f085a509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0:
mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64
x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib
/usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined
dynamic_lookup -L/usr/local/lib -fstack-protector'



@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9


Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh


p5pRT commented Mar 2, 2019

From @dur-randir

0097_1


p5pRT commented Mar 8, 2019

@khwilliamson - Status changed from 'new' to 'open'


p5pRT commented Mar 8, 2019

From @khwilliamson

Fixed by

commit 56e36cb
Author: Karl Williamson <khw@cpan.org>
Date:   Fri Mar 8 10:01:48 2019 -0700

  PATCH: [perl #133876] Write out of bounds
 
  This was caused by a lapse on my part about the inputs to this function
  that grows memory. I was thinking the trailing NUL was included, but
  it's not. This patch adds space for that to all calls of
  sv_utf8_upgrade_flags_grow() in the file.
 
  But it occurs to me that maybe the function itself should just add one
  instead of having the caller do it. If you think so, let me know.
--
Karl Williamson
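Added example, not perl's code and not from this thread: a constructed C model of the sizing lapse the commit message describes. It upgrades Latin-1 to UTF-8 (the only expansion the issue's input triggers; ASCII letters are uppercased, non-ASCII case mapping is left out) and sizes the buffer the pre-fix way and the fixed way, so the issue's 8-byte input needs 10 bytes of text, matching ASAN's 10-byte region, with the trailing NUL as the eleventh byte. The function names and the bounds check that refuses the short buffer are assumptions made for the example.

```c
#include <string.h>

/* Constructed model of the sizing lapse in this issue; not perl's code.
 * Upgrading Latin-1 to UTF-8 turns every byte >= 0x80 into two bytes, so
 * the text needs len + (high bytes) bytes, and the trailing NUL one more. */

/* The issue's fuzz input after \U: "00", two 0xff bytes, "0000" (8 bytes). */
static const unsigned char issue_input[] = "00\xff\xff" "0000";

/* Bytes of UTF-8 text produced by upgrading a Latin-1 buffer, NUL excluded. */
size_t utf8_upgraded_len(const unsigned char *s, size_t len) {
    size_t n = len;
    for (size_t i = 0; i < len; i++)
        if (s[i] >= 0x80)
            n++;                     /* one continuation byte per high byte */
    return n;
}

/* Pre-fix sizing: room for the text only, forgetting the trailing NUL. */
size_t grow_size_buggy(const unsigned char *s, size_t len) {
    return utf8_upgraded_len(s, len);
}

/* Sizing after commit 56e36cb: the caller adds one byte for the NUL. */
size_t grow_size_fixed(const unsigned char *s, size_t len) {
    return utf8_upgraded_len(s, len) + 1;
}

/* Upgrade s into dst (capacity cap), uppercasing ASCII letters only.
 * Returns bytes written excluding the NUL, or -1 when text plus NUL would
 * not fit; the NUL store is the one-byte write ASAN reported at pp.c:4344. */
long upgrade_upper(const unsigned char *s, size_t len, char *dst, size_t cap) {
    if (utf8_upgraded_len(s, len) + 1 > cap)
        return -1;                   /* the buggy size lands here */
    size_t d = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = s[i];
        if (c < 0x80)
            dst[d++] = (char)((c >= 'a' && c <= 'z') ? c - 32 : c);
        else {                       /* two-byte sequence for U+0080..U+00FF */
            dst[d++] = (char)(0xC0 | (c >> 6));
            dst[d++] = (char)(0x80 | (c & 0x3F));
        }
    }
    dst[d] = '\0';                   /* in bounds only with the fixed size */
    return (long)d;
}
```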


p5pRT commented Mar 8, 2019

@khwilliamson - Status changed from 'open' to 'resolved'
