Null pointer dereference in Perl v5.31.2 #17115

Open

p5pRT opened this issue Jul 31, 2019 · 6 comments

Comments

p5pRT commented Jul 31, 2019

Migrated from rt.perl.org#134322 (status was 'open')

Searchable as RT134322$

p5pRT commented Jul 31, 2019

From nguyenmanhdung1710@gmail.com

Hi All,

I found a null pointer dereference bug in the latest release v5.31.2 of Perl. This bug also existed in the commit a3c7756 on branch blead. This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04 (64 bit) as follows:

  ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make

I cannot create a new ticket on https://rt.perl.org/, thus I decided to send you the bug report via email. If you think this is a valid bug, please help me to create a new ticket on this website and cc me. Thanks.

Best regards,
Manh Dung

======================================
Details about the buggy version:
perl -v
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756)) built for x86_64-linux

- PoC is a crafted file that is generated by fuzzing as $0**=*0 =*:

$ echo "\$0**=*0 =*:" > PoC
$ cat PoC
$0**=*0 =*:

- Command: perl $PoC

ASAN says:
==22404==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000626ad6 bp 0x62100001c100 sp 0x7ffcda3efb90 T0)
  #0 0x626ad5 in do_clean_named_objs /home/dungnguyen/gueb-testing/perl-head/sv.c:557
  #1 0x620cf7 in S_visit /home/dungnguyen/gueb-testing/perl-head/sv.c:477
  #2 0x6272f9 in Perl_sv_clean_objs /home/dungnguyen/gueb-testing/perl-head/sv.c:632
  #3 0x48460a in perl_destruct /home/dungnguyen/gueb-testing/perl-head/perl.c:920
  #4 0x42563d in main /home/dungnguyen/gueb-testing/perl-head/perlmain.c:138
  #5 0x7fe58725482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #6 0x425be8 in _start (/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

Valgrind says:
==23240== Invalid read of size 8
==23240==    at 0x4D09C5: do_clean_named_objs (sv.c:557)
==23240==    by 0x4CEB36: S_visit (sv.c:477)
==23240==    by 0x4D0C5F: Perl_sv_clean_objs (sv.c:632)
==23240==    by 0x44261B: perl_destruct (perl.c:920)
==23240==    by 0x4217E3: main (perlmain.c:138)
==23240==  Address 0x3ff0000000000000 is not stack'd, malloc'd or (recently) free'd
==23240==
==23240==
==23240== Process terminating with default action of signal 11 (SIGSEGV)
==23240==  General Protection Fault
==23240==    at 0x4D09C5: do_clean_named_objs (sv.c:557)
==23240==    by 0x4CEB36: S_visit (sv.c:477)
==23240==    by 0x4D0C5F: Perl_sv_clean_objs (sv.c:632)
==23240==    by 0x44261B: perl_destruct (perl.c:920)
==23240==    by 0x4217E3: main (perlmain.c:138)

======================================
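A regression test in the style of Perl's core test suite, added here as an example and not part of the ticket or of the perl repository: it runs the PoC program from the report in a fresh perl via runperl() from t/test.pl and checks that the child exits normally instead of dying with a signal, which is what the ASAN and Valgrind traces above show happening in do_clean_named_objs() during perl_destruct(). The file location t/op/rt134322.t and the decision to test the wait status rather than program output are assumptions; the file must sit under the t/ directory of a perl source tree for test.pl to be found.

```perl
#!./perl
# Regression test for the crash in this ticket (RT #134322 / GH #17115).
# Added example, not from the ticket or the perl repository. Assumed to live
# at t/op/rt134322.t in the perl source tree so that t/test.pl is reachable.

BEGIN {
    chdir 't' if -d 't';
    require './test.pl';
    set_up_inc('../lib');
}

use strict;
use warnings;

plan(tests => 1);

# The fuzzer-generated input from the report, verbatim: a glob assignment
# "*0 = *:" nested inside an exponentiation assignment to $0. The reported
# crash happens in do_clean_named_objs() during perl_destruct(), i.e. at
# global destruction, so the program itself prints nothing useful; the
# interesting signal is how the child process terminates.
my $poc = '$0**=*0 =*:';

# runperl() from t/test.pl runs the program in a fresh perl (passed via -e
# on the command line); stderr => 1 merges diagnostics into the captured
# output. The backticks inside runperl() leave the child's wait status in $?.
my $out = runperl(prog => $poc, stderr => 1);
my $status = $?;

# Low 7 bits of the wait status hold the signal that killed the child
# (11 for SIGSEGV in the report), 0 when it exited normally.
is($status & 127, 0, 'PoC from RT 134322 does not kill perl with a signal');
```

Run it from the perl source tree with `./perl -I./lib t/op/rt134322.t`, or through the harness; a build that still has the bug fails the single test with the signal number, while a fixed build passes regardless of what the program prints.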

p5pRT commented Jul 31, 2019

From @tonycoz

On Wed, 31 Jul 2019 01:03:50 -0700, nguyenmanhdung1710@gmail.com wrote:

> Hi All,
>
> I found a null pointer dereference bug in the latest release v5.31.2 of Perl. This bug also existed in the commit a3c7756 on branch blead. This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04 (64 bit) as follows:
>
> ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make
>
> I cannot create a new ticket on https://rt.perl.org/, thus I decided to send you the bug report via email. If you think this is a valid bug, please help me to create a new ticket on this website and cc me. Thanks.

You've just created a ticket, since you sent this to perlbug@perl.org.

> Details about the buggy version:
> perl -v
> This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756)) built for x86_64-linux
>
> - PoC is a crafted file that is generated by fuzzing as $0**=*0 =*:
>
> $ echo "\$0**=*0 =*:" > PoC
> $ cat PoC
> $0**=*0 =*:

This looks like a stack not refcounted issue.

Tony

p5pRT commented Jul 31, 2019

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Aug 1, 2019

From nguyenmanhdung1710@gmail.com

On Wed, 31 Jul 2019 01:24:21 -0700, tonyc wrote:

> On Wed, 31 Jul 2019 01:03:50 -0700, nguyenmanhdung1710@gmail.com wrote:
>
> > Hi All,
> >
> > I found a null pointer dereference bug in the latest release v5.31.2 of Perl. This bug also existed in the commit a3c7756 on branch blead. This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04 (64 bit) as follows:
> >
> > ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make
> >
> > I cannot create a new ticket on https://rt.perl.org/, thus I decided to send you the bug report via email. If you think this is a valid bug, please help me to create a new ticket on this website and cc me. Thanks.
>
> You've just created a ticket, since you sent this to perlbug@perl.org.
>
> > Details about the buggy version:
> > perl -v
> > This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756)) built for x86_64-linux
> >
> > - PoC is a crafted file that is generated by fuzzing as $0**=*0 =*:
> >
> > $ echo "\$0**=*0 =*:" > PoC
> > $ cat PoC
> > $0**=*0 =*:
>
> This looks like a stack not refcounted issue.
>
> Tony

As requested by James E Keenan, I add the binaries of Perl (commit 45f8e7b on the branch blead):
- Perl: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl
- Perl with ASAN: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl-asan

p5pRT commented Aug 1, 2019

From @tonycoz

On Thu, 01 Aug 2019 12:16:40 -0700, nguyenmanhdung1710@gmail.com wrote:

> On Wed, 31 Jul 2019 01:24:21 -0700, tonyc wrote:
>
> > On Wed, 31 Jul 2019 01:03:50 -0700, nguyenmanhdung1710@gmail.com wrote:
> >
> > > Hi All,
> > >
> > > I found a null pointer dereference bug in the latest release v5.31.2 of Perl. This bug also existed in the commit a3c7756 on branch blead. This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04 (64 bit) as follows:
> > >
> > > ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make
> > >
> > > I cannot create a new ticket on https://rt.perl.org/, thus I decided to send you the bug report via email. If you think this is a valid bug, please help me to create a new ticket on this website and cc me. Thanks.
> >
> > You've just created a ticket, since you sent this to perlbug@perl.org.
> >
> > > Details about the buggy version:
> > > perl -v
> > > This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756)) built for x86_64-linux
> > >
> > > - PoC is a crafted file that is generated by fuzzing as $0**=*0 =*:
> > >
> > > $ echo "\$0**=*0 =*:" > PoC
> > > $ cat PoC
> > > $0**=*0 =*:
> >
> > This looks like a stack not refcounted issue.
> >
> > Tony
>
> As requested by James E Keenan, I add the binaries of Perl (commit 45f8e7b on the branch blead):
> - Perl: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl
> - Perl with ASAN: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl-asan

He was asking that the PoC code be attached, which isn't needed for this ticket, but would be useful for the others.

Tony

p5pRT commented Aug 2, 2019

From nguyenmanhdung1710@gmail.com

On Thu, 01 Aug 2019 16:46:08 -0700, tonyc wrote:

> On Thu, 01 Aug 2019 12:16:40 -0700, nguyenmanhdung1710@gmail.com wrote:
>
> > On Wed, 31 Jul 2019 01:24:21 -0700, tonyc wrote:
> >
> > > On Wed, 31 Jul 2019 01:03:50 -0700, nguyenmanhdung1710@gmail.com wrote:
> > >
> > > > Hi All,
> > > >
> > > > I found a null pointer dereference bug in the latest release v5.31.2 of Perl. This bug also existed in the commit a3c7756 on branch blead. This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04 (64 bit) as follows:
> > > >
> > > > ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make
> > > >
> > > > I cannot create a new ticket on https://rt.perl.org/, thus I decided to send you the bug report via email. If you think this is a valid bug, please help me to create a new ticket on this website and cc me. Thanks.
> > >
> > > You've just created a ticket, since you sent this to perlbug@perl.org.
> > >
> > > > Details about the buggy version:
> > > > perl -v
> > > > This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756)) built for x86_64-linux
> > > >
> > > > - PoC is a crafted file that is generated by fuzzing as $0**=*0 =*:
> > > >
> > > > $ echo "\$0**=*0 =*:" > PoC
> > > > $ cat PoC
> > > > $0**=*0 =*:
> > >
> > > This looks like a stack not refcounted issue.
> > >
> > > Tony
> >
> > As requested by James E Keenan, I add the binaries of Perl (commit 45f8e7b on the branch blead):
> > - Perl: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl
> > - Perl with ASAN: https://github.com/strongcourage/PoCs/blob/master/perl_45f8e7b/perl-asan
>
> He was asking that the PoC code be attached, which isn't needed for this ticket, but would be useful for the others.
>
> Tony

Thanks, Tony. I misunderstood the question.
