global-buffer-overflow S_finalize_op (op.c:2634) #15560

Closed
p5pRT opened this issue Aug 27, 2016 · 6 comments

Comments

p5pRT commented Aug 27, 2016

Migrated from rt.perl.org#129099 (status was 'resolved')

Searchable as RT129099$

p5pRT commented Aug 27, 2016

From @geeknik

Perl v5.25.4-20-gc2f7c0b, + AFL + ASAN + libdislocator

./perl -e 'BEGIN():y()'

Prototype mismatch: sub main::BEGIN () vs none at over6 line 1.

==23205==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000000ed72b4 at pc 0x0000004f1e35 bp 0x7fff9e4cca50 sp 0x7fff9e4cca48
READ of size 4 at 0x000000ed72b4 thread T0
  #0 0x4f1e34 in S_finalize_op /root/perl/op.c:2634:9
  #1 0x4f1b05 in S_finalize_op /root/perl/op.c:2671:6
  #2 0x4f1b05 in S_finalize_op /root/perl/op.c:2671:6
  #3 0x4f1b05 in S_finalize_op /root/perl/op.c:2671:6
  #4 0x4f09ed in Perl_finalize_optree /root/perl/op.c:2473:5
  #5 0x51c9ea in Perl_newATTRSUB_x /root/perl/op.c:8784:5
  #6 0x5239d2 in Perl_utilize /root/perl/op.c:6205:5
  #7 0x524d42 in Perl_vload_module /root/perl/op.c:6352:5
  #8 0x4f9fa9 in Perl_load_module /root/perl/op.c:6295:5
  #9 0x51cdd2 in Perl_newATTRSUB_x /root/perl/op.c:8798:2
  #10 0x6afc50 in Perl_yyparse /root/perl/perly.y:296:12
  #11 0x59c4e1 in S_parse_body /root/perl/perl.c:2373:9
  #12 0x59287c in perl_parse /root/perl/perl.c:1689:2
  #13 0x4de815 in main /root/perl/perlmain.c:121:18
  #14 0x7fe24eb19b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
  #15 0x4de4ac in _start (/root/perl/perl+0x4de4ac)

0x000000ed72b4 is located 0 bytes to the right of global variable
'PL_opargs' defined in './opcode.h:1796:14' (0xed6c80) of size 1588
SUMMARY: AddressSanitizer: global-buffer-overflow /root/perl/op.c:2634 S_finalize_op
==23205==ABORTING

p5pRT commented Sep 5, 2016

From @iabyn

On Fri, Aug 26, 2016 at 06:54:52PM -0700, Brian Carpenter wrote:

> ./perl -e 'BEGIN():y()'

This can only occur for the unusual (some might say bizarre) action of
applying an attribute to a sub called BEGIN. The attribute application
causes BEGIN { require attributes; ... } to be compiled, which causes
problems with BEGIN being re-defined while BEGIN is still being defined.

So it's not a security issue.

I've fixed it with the following commit. I've also added some asserts with
v5.25.4-75-g68d1ee8 to better spot things like this in future.

I'll move this ticket to public queue and close it in a few days unless
anyone objects.

commit d1da364
Author: David Mitchell <davem@iabyn.com>
AuthorDate: Mon Sep 5 11:52:23 2016 +0100
Commit: David Mitchell <davem@iabyn.com>
CommitDate: Mon Sep 5 12:55:57 2016 +0100

  avoid using freed ops on BEGIN :attr {}
 
  If a BEGIN sub has a code attribute applied (no idea why you would want to
  do such a thing, but it's not illegal) then part of applying the attribute
  is to do 'use attributes', which compiles
 
  BEGIN { require "attributes"; attributes->import(AAA) }
 
  so we end up compiling a BEGIN while in the middle of compiling a BEGIN.
  The part of Perl_newATTRSUB_x() that under some circumstances copies
  the body of the newly-compiled CV to the old CV which occupies the name
  slot, kicks in here.
 
  Since the ops that make up the AAA above were allocated from the old
  BEGIN's op slabs, they get prematurely freed when the old BEGIN's
  ops are discarded by the SvREFCNT_dec(PL_compcv).
 
  The simplest fix is to just avoid the copy if we're compiling a BEGIN.

--
Music lesson: a symbiotic relationship whereby a pupil's embellishments
concerning the amount of practice performed since the last lesson are
rewarded with embellishments from the teacher concerning the pupil's
progress over the corresponding period.
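As an added illustration of the mechanism the commit message above describes (this script is constructed for this page and is not code from the ticket or from perl core): a code attribute is applied while the sub is still being parsed, through `attributes->import` calling the package's `MODIFY_CODE_ATTRIBUTES`, which is the same path a `BEGIN :attr` sub takes and why compiling it nests a second BEGIN inside the first. The package name `Demo`, the attribute name `Tagged` and the `@events` log are assumptions of this example.

```perl
#!/usr/bin/perl
# Constructed example: log the order in which compile-time attribute
# handling, BEGIN blocks and ordinary run-time statements execute.
use strict;
use warnings;

package Demo;

our @events;   # package variable, so compile-time pushes survive into run time

# Perl invokes this handler at compile time for every 'sub NAME :Attr'
# declared in package Demo; it is reached via 'use attributes', i.e. a
# BEGIN { require attributes; attributes->import(...) } compiled on the spot.
sub MODIFY_CODE_ATTRIBUTES {
    my ($pkg, $coderef, @attrs) = @_;
    push @events, "compile-time: $pkg handler saw attrs [@attrs]";
    return ();   # empty list means every attribute was accepted
}

BEGIN { push @events, "compile-time: BEGIN before 'tagged' is parsed" }

sub tagged :Tagged { 42 }   # attribute applied here, during parsing

BEGIN { push @events, "compile-time: BEGIN after 'tagged' is parsed" }

push @events, "run-time: main body";

package main;

print "$_\n" for @Demo::events;
```

The handler entry prints between the two BEGIN lines, showing that attribute application happens inside compilation of the sub; a `BEGIN` sub given an attribute therefore triggers this nested compilation while its own compilation is still in progress.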

p5pRT commented Sep 5, 2016

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Sep 8, 2016

@iabyn - Status changed from 'open' to 'pending release'

p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'

@p5pRT p5pRT closed this as completed May 30, 2017