
stack overflow in Perl_push_scope () #16006

Open
p5pRT opened this issue Jun 8, 2017 · 5 comments

Comments


p5pRT commented Jun 8, 2017

Migrated from rt.perl.org#131537 (status was 'open')

Searchable as RT131537$


p5pRT commented Jun 8, 2017

From @Mipu94

I have found a bug that triggers a stack-buffer-overflow. This bug
affects perl v5.22.1.

Please find the POC attached below to check.

Some info about this bug from GDB and ASAN:

[GDB]

[-------------------------------------code-------------------------------------]
  0x8ced78 <Perl_cxinc+328>: call 0x8ce900 <S_croak_memory_wrap>
  0x8ced7d: nop DWORD PTR [rax]
  0x8ced80 <Perl_push_scope>: lea rsp,[rsp-0x98]
=> 0x8ced88 <Perl_push_scope+8>: mov QWORD PTR [rsp],rdx
  0x8ced8c <Perl_push_scope+12>: mov QWORD PTR [rsp+0x8],rcx
  0x8ced91 <Perl_push_scope+17>: mov QWORD PTR [rsp+0x10],rax
  0x8ced96 <Perl_push_scope+22>: mov rcx,0x67e
  0x8ced9d <Perl_push_scope+29>: call 0x8d95c0 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fefd0
[------------------------------------------------------------------------------]
Stopped reason: SIGSEGV
0x00000000008ced88 in Perl_push_scope () at scope.c:105

[ASAN]


SUMMARY: AddressSanitizer: stack-overflow
(/home/mipu94/fuzz/fuzzperl/perl-asan+0x4b91b5)
==24209==ABORTING

--
Ta Dinh Sung,


p5pRT commented Jun 8, 2017

From @Mipu94

poc


p5pRT commented Jun 9, 2017

From @iabyn

On Thu, Jun 08, 2017 at 07:26:11AM -0700, sung wrote:

> I have found a bug that triggers a stack-buffer-overflow. This bug
> affects perl v5.22.1.

This is one of a class of perl bugs which can cause the C stack to
overflow. As well as your recursive DESTROY example, you can create
similar effects with tied variable handlers, overload handlers etc.

I don't see that it's a security issue though.

--
Never work with children, animals, or actors.


p5pRT commented Jun 9, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Aug 23, 2017

From @tonycoz

On Fri, 09 Jun 2017 03:30:56 -0700, davem wrote:

> On Thu, Jun 08, 2017 at 07:26:11AM -0700, sung wrote:
>
> > I have found a bug that triggers a stack-buffer-overflow. This bug
> > affects perl v5.22.1.
>
> This is one of a class of perl bugs which can cause the C stack to
> overflow. As well as your recursive DESTROY example, you can create
> similar effects with tied variable handlers, overload handlers etc.
>
> I don't see that it's a security issue though.

Yes, this isn't a security issue, and is now public.

If we treat it as a bug, I'm not sure how we could fix it without breaking other things (e.g. time of destruction might change.)

Tony
