heap-use-after-free Perl_yyerror_pvn (toke.c:11015) #15527
Comments
From @geeknikThe attached test case triggers a heap-use-after-free in Perl_yyerror_pvn geeknik@debian:~/perl-tmp/out/2/crashes$ ./perl test01
|
From @tonycozOn Thu Aug 18 13:17:17 2016, brian.carpenter@gmail.com wrote:
I don't think this is a security issue. It requires feeding code to perl, at which point an attacker has control The attached fixes it for me. Tony |
From @tonycoz0001-perl-128988-preserve-PL_oldoldbufptr-is-preserved-in.patchFrom f6abce1cfb2cb88aea8bef8ca46d7fa159eb29da Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 22 Aug 2016 13:56:26 +1000
Subject: [PATCH] (perl #128988) preserve PL_oldoldbufptr is preserved in
scan_heredoc()
In some cases this is used in building error messages.
---
t/op/heredoc.t | 11 ++++++++++-
toke.c | 4 ++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/t/op/heredoc.t b/t/op/heredoc.t
index 90ba606..f47f7ce 100644
--- a/t/op/heredoc.t
+++ b/t/op/heredoc.t
@@ -7,7 +7,7 @@ BEGIN {
}
use strict;
-plan(tests => 41);
+plan(tests => 42);
# heredoc without newline (#65838)
@@ -99,6 +99,15 @@ HEREDOC
"don't use an invalid oldoldbufptr"
);
+ # also read freed memory, but got an invalid oldoldbufptr in a different way
+ fresh_perl_like(
+ qq(<<\n\$ \n),
+ # valgrind and asan reports an error between these two lines
+ qr/^Use of bare << to mean <<"" is deprecated at - line 1\.\s+Final \$/,
+ {},
+ "don't use an invalid oldoldbufptr (some more)"
+ );
+
# [perl #125540] this asserted or crashed
fresh_perl_like(
q(map d$#<<<<),
diff --git a/toke.c b/toke.c
index 2da8366..7d2a289 100644
--- a/toke.c
+++ b/toke.c
@@ -9721,6 +9721,7 @@ S_scan_heredoc(pTHX_ char *s)
{
SV *linestr_save;
char *oldbufptr_save;
+ char **oldoldbufptr_save;
streaming:
sv_setpvs(tmpstr,""); /* avoid "uninitialized" warning */
term = PL_tokenbuf[1];
@@ -9728,6 +9729,7 @@ S_scan_heredoc(pTHX_ char *s)
linestr_save = PL_linestr; /* must restore this afterwards */
d = s; /* and this */
oldbufptr_save = PL_oldbufptr;
+ oldoldbufptr_save = PL_oldoldbufptr;
PL_linestr = newSVpvs("");
PL_bufend = SvPVX(PL_linestr);
while (1) {
@@ -9745,6 +9747,7 @@ S_scan_heredoc(pTHX_ char *s)
SvREFCNT_dec_NN(PL_linestr);
PL_linestr = linestr_save;
PL_oldbufptr = oldbufptr_save;
+ PL_oldoldbufptr = oldoldbufptr_save;
goto interminable;
}
CopLINE_set(PL_curcop, origline);
@@ -9780,6 +9783,7 @@ S_scan_heredoc(pTHX_ char *s)
PL_linestart = SvPVX(linestr_save);
PL_bufend = SvPVX(PL_linestr) + SvCUR(PL_linestr);
PL_oldbufptr = oldbufptr_save;
+ PL_oldoldbufptr = oldoldbufptr_save;
s = d;
break;
}
--
2.1.4
|
|
The RT System itself - Status changed from 'new' to 'open' |
From @geekniklgtm On Sun, Aug 21, 2016 at 10:58 PM, Tony Cook via RT <
|
From @iabynOn Sun, Aug 21, 2016 at 08:58:15PM -0700, Tony Cook via RT wrote:
Agreed. -- |
From @tonycozOn Sun Aug 21 21:11:02 2016, brian.carpenter@gmail.com wrote:
Applied as 382450a. On Thu Aug 25 08:46:42 2016, davem wrote:
Making the ticket public. Tony |
|
@tonycoz - Status changed from 'open' to 'pending release' |
From @khwilliamsonThank you for filing this report. You have helped make Perl better. With the release today of Perl 5.26.0, this and 210 other issues have been Perl 5.26.0 may be downloaded via: If you find that the problem persists, feel free to reopen this ticket. |
|
@khwilliamson - Status changed from 'pending release' to 'resolved' |
Migrated from rt.perl.org#128988 (status was 'resolved')
Searchable as RT128988$
The text was updated successfully, but these errors were encountered: