
[PATCH] 0ffb95f Socket.xs heap-buffer-overflow with abstract AF_UNIX paths #11989

Closed
p5pRT opened this issue Mar 6, 2012 · 7 comments

Comments


p5pRT commented Mar 6, 2012

Migrated from rt.perl.org#111594 (status was 'resolved')

Searchable as RT111594$


p5pRT commented Mar 6, 2012

From @rurban

This is a bug report for perl from rurban@cpanel.net,
generated with the help of perlbug 1.39 running under perl 5.15.7.

From 0ffb95f270b1e08e8ad99c36417f2ec48c4f9b05 Mon Sep 17 00:00:00 2001
From: Reini Urban <rurban@x-ray.at>
Date: Tue, 6 Mar 2012 17:07:35 -0600
Subject: [PATCH] Socket.xs heap-buffer-overflow with abstract AF_UNIX paths

AddressSanitizer heap-buffer-overflow on Socket.xs:718 Copy(sun_ad, &addr, sizeof(addr), char);
on Linux with cpan/Socket/t/Socket.t test 17 "sockaddr_un can handle abstract AF_UNIX".

Avoid reading past sun_ad->pv size and zero the uninitialized data.


cpan/Socket/Socket.xs | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)

Inline Patch
diff --git a/cpan/Socket/Socket.xs b/cpan/Socket/Socket.xs
index 665553c..4e69cb8 100644
--- a/cpan/Socket/Socket.xs
+++ b/cpan/Socket/Socket.xs
@@ -713,9 +713,15 @@ unpack_sockaddr_un(sun_sv)
 	if (sockaddrlen != sizeof(addr))
 		croak("Bad arg length for %s, length is %"UVuf", should be %"UVuf,
 		      "Socket::unpack_sockaddr_un", (UV)sockaddrlen, (UV)sizeof(addr));
-#   endif
-
 	Copy(sun_ad, &addr, sizeof(addr), char);
+#   else
+	if (sockaddrlen < sizeof(addr)) {
+	  Copy(sun_ad, &addr, sockaddrlen, char);
+	  Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char);
+	} else {
+	  Copy(sun_ad, &addr, sizeof(addr), char);
+	}
+#   endif
 
 	if (addr.sun_family != AF_UNIX)
 		croak("Bad address family for %s, got %d, should be %d",
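Review bot: `Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char)` in the new `#else` branch is wrong: `&addr` is a `struct sockaddr_un *`, so `&addr+sockaddrlen` advances `sockaddrlen * sizeof(addr)` bytes and the Zero lands far past `addr` on the stack instead of at byte `sockaddrlen` inside it; the heap over-read is traded for a stack over-write. Cast to a byte pointer first: `Zero((char *)&addr + sockaddrlen, sizeof(addr) - sockaddrlen, char);`. Two smaller points in the same branch: a `sockaddrlen` larger than `sizeof(addr)` is silently truncated by the `else` arm while the other side of the `#if` croaks on any length mismatch, so consider croaking there too; and a `sockaddrlen` shorter than `sizeof(addr.sun_family)` now reaches the `AF_UNIX` check with a partly copied, partly zeroed family field, so a lower bound of `offsetof(struct sockaddr_un, sun_path)` before the Copy would make the intent explicit.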
-- 
1.7.5.4

Flags:
  category=library
  severity=critical
  module=Socket


Site configuration information for perl 5.15.7:

Configured by rurban at Sun Jan 22 12:13:34 CST 2012.

Summary of my perl5 (revision 5 version 15 subversion 7) configuration:

  Platform:
  osname=linux, osvers=3.0.0-1-amd64, archname=x86_64-linux
  uname='linux reini 3.0.0-1-amd64 #1 smp sun jul 24 02:24:44 utc 2011 x86_64 gnulinux '
  config_args='-de -Dusedevel -Dinstallman1dir=none -Dinstallman3dir=none -Dinstallsiteman1dir=none -Dinstallsiteman3dir=none -Uuseithreads -Accflags='-msse4.2' -Accflags='-march=corei7' -Dcf_email='rurban@cpanel.net' -Dperladmin='rurban@cpanel.net' -Duseshrplib'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='cc', ccflags ='-msse4.2 -march=corei7 -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2',
  cppflags='-msse4.2 -march=corei7 -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='4.6.1', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries:
  ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /lib /usr/lib /usr/lib/x86_64-linux-gnu /lib64 /usr/lib64
  libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
  perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
  libc=, so=so, useshrplib=true, libperl=libperl.so
  gnulibc_version='2.13'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/local/lib/perl5/5.15.7/x86_64-linux/CORE'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector'

Locally applied patches:
 


@INC for perl 5.15.7:
  /usr/local/lib/perl5/site_perl/5.15.7/x86_64-linux
  /usr/local/lib/perl5/site_perl/5.15.7
  /usr/local/lib/perl5/5.15.7/x86_64-linux
  /usr/local/lib/perl5/5.15.7
  /usr/local/lib/perl5/site_perl
  .


Environment for perl 5.15.7:
  HOME=/home/rurban
  LANG=en_US.UTF-8
  LANGUAGE (unset)
  LD_LIBRARY_PATH=/usr/src/perl/build-5.15.8d-nt-asan
  LOGDIR (unset)
  PATH=/home/rurban/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
  PERL_BADLANG (unset)
  SHELL=/bin/bash
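
Added example (C, written for this page; it is not code from Socket.xs, from the patch above or from the Perl project): the shape of the over-read the report describes, and a bounded copy that avoids it. The packed address comes from a constructed helper `pack_abstract` standing in for `sockaddr_un("\0name")`; `unpack_bounded`, `overread_bytes`, `struct_stride_bytes` and `self_check` are hypothetical names chosen here. `struct_stride_bytes` shows why the remainder pointer has to be a `char *`: arithmetic on `&addr` moves in whole `struct sockaddr_un` units, not bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Pack an abstract AF_UNIX address the way Socket::sockaddr_un("\0name")
 * does: sun_family, a leading NUL, the name, and nothing after it. The
 * result is a malloc'd block of exactly *outlen bytes (caller frees), so
 * any read beyond it is what AddressSanitizer reports as heap-buffer-overflow.
 * (Constructed helper for this example.) */
static unsigned char *pack_abstract(const char *name, size_t *outlen)
{
    size_t namelen = strlen(name);
    size_t len = offsetof(struct sockaddr_un, sun_path) + 1 + namelen;
    unsigned char *buf = malloc(len);
    struct sockaddr_un tmp;

    memset(&tmp, 0, sizeof tmp);
    tmp.sun_family = AF_UNIX;
    memcpy(tmp.sun_path + 1, name, namelen);      /* sun_path[0] stays NUL */
    memcpy(buf, &tmp, len);
    *outlen = len;
    return buf;
}

/* Pre-patch behaviour was Copy(sun_ad, &addr, sizeof(addr), char) with no
 * regard for the packed buffer's length. This reports how many bytes such a
 * copy reads past a buffer of the given length (0 when the copy is safe). */
static size_t overread_bytes(size_t len)
{
    return len < sizeof(struct sockaddr_un) ? sizeof(struct sockaddr_un) - len : 0;
}

/* How many bytes `p + n` moves when p is a struct sockaddr_un pointer: this
 * is what `&addr + sockaddrlen` computes before Zero's internal cast. */
static size_t struct_stride_bytes(size_t n)
{
    static struct sockaddr_un pool[8];           /* keeps the arithmetic in bounds */
    struct sockaddr_un *p = pool;
    return n < 8 ? (size_t)((char *)(p + n) - (char *)p) : 0;
}

/* Bounded unpack: reject lengths too short to carry a family, copy only the
 * bytes that exist, zero the rest through a char pointer, then check the
 * family. On success *pathlen is the number of sun_path bytes present
 * (leading NUL included for abstract names). Returns 0, -1 (too short) or
 * -2 (wrong family). */
static int unpack_bounded(const unsigned char *buf, size_t len,
                          struct sockaddr_un *addr, size_t *pathlen)
{
    size_t n;

    if (len < offsetof(struct sockaddr_un, sun_path))
        return -1;                                /* no complete sun_family */
    n = len < sizeof *addr ? len : sizeof *addr;  /* never read past buf */
    memcpy(addr, buf, n);
    memset((char *)addr + n, 0, sizeof *addr - n);   /* byte pointer, not addr + n */
    if (addr->sun_family != AF_UNIX)
        return -2;
    *pathlen = n - offsetof(struct sockaddr_un, sun_path);
    return 0;
}

/* Runs the scenario end to end on a constructed name; returns 0 if every
 * expectation holds, otherwise a bit mask of the checks that failed. */
static int self_check(void)
{
    static const char name[] = "perl-test";      /* constructed input */
    struct sockaddr_un addr;
    size_t len, pathlen;
    unsigned char *buf = pack_abstract(name, &len);
    int rc = 0;

    if (overread_bytes(len) == 0) rc |= 1;       /* short buffer => over-read */
    if (unpack_bounded(buf, len, &addr, &pathlen) != 0) rc |= 2;
    if (pathlen != 1 + sizeof name - 1) rc |= 4; /* NUL marker + name */
    if (addr.sun_path[0] != '\0') rc |= 8;
    if (memcmp(addr.sun_path + 1, name, sizeof name - 1) != 0) rc |= 16;
    if (addr.sun_path[pathlen] != '\0') rc |= 32; /* tail was zero-filled */
    if (unpack_bounded((const unsigned char *)"\1", 1, &addr, &pathlen) != -1) rc |= 64;
    free(buf);
    return rc;
}

int main(void)
{
    printf("sizeof(struct sockaddr_un)=%zu, &addr+3 moves %zu bytes, self_check=%d\n",
           sizeof(struct sockaddr_un), struct_stride_bytes(3), self_check());
    return self_check() != 0;
}
```

Build with `-fsanitize=address` and swap the bounded copy for a fixed `memcpy(&addr, buf, sizeof addr)` to see the heap-buffer-overflow report the ticket quotes. The `len < offsetof(..., sun_path)` check is there because a one-byte buffer would otherwise leave `sun_family` half copied and half zeroed, which on a little-endian host still equals `AF_UNIX` and would then underflow the path length.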


p5pRT commented Mar 8, 2012

From @rurban

Re-attach patch
--
Reini Urban


p5pRT commented Mar 8, 2012

From @rurban

0001-Socket.xs-heap-buffer-overflow-with-abstract-AF_UNIX.patch
From 0ffb95f270b1e08e8ad99c36417f2ec48c4f9b05 Mon Sep 17 00:00:00 2001
From: Reini Urban <rurban@x-ray.at>
Date: Tue, 6 Mar 2012 17:07:35 -0600
Subject: [PATCH] Socket.xs heap-buffer-overflow with abstract AF_UNIX paths

AddressSanitizer heap-buffer-overflow on Socket.xs:718 Copy(sun_ad, &addr, sizeof(addr), char);
on linux with cpan/Socket/t/Socket.t test 17 sockaddr_un can handle abstract AF_UNIX.

Avoid reading past sun_ad->pv size and zero the uninitialized data.
---
 cpan/Socket/Socket.xs |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/cpan/Socket/Socket.xs b/cpan/Socket/Socket.xs
index 665553c..4e69cb8 100644
--- a/cpan/Socket/Socket.xs
+++ b/cpan/Socket/Socket.xs
@@ -713,9 +713,15 @@ unpack_sockaddr_un(sun_sv)
 	if (sockaddrlen != sizeof(addr))
 		croak("Bad arg length for %s, length is %"UVuf", should be %"UVuf,
 		      "Socket::unpack_sockaddr_un", (UV)sockaddrlen, (UV)sizeof(addr));
-#   endif
-
 	Copy(sun_ad, &addr, sizeof(addr), char);
+#   else
+	if (sockaddrlen < sizeof(addr)) {
+	  Copy(sun_ad, &addr, sockaddrlen, char);
+	  Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char);
+	} else {
+	  Copy(sun_ad, &addr, sizeof(addr), char);
+	}
+#   endif
 
 	if (addr.sun_family != AF_UNIX)
 		croak("Bad address family for %s, got %d, should be %d",
-- 
1.7.5.4


p5pRT commented Mar 8, 2012

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Mar 23, 2012

From @rjbs

This was fixed in Socket 2.000, imported to blead in
eabcd9c


p5pRT commented Mar 23, 2012

@rjbs - Status changed from 'open' to 'resolved'
