
[perl #115488] heredoc parser overflow

From:
rurban @ cpanel . net
Date:
October 26, 2012 14:41
Subject:
[perl #115488] heredoc parser overflow
Message ID:
rt-3.6.HEAD-11172-1351287647-1030.115488-75-0@perl.org
# New Ticket Created by  rurban@cpanel.net 
# Please include the string:  [perl #115488]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org:443/rt3/Ticket/Display.html?id=115488 >



This is a bug report for perl from rurban@cpanel.net,
generated with the help of perlbug 1.39 running under perl 5.17.6.


-----------------------------------------------------------------
Invalid cxstack_ix = -1 at toke.c:9829 in S_scan_heredoc(),
detected by ASan while running t/base/lex.t, with bufptr = " <<E2 ]}\nfoo\nE2\n"

# Reproducer: the failing case from t/base/lex.t (test 19, judging by the
# "ok 19" output). The inner heredoc <<E2 is started inside an @{[ ]}
# interpolation within the body of the outer heredoc <<E1; the inner body
# is "foo\n", so the outer body is expected to compare equal to "foo\n\n".
print <<E1 eq "foo\n\n" ? "ok 19\n" : "not ok 19\n";
@{[ <<E2 ]}
foo
E2
E1

heap-buffer-overflow READ of size 1 at 0x7ffff4151030
  0x7ffff4151030 is located 80 bytes to the left of 8080-byte region
  [0x7ffff4151080,0x7ffff4153010)

(gdb) l
9824			shared->re_eval_str =
9825			       newSVpvn(shared->re_eval_start,
9826					bufend - shared->re_eval_start);
9827		    shared->re_eval_start -= s-d;
9828		}
9829		if (CxTYPE(cx) == CXt_EVAL && CxOLD_OP_TYPE(cx) == OP_ENTEREVAL
9830		 && cx->blk_eval.cur_text == linestr) {
9831		    cx->blk_eval.cur_text = newSVsv(linestr);
9832		    SvSCREAM_on(cx->blk_eval.cur_text);
9833		}

(gdb)  p *cx
$1 = {cx_u = {cx_blk = {blku_type = 48 '0', blku_gimme = 16 '\020',
blku_u16 = 62485, blku_oldsp = 32767, blku_oldcop = 0x100004ef4d6b0f0, 
      blku_oldmarksp = -195744896, blku_oldscopesp = 32767, blku_oldpm =
0x7ffff4d6b6e0, blk_u = {blku_sub = {retop = 0x45e0360e, 
          cv = 0x5b01fff7c562f0, savearray = 0x7ffff5150082, argarray =
0x7ffff5150093, olddepth = -208327352, 
          oldcomppad = 0x7ffff5150082}, blku_format = {retop = 0x45e0360e,
cv = 0x5b01fff7c562f0, gv = 0x7ffff5150082, 
          dfoutgv = 0x7ffff5150093}, blku_eval = {retop = 0x45e0360e,
old_namesv = 0x5b01fff7c562f0, old_eval_root = 0x7ffff5150082, 
          cur_text = 0x7ffff5150093, cv = 0x7ffff3952d48, cur_top_env =
0x7ffff5150082}, blku_loop = {resetsp = 1172321806, 
          my_op = 0x5b01fff7c562f0, itervar_u = {svp = 0x7ffff5150082, gv =
0x7ffff5150082, oldcomppad = 0x7ffff5150082}, state_u = {ary = {
              ary = 0x7ffff5150093, ix = 140737280027976}, lazyiv = {cur =
140737305182355, end = 140737280027976}, lazysv = {
              cur = 0x7ffff5150093, end = 0x7ffff3952d48}}}, blku_givwhen =
{leave_op = 0x45e0360e}}}, cx_subst = {sbu_type = 48 '0', 
      sbu_rflags = 16 '\020', sbu_rxtainted = 62485, sbu_iters = 32767,
sbu_maxiters = -187256592, sbu_oldsave = 16777294, 
      sbu_orig = 0x7ffff4552b80 "\340\266\326\364\377\177", sbu_dstr =
0x7ffff4d6b6e0, sbu_targ = 0x45e0360e, 
      sbu_s = 0x5b01fff7c562f0 <Address 0x5b01fff7c562f0 out of bounds>,
sbu_m = 0x7ffff5150082 "[ <<E2 ]}\nfoo\nE2\n", 
      sbu_strend = 0x7ffff5150093 "", sbu_rxres = 0x7ffff3952d48, sbu_rx =
0x7ffff5150082}}}

=> cx_type = 0x30: CXt_NULL with CXp_MULTICALL and 0x20 ( CXp_REAL )?
I have no idea why a CXt_NULL would trigger this bug.

#define cx_type cx_u.cx_subst.sbu_type
cx is obviously uninitialized, because cxstack_ix is wrong: with si_cxix = -1, cx indexes one entry before the start of si_cxstack (0x7ffff4151080), which is exactly the read 80 bytes to the left of the region that ASan reports.

(gdb) p *PL_curstackinfo
$4 = {si_stack = 0x7ffff4d550b0, si_cxstack = 0x7ffff4151080, si_prev = 0x0,
si_next = 0x0, si_cxix = -1, si_cxmax = 100, si_type = 1, 
  si_markoff = 0}

(gdb) p *linestr
$2 = {sv_any = 0x7ffff4d6b6e0, sv_refcnt = 4294839840, sv_flags = 32767,
sv_u = {svu_pv = 0x7ffffffe0de0 "\210", svu_iv = 140737488227808, 
    svu_uv = 140737488227808, svu_rv = 0x7ffffffe0de0, svu_array =
0x7ffffffe0de0, svu_hash = 0x7ffffffe0de0, svu_gp = 0x7ffffffe0de0, 
    svu_fp = 0x7ffffffe0de0}}

(gdb) p *shared->ls_linestr 
$3 = {sv_any = 0x0, sv_refcnt = 0, sv_flags = 0, sv_u = {svu_pv = 0x0,
svu_iv = 0, svu_uv = 0, svu_rv = 0x0, svu_array = 0x0, 
    svu_hash = 0x0, svu_gp = 0x0, svu_fp = 0x0}}
(gdb) p *PL_parser
$4 = {old_parser = 0x0, yylval = {ival = 79, pval = 0x7fff0000004f <Address
0x7fff0000004f out of bounds>, opval = 0x7fff0000004f, 
    gvval = 0x7fff0000004f, p_tkval = 0x7fff0000004f <Address 0x7fff0000004f
out of bounds>, i_tkval = 79}, yychar = -2, yyerrstatus = 0, 
  stack_size = 200, yylen = 0, stack = 0x7ffff4d6d080, ps = 0x7ffff4d6d280,
lex_brackets = 2, lex_casemods = 0, 
  lex_brackstack = 0x7ffff5150180 "", lex_casestack = 0x7ffff5150280 "",
lex_defer = 10 '\n', lex_dojoin = true, lex_expect = 1 '\001', 
  expect = 1 '\001', lex_formbrack = 0, lex_inpat = 0x0, lex_op = 0x0,
lex_repl = 0x0, lex_inwhat = 2, last_lop_op = 224, lex_starts = 1, 
  lex_stuff = 0x0, multi_start = 80, multi_end = 78, multi_open = 60 '<',
multi_close = 60 '<', preambled = true, lex_allbrackets = 3, 
  sublex_info = {super_state = 10 '\n', sub_inwhat = 2, sub_op = 0x0, repl =
0x0}, lex_shared = 0x7ffff5150380, linestr = 0x7ffff4d6b6e0, 
  bufptr = 0x7ffff5150083 " <<E2 ]}\nfoo\nE2\n", oldbufptr = 0x7ffff5150083
" <<E2 ]}\nfoo\nE2\n", 
  oldoldbufptr = 0x7ffff5150082 "[ <<E2 ]}\nfoo\nE2\n", bufend =
0x7ffff5150093 "", linestart = 0x7ffff5150080 "@{[ <<E2 ]}\nfoo\nE2\n", 
  last_uni = 0x0, last_lop = 0x0, copline = 78, in_my = 0, lex_state = 9
'\t', error_count = 0 '\000', in_my_stash = 0x0, 
  rsfp = 0x7ffff4954100, rsfp_filters = 0x0, form_lex_state = 0 '\000',
nextval = {{ival = 0, 
      pval = 0x7fff00000000 <Address 0x7fff00000000 out of bounds>, opval =
0x7fff00000000, gvval = 0x7fff00000000, 
      p_tkval = 0x7fff00000000 <Address 0x7fff00000000 out of bounds>,
i_tkval = 0}, {ival = -212518080, 
      pval = 0x7ffff3553b40 "@;U\363\377\177", opval = 0x7ffff3553b40, gvval
= 0x7ffff3553b40, p_tkval = 0x7ffff3553b40 "@;U\363\377\177", 
      i_tkval = -212518080}, {ival = 0, pval = 0x0, opval = 0x0, gvval =
0x0, p_tkval = 0x0, i_tkval = 0}, {ival = 0, pval = 0x0, 
      opval = 0x0, gvval = 0x0, p_tkval = 0x0, i_tkval = 0}, {ival = 146,
pval = 0x92 <Address 0x92 out of bounds>, opval = 0x92, 
      gvval = 0x92, p_tkval = 0x92 <Address 0x92 out of bounds>, i_tkval =
146}}, nexttype = {44, 264, 36, 33554472, 299}, nexttoke = 0, 
  saved_curcop = 0x7ffff7ddbd38, tokenbuf =
"\nE2\n\000\000\064\066\065\062", '\000' <repeats 245 times>, lex_fakeeof =
0 '\000', 
  lex_flags = 0 '\000', in_pod = 0, filtered = 0}


-----------------------------------------------------------------
---
Flags:
    category=core
    severity=high
---
Site configuration information for perl 5.17.6:

Configured by rurban at Fri Oct 26 10:05:54 CDT 2012.

Summary of my perl5 (revision 5 version 17 subversion 6) configuration:
  Commit id: 6b54ddc5f039cda5c3fd0fa36516955199bdb957
  Platform:
    osname=linux, osvers=3.2.0-2-amd64, archname=x86_64-linux-debug@6b54ddc5
    uname='linux reini 3.2.0-2-amd64 #1 smp mon may 21 17:45:41 utc 2012 x86_64 gnulinux '
    config_args='-de -Dusedevel -Uversiononly -Dinstallman1dir=none -Dinstallman3dir=none -Dinstallsiteman1dir=none -Dinstallsiteman3dir=none -DEBUGGING -Doptimize=-g3 -Uuseithreads -D'cc=clang' -D'ld=clang' -Accflags='-msse4.2' -Accflags='-march=corei7' -Dcf_email='rurban@cpanel.net' -Dperladmin='rurban@cpanel.net' -Duseshrplib -Accflags=-Wno-unused-value'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='clang', ccflags ='-msse4.2 -march=corei7 -Wno-unused-value -DDEBUGGING -fno-strict-aliasing -pipe  -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-g3',
    cppflags='-msse4.2 -march=corei7 -Wno-unused-value -DDEBUGGING -fno-strict-aliasing -pipe  -I/usr/local/include'
    ccversion='', gccversion='4.2.1 Compatible Clang 3.2 (trunk)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='clang', ldflags ='  -L/usr/local/lib'
    libpth=/usr/local/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
    libc=, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.13'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/local/lib/perl5/5.17.6/x86_64-linux-debug@6b54ddc5/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -g3 -L/usr/local/lib '

Locally applied patches:
    

---
@INC for perl 5.17.6:
    /usr/local/lib/perl5/site_perl/5.17.6/x86_64-linux-debug@6b54ddc5
    /usr/local/lib/perl5/site_perl/5.17.6
    /usr/local/lib/perl5/5.17.6/x86_64-linux-debug@6b54ddc5
    /usr/local/lib/perl5/5.17.6
    /usr/local/lib/perl5/site_perl/5.17.5
    /usr/local/lib/perl5/site_perl/5.17.4
    /usr/local/lib/perl5/site_perl/5.17.3
    /usr/local/lib/perl5/site_perl/5.17.2
    /usr/local/lib/perl5/site_perl/5.17.1
    /usr/local/lib/perl5/site_perl/5.17.0
    /usr/local/lib/perl5/site_perl/5.17
    /usr/local/lib/perl5/site_perl/5.16.1
    /usr/local/lib/perl5/site_perl/5.16.0
    /usr/local/lib/perl5/site_perl/5.15.9
    /usr/local/lib/perl5/site_perl/5.15.8
    /usr/local/lib/perl5/site_perl/5.15.7
    /usr/local/lib/perl5/site_perl/5.15.6
    /usr/local/lib/perl5/site_perl/5.15.5
    /usr/local/lib/perl5/site_perl/5.15.4
    /usr/local/lib/perl5/site_perl/5.14.3
    /usr/local/lib/perl5/site_perl/5.14.2
    /usr/local/lib/perl5/site_perl/5.14.1
    /usr/local/lib/perl5/site_perl/5.12.4
    /usr/local/lib/perl5/site_perl/5.10.1
    /usr/local/lib/perl5/site_perl/5.8.9
    /usr/local/lib/perl5/site_perl/5.8.8
    /usr/local/lib/perl5/site_perl/5.8.7
    /usr/local/lib/perl5/site_perl/5.8.6
    /usr/local/lib/perl5/site_perl/5.8.5
    /usr/local/lib/perl5/site_perl/5.8.4
    /usr/local/lib/perl5/site_perl/5.8.3
    /usr/local/lib/perl5/site_perl/5.8.2
    /usr/local/lib/perl5/site_perl/5.8.1
    /usr/local/lib/perl5/site_perl/5.6.2
    /usr/local/lib/perl5/site_perl
    .

---
Environment for perl 5.17.6:
    HOME=/home/rurban
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/rurban/bin:/home/rurban/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERL_BADLANG (unset)
    SHELL=/bin/bash



