
[perl #123717] Segfault in multiple versions of Perl5

From: Brian Carpenter
Date: February 2, 2015 16:26
Subject: [perl #123717] Segfault in multiple versions of Perl5
Message ID: rt-4.0.18-16051-1422894353-1756.123717-75-0@perl.org
# New Ticket Created by  Brian Carpenter 
# Please include the string:  [perl #123717]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=123717 >


I'm still attacking Perl5 with american fuzzy lop (http://lcamtuf.coredump.cx/afl/).

CC=/path/to/afl-gcc ./Configure
AFL_HARDEN=1 make

This is perl 5, version 21, subversion 9 (v5.21.9 (v5.21.8-79-g4932eec))
built for x86_64-linux

Perl was compiled using all defaults (except adding -g to the CFLAGS).

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x2
RCX: 0x1
RDX: 0x2
RSI: 0x12
RDI: 0x0
RBP: 0x2
RSP: 0x7fffffffdcb0 --> 0x100
RIP: 0x6e5a1c (<Perl_repeatcpy+2180>: movzx  edx,BYTE PTR [r9])
R8 : 0x0
R9 : 0x0
R10: 0x2
R11: 0x0
R12: 0x2
R13: 0x101
R14: 0x0
R15: 0x4
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
   0x6e5a0b <Perl_repeatcpy+2163>: mov    rax,QWORD PTR [rsp+0x10]
   0x6e5a10 <Perl_repeatcpy+2168>: lea    rsp,[rsp+0x98]
   0x6e5a18 <Perl_repeatcpy+2176>: lea    rcx,[rbp-0x1]
=> 0x6e5a1c <Perl_repeatcpy+2180>: movzx  edx,BYTE PTR [r9]
   0x6e5a20 <Perl_repeatcpy+2184>: lea    rax,[r9+0x1]
   0x6e5a24 <Perl_repeatcpy+2188>: mov    rsi,rcx
   0x6e5a27 <Perl_repeatcpy+2191>: and    esi,0x7
   0x6e5a2a <Perl_repeatcpy+2194>: test   rcx,rcx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdcb0 --> 0x100
0008| 0x7fffffffdcb8 --> 0x7ffffffffffffffe
0016| 0x7fffffffdcc0 --> 0x0
0024| 0x7fffffffdcc8 --> 0x2
0032| 0x7fffffffdcd0 --> 0x10
0040| 0x7fffffffdcd8 --> 0x2
0048| 0x7fffffffdce0 --> 0xe4cfe8 --> 0xe4cfd8 --> 0x440300000001
0056| 0x7fffffffdce8 --> 0x603d63bf155a1200
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000006e5a1c in Perl_repeatcpy (to=0x2 <Address 0x2 out of bounds>,
from=0x0, len=0x2, count=0x7ffffffffffffffe) at util.c:3086
3086 *p++ = *q++;

gdb-peda$ bt
#0  0x00000000006e5a1c in Perl_repeatcpy (to=0x2 <Address 0x2 out of
bounds>, from=0x0, len=0x2, count=0x7ffffffffffffffe) at util.c:3086
#1  0x0000000000854eac in Perl_pp_repeat () at pp.c:1768
#2  0x0000000000782f7b in Perl_runops_standard () at run.c:41
#3  0x000000000046012e in S_fold_constants (o=0xe58420) at op.c:4332
#4  0x00000000005c94f9 in Perl_yyparse (gramtype=<optimized out>) at
perly.y:797
#5  0x00000000004f2615 in S_parse_body (xsinit=0x42a850 <xs_init>, env=0x0)
at perl.c:2273
#6  perl_parse (my_perl=<optimized out>, xsinit=0x42a850 <xs_init>,
argc=<optimized out>, argv=<optimized out>, env=0x0) at perl.c:1607
#7  0x000000000042a45c in main (argc=0x2, argv=0x7fffffffe398,
env=0x7fffffffe3b0) at perlmain.c:114
#8  0x00007ffff6f97ead in __libc_start_main (main=<optimized out>,
argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe388)
at libc-start.c:244
#9  0x000000000042a775 in _start ()

gdb-peda$ exploit
Description: Access violation near NULL on source operand
Short description: SourceAvNearNull (16/22)
Hash: 000c219cf66df9b6d330542118bb3e1e.8e1055cedb39ef6cf4cbc49a4c29dd29
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Explanation: The target crashed on an access violation at an address
matching the source operand of the current instruction. This likely
indicates a read access violation, which may mean the application crashed
on a simple NULL dereference to data structure that has no immediate effect
on control of the processor.
Other tags: AccessViolation (21/22)

I noticed that this same test case crashes Perl 5.21.7 as well
(v5.21.6-602-ge9d2bd8) but with a little different backtrace:

#0  __memcpy_ssse3_back () at
../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1664
#1  0x00000000006d8d0b in memcpy (__len=0x20000, __src=0xe46432,
__dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:52
#2  Perl_repeatcpy (to=0xe46432 '6' <repeats 200 times>..., from=0xe46430
'6' <repeats 200 times>..., len=0x2, count=0x7ffffffffffffffe) at
util.c:3092
#3  0x000000000084742c in Perl_pp_repeat () at pp.c:1749
#4  0x0000000000775a6b in Perl_runops_standard () at run.c:41
#5  0x000000000045a3ee in S_fold_constants (o=0xe46320) at op.c:4337
#6  0x00000000005c7321 in Perl_yyparse (gramtype=<optimized out>) at
perly.y:769
#7  0x00000000004f0875 in S_parse_body (xsinit=0x42ac70 <xs_init>, env=0x0)
at perl.c:2271
#8  perl_parse (my_perl=<optimized out>, xsinit=0x42ac70 <xs_init>,
argc=<optimized out>, argv=<optimized out>, env=0x0) at perl.c:1605
#9  0x000000000042a87c in main (argc=0x2, argv=0x7fffffffe398,
env=0x7fffffffe3b0) at perlmain.c:114
#10 0x00007ffff6f97ead in __libc_start_main (main=<optimized out>,
argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe388)
at libc-start.c:244
#11 0x000000000042ab95 in _start ()

The test case is a bit similar to the one in #123551, but the gdb output is
a bit different.
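The frame that faults above is Perl_repeatcpy called with len=0x2 and count=0x7ffffffffffffffe, a byte count that no allocator can satisfy, and in the 5.21.7 trace the same arguments reach a 0x20000-byte memcpy inside the doubling loop. What produced the to=0x2 destination in the 5.21.9 build is not established on this page. The following is an added example, not code from the ticket or from the Perl source: a repeatcpy-style helper written in C that checks the len*count product before allocating, next to the unchecked product so the wrap is visible with the backtrace's own numbers. MAX_REPEAT_BYTES is a hypothetical policy cap, not a Perl setting.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy cap on one repeated string (assumption, not a Perl value). */
#define MAX_REPEAT_BYTES ((size_t)1 << 30)

/* The product as a naive caller would compute it in size_t, with no check.
 * For len=2, count=0x7ffffffffffffffe this is 0xfffffffffffffffc; for len=3
 * it wraps to 0x7ffffffffffffffa, a size that looks plausible but is wrong. */
static size_t unchecked_total(size_t len, size_t count)
{
    return len * count;
}

/* Doubling copy in the shape of Perl_repeatcpy: write one copy of `from`,
 * then memcpy the already-filled prefix forward until `count` copies exist.
 * Caller guarantees `to` holds len*count bytes and that the product is exact. */
static void repeat_copy(char *to, const char *from, size_t len, size_t count)
{
    size_t total = len * count;
    size_t done;

    if (total == 0)
        return;
    memcpy(to, from, len);
    done = len;
    while (done < total) {
        size_t chunk = (done <= total - done) ? done : total - done;
        /* src [0,chunk) and dst [done,done+chunk) never overlap since chunk <= done */
        memcpy(to + done, to, chunk);
        done += chunk;
    }
}

/* Returns 0 and hands back a malloc'd buffer of len*count bytes in *out, or -1
 * when the product would wrap size_t, exceeds the cap, or cannot be allocated.
 * The point is that `count` is validated before any pointer is derived from
 * the allocation, so a huge repeat count never reaches the copy loop. */
static int checked_repeat(const char *from, size_t len, size_t count,
                          char **out, size_t *out_len)
{
    size_t total;
    char *to;

    *out = NULL;
    *out_len = 0;
    if (len != 0 && count > SIZE_MAX / len)
        return -1;                       /* len * count would overflow */
    total = len * count;
    if (total > MAX_REPEAT_BYTES)
        return -1;                       /* refuse instead of hoping malloc fails cleanly */
    to = malloc(total ? total : 1);
    if (to == NULL)
        return -1;
    repeat_copy(to, from, len, count);
    *out = to;
    *out_len = total;
    return 0;
}

int main(void)
{
    /* Arguments taken from the gdb frame in the ticket. */
    const size_t len = 2;
    const size_t count = (size_t)0x7ffffffffffffffeULL;
    char *buf;
    size_t n;

    printf("unchecked len*count = %#zx\n", unchecked_total(len, count));
    printf("checked_repeat(len=2, count=0x7ffffffffffffffe) -> %d\n",
           checked_repeat("66", len, count, &buf, &n));
    if (checked_repeat("ab", 2, 3, &buf, &n) == 0) {
        printf("\"ab\" x 3 = %.*s\n", (int)n, buf);
        free(buf);
    }
    return 0;
}
```

Run as-is the program rejects the ticket's arguments and prints the 0xfffffffffffffffc product; the multiply-before-check ordering is the one thing to look for when reviewing any caller that sizes a buffer from user-controlled len and count.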
