
[perl #123802] Segfault in Perl_yyparse with minimized test case from #123801

Brian Carpenter
February 11, 2015 19:31
[perl #123802] Segfault in Perl_yyparse with minimized test case from #123801
# New Ticket Created by  Brian Carpenter 
# Please include the string:  [perl #123802]
# in the subject line of all future correspondence about this issue. 
# <URL: >

Built v5.21.9 (v5.21.8-286-g534577b) using the following command line:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j6 test-prep

Bug found with AFL ( I used afl-tmin to minimize the test case from #123801, which caused this segfault to happen instead of aborting.

Program received signal SIGSEGV, Segmentation fault.
RAX: 0x0 
RBX: 0x1221d20 --> 0x0 
RCX: 0x1205d10 --> 0x1 
RDX: 0x4000 ('')
RSI: 0x12134af --> 0x3334317473657400 ('')
RDI: 0x696d2d3334317473 ('st143-mi')
RBP: 0x726f ('or')
RSP: 0x7fffffffdfc0 --> 0x640121a020 
RIP: 0x668bd8 (<Perl_yyparse+6008>:	mov    esi,DWORD PTR [rdi+0x8])
R8 : 0x60 ('`')
R9 : 0x0 
R10: 0x1 
R11: 0x1221d20 --> 0x0 
R12: 0x0 
R13: 0x1222120 ("ntax error at test143-min line 1, near \"/$0{}/\"\n")
R14: 0x65 ('e')
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
   0x668bc6 <Perl_yyparse+5990>:	mov    rcx,QWORD PTR [rsp+0x8]
   0x668bcb <Perl_yyparse+5995>:	mov    rax,QWORD PTR [rsp+0x10]
   0x668bd0 <Perl_yyparse+6000>:	lea    rsp,[rsp+0x98]
=> 0x668bd8 <Perl_yyparse+6008>:	mov    esi,DWORD PTR [rdi+0x8]
   0x668bdb <Perl_yyparse+6011>:	cmp    esi,0x1
   0x668bde <Perl_yyparse+6014>:	jbe    0x669050 <Perl_yyparse+7152>
   0x668be4 <Perl_yyparse+6020>:	nop    DWORD PTR [rax+0x0]
   0x668be8 <Perl_yyparse+6024>:	lea    rsp,[rsp-0x98]
0000| 0x7fffffffdfc0 --> 0x640121a020 
0008| 0x7fffffffdfc8 --> 0x1221d40 --> 0x0 
0016| 0x7fffffffdfd0 --> 0x1221d48 --> 0x1222120 ("ntax error at test143-min line 1, near \"/$0{}/\"\n")
0024| 0x7fffffffdfd8 --> 0x3c ('<')
0032| 0x7fffffffdfe0 --> 0x4 
0040| 0x7fffffffdfe8 --> 0x633a3424c350f300 
0048| 0x7fffffffdff0 --> 0x7fffffffe3c0 --> 0x7fffffffe63d ("test143-min")
0056| 0x7fffffffdff8 --> 0x1 
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000668bd8 in Perl_yyparse ()
gdb-peda$ exploit
Description: Access violation
Short description: AccessViolation (21/22)
Hash: d9722ba607412bb0b0027e58bf5e08e2.d9722ba607412bb0b0027e58bf5e08e2
Exploitability Classification: UNKNOWN
Explanation: The target crashed due to an access violation but there is not enough additional information available to determine exploitability.

Test case hexdump:
0000000 242f 7b30 2f7d                         

Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, libc 3.2.65-1+deb7u1 x86_6, gcc 4.9.2