perl.perl5.porters | Postings from August 2016

[perl #128951] heap-buffer-overflow in Perl_sv_vcatpvfn_flags(sv.c:12897)

From: Brian Carpenter
Date: August 15, 2016 22:15
Subject: [perl #128951] heap-buffer-overflow in Perl_sv_vcatpvfn_flags(sv.c:12897)
Message ID: rt-4.0.24-15647-1471299302-1061.128951-75-0@perl.org
# New Ticket Created by  Brian Carpenter 
# Please include the string:  [perl #128951]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=128951 >


The attached test case triggers a heap-buffer-overflow in Perl_sv_vcatpvfn_flags (sv.c:12897). This was found with AFL, ASAN and libdislocator.so and affects v5.25.4 (v5.25.3-245-g2e66fe9). Perl 5.20.2 returns an error that says `Unrecognized character \xD7; marked by <-- HERE after !@{<-- HERE near column -1 at test00 line 1.`

==13440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dea8 at pc 0x0000004a9880 bp 0x7ffd00eeac90 sp 0x7ffd00eea450
READ of size 10 at 0x60200000dea8 thread T0
    #0 0x4a987f in __asan_memcpy (/home/geeknik/perl/perl+0x4a987f)
    #1 0x980d45 in Perl_sv_vcatpvfn_flags /home/geeknik/perl/sv.c:12897:6
    #2 0x963bc6 in Perl_sv_vsetpvfn /home/geeknik/perl/sv.c:10815:5
    #3 0x7fef42 in Perl_vmess /home/geeknik/perl/util.c:1560:5
    #4 0x7fef42 in Perl_vcroak /home/geeknik/perl/util.c:1789
    #5 0x7f53ac in Perl_croak /home/geeknik/perl/util.c:1836:5
    #6 0x66c3f0 in Perl_yylex /home/geeknik/perl/toke.c:4901:9
    #7 0x6ac741 in Perl_yyparse /home/geeknik/perl/perly.c:334:19
    #8 0x59bf12 in S_parse_body /home/geeknik/perl/perl.c:2372:9
    #9 0x59225c in perl_parse /home/geeknik/perl/perl.c:1688:2
    #10 0x4de7d5 in main /home/geeknik/perl/perlmain.c:121:18
    #11 0x7fcba632cb44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #12 0x4de46c in _start (/home/geeknik/perl/perl+0x4de46c)

0x60200000dea8 is located 8 bytes to the left of 10-byte region [0x60200000deb0,0x60200000deba)
allocated by thread T0 here:
    #0 0x4c0deb in malloc (/home/geeknik/perl/perl+0x4c0deb)
    #1 0x7f5007 in Perl_safesysmalloc /home/geeknik/perl/util.c:153:21

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bc0: fa fa fa fa fa fa fd fd fa fa 00 02 fa fa 00 02
=>0x0c047fff9bd0: fa fa 00 02 fa[fa]00 02 fa fa 00 04 fa fa 02 fa
  0x0c047fff9be0: fa fa 00 02 fa fa 00 03 fa fa 00 02 fa fa 00 00
  0x0c047fff9bf0: fa fa 00 02 fa fa 00 02 fa fa 00 fa fa fa 00 02
  0x0c047fff9c00: fa fa 00 00 fa fa 00 00 fa fa 00 06 fa fa 00 fa
  0x0c047fff9c10: fa fa 00 02 fa fa 05 fa fa fa 00 07 fa fa 00 01
  0x0c047fff9c20: fa fa 00 02 fa fa 06 fa fa fa 00 02 fa fa 00 03
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==13440==ABORTING
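The report above gives the raw numbers but not the relation between them: a 10-byte READ starting at 0x60200000dea8 against a 10-byte region beginning at 0x60200000deb0 means the read starts 8 bytes before the allocation and overlaps only its first 2 bytes, i.e. an out-of-bounds read to the left of the buffer rather than past its end. That distinction matters when checking a proposed fix. The following Python triage helper is an added example, not part of the ticket or of the Perl source; it parses the ASan lines shown above (embedded verbatim as sample input) and works out that split. The regular expressions are an assumption that covers only the line shapes visible in this report, not the full ASan output grammar.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the AddressSanitizer report from the ticket above, trimmed to the
# lines the parser needs. Every number is the report's own.
ASAN_REPORT = """\
==13440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dea8 at pc 0x0000004a9880 bp 0x7ffd00eeac90 sp 0x7ffd00eea450
READ of size 10 at 0x60200000dea8 thread T0
    #0 0x4a987f in __asan_memcpy (/home/geeknik/perl/perl+0x4a987f)
    #1 0x980d45 in Perl_sv_vcatpvfn_flags /home/geeknik/perl/sv.c:12897:6
    #2 0x963bc6 in Perl_sv_vsetpvfn /home/geeknik/perl/sv.c:10815:5
    #3 0x7fef42 in Perl_vmess /home/geeknik/perl/util.c:1560:5

0x60200000dea8 is located 8 bytes to the left of 10-byte region [0x60200000deb0,0x60200000deba)
allocated by thread T0 here:
    #0 0x4c0deb in malloc (/home/geeknik/perl/perl+0x4c0deb)
    #1 0x7f5007 in Perl_safesysmalloc /home/geeknik/perl/util.c:153:21
"""

# Patterns for the three report lines the triage relies on, plus stack frames.
# Assumption: they cover the line shapes visible in this report only.
ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes (?:to the (?P<side>left|right)|inside) of "
    r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)


@dataclass
class Triage:
    kind: str                  # ASan bug class, e.g. heap-buffer-overflow
    op: str                    # READ or WRITE
    size: int                  # bytes accessed
    addr: int                  # first byte accessed
    region_lo: int             # allocation start (inclusive)
    region_hi: int             # allocation end (exclusive)
    bytes_before: int          # accessed bytes lying before the allocation
    bytes_inside: int          # accessed bytes lying inside the allocation
    bytes_after: int           # accessed bytes lying past its end
    first_source_frame: Optional[str]  # first frame with file:line, ASan runtime skipped


def triage(report: str) -> Triage:
    """Parse one ASan heap report and split the faulting access into the
    bytes before / inside / after the allocation it is reported against."""
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a heap report in the shape this parser understands")
    addr, size = int(acc["addr"], 16), int(acc["size"])
    lo, hi = int(reg["lo"], 16), int(reg["hi"], 16)
    end = addr + size                                   # exclusive end of the access
    before = max(0, min(end, lo) - addr)
    inside = max(0, min(end, hi) - max(addr, lo))
    after = max(0, end - max(addr, hi))
    # Only the access stack (between the access line and the region line)
    # says where the bad read happened; the allocation stack comes later.
    frame = next((f"{m['func']} {m['loc']}"
                  for m in FRAME_RE.finditer(report, acc.end(), reg.start())
                  if ":" in m["loc"]
                  and not m["func"].startswith(("__asan", "__interceptor"))),
                 None)
    return Triage(err["kind"], acc["op"], size, addr, lo, hi, before, inside, after, frame)


def describe(t: Triage) -> str:
    """One-line summary of the kind a tracker comment or dashboard would show."""
    direction = ("underflow" if t.bytes_before else
                 "overflow" if t.bytes_after else "in-bounds (see other report lines)")
    return (f"{t.kind}: {t.op} of {t.size} bytes at {t.addr:#x}; {t.bytes_before} before, "
            f"{t.bytes_inside} inside, {t.bytes_after} after the "
            f"{t.region_hi - t.region_lo}-byte region [{t.region_lo:#x},{t.region_hi:#x}) "
            f"-> {direction}; in {t.first_source_frame}")


if __name__ == "__main__":
    print(describe(triage(ASAN_REPORT)))
```

Run as a script it prints one line naming the bug class, the 8/2/0 byte split against the region, the word "underflow", and the first Perl source frame (Perl_sv_vcatpvfn_flags at sv.c:12897). The same split applied to a report after a candidate patch is a quick way to confirm the access no longer starts before the allocation rather than merely moving.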