develooper Front page | perl.perl5.porters | Postings from August 2016

[perl #128952] (possible) stack-buffer-overflow in S_missingterm(toke.c:580)

From:
Brian Carpenter
Date:
August 15, 2016 22:23
Subject:
[perl #128952] (possible) stack-buffer-overflow in S_missingterm(toke.c:580)
Message ID:
rt-4.0.24-16711-1471299798-727.128952-75-0@perl.org
# New Ticket Created by  Brian Carpenter 
# Please include the string:  [perl #128952]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=128952 >


The attached test case triggers a (possible) stack-buffer-overflow in S_missingterm (toke.c:580). I say possible because ASAN reports this may be a false positive and I'm not a Perl internals expert. This was found with AFL, ASAN and libdislocator.so and affects v5.25.4 (v5.25.3-245-g2e66fe9). Perl 5.20.2 doesn't return any sort of an error.

==68681==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeb3e392ad at pc 0x000000698806 bp 0x7ffeb3e39270 sp 0x7ffeb3e39268
WRITE of size 1 at 0x7ffeb3e392ad thread T0
    #0 0x698805 in S_missingterm /home/geeknik/perl/toke.c:580:7
    #1 0x664d67 in Perl_yylex /home/geeknik/perl/toke.c:7988:3
    #2 0x6ac741 in Perl_yyparse /home/geeknik/perl/perly.c:334:19
    #3 0xa79cba in S_doeval_compile /home/geeknik/perl/pp_ctl.c:3406:77
    #4 0xa76e83 in Perl_pp_entereval /home/geeknik/perl/pp_ctl.c:4258:9
    #5 0x7f11d3 in Perl_runops_debug /home/geeknik/perl/dump.c:2234:23
    #6 0x5a0c56 in S_run_body /home/geeknik/perl/perl.c:2524:2
    #7 0x5a0c56 in perl_run /home/geeknik/perl/perl.c:2447
    #8 0x4de7fd in main /home/geeknik/perl/perlmain.c:123:9
    #9 0x7f724fb10b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #10 0x4de46c in _start (/home/geeknik/perl/perl+0x4de46c)

Address 0x7ffeb3e392ad is located in stack of thread T0 at offset 45 in frame
    #0 0x69846f in S_missingterm /home/geeknik/perl/toke.c:556

  This frame has 1 object(s):
    [32, 45) 'tmpbuf' <== Memory access at offset 45 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/geeknik/perl/toke.c:580 S_missingterm
Shadow bytes around the buggy address:
  0x1000567bf200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000567bf250: f1 f1 f1 f1 00[05]f3 f3 00 00 00 00 00 00 00 00
  0x1000567bf260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000567bf2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==68681==ABORTING
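The report above carries everything needed to triage the access without opening the build: the faulting operation and its size, the frame object ASAN blames, and the byte offset of the access inside that frame. The following is an added triage helper, not part of the ticket and not perl's own code; it parses those fields out of an ASAN stack-buffer-overflow report and relates the access to the object's bounds. The sample input is constructed from the lines of the report in this message, with the shadow-byte dump trimmed off.

```python
"""Triage helper for AddressSanitizer stack-buffer-overflow reports.

Pulls out the faulting access, the top frame of the access stack, the
frame object ASAN blames and its byte offset, then works out how far
outside the object the access lands.
"""
import re

# Constructed sample: the relevant lines of the report from this ticket.
SAMPLE_REPORT = """\
==68681==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeb3e392ad at pc 0x000000698806 bp 0x7ffeb3e39270 sp 0x7ffeb3e39268
WRITE of size 1 at 0x7ffeb3e392ad thread T0
    #0 0x698805 in S_missingterm /home/geeknik/perl/toke.c:580:7
    #1 0x664d67 in Perl_yylex /home/geeknik/perl/toke.c:7988:3
    #2 0x6ac741 in Perl_yyparse /home/geeknik/perl/perly.c:334:19

Address 0x7ffeb3e392ad is located in stack of thread T0 at offset 45 in frame
    #0 0x69846f in S_missingterm /home/geeknik/perl/toke.c:556

  This frame has 1 object(s):
    [32, 45) 'tmpbuf' <== Memory access at offset 45 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/geeknik/perl/toke.c:580 S_missingterm
"""

ERROR_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
OFFSET_RE = re.compile(r"at offset (?P<off>\d+) in frame")
OBJECT_RE = re.compile(
    r"^\s*\[(?P<lo>\d+), (?P<hi>\d+)\) '(?P<name>[^']+)'(?P<blamed> <==)?", re.M)


def parse_asan_report(text):
    """Return the structured fields of one ASAN report, or None if text is not one."""
    err = ERROR_RE.search(text)
    if err is None:
        return None
    # The access stack is everything before the "Address ... is located" block.
    # The second "#0" in the report describes the frame, not the access, so it
    # is deliberately excluded from the frame list.
    head = text.split("\nAddress ", 1)[0]
    frames = [m.groupdict() for m in FRAME_RE.finditer(head)]
    access = ACCESS_RE.search(text)
    offset = OFFSET_RE.search(text)
    # Prefer the object ASAN marks with "<==", else the first object listed.
    objects = [m.groupdict() for m in OBJECT_RE.finditer(text)]
    blamed = next((o for o in objects if o["blamed"]), objects[0] if objects else None)
    return {
        "kind": err.group("kind"),
        "address": err.group("addr"),
        "op": access.group("op") if access else None,
        "size": int(access.group("size")) if access else None,
        "top_frame": frames[0] if frames else None,
        "frames": frames,
        "offset": int(offset.group("off")) if offset else None,
        "object": (blamed["name"], int(blamed["lo"]), int(blamed["hi"])) if blamed else None,
    }


def classify_access(report):
    """Relate the access [offset, offset+size) to the blamed object [lo, hi)."""
    if report is None or report.get("offset") is None or report.get("object") is None:
        return None
    name, lo, hi = report["object"]
    start = report["offset"]
    size = report.get("size") or 1
    end = start + size
    if start >= hi:
        relation, past_end = "past_end", end - hi
    elif end <= lo:
        relation, past_end = "before_start", 0
    elif start < hi < end:
        relation, past_end = "straddles_end", end - hi
    else:
        relation, past_end = "inside", 0  # ASAN would not report an in-bounds access
    return {
        "variable": name,
        "object_size": hi - lo,
        "relation": relation,
        "bytes_past_end": past_end,
        # One byte written exactly at the end of the object is the classic
        # off-by-one signature, e.g. a terminator stored into a full buffer.
        "off_by_one": relation == "past_end" and start == hi and size == 1,
    }


def triage(text):
    """Parse and classify in one step; returns None for text that is not a report."""
    report = parse_asan_report(text)
    return None if report is None else {**report, "classification": classify_access(report)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["kind"], result["op"], "of", result["size"], "byte(s) in",
          result["top_frame"]["func"], "at", result["top_frame"]["loc"])
    print(result["classification"])
```

Run against this ticket's report it reports a 1-byte write in S_missingterm at toke.c:580 landing exactly one byte past the end of the 13-byte 'tmpbuf'. Two things worth knowing when reading such output: ASAN prints the "may be a false positive" hint for every report that lands on a stack address, so it carries no information about this particular case, and the frame object bounds are the part to trust, since they come from the compiler's own layout of the function's locals.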