develooper Front page | perl.perl5.porters | Postings from August 2016

[perl #129069] Fuzzer-detected use-after-free in Perl_yylex

From: Dan Collins via RT
Date: August 24, 2016 19:14
Subject: [perl #129069] Fuzzer-detected use-after-free in Perl_yylex
Message ID: rt-4.0.24-16952-1472066038-1834.129069-14-0@perl.org
Some diagnosis:

Perl_yylex maintains up to two pointers, `s` and `d`, into the parser buffer at PL_bufptr. It can call skipspace(), which can potentially grow (and realloc) its argument. This can leave the second pointer pointing at the old buffer. Under most cases it isn't visible, because the old buffer isn't reused or zeroed. However, under Valgrind or libdislocator, this memory management error becomes visible.

Ideally, these would both just be offsets relative to PL_bufptr rather than pointers, but I understand the desire to have them be pointers for performance reasons. This would involve refactoring Perl_yylex as well as changing how skipspace is called (argument and retval would be an offset against PL_bufptr instead of a pointer into PL_bufptr). However, even just looking at skipspace, I don't understand this code well enough to do anything like that.

The simpler fix is to patch the holes by ensuring that the second pointer is always updated when we call skipspace, as in the attached. That fixes all of my testcases, not sure if Brian has any similar ones. This also `make test`s clean.

-- 
Respectfully,
Dan Collins
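The stale-pointer pattern described in the report, as an added C example that is not Dan's attached patch and not Perl's code: a toy growable lexer buffer (standing in for PL_bufptr) whose skipspace() refills and moves it, and a lexer that keeps its second pointer `d` as an offset across the call. The names LexBuf, NEXT_CHUNK, lex_refill, lex_pair and demo_lex are constructed for this example; only skipspace, PL_bufptr, `s` and `d` correspond to names in the report.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed toy model of the report's bug, not Perl's code: a growable lexer
 * buffer standing in for PL_bufptr, and a skipspace() that refills it on demand. */
typedef struct { char *buf; size_t len; int refills; } LexBuf;
static const char *NEXT_CHUNK = "  value;";   /* input appended on refill (constructed) */
/* Append NEXT_CHUNK, always moving to a fresh allocation: every pointer into the
 * old buffer dangles afterwards, which is what libdislocator/Valgrind expose. */
static void lex_refill(LexBuf *lb) {
    size_t add = strlen(NEXT_CHUNK);
    char *nbuf = malloc(lb->len + add + 1);
    memcpy(nbuf, lb->buf, lb->len);
    memcpy(nbuf + lb->len, NEXT_CHUNK, add + 1);
    free(lb->buf);                              /* old base is now invalid */
    lb->buf = nbuf; lb->len += add; lb->refills++;
}
/* Skip whitespace from s, refilling when the buffer runs dry. Like Perl's skipspace(),
 * only the returned position is valid afterwards; the caller's other pointers dangle. */
static char *skipspace(LexBuf *lb, char *s) {
    for (;;) {
        while (*s == ' ' || *s == '\t' || *s == '\n') s++;
        if (*s != '\0') return s;
        size_t off = (size_t)(s - lb->buf);     /* carry s across the move as an offset */
        lex_refill(lb);
        s = lb->buf + off;
    }
}
/* Lex "<lhs>   <rhs>;" with the fixed pattern: d (start of lhs) is saved as an offset
 * before skipspace() and re-derived after. Token buffers assumed big enough (toy). */
int lex_pair(const char *chunk, char *lhs, char *rhs) {
    LexBuf lb = { malloc(strlen(chunk) + 1), strlen(chunk), 0 };
    memcpy(lb.buf, chunk, lb.len + 1);
    char *s = lb.buf, *d = lb.buf;              /* the two pointers of Perl_yylex */
    while (*s && *s != ' ') s++;
    size_t d_off = (size_t)(d - lb.buf), d_len = (size_t)(s - d);
    s = skipspace(&lb, s);                      /* may free lb.buf */
    d = lb.buf + d_off;                         /* FIX: re-derive d from the new base */
    memcpy(lhs, d, d_len); lhs[d_len] = '\0';   /* safe: d is in the live buffer */
    char *r = s;                                /* s itself came back valid */
    while (*s && *s != ';' && *s != ' ') s++;
    memcpy(rhs, r, (size_t)(s - r)); rhs[s - r] = '\0';
    free(lb.buf);
    return lb.refills;
}
/* Returns the refill count when both tokens lexed as "name"/"value", else -1. */
int demo_lex(const char *chunk) {
    char lhs[16], rhs[16];
    int refills = lex_pair(chunk, lhs, rhs);
    return strcmp(lhs, "name") == 0 && strcmp(rhs, "value") == 0 ? refills : -1;
}
```

A first chunk that ends in whitespace ("name ") forces the refill mid-statement, which is exactly when a `d` that was not re-derived would read the freed block.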
