
[perl #129069] Fuzzer-detected use-after-free in Perl_yylex

From: Father Chrysostomos via RT
Date: August 24, 2016 22:20
Subject: [perl #129069] Fuzzer-detected use-after-free in Perl_yylex
Message ID: rt-4.0.24-16952-1472077243-1596.129069-15-0@perl.org
On Wed Aug 24 12:13:58 2016, dcollinsn@gmail.com wrote:
> Some diagnosis:
> 
> Perl_yylex maintains up to two pointers, `s` and `d`, into the parser
> buffer at PL_bufptr. It can call skipspace(), which can potentially
> grow (and realloc) its argument. This can leave the second pointer
> pointing at the old buffer. Under most cases it isn't visible, because
> the old buffer isn't reused or zeroed. However, under Valgrind or
> libdislocator, this memory management error becomes visible.
> 
> Ideally, these would both just be offsets relative to PL_bufptr rather
> than pointers, but I understand the desire to have them be pointers for
> performance reasons. This would involve refactoring Perl_yylex as well
> as changing how skipspace is called (argument and retval would be an
> offset against PL_bufptr instead of a pointer into PL_bufptr).
> However, even just looking at skipspace, I don't understand this code
> well enough to do anything like that.
> 
> The simpler fix is to patch the holes by ensuring that the second
> pointer is always updated when we call skipspace, as in the attached.
> That fixes all of my testcases, not sure if Brian has any similar
> ones. This also `make test`s clean.

Both hunks look correct to me.  (I have a guilty feeling I may have written one of those bits of code.)  Could you add tests too, so that ‘make test.valgrind’ (or whatever it’s called) will catch any regressions?

-- 

Father Chrysostomos


---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=129069
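The hazard the diagnosis above describes, a second pointer into a buffer left dangling when a helper grows that buffer, reduced to a self-contained C example. This is added illustration, not code from the perl lexer or from the ticket's patch: `lexbuf`, `lb_skipspace` and the input strings are constructed stand-ins for PL_bufptr and skipspace(). The buffer is grown by allocate-copy-free instead of realloc() so that it always moves, which makes the stale pointer observable deterministically rather than only under Valgrind or libdislocator; the dangling pointer is compared as an integer and never dereferenced.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the lexer's input buffer (PL_bufptr in the ticket).
 * Every pointer a caller holds into `buf` is only valid until the next grow. */
typedef struct {
    char  *buf;
    size_t len;    /* bytes of text, excluding the NUL */
    size_t cap;
    int    moves;  /* how many times the buffer has been relocated */
} lexbuf;

static void lexbuf_init(lexbuf *lb, const char *src) {
    lb->len = strlen(src);
    lb->cap = lb->len + 1;
    lb->buf = malloc(lb->cap);
    memcpy(lb->buf, src, lb->cap);
    lb->moves = 0;
}

/* Grow by allocate-copy-free rather than realloc() so the buffer is
 * guaranteed to move. With realloc() the move depends on the allocator,
 * which is why the bug in the ticket was only visible under Valgrind
 * or libdislocator. */
static void lexbuf_grow(lexbuf *lb, size_t extra) {
    char *nb = malloc(lb->cap + extra);
    memcpy(nb, lb->buf, lb->len + 1);
    free(lb->buf);
    lb->buf = nb;
    lb->cap += extra;
    lb->moves++;
}

/* Is `p` inside the current buffer? Compares integers and never
 * dereferences, so it is safe to ask about a pointer into freed memory. */
static int in_buffer(const lexbuf *lb, const char *p) {
    uintptr_t b = (uintptr_t)lb->buf, q = (uintptr_t)p;
    return q >= b && q <= b + lb->len;
}

/* Analogue of skipspace(): advance `s` past whitespace; if the buffer runs
 * out, pull in `more` input, which grows (and moves) the buffer. The return
 * value points into the *new* buffer; any other pointer the caller saved
 * before the call is now stale. */
static char *lb_skipspace(lexbuf *lb, char *s, const char *more) {
    size_t off = (size_t)(s - lb->buf);       /* work in offsets internally */
    while (off < lb->len && isspace((unsigned char)lb->buf[off])) off++;
    if (off == lb->len && more) {
        size_t mlen = strlen(more);
        lexbuf_grow(lb, mlen + 1);
        memcpy(lb->buf + lb->len, more, mlen + 1);
        lb->len += mlen;
        while (off < lb->len && isspace((unsigned char)lb->buf[off])) off++;
    }
    return lb->buf + off;
}

/* The bug pattern: `d` marks the token start and is kept as a raw pointer
 * across the skipspace() call. Returns 1 if `d` ended up dangling. */
static int second_pointer_dangles(void) {
    lexbuf lb;
    lexbuf_init(&lb, "foo   ");           /* constructed input */
    char *d = lb.buf;                     /* token start */
    char *s = lb.buf + 3;                 /* whitespace start */
    s = lb_skipspace(&lb, s, "bar");      /* buffer moves here */
    int dangling = !in_buffer(&lb, d) && in_buffer(&lb, s);
    free(lb.buf);
    return dangling;
}

/* The fix in the spirit of the ticket's patch: re-derive `d` from the buffer
 * after every call that may reallocate it. Returns 1 when both pointers are
 * valid afterwards and the two tokens read back as "foo" and "bar". */
static int second_pointer_rebased(void) {
    lexbuf lb;
    lexbuf_init(&lb, "foo   ");
    char *d = lb.buf;
    char *s = lb.buf + 3;
    size_t d_off = (size_t)(d - lb.buf);  /* save d as an offset */
    s = lb_skipspace(&lb, s, "bar");
    d = lb.buf + d_off;                   /* rebase onto the live buffer */
    int ok = in_buffer(&lb, d) && in_buffer(&lb, s)
          && strncmp(d, "foo", 3) == 0 && strcmp(s, "bar") == 0;
    free(lb.buf);
    return ok;
}

int main(void) {
    printf("raw pointer dangling after skipspace: %d\n", second_pointer_dangles());
    printf("rebased pointer still valid:          %d\n", second_pointer_rebased());
    return 0;
}
```

The `d_off` save-and-restore around the call is the same shape as the "update the second pointer whenever we call skipspace" fix; the offset-only design the diagnosis calls ideal is what `lb_skipspace` does internally, where no pointer survives across the grow.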


