develooper Front page | perl.perl5.porters | Postings from August 2016

[perl #129069] Fuzzer-detected use-after-free in Perl_yylex

From:
Tony Cook via RT
Date:
August 25, 2016 01:14
Subject:
[perl #129069] Fuzzer-detected use-after-free in Perl_yylex
Message ID:
rt-4.0.24-8014-1472087632-719.129069-15-0@perl.org
On Wed Aug 24 17:44:41 2016, dcollinsn@gmail.com wrote:
> I tried to add tests by using fresh_perl_is() and adding the tests to
> t/op/lex.t. I can confirm that the tests are "right" because they fail
> without the patch and succeed with the patch when run under libdislocator,
> which causes the tests to segfault. However, valgrind doesn't catch any
> issues in either case - I don't think it follows child processes. The
> errors don't appear under eval, so that isn't an option either.

My patch on the security ticket (I don't think this is a security issue
but no-one responded on the security list) uses runperl() directly;
I couldn't get it to fail with fresh_perl_is(), which uses a file instead
of -e to run the script:

+{
+    # RT #129021 - heap use after free
+    # caught by valgrind or with libdislocator
+    is(runperl(prog => 'do 00000', stderr => 1), "", "heap use after free");
+}
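Review bot: the `# RT #129021` comment cites a different ticket number than this thread (#129069); if #129021 is the security ticket the message refers to, the comment should say so or cite both, since anyone reading t/op/do.t later will look the number up. Also, as the surrounding message explains, this `is(runperl(...), "")` only detects the use-after-free when runperl() is wrapped in valgrind or libdislocator via PERL_RUNPERL_DEBUG; on a plain build it passes regardless, so a line in the comment saying that a normal run is not expected to catch the bug would stop the next reader from assuming the assertion is meaningful on its own.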

For valgrind to detect it you need to get runperl() to use valgrind, so
you'd set:

  PERL_RUNPERL_DEBUG='valgrind -q'

before running the test; for my testing I was doing:

  PERL_RUNPERL_DEBUG='valgrind -q' ./perl op/do.t

I'm not sure basing the position off PL_bufptr is correct, skipspace()
doesn't necessarily preserve it relative to the start of PL_linestr:

	if (PL_linestart > PL_bufptr)
	    PL_bufptr = PL_linestart;

but FatherC would know better.

Tony


---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=129069
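As an added example (not the patch from the ticket or the thread's own code), here is the same regression test written so that it also checks whether the child perl died from a signal, and prints a note when no memory checker is configured, since the message above points out that the bare assertion only means something under valgrind or libdislocator. It assumes the t/test.pl helpers runperl(), plan(), is() and diag(), that runperl() sets $? like backticks, and the hypothetical helper name run_child.

```perl
#!./perl
# Added example, not the patch from RT #129069: a t/ test in the style of
# t/op/do.t that re-runs the reproducer from the thread ('do 00000') in a
# child perl via runperl() from t/test.pl and asserts on both the merged
# stdout/stderr and the child's exit status. Assumes it lives under t/ so
# that ./test.pl resolves, and that runperl() honours PERL_RUNPERL_DEBUG
# as described in the message (e.g. PERL_RUNPERL_DEBUG='valgrind -q').

BEGIN {
    chdir 't' if -d 't';
    @INC = '../lib';
    require './test.pl';
}

plan(tests => 2);

# The heap use-after-free only becomes visible when the child perl runs
# under a memory checker; without one a clean run proves nothing, so say so.
my $checker = defined $ENV{PERL_RUNPERL_DEBUG} ? $ENV{PERL_RUNPERL_DEBUG} : '';
diag("PERL_RUNPERL_DEBUG is unset; the use-after-free from RT #129069 "
     . "will not be detected without valgrind or libdislocator")
  unless $checker =~ /valgrind/;

# Hypothetical helper: run one snippet in a fresh perl and return the merged
# output plus the child's exit code and terminating signal ($? as backticks).
sub run_child {
    my ($prog) = @_;
    my $out = runperl(prog => $prog, stderr => 1);
    return ($out, $? >> 8, $? & 127);
}

my ($out, $exit, $sig) = run_child('do 00000');

# valgrind -q prints nothing unless it finds an error, so any output at all
# (a valgrind report, a perl warning, a libdislocator abort message) fails.
is($out, '', 'do 00000: no memory-checker report or warnings');

# A child killed by SIGSEGV/SIGABRT under libdislocator shows up here even
# if nothing was printed before it died.
is($sig, 0, 'do 00000: child perl was not killed by a signal');
```

Run it the way the message describes, with PERL_RUNPERL_DEBUG='valgrind -q' set, for the first assertion to carry weight.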
