
[perl #129069] Fuzzer-detected use-after-free in Perl_yylex

Tony Cook via RT
August 25, 2016 01:14
[perl #129069] Fuzzer-detected use-after-free in Perl_yylex
On Wed Aug 24 17:44:41 2016, wrote:
> I tried to add tests by using fresh_perl_is() and adding the tests to
> t/op/lex.t. I can confirm that the tests are "right" because they fail
> without the patch and succeed with the patch when run under libdislocator,
> which causes the tests to segfault. However, valgrind doesn't catch any
> issues in either case - I don't think it follows child processes. The
> errors don't appear under eval, so that isn't an option either.

My patch on the security ticket (I don't think this is a security issue,
but no-one responded on the security list) uses runperl() directly; I
couldn't get it to fail with fresh_perl_is(), which uses a file instead
of -e to run the script:

+    # RT #129021 - heap use after free
+    # caught by valgrind or with libdislocator
+    is(runperl(prog => 'do 00000', stderr => 1), "", "heap use after free");
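Review bot: the test comment should state that the empty-stderr check only detects the bug when runperl() is run under valgrind or libdislocator (e.g. PERL_RUNPERL_DEBUG='valgrind -q'), since a plain runperl() has nothing that notices a read of freed memory and the test passes either way; it is also worth confirming that the ticket number in the comment (RT #129021) is the intended one, given this thread is #129069.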

For valgrind to detect it you need to get runperl() to use valgrind, so
you'd set:

  PERL_RUNPERL_DEBUG='valgrind -q'

before running the test. For my testing I was doing:

  PERL_RUNPERL_DEBUG='valgrind -q' ./perl op/do.t

I'm not sure basing the position off PL_bufptr is correct; skipspace()
doesn't necessarily preserve it relative to the start of PL_linestr:

	if (PL_linestart > PL_bufptr)
	    PL_bufptr = PL_linestart;

but FatherC would know better.


via perlbug:  queue: perl5 status: open
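The positioning point Tony raises, as an added C model that is not perl's own code: a position saved as an offset from the buffer start survives the buffer being refilled, while one saved relative to the cursor does not, because skipspace() moves the cursor. The struct fields and skipspace() here are constructed stand-ins for PL_linestr, PL_bufptr, PL_linestart and the real function.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the lexer state: a line buffer (linestr), a cursor
 * into it (bufptr) and the start of the current line (linestart). */
struct lexer { char *linestr; size_t len; char *bufptr; char *linestart; };

static void lexer_init(struct lexer *lx, const char *text, size_t cursor) {
    lx->len = strlen(text);
    lx->linestr = malloc(lx->len + 1);
    memcpy(lx->linestr, text, lx->len + 1);
    lx->linestart = lx->linestr;
    lx->bufptr = lx->linestr + cursor;
}

/* Model of skipspace(): advance the cursor over blanks, then refill the
 * buffer with more input.  The refill replaces linestr, so a raw pointer
 * taken into the old buffer would now be a use-after-free, and the cursor
 * no longer sits where it did.  The final clamp is the one quoted in the
 * thread; it does not fire in this single-line model. */
static void skipspace(struct lexer *lx, const char *more) {
    size_t cur = lx->bufptr - lx->linestr, n = strlen(more);
    while (lx->linestr[cur] == ' ') cur++;
    char *grown = malloc(lx->len + n + 1);
    memcpy(grown, lx->linestr, lx->len);
    memcpy(grown + lx->len, more, n + 1);
    free(lx->linestr);                 /* old buffer gone; stale pointers dangle */
    lx->linestr = grown; lx->len += n;
    lx->linestart = lx->linestr;
    lx->bufptr = lx->linestr + cur;
    if (lx->linestart > lx->bufptr) lx->bufptr = lx->linestart;
}

/* Save the position of 'a' (index 5) as an offset from linestr: after
 * skipspace() the same offset still names 'a'.  Returns that character. */
static char recover_via_linestr(void) {
    struct lexer lx; lexer_init(&lx, "do   abcde", 2);   /* cursor after "do" */
    ptrdiff_t off = (lx.linestr + 5) - lx.linestr;
    skipspace(&lx, "\n");
    char c = lx.linestr[off];
    free(lx.linestr);
    return c;
}

/* Save the same position relative to bufptr instead: skipspace() advances
 * bufptr past the blanks, so the saved offset now lands on 'd'. */
static char recover_via_bufptr(void) {
    struct lexer lx; lexer_init(&lx, "do   abcde", 2);
    ptrdiff_t off = (lx.linestr + 5) - lx.bufptr;
    skipspace(&lx, "\n");
    char c = lx.bufptr[off];
    free(lx.linestr);
    return c;
}
```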
