develooper Front page | perl.perl5.porters | Postings from August 2016

[perl #129075] perl Perl_mess_sv() memory corruption

From: riusksk
Date: August 25, 2016 14:41
Subject: [perl #129075] perl Perl_mess_sv() memory corruption
Message ID: rt-4.0.24-1916-1472094617-1203.129075-75-0@perl.org
# New Ticket Created by  riusksk 
# Please include the string:  [perl #129075]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=129075 >


gdb-peda$ run poc.pl
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x2139 ('9!')
RBX: 0xc2a888 --> 0xc0c6a0 --> 0x3f ('?')
RCX: 0xbf8120 --> 0x40000000000
RDX: 0xbf8120 --> 0x40000000000
RSI: 0x0
RDI: 0x0
RBP: 0xc4
RSP: 0x7fffffffd9d0 --> 0x8ba6b2 ("free op at %p, recorded in slab %p")
RIP: 0x5e500f (<Perl_mess_sv+703>:      test   BYTE PTR [rdi+0x21],0x40)
R8 : 0x0
R9 : 0xc2be70 --> 0xc2bdf0 --> 0xc2bdd0 --> 0x0
R10: 0x20 (' ')
R11: 0xfffffffffffffffc
R12: 0xfffffffffffffffc
R13: 0xffffffffffffffff
R14: 0x8ba6b2 ("free op at %p, recorded in slab %p")
R15: 0xc2a888 --> 0xc0c6a0 --> 0x3f ('?')
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5e4ffd <Perl_mess_sv+685>: mov    DWORD PTR fs:[r12],0x17f3
   0x5e5006 <Perl_mess_sv+694>: mov    rdi,QWORD PTR [rip+0x6127e3]        # 0xbf77f0 <PL_curcop>
   0x5e500d <Perl_mess_sv+701>: xor    esi,esi
=> 0x5e500f <Perl_mess_sv+703>: test   BYTE PTR [rdi+0x21],0x40
   0x5e5013 <Perl_mess_sv+707>: je     0x5e5037 <Perl_mess_sv+743>
   0x5e5015 <Perl_mess_sv+709>: movsxd rax,DWORD PTR fs:[r12]
   0x5e501a <Perl_mess_sv+714>: mov    rcx,QWORD PTR [rip+0x612297]        # 0xbf72b8 <__afl_area_ptr>
   0x5e5021 <Perl_mess_sv+721>: xor    rax,0xc2cf
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd9d0 --> 0x8ba6b2 ("free op at %p, recorded in slab %p")
0008| 0x7fffffffd9d8 --> 0xc2a888 --> 0xc0c6a0 --> 0x3f ('?')
0016| 0x7fffffffd9e0 --> 0x38931a43dc3a1100
0024| 0x7fffffffd9e8 --> 0xc2a888 --> 0xc0c6a0 --> 0x3f ('?')
0032| 0x7fffffffd9f0 --> 0xfffffffffffffffc
0040| 0x7fffffffd9f8 --> 0x8ba6b2 ("free op at %p, recorded in slab %p")
0048| 0x7fffffffda00 --> 0xc29f40 --> 0xc29fd0 --> 0xc2a010 --> 0xc2a058 --> 0xc2a0b8 --> 0xc2a0f8 --> 0xc2a138 --> 0x0
0056| 0x7fffffffda08 --> 0x5e490b (<Perl_mess+299>:     mov    rcx,QWORD PTR fs:0x28)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000005e500f in Perl_mess_sv (basemsg=<optimized out>, consume=<optimized out>) at util.c:1508
1508                closest_cop(PL_curcop, OpSIBLING(PL_curcop), PL_op, FALSE);
gdb-peda$ list
1503             * can try to find such a cop by searching through the optree starting
1504             * from the sibling of PL_curcop.
1505             */
1506
1507            const COP *cop =
1508                closest_cop(PL_curcop, OpSIBLING(PL_curcop), PL_op, FALSE);
1509            if (!cop)
1510                cop = PL_curcop;
1511
1512            if (CopLINE(cop))
gdb-peda$ exploitable
Undefined command: "exploitable".  Try "help".
gdb-peda$ source /usr/local/lib/python2.7/dist-packages/exploitable-1.32-py2.7.egg/exploitable/exploitable.py
gdb-peda$ exploitable
Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (15/22)
Hash: 1a151c037389315db0b68bce2f05b76e.560e17b3b11ae333722a75a54229d3d5
Exploitability Classification: PROBABLY_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
Other tags: AccessViolation (21/22)

root@Ubuntu:~/perl# valgrind perl poc.pl

==22051== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==22051==
==22051== 1 errors in context 1 of 1:
==22051== Invalid read of size 1
==22051==    at 0x5E500F: Perl_mess_sv (util.c:1508)
==22051==    by 0x5E490A: Perl_vmess (util.c:1561)
==22051==    by 0x5E490A: Perl_mess (util.c:1391)
==22051==    by 0x42044A: Perl_Slab_Free (op.c:442)
==22051==    by 0x42192D: Perl_op_free (op.c:855)
==22051==    by 0x421679: Perl_op_free (op.c:837)
==22051==    by 0x731543: Perl_leave_scope (scope.c:1109)
==22051==    by 0x74EAA0: S_pop_eval_context_maybe_croak (pp_ctl.c:1605)
==22051==    by 0x74E55D: Perl_die_unwind (pp_ctl.c:1733)
==22051==    by 0x5E6558: Perl_vcroak (util.c:1791)
==22051==    by 0x5E6336: Perl_die (util.c:1722)
==22051==    by 0x760728: S_require_file (pp_ctl.c:4062)
==22051==    by 0x760728: Perl_pp_require (pp_ctl.c:4138)
==22051==    by 0x5DD02C: Perl_runops_debug (dump.c:2234)
==22051==  Address 0x21 is not stack'd, malloc'd or (recently) free'd
==22051==
==22051== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
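Editor's note on reading the dump above (this script is an added triage helper, not part of the ticket or of perl). The faulting instruction `test BYTE PTR [rdi+0x21],0x40` was reached right after `mov rdi,[PL_curcop]`, and the register block shows RDI = 0x0, so the access is a one-byte read at address 0x21, exactly what valgrind reports ("Address 0x21 is not stack'd, malloc'd or (recently) free'd"). `exploitable` rates it DestAvNearNull / PROBABLY_EXPLOITABLE because the memory operand sits in the destination slot, but `test` never writes its operands; the crash is a NULL read of PL_curcop while Perl_mess_sv builds the "free op at %p" message. The helper below automates that check: it parses the peda register lines, evaluates the Intel-syntax memory operand, decides read versus write, and cross-checks against the valgrind address. Sample input is copied from the dump in this post. Assumptions: an x86-64 target with only 64-bit GPRs in operands, the first page (below 0x1000) unmapped, and a simple operand splitter that handles the common `mnemonic dst,src` forms.

```python
"""Crash-dump triage helper (added example, not perl's or the reporter's code).

Evaluates the faulting memory operand from a gdb-peda register dump and
classifies the access, so a near-NULL read is not mistaken for a write.
"""
import re

# Constructed sample input: register lines, faulting instruction and the
# valgrind summary line as they appear in the [perl #129075] report.
REGISTER_DUMP = """\
RAX: 0x2139 ('9!')
RBX: 0xc2a888 --> 0xc0c6a0 --> 0x3f ('?')
RCX: 0xbf8120 --> 0x40000000000
RSI: 0x0
RDI: 0x0
RBP: 0xc4
R8 : 0x0
R12: 0xfffffffffffffffc
"""
FAULT_INSN = "test   BYTE PTR [rdi+0x21],0x40"
VALGRIND_LINE = "==22051==  Address 0x21 is not stack'd, malloc'd or (recently) free'd"

# Mnemonics whose first operand is in the destination slot but is only read.
# `exploitable` treats a fault on the destination operand as a probable write;
# these instructions never store, so the access is a read.
READ_ONLY_DEST = {"test", "cmp", "bt"}

# Assumption: the first page is unmapped, so a fault below it is a NULL deref.
NEAR_NULL_LIMIT = 0x1000


def parse_registers(dump):
    """Map register names (upper case) to integers from peda's register block."""
    regs = {}
    for line in dump.splitlines():
        m = re.match(r"^([A-Z][A-Z0-9]{1,2})\s*:\s*(0x[0-9a-fA-F]+)", line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def effective_address(mem_operand, regs):
    """Evaluate an Intel-syntax operand such as [rdi+0x21] or [rax+rcx*8-0x10].

    Assumption: every register term is a 64-bit GPR present in `regs`.
    """
    expr = mem_operand.strip("[] ").lower()
    total = 0
    for sign, term, scale in re.findall(r"([+-]?)\s*([a-z0-9]+)(?:\*([1248]))?", expr):
        if term.upper() in regs:
            value = regs[term.upper()]
        else:
            value = int(term, 0)          # immediate displacement
        if scale:
            value *= int(scale)
        total += -value if sign == "-" else value
    return total & 0xFFFFFFFFFFFFFFFF


def memory_access_kind(insn):
    """Return (kind, mem_operand) with kind "read" or "write", or (None, None).

    Heuristic: memory in the first operand slot is a write unless the
    mnemonic is known to only read it; memory elsewhere is a read.
    """
    mnemonic, _, rest = insn.strip().partition(" ")
    mnemonic = mnemonic.lower()
    mem = re.search(r"\[[^\]]+\]", rest)
    if not mem:
        return None, None
    operands = [o.strip() for o in re.split(r",(?![^\[]*\])", rest.strip())]
    if mnemonic in READ_ONLY_DEST or "[" not in operands[0]:
        return "read", mem.group(0)
    return "write", mem.group(0)


def valgrind_address(line):
    """Pull the faulting address out of valgrind's 'Address 0x... is not' line."""
    m = re.search(r"Address (0x[0-9a-fA-F]+)", line)
    return int(m.group(1), 16) if m else None


def triage(dump, insn, valgrind_line=None):
    """Combine the pieces into one verdict for the faulting instruction."""
    regs = parse_registers(dump)
    kind, mem = memory_access_kind(insn)
    addr = effective_address(mem, regs)
    return {
        "mnemonic": insn.split()[0].lower(),
        "operand": mem,
        "address": addr,
        "access": kind,
        "near_null": addr < NEAR_NULL_LIMIT,
        "valgrind_agrees": (valgrind_address(valgrind_line) == addr
                            if valgrind_line else None),
    }


if __name__ == "__main__":
    verdict = triage(REGISTER_DUMP, FAULT_INSN, VALGRIND_LINE)
    print("%s %s -> %s of 0x%x, near NULL: %s, valgrind agrees: %s" % (
        verdict["mnemonic"], verdict["operand"], verdict["access"],
        verdict["address"], verdict["near_null"], verdict["valgrind_agrees"]))
```

For the dump in this post the verdict is a read of 0x21, near NULL, agreeing with valgrind; that is the "NULL dereference" case the plugin's own explanation hedges on, not a controlled write. The same helper applied to a fault where the base register holds a heap or stack value, or where the mnemonic is a store, is what should raise the rating.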


nntp.perl.org: Perl Programming lists via nntp and http.