develooper Front page | perl.perl5.porters | Postings from September 2016

[perl #129090] Perl_pad_fixup_inner_anons Null reference Memorycorruption

From: riusksk via RT
Date: September 1, 2016 13:10
Subject: [perl #129090] Perl_pad_fixup_inner_anons Null reference Memorycorruption
Message ID: rt-4.0.24-29366-1472693840-1132.129090-15-0@perl.org
On Friday, 2016-Aug-26 06:01:53, dcollinsn@gmail.com wrote:
> dcollins@nightshade64:~/toolchain/perl$ afl-tmin -i poc.pl -o
> pocmin.pl -- ./perl -Ilib @@
> afl-tmin 2.32b by <lcamtuf@google.com>
> 
> [+] Read 5780 bytes from 'poc.pl'.
> [*] Performing dry run (mem limit = 50 MB, timeout = 1000 ms)...
> [+] Program exits with a signal, minimizing in crash mode.
> [*] Stage #0: One-time block normalization...
> [+] Block normalization complete, 4564 bytes replaced.
> [*] --- Pass #1 ---
> [*] Stage #1: Removing blocks of data...
>     Block length = 512, remaining size = 5780
>     Block length = 256, remaining size = 1536
>     Block length = 128, remaining size = 1280
>     Block length = 64, remaining size = 1024
>     Block length = 32, remaining size = 832
>     Block length = 16, remaining size = 576
>     Block length = 8, remaining size = 384
>     Block length = 4, remaining size = 232
>     Block length = 2, remaining size = 164
>     Block length = 1, remaining size = 104
> [+] Block removal complete, 5702 bytes deleted.
> [*] Stage #2: Minimizing symbols (24 code points)...
> [+] Symbol minimization finished, 5 symbols (15 bytes) replaced.
> [*] Stage #3: Character minimization...
> [+] Character minimization done, 3 bytes replaced.
> [*] --- Pass #2 ---
> [*] Stage #1: Removing blocks of data...
>     Block length = 4, remaining size = 78
>     Block length = 2, remaining size = 74
>     Block length = 1, remaining size = 70
> [+] Block removal complete, 9 bytes deleted.
> [*] Stage #2: Minimizing symbols (19 code points)...
> [+] Symbol minimization finished, 0 symbols (0 bytes) replaced.
> [*] Stage #3: Character minimization...
> [+] Character minimization done, 0 bytes replaced.
> [*] --- Pass #3 ---
> [*] Stage #1: Removing blocks of data...
>     Block length = 4, remaining size = 69
>     Block length = 2, remaining size = 69
>     Block length = 1, remaining size = 69
> [+] Block removal complete, 0 bytes deleted.
> 
> File size reduced by : 98.81% (to 69 bytes)
> Characters simplified : 6640.58%
> Number of execs done : 893
>      Fruitless execs : path=666 crash=0 hang=15
> 
> [*] Writing output to 'pocmin.pl'...
> [+] We're done here. Have a nice day!
> 
> dcollins@nightshade64:~/toolchain/perl$ cat pocmin.pl
> $0=s()0<$>;0;my sub i0i0;()=((%fi0s0));sub fi0s0{sub i0i0{}sub fi0s0}
> 
> Further minimized by hand to:
> 
> $ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
> Segmentation fault

Thanks dcollinsn for the min poc. I ran it with ASan:

╭─riusksk@MacBook  ~/Downloads/perl ‹› ‹blead*›
╰─➤$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
=================================================================
==3513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000d378 at pc 0x0001056791e0 bp 0x7fff5a7cb250 sp 0x7fff5a7cb248
READ of size 8 at 0x60300000d378 thread T0
    #0 0x1056791df in Perl_pad_fixup_inner_anons pad.c:2382
    #1 0x105489f05 in Perl_newATTRSUB_x op.c:8711
    #2 0x105644f16 in Perl_yyparse perly.y:296
    #3 0x10553d087 in perl_parse perl.c:2373
    #4 0x1054347ee in main perlmain.c:121
    #5 0x7fff965865ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #6 0x3  (<unknown module>)

0x60300000d378 is located 0 bytes to the right of 24-byte region [0x60300000d360,0x60300000d378)
allocated by thread T0 here:
    #0 0x105f732f7 in wrap_realloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x432f7)
    #1 0x1057d438c in Perl_safesysrealloc util.c:274
    #2 0x1058ad808 in Perl_av_extend_guts av.c:163
    #3 0x1056646bb in Perl_pad_add_weakref pad.c:2665
    #4 0x10548cadc in Perl_newATTRSUB_x op.c:8846
    #5 0x105644f16 in Perl_yyparse perly.y:296
    #6 0x10553d087 in perl_parse perl.c:2373
    #7 0x1054347ee in main perlmain.c:121
    #8 0x7fff965865ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #9 0x3  (<unknown module>)


---
via perlbug:  queue: perl5 status: new
https://rt.perl.org/Ticket/Display.html?id=129090
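Triage of the AddressSanitizer report above, as an added example that is not part of the ticket or of the perl source: a small Python parser (constructed here; the report text is embedded as an abridged string) that pulls out the error class, the access, the heap-region geometry and the first non-runtime frame of both the faulting and the allocating stacks, which is what a fuzzing crash bucket is keyed on.

```python
import re

# Constructed excerpt of the ASan report quoted in the ticket, abridged to
# the lines this parser needs (addresses and frames copied from the report).
ASAN_REPORT = """\
==3513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000d378 at pc 0x0001056791e0 bp 0x7fff5a7cb250 sp 0x7fff5a7cb248
READ of size 8 at 0x60300000d378 thread T0
    #0 0x1056791df in Perl_pad_fixup_inner_anons pad.c:2382
    #1 0x105489f05 in Perl_newATTRSUB_x op.c:8711
0x60300000d378 is located 0 bytes to the right of 24-byte region [0x60300000d360,0x60300000d378)
allocated by thread T0 here:
    #0 0x105f732f7 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x432f7)
    #1 0x1057d438c in Perl_safesysrealloc util.c:274
    #2 0x1058ad808 in Perl_av_extend_guts av.c:163
    #3 0x1056646bb in Perl_pad_add_weakref pad.c:2665
"""

ERROR_RE = re.compile(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"located (\d+) bytes to the (left|right) of (\d+)-byte region \[")
FRAME_RE = re.compile(r"^[ \t]+#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)", re.M)

def first_frame(frames, ignore):
    """First frame whose function name does not match `ignore`; used to step
    over the sanitizer runtime and allocator wrappers to the real call site."""
    for _, func, loc in frames:
        if not re.search(ignore, func):
            return func, loc
    return None

def triage(report):
    """Reduce an ASan heap report to the fields a crash bucket is keyed on."""
    kind, addr = ERROR_RE.search(report).groups()
    access, size, _ = ACCESS_RE.search(report).groups()
    dist, side, region_size = REGION_RE.search(report).groups()
    # Frames before "allocated by" belong to the faulting access, the rest
    # to the allocation of the region that was overrun.
    head, _, tail = report.partition("allocated by")
    fault_frames, alloc_frames = FRAME_RE.findall(head), FRAME_RE.findall(tail)
    return {
        "kind": kind,
        "access": f"{access} of {size} bytes",
        "address": addr,
        "region_size": int(region_size),
        # 0 bytes to the right: the read begins on the first byte past the end.
        "past_end": side == "right" and int(dist) == 0,
        "fault_site": first_frame(fault_frames, r"^(__asan|__interceptor|wrap_)"),
        "alloc_site": first_frame(alloc_frames, r"alloc"),
    }

print(triage(ASAN_REPORT))
```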