perl.perl5.porters: Postings from September 2016

[perl #129069] Fuzzer-detected use-after-free in Perl_yylex

From: Brian Carpenter via RT
Date: September 9, 2016 00:16
Subject: [perl #129069] Fuzzer-detected use-after-free in Perl_yylex
Message ID: rt-4.0.24-18928-1473380203-1458.129069-15-0@perl.org
On Sun Aug 28 23:33:26 2016, tonyc wrote:
> Thanks, applied as 3781748131a087d117c33ad25b5211eb3c33afff.

I think we should re-open this bug.

v5.25.5 (v5.25.4-104-g49fc490)

od -tx1 test00
0000000 6f 70 65 6e 20 6d 30 30 24
0000011

./perl test00
=================================================================
==8619==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e278 at pc 0x0000006595de bp 0x7ffcba0d6490 sp 0x7ffcba0d6488
READ of size 1 at 0x60200000e278 thread T0
    #0 0x6595dd in Perl_yylex /root/perl/toke.c:4880:5
    #1 0x6ade9e in Perl_yyparse /root/perl/perly.c:334:19
    #2 0x59c6c1 in S_parse_body /root/perl/perl.c:2373:9
    #3 0x592a5c in perl_parse /root/perl/perl.c:1689:2
    #4 0x4de745 in main /root/perl/perlmain.c:121:18
    #5 0x7fe5dafa5b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #6 0x4de3dc in _start (/root/perl/perl+0x4de3dc)

0x60200000e278 is located 8 bytes inside of 10-byte region [0x60200000e270,0x60200000e27a)
freed by thread T0 here:
    #0 0x4c104e in realloc (/root/perl/perl+0x4c104e)
    #1 0x7f8b46 in Perl_safesysrealloc /root/perl/util.c:274:18

previously allocated by thread T0 here:
    #0 0x4c0d5b in malloc (/root/perl/perl+0x4c0d5b)
    #1 0x7f8457 in Perl_safesysmalloc /root/perl/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/toke.c:4880 Perl_yylex
Shadow bytes around the buggy address:
  0x0c047fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9c40: fa fa fa fa fa fa 00 02 fa fa 00 02 fa fa fd[fd]
  0x0c047fff9c50: fa fa 00 04 fa fa 02 fa fa fa 00 02 fa fa 00 07
  0x0c047fff9c60: fa fa 00 fa fa fa 00 02 fa fa 05 fa fa fa 00 02
  0x0c047fff9c70: fa fa 06 fa fa fa 00 02 fa fa 05 fa fa fa 00 05
  0x0c047fff9c80: fa fa 04 fa fa fa 05 fa fa fa 05 fa fa fa 00 00
  0x0c047fff9c90: fa fa 00 02 fa fa 05 fa fa fa 00 02 fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==8619==ABORTING

---
via perlbug:  queue: perl5 status: pending release
https://rt.perl.org/Ticket/Display.html?id=129069
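Added example, not part of the ticket and not perl's own code: a small Python triage helper of the kind a maintainer keeps beside a fuzzing corpus. It rebuilds the test file from the `od -tx1` listing above (so the exact bytes, not a copy-pasted approximation, go into the regression corpus) and parses the AddressSanitizer report into a structured record: bug type, faulting address and access, the size of the freed region, and the access/free/allocation stacks, from which it derives the first frame inside the project tree and a short crash signature for de-duplicating fuzzer findings. The `od` dump and the (trimmed) ASan report are copied from the ticket as constructed sample input; the path prefix `/root/perl/` is taken from the report's frames and is the reporter's build tree, not a standard location.

```python
"""Triage helper for fuzzer-found AddressSanitizer reports (added example, not perl's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the `od -tx1 test00` listing from the ticket.
OD_DUMP = """\
0000000 6f 70 65 6e 20 6d 30 30 24
0000011
"""

# Constructed sample input: the ASan report from the ticket, trimmed to the
# frames that matter for triage (shadow-byte map and libc frames dropped).
ASAN_REPORT = """\
==8619==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e278 at pc 0x0000006595de bp 0x7ffcba0d6490 sp 0x7ffcba0d6488
READ of size 1 at 0x60200000e278 thread T0
    #0 0x6595dd in Perl_yylex /root/perl/toke.c:4880:5
    #1 0x6ade9e in Perl_yyparse /root/perl/perly.c:334:19
    #2 0x59c6c1 in S_parse_body /root/perl/perl.c:2373:9

0x60200000e278 is located 8 bytes inside of 10-byte region [0x60200000e270,0x60200000e27a)
freed by thread T0 here:
    #0 0x4c104e in realloc (/root/perl/perl+0x4c104e)
    #1 0x7f8b46 in Perl_safesysrealloc /root/perl/util.c:274:18

previously allocated by thread T0 here:
    #0 0x4c0d5b in malloc (/root/perl/perl+0x4c0d5b)
    #1 0x7f8457 in Perl_safesysmalloc /root/perl/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/toke.c:4880 Perl_yylex
==8619==ABORTING
"""

# Build-tree prefix as it appears in the ticket's frames (hypothetical location).
PROJECT_PREFIX = "/root/perl/"


def od_to_bytes(dump: str) -> bytes:
    """Rebuild a file from an `od -tx1` listing: octal offset column, hex data columns.
    Every offset must equal the number of bytes recovered so far, which catches a
    truncated paste; a '*' line (od's repeat marker) is rejected since the bytes
    it stands for cannot be recovered (ask for `od -v -tx1` instead)."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "*":
            raise ValueError("repeat marker in od output; regenerate with od -v")
        offset = int(fields[0], 8)
        if offset != len(out):
            raise ValueError(f"offset {offset:o} does not match {len(out)} bytes read")
        out.extend(int(h, 16) for h in fields[1:])
    return bytes(out)


@dataclass
class Frame:
    index: int
    function: str
    location: str          # "file:line:col" or "(binary+offset)" for interceptors


@dataclass
class AsanReport:
    bug_type: str
    address: int
    access: Optional[str] = None        # READ / WRITE
    access_size: Optional[int] = None
    region_offset: Optional[int] = None  # distance of the access into the region
    region_size: Optional[int] = None
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)


ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes (?:inside|to the (?:left|right)) of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(.*)$")


def parse_asan_report(text: str) -> AsanReport:
    """Split an ASan report into its header fields and its three stacks
    ("access", "freed", "allocated"), keyed so each can be inspected separately."""
    report: Optional[AsanReport] = None
    current: Optional[str] = None
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            report = AsanReport(bug_type=m.group(1), address=int(m.group(2), 16))
            current = "access"                 # frames after the ERROR line are the faulting access
            report.stacks[current] = []
            continue
        if report is None:
            continue                           # ignore anything before the ERROR line
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.access_size = m.group(1), int(m.group(2))
            continue
        m = REGION_RE.search(line)
        if m:
            report.region_offset, report.region_size = int(m.group(1)), int(m.group(2))
            continue
        if line.startswith("freed by"):
            current = "freed"
            report.stacks[current] = []
            continue
        if line.startswith("previously allocated by"):
            current = "allocated"
            report.stacks[current] = []
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            report.stacks[current].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no 'ERROR: AddressSanitizer' line found")
    return report


def project_frames(report: AsanReport, stack: str, prefix: str = PROJECT_PREFIX) -> List[Frame]:
    """Frames whose source location lies in the project tree, skipping allocator
    interceptors such as realloc/malloc that only carry a binary+offset."""
    return [f for f in report.stacks.get(stack, []) if f.location.startswith(prefix)]


def first_project_frame(report: AsanReport, stack: str) -> Optional[Frame]:
    frames = project_frames(report, stack)
    return frames[0] if frames else None


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Bug type plus the top project frames of the faulting access: a stable key
    for grouping fuzzer findings that differ only in addresses or PIDs."""
    chain = " > ".join(f.function for f in project_frames(report, "access")[:depth])
    return f"{report.bug_type}: {chain}"


if __name__ == "__main__":
    with open("test00", "wb") as fh:           # exact reproducer bytes for the regression corpus
        fh.write(od_to_bytes(OD_DUMP))
    rep = parse_asan_report(ASAN_REPORT)
    print(crash_signature(rep))
    print("freed at:", first_project_frame(rep, "freed"))
```

The freed stack is the part worth reading first for a use-after-free: here the region was released by a `realloc` reached through `Perl_safesysrealloc`, which means a pointer into the lexer's buffer was kept across a buffer growth, and that is the condition a regression test around `open m00$` should exercise once the fix is in.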
