
[perl #132593] PERL-5.26.1 heap_buffer_overflow READ of size 8

From: Tony Cook via RT
Date: February 7, 2018 03:17
Subject: [perl #132593] PERL-5.26.1 heap_buffer_overflow READ of size 8
Message ID: rt-4.0.24-614-1517973463-1652.132593-15-0@perl.org

On Mon, 18 Dec 2017 03:34:03 -0800, davem wrote:
> On Sun, Dec 17, 2017 at 02:17:02AM -0800, SRAUMS JN wrote:
> > #0 0x2519067 in Perl_pp_backtick /home/asan_perl/Documents/perl-5.26.1/pp_sys.c:299
> > #1 0x1b1bc2e in Perl_runops_standard /home/asan_perl/Documents/perl-5.26.1/run.c:41
> > #2 0x9218a5 in S_run_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2519
> > #3 0x9218a5 in perl_run /home/asan_perl/Documents/perl-5.26.1/perl.c:2447
> > #4 0x46b6a7 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:123
> > #5 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> > #6 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)
> >
> > 0x619000009678 is located 8 bytes to the left of 1024-byte region [0x619000009680,0x619000009a80)
> > allocated by thread T0 here:
> >     #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
> >     #1 0x167dd81 in Perl_safesysmalloc /home/asan_perl/Documents/perl-5.26.1/util.c:153
> >     #2 0x1adf2d0 in Perl_av_extend_guts /home/asan_perl/Documents/perl-5.26.1/av.c:186
> >     #3 0x2272eb6 in Perl_new_stackinfo /home/asan_perl/Documents/perl-5.26.1/scope.c:74
> >     #4 0x8ab011 in Perl_init_stacks /home/asan_perl/Documents/perl-5.26.1/perl.c:4137
> >     #5 0x8af2e0 in perl_construct /home/asan_perl/Documents/perl-5.26.1/perl.c:274
> >     #6 0x46b033 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:117
> >     #7 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> 
> A bisect shows this is fixed in blead by this
> 
> commit 397baf232086e0a9ad6f881a9614d3dbaea853fc
> Author:     Zefram <zefram@fysh.org>
> AuthorDate: Tue Dec 12 06:24:01 2017 +0000
> Commit:     Zefram <zefram@fysh.org>
> CommitDate: Tue Dec 12 06:24:01 2017 +0000
> 
> properly check readpipe()'s argument list
> 
> readpipe() wasn't applying context to its argument list, resulting in
> readpipe()'s context leaking in, and broken stack discipline when a list
> expression was used.  Fixes [perl #4574].

It also depends on feeding code to the interpreter.

Since it's fixed I'm closing it.

I've also added it to the 5.24 and 5.26 votes files.

Tony


---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=132593
