develooper Front page | perl.perl5.porters | Postings from June 2018

[perl #133241] Reporting a use-after-free vulnerability in function Perl_sv_setpv_bufsize

From: Yaohui Chen
Date: June 4, 2018 13:24
Subject: [perl #133241] Reporting a use-after-free vulnerability in function Perl_sv_setpv_bufsize
Message ID: rt-4.0.24-27153-1527972980-1208.133241-75-0@perl.org
# New Ticket Created by  Yaohui Chen 
# Please include the string:  [perl #133241]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=133241 >


Hi,

This is a bug report for perl from yaohway@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.26.2.


The POC is attached in this mail. Simply running perl compiled with ASAN on the
POC file will recreate the problem.

If possible, could you also help apply for a CVE?


-----------------------------------------------------------------
[Please describe your issue here]
There's a use-after-free bug in function Perl_sv_setpv_bufsize(), when the
buffer pointed to by sv is freed.
The complete ASAN output is as follows:

=================================================================
==9960==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000fb0 at pc 0x0000008159df bp 0x7fff92a6ff50 sp 0x7fff92a6ff48
WRITE of size 1 at 0x602000000fb0 thread T0
    #0 0x8159de in Perl_sv_setpv_bufsize ~/test_progs/perl_dir/perl-asan/sv.c:4961:17
    #1 0x947c4d in Perl_do_vop ~/test_progs/perl_dir/perl-asan/doop.c:1031:9
    #2 0x871462 in Perl_pp_bit_or ~/test_progs/perl_dir/perl-asan/pp.c:2464:2
    #3 0x74c6e9 in Perl_runops_debug ~/test_progs/perl_dir/perl-asan/dump.c:2451:23
    #4 0x5bd845 in S_run_body ~/test_progs/perl_dir/perl-asan/perl.c
    #5 0x5bd0e1 in perl_run ~/test_progs/perl_dir/perl-asan/perl.c:2455:2
    #6 0x543718 in main ~/test_progs/perl_dir/perl-asan/perlmain.c:123:9
    #7 0x7f0dd39baf44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #8 0x43655b in _start (~/test_progs/perl_dir/perl-asan/perl+0x43655b)

0x602000000fb0 is located 0 bytes inside of 10-byte region [0x602000000fb0,0x602000000fba)
freed by thread T0 here:
    #0 0x50ef00 in __interceptor_free /home/farshaq/softwares/llvm-latest/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68
    #1 0x822e57 in Perl_sv_clear ~/test_progs/perl_dir/perl-asan/sv.c:6771:7
    #2 0x826bde in Perl_sv_free2 ~/test_progs/perl_dir/perl-asan/sv.c:7073:9

previously allocated by thread T0 here:
    #0 0x50f266 in malloc /home/farshaq/softwares/llvm-latest/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x74f690 in Perl_safesysmalloc ~/test_progs/perl_dir/perl-asan/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free ~/test_progs/perl_dir/perl-asan/sv.c:4961:17 in Perl_sv_setpv_bufsize
Shadow bytes around the buggy address:
  0x0c047fff81a0: fa fa fd fd fa fa fd fd fa fa 00 02 fa fa fd fd
  0x0c047fff81b0: fa fa fd fa fa fa 00 02 fa fa fd fd fa fa fd fd
  0x0c047fff81c0: fa fa 00 02 fa fa 02 fa fa fa fd fd fa fa fd fa
  0x0c047fff81d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff81e0: fa fa fd fd fa fa 02 fa fa fa fd fa fa fa 00 02
=>0x0c047fff81f0: fa fa fd fd fa fa[fd]fd fa fa 00 02 fa fa 02 fa
  0x0c047fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:   f1
  Stack mid redzone:   f2
  Stack right redzone:   f3
  Stack after return:   f5
  Stack use after scope:   f8
  Global redzone:   f9
  Global init order:   f6
  Poisoned by user:   f7
  Container overflow:   fc
  Array cookie:   ac
  Intra object redzone:    bb
  ASan internal:   fe
  Left alloca redzone:   ca
  Right alloca redzone:    cb
==9960==ABORTING



[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=high
---
Site configuration information for perl 5.26.2:

Configured by farshaq at Sat Jun  2 15:41:08 EDT 2018.

Summary of my perl5 (revision 5 version 26 subversion 2) configuration:

  Platform:
    osname=linux
    osvers=4.4.0-57-generic
    archname=x86_64-linux
    uname='linux farshaq-terminator 4.4.0-57-generic #78~14.04.1-ubuntu smp sat dec 10 00:14:47 utc 2016 x86_64 x86_64 x86_64 gnulinux '
    config_args='-de -Dusedevel -DEBUGGING -Doptimize=-g -O2 -Dcc=clang -Accflags=-fsanitize=address -Aldflags=-fsanitize=address'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='clang'
    ccflags ='-fsanitize=address -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-g -O2'
    cppflags='-fsanitize=address -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 6.0.0 (trunk 310803)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='clang'
    ldflags =' -fsanitize=address -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/local/lib/clang/6.0.0/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.19.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -g -O2 -L/usr/local/lib -fstack-protector-strong'


---
@INC for perl 5.26.2:
    /usr/local/lib/perl5/site_perl/5.26.2/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.26.2
    /usr/local/lib/perl5/5.26.2/x86_64-linux
    /usr/local/lib/perl5/5.26.2

---
Environment for perl 5.26.2:
    HOME=/home/farshaq
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)

    PATH=/home/farshaq/work/VulSniper/umet_aosp_6.0.1_r8/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/bin:/home/farshaq/Android/Sdk/platform-tools:/home/farshaq/Android/Sdk/tools:/home/farshaq/work/VulSniper/umet_aosp_6.0.1_r8/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/bin:/home/farshaq/Android/Sdk/platform-tools:/home/farshaq/Android/Sdk/tools:/home/farshaq/work/VulSniper/umet_aosp_6.0.1_r8/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/bin:/home/farshaq/Android/Sdk/platform-tools:/home/farshaq/Android/Sdk/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/fish
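A triage helper, added here as an example and not part of this ticket or of perl's own code: it parses an AddressSanitizer heap-use-after-free report of the shape shown above into its three stacks (the faulting access, the free, and the allocation) and reduces each to the first frame that is not sanitizer runtime or libc, which is what a maintainer needs to locate the dangling pointer. The embedded report is a constructed, shortened copy of the one in this ticket (paths abbreviated, frames trimmed).

```python
import re
# Constructed sample modelled on the report above (paths shortened, frames trimmed).
SAMPLE = """\
==9960==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000fb0 at pc 0x8159df
WRITE of size 1 at 0x602000000fb0 thread T0
    #0 0x8159de in Perl_sv_setpv_bufsize sv.c:4961:17
    #1 0x947c4d in Perl_do_vop doop.c:1031:9
0x602000000fb0 is located 0 bytes inside of 10-byte region [0x602000000fb0,0x602000000fba)
freed by thread T0 here:
    #0 0x50ef00 in __interceptor_free asan_malloc_linux.cc:68
    #1 0x822e57 in Perl_sv_clear sv.c:6771:7
previously allocated by thread T0 here:
    #0 0x50f266 in malloc asan_malloc_linux.cc:88
    #1 0x74f690 in Perl_safesysmalloc util.c:153:21
"""
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
RUNTIME = ("__interceptor_", "__libc_", "_start", "malloc", "free", "calloc", "realloc")
def parse_asan(text):
    # Walk the report once; frames are filed under whichever stack section is open.
    rep = {"kind": "", "address": "", "access": "", "size": 0, "offset": -1, "region": 0,
           "stacks": {"access": [], "free": [], "alloc": []}}
    section = "access"
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            rep["kind"], rep["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            rep["offset"], rep["region"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by"):
            section = "free"
        elif line.startswith("previously allocated by"):
            section = "alloc"
        elif m := FRAME_RE.match(line):
            rep["stacks"][section].append((m.group(1), m.group(2)))
    return rep
def first_project_frame(frames):
    # Skip sanitizer-runtime and libc frames; the first remaining frame is the project's code.
    return next(((f, loc) for f, loc in frames if not f.startswith(RUNTIME)), None)
def triage(text):
    rep = parse_asan(text)
    return {"kind": rep["kind"], "access": f'{rep["access"]}({rep["size"]})',
            "offset": rep["offset"], "region": rep["region"],
            **{k: first_project_frame(rep["stacks"][s]) for k, s in
               (("hit", "access"), ("freed_by", "free"), ("allocated_by", "alloc"))}}
```

For this ticket the result pairs the write in Perl_sv_setpv_bufsize with the free in Perl_sv_clear and the allocation in Perl_safesysmalloc, at offset 0 of a 10-byte region.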
