perl.perl5.porters: Postings from January 2019

[perl #133778] SUMMARY: AddressSanitizer: heap-use-after-free

From: Ryan Black
Date: January 19, 2019 03:39
Subject: [perl #133778] SUMMARY: AddressSanitizer: heap-use-after-free
Message ID: rt-4.0.24-21269-1547868830-495.133778-75-0@perl.org
# New Ticket Created by  Ryan Black 
# Please include the string:  [perl #133778]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=133778 >


Triggered while fuzzing Perl 5.29.2

=================================================================
==85931==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000a478 at pc 0x000000d3d00b bp 0x7ffeb92c0670 sp 0x7ffeb92c0668
WRITE of size 8 at 0x61900000a478 thread T0
    #0 0xd3d00a  (/usr/local/bin/perl5.29.2+0xd3d00a)
    #1 0xa11b68  (/usr/local/bin/perl5.29.2+0xa11b68)
    #2 0x669ed5  (/usr/local/bin/perl5.29.2+0x669ed5)
    #3 0x506dfb  (/usr/local/bin/perl5.29.2+0x506dfb)
    #4 0x7f42fc1d182f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x435388  (/usr/local/bin/perl5.29.2+0x435388)

0x61900000a478 is located 1016 bytes inside of 1024-byte region
[0x61900000a080,0x61900000a480)
freed by thread T0 here:
    #0 0x4d5838  (/usr/local/bin/perl5.29.2+0x4d5838)
    #1 0xa1b940  (/usr/local/bin/perl5.29.2+0xa1b940)

previously allocated by thread T0 here:
    #0 0x4d54b8  (/usr/local/bin/perl5.29.2+0x4d54b8)
    #1 0xa1ac48  (/usr/local/bin/perl5.29.2+0xa1ac48)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/local/bin/perl5.29.2+0xd3d00a)
Shadow bytes around the buggy address:
  0x0c327fff9430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c327fff9480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c327fff9490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff94a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff94b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff94c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==85931==ABORTING



Summary of my perl5 (revision 5 version 29 subversion 2) configuration:
  Commit id: 50749d5e9a1fa736cbeded953c9b285514742026
  Platform:
    osname=linux
    osvers=4.4.0-128-generic
    archname=x86_64-linux
    uname='linux ubuntu 4.4.0-128-generic #154-ubuntu smp fri may 25 14:15:18 utc 2018 x86_64 x86_64 x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang -Doptimize=-O2 -g'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='afl-clang'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O2 -g'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.8/bin/../lib/clang/3.8.0/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.23.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.23'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options:
    DEBUGGING
    HAS_TIMES
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    PERL_USE_DEVEL
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
  Built under linux
  Compiled at Aug  1 2018 10:59:47
  @INC:
    /usr/local/lib/perl5/site_perl/5.29.2/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.29.2
    /usr/local/lib/perl5/5.29.2/x86_64-linux
    /usr/local/lib/perl5/5.29.2
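Editor's note. The frames in the report above are unsymbolized (module+offset only) and the shadow dump is easy to misread, so here is an added triage example. It is my own code, not part of the ticket and not a perl or LLVM tool. It embeds the report from the ticket as constructed input (wrapped lines rejoined, shadow dump trimmed to the marked row), parses it into structured fields, cross-checks the numbers ASan printed against each other using the x86_64 Linux shadow mapping (shadow = (addr >> 3) + 0x7fff8000), and emits the addr2line invocations needed to symbolize the frames against the same unstripped binary. The addr2line flags are standard binutils; nothing here is specific to perl.

```python
"""Parse an AddressSanitizer report into triage data (added example)."""
import re

# Constructed input: the ASan report from perl #133778 above, wrapped lines
# rejoined and the shadow dump reduced to the row ASan marked with "=>".
REPORT = """\
==85931==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000a478 at pc 0x000000d3d00b bp 0x7ffeb92c0670 sp 0x7ffeb92c0668
WRITE of size 8 at 0x61900000a478 thread T0
    #0 0xd3d00a  (/usr/local/bin/perl5.29.2+0xd3d00a)
    #1 0xa11b68  (/usr/local/bin/perl5.29.2+0xa11b68)
    #2 0x669ed5  (/usr/local/bin/perl5.29.2+0x669ed5)
    #3 0x506dfb  (/usr/local/bin/perl5.29.2+0x506dfb)
    #4 0x7f42fc1d182f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x435388  (/usr/local/bin/perl5.29.2+0x435388)

0x61900000a478 is located 1016 bytes inside of 1024-byte region [0x61900000a080,0x61900000a480)
freed by thread T0 here:
    #0 0x4d5838  (/usr/local/bin/perl5.29.2+0x4d5838)
    #1 0xa1b940  (/usr/local/bin/perl5.29.2+0xa1b940)

previously allocated by thread T0 here:
    #0 0x4d54b8  (/usr/local/bin/perl5.29.2+0x4d54b8)
    #1 0xa1ac48  (/usr/local/bin/perl5.29.2+0xa1ac48)

=>0x0c327fff9480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
"""

SHADOW_OFFSET = 0x7FFF8000  # ASan shadow base on x86_64 Linux
SHADOW_LEGEND = {"00": "addressable", "fa": "heap left redzone",
                 "fb": "heap right redzone", "fd": "freed heap region"}

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+\s+\((\S+)\+0x([0-9a-f]+)\)")
REGION_RE = re.compile(r"is located (\d+) bytes (inside|to the left|to the right) of "
                       r"(\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^=>0x([0-9a-f]+):(.*)$")


def parse_report(text):
    """Extract kind, access, address, per-section frames, region and marked shadow byte."""
    rep = {"frames": {"access": [], "freed": [], "allocated": []}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if m := ERROR_RE.search(line):
            rep["kind"], rep["addr"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            section = "access"
        elif line.startswith("freed by"):
            section = "freed"
        elif line.startswith("previously allocated by"):
            section = "allocated"
        elif m := FRAME_RE.search(line):
            rep["frames"][section].append((m.group(2), int(m.group(3), 16)))
        elif m := REGION_RE.search(line):
            rep["region"] = (int(m.group(4), 16), int(m.group(5), 16))
            rep["region_offset"], rep["region_side"] = int(m.group(1)), m.group(2)
        elif m := SHADOW_RE.match(line):
            # ASan prints the faulting shadow byte as "[xx]" in place of " xx".
            cells = re.findall(r"\[?[0-9a-f]{2}\]?", m.group(2))
            idx = next(i for i, c in enumerate(cells) if c.startswith("["))
            rep["shadow_addr"] = int(m.group(1), 16) + idx
            rep["shadow_byte"] = cells[idx].strip("[]")
    return rep


def shadow_address(addr):
    """x86_64 ASan mapping: one shadow byte covers 8 application bytes."""
    return (addr >> 3) + SHADOW_OFFSET


def triage(rep):
    """Cross-check the report's numbers and summarise where the access landed."""
    start, end = rep["region"]
    return {
        "kind": rep["kind"],
        "write_after_free": rep["kind"] == "heap-use-after-free" and rep["access"] == "WRITE",
        "offset_ok": rep["addr"] - start == rep["region_offset"],
        "region_size": end - start,
        "bytes_to_region_end": end - rep["addr"],
        "access_fits_in_region": rep["addr"] + rep["size"] <= end,
        "shadow_ok": shadow_address(rep["addr"]) == rep["shadow_addr"],
        "shadow_meaning": SHADOW_LEGEND.get(rep["shadow_byte"], "other"),
    }


def symbolize_commands(rep, section="access"):
    """addr2line invocations for the unsymbolized frames; run against the same unstripped build."""
    return [f"addr2line -f -C -e {mod} 0x{off:x}" for mod, off in rep["frames"][section]]


if __name__ == "__main__":
    r = parse_report(REPORT)
    for key, val in triage(r).items():
        print(f"{key:24} {val}")
    print("\n".join(symbolize_commands(r)))
```

What the checks tell you for this ticket: the 8-byte WRITE lands in the last 8 bytes of a 1024-byte chunk (offset 1016, region end 8 bytes away), the shadow byte ASan bracketed is exactly the one the mapping predicts for the faulting address, and it reads fd, meaning the chunk is still in ASan's quarantine and has not been handed out again. That is why the bug surfaces as a clean use-after-free here; in a non-ASan build the same write would silently scribble on whatever had since reused that chunk. Offsets must be resolved against the same binary the trace came from (here the -g afl-clang build of commit 50749d5e listed in the perl -V output), or symbols will be wrong. To get symbolized frames directly next time, point ASAN_SYMBOLIZER_PATH at an llvm-symbolizer binary before running the fuzz target.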


