perl.perl5.porters | Postings from April 2019

[perl #134067] heap-buffer-overflow in S_scan_const (toke.c:4103)

From:
Sergey Aleynikov
Date:
April 27, 2019 16:29
Subject:
[perl #134067] heap-buffer-overflow in S_scan_const (toke.c:4103)
Message ID:
rt-4.0.24-32030-1556382539-968.134067-75-0@perl.org
# New Ticket Created by  Sergey Aleynikov 
# Please include the string:  [perl #134067]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=134067 >


This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.41 running under perl 5.29.9.


-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.29.10-23-g7c0d7520a3 built with afl and run
under libdislocator, I found the following program (also attached to
this message)

00000000  79 20 6f 5c 78 7b 31 30  30 7d c4 8c ff ff 80 80  |y o\x{100}......|
00000010  2d ff 6f 6f                                       |-.oo|

to trigger a heap-buffer-overflow write. ASAN diagnostics:

WRITE of size 1 at 0x603000000c21 thread T0
    #0 0x71a17b in S_scan_const /home/afl/afl-asan/toke.c:4103:8
    #1 0x6975e4 in Perl_yylex /home/afl/afl-asan/toke.c:5096:10
    #2 0x748e6d in Perl_yyparse /home/afl/afl-asan/perly.c:340:34
    #3 0x6102bc in S_parse_body /home/afl/afl-asan/perl.c:2531:9
    #4 0x6060d6 in perl_parse /home/afl/afl-asan/perl.c:1822:2
    #5 0x5382cd in main /home/afl/afl-asan/perlmain.c:132:18
    #6 0x7f1bea68909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #7 0x43fcc9 in _start (/home/afl/afl-asan/perl+0x43fcc9)

0x603000000c21 is located 0 bytes to the right of 17-byte region
[0x603000000c10,0x603000000c21)
allocated by thread T0 here:
    #0 0x504aa0 in malloc (/home/afl/afl-asan/perl+0x504aa0)
    #1 0x8cfb30 in Perl_safesysmalloc /home/afl/afl-asan/util.c:153:21
    #2 0x9f11fe in Perl_sv_grow /home/afl/afl-asan/sv.c:1599:17
    #3 0xa424cc in Perl_newSV /home/afl/afl-asan/sv.c:5653:2
    #4 0x70c15c in S_scan_const /home/afl/afl-asan/toke.c:2905:14
    #5 0x6975e4 in Perl_yylex /home/afl/afl-asan/toke.c:5096:10
    #6 0x748e6d in Perl_yyparse /home/afl/afl-asan/perly.c:340:34
    #7 0x6102bc in S_parse_body /home/afl/afl-asan/perl.c:2531:9
    #8 0x6060d6 in perl_parse /home/afl/afl-asan/perl.c:1822:2
    #9 0x5382cd in main /home/afl/afl-asan/perlmain.c:132:18
    #10 0x7f1bea68909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

This is a regression in blead, bisect points to the following commit,
and I feel this is a different issue from
https://rt.perl.org/Ticket/Display.html?id=134064

commit 7d6e74d636b95acb75fa67ff364e97ab1c8ef795
Author: Karl Williamson <khw@cpan.org>
Date:   Sat Apr 6 14:05:29 2019 -0600

    toke.c: Streamline a case

    When we are parsing a constant, and the source and destination differ in
    UTF-8ness, I realized, in single stepping through the code, that it's
    simpler and more efficient to split these into two cases, rather than
    try to do one case with some conditionals in the middle.

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=high
---
Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0:
mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64
x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib
/usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined
dynamic_lookup -L/usr/local/lib -fstack-protector'


---
@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9

---
Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh
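
Triage helper added here by the editor; it is not part of the report above or of the perl source tree. The fuzzer input is only present on this page as a `hexdump -C` listing, and the input contains bytes (0xff, 0x80) that are not valid UTF-8, so it has to be rebuilt byte for byte and written in binary mode, not pasted through a text editor. The script below decodes that listing back into the 20-byte file, then parses the head of the quoted ASAN report and checks the arithmetic ASAN states: the faulting address 0x603000000c21 is the end of the 17-byte region starting at 0x603000000c10, i.e. a one-byte write exactly one past the end of the SV buffer. Both the hexdump and the ASAN excerpt are copied from the ticket into string constants so the script runs offline; the file name `perl-134067.pl` is the editor's choice. The input reads as a `y///` (transliteration) literal whose `\x{100}` escape forces a UTF-8 destination while the raw source bytes after it are not valid UTF-8, which is consistent with the "source and destination differ in UTF-8ness" case the bisected commit describes.

```python
"""Rebuild the fuzzer input from the hexdump in the ticket and cross-check
the ASAN report.  Added triage helper; not part of perl or of the report."""
import re
from typing import NamedTuple

# Copied from the ticket (constructed copy of the two `hexdump -C` lines).
HEXDUMP = """\
00000000  79 20 6f 5c 78 7b 31 30  30 7d c4 8c ff ff 80 80  |y o\\x{100}......|
00000010  2d ff 6f 6f                                       |-.oo|
"""

# Head of the ASAN report from the ticket (constructed copy, line wrap kept).
ASAN_REPORT = """\
WRITE of size 1 at 0x603000000c21 thread T0
    #0 0x71a17b in S_scan_const /home/afl/afl-asan/toke.c:4103:8
    #1 0x6975e4 in Perl_yylex /home/afl/afl-asan/toke.c:5096:10
0x603000000c21 is located 0 bytes to the right of 17-byte region
[0x603000000c10,0x603000000c21)
"""


def decode_hexdump(text: str) -> bytes:
    """Turn `hexdump -C` output back into the original bytes.

    Each line: 8-digit hex offset, hex bytes, then an `|ascii|` column.
    Every line's offset is checked against the byte count so far, so a
    dropped or reordered line is an error instead of a wrong reproducer.
    """
    out = bytearray()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            # hexdump collapses repeated lines into "*"; expanding it needs the
            # next offset, so refuse rather than guess (none in this dump).
            raise ValueError("run-length '*' marker not supported")
        fields = line.split("|", 1)[0].split()
        offset = int(fields[0], 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} does not follow {len(out):#x}")
        out += bytes(int(h, 16) for h in fields[1:])
    return bytes(out)


def write_reproducer(path: str, data: bytes) -> None:
    # Binary mode: 0xff/0x80 are not valid UTF-8 and must reach perl unchanged.
    with open(path, "wb") as fh:
        fh.write(data)


class HeapAccess(NamedTuple):
    kind: str            # "READ" or "WRITE"
    size: int            # bytes accessed
    addr: int            # faulting address
    frame0: str          # innermost function in the access stack
    region_start: int
    region_size: int

    @property
    def bytes_past_end(self) -> int:
        """Distance from the end of the allocation to the faulting address;
        0 means the access begins exactly one byte past the last valid one."""
        return self.addr - (self.region_start + self.region_size)


_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
_FRAME0 = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+)", re.M)
_REGION = re.compile(
    r"0x([0-9a-f]+) is located (\d+) bytes (to the right of|to the left of|inside of) "
    r"(\d+)-byte region\s*\[0x([0-9a-f]+),0x([0-9a-f]+)\)"
)


def parse_asan(report: str) -> HeapAccess:
    """Extract the access and the allocation it hit; sanity-check ASAN's numbers."""
    m_acc, m_fr, m_reg = _ACCESS.search(report), _FRAME0.search(report), _REGION.search(report)
    if not (m_acc and m_fr and m_reg):
        raise ValueError("not a heap access report this parser understands")
    start, end = int(m_reg.group(5), 16), int(m_reg.group(6), 16)
    size = int(m_reg.group(4))
    if end - start != size:
        raise ValueError("region bounds disagree with stated region size")
    acc = HeapAccess(kind=m_acc.group(1), size=int(m_acc.group(2)),
                     addr=int(m_acc.group(3), 16), frame0=m_fr.group(1),
                     region_start=start, region_size=size)
    if m_reg.group(3) == "to the right of" and acc.bytes_past_end != int(m_reg.group(2)):
        raise ValueError("ASAN's stated distance does not match the addresses")
    return acc


def describe(acc: HeapAccess) -> str:
    where = ("exactly one past the end" if acc.bytes_past_end == 0
             else f"{acc.bytes_past_end} bytes past the end")
    return (f"{acc.kind} of {acc.size} byte(s) in {acc.frame0}, {where} "
            f"of a {acc.region_size}-byte heap region")


if __name__ == "__main__":
    data = decode_hexdump(HEXDUMP)
    write_reproducer("perl-134067.pl", data)
    print(len(data), "bytes written;", describe(parse_asan(ASAN_REPORT)))
```

Run it once to get `perl-134067.pl`, then feed that file to an ASAN-instrumented perl with compile-only mode (`./perl -c perl-134067.pl`); the stack in the report is entirely inside perl_parse, so no execution phase is needed to reach the faulting write. The distance check matters when comparing reports across builds: a bytes_past_end of 0 against a region allocated in S_scan_const and grown by Perl_sv_grow is the signature of an off-by-one in the output length computation, and a later report with a different distance or a different allocation site is probably a different bug (as the reporter suspects for #134064).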
