
[perl #134269] heap-use-after-free in Perl_sv_setpv_bufsize(perl/sv.c:4918:17)

From: Tony Cook via RT
Date: August 7, 2019 23:37
Subject: [perl #134269] heap-use-after-free in Perl_sv_setpv_bufsize(perl/sv.c:4918:17)
Message ID: rt-4.0.24-27404-1565221024-1601.134269-15-0@perl.org

On Wed, 07 Aug 2019 01:58:17 -0700, davem wrote:
> On Mon, Aug 05, 2019 at 06:29:21PM -0700, Tony Cook via RT wrote:
> > On Mon, 08 Jul 2019 03:34:38 -0700, imdb95@gmail.com wrote:
> > > On Mon, Jul 8, 2019 at 4:18 PM Dave Mitchell via RT <
> > > perl5-security-report-followup@perl.org> wrote:
> > >
> > > > These all look like stack-not-refcounted bugs, and I don't think
> > > > they're security issues.
> > > >
> > >
> > > Can you explain why it is not a security issue when heap-use-after-free
> > > (WRITE of size 1) happens?
> >
> > We've had some debate on whether to treat such issues as security
> > issues.
> >
> > The base cause of this and similar bugs is that the perl
> > parameter/return stack isn't reference counted, and when normal
> > variables are pushed onto the stack they don't get a reference count
> > increment with delayed decrement like typical return values do.
> 
> I propose that this ticket gets moved to the public queue.

Now public.

Tony


---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=134269
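
The base cause described in the quoted text above, as an added example that is not part of the original thread and is not perl's own code: a toy C model in which a stack slot either holds a bare pointer (no reference count increment) or a reference with a delayed decrement. All names (`Val`, `take_delayed_ref`, `slot_dangles_after_callee`) are hypothetical, and "freed" is modelled as a flag so the dangling state can be observed without real undefined behaviour.

```c
#include <stdio.h>

/* Toy model, not perl's sv.c: a value with a reference count. "freed" is a
   flag, so a dangling slot can be inspected without touching freed memory. */
typedef struct { int refcnt; int freed; } Val;

static Val *temps[8];   /* references waiting for their delayed decrement */
static int ntemps;

static void val_dec(Val *v) { if (--v->refcnt == 0) v->freed = 1; }

/* Take a reference now and release it later, when free_temps() runs. */
static Val *take_delayed_ref(Val *v) { v->refcnt++; temps[ntemps++] = v; return v; }

static void free_temps(void) { while (ntemps > 0) val_dec(temps[--ntemps]); }

/* Push a variable's value onto the argument stack, let the callee drop the
   variable's own reference, and report whether the stack slot points at a
   freed value while the callee is still using it.
   counted == 0: the slot is a bare pointer, as the thread describes for
                 normal variables pushed onto the stack.
   counted == 1: the slot holds a reference with a delayed decrement, as the
                 thread describes for typical return values. */
int slot_dangles_after_callee(int counted)
{
    Val v = { 1, 0 };              /* one reference, owned by the variable */
    Val *stack[1];
    int dangling;

    stack[0] = counted ? take_delayed_ref(&v) : &v;
    val_dec(&v);                   /* callee clears or reassigns the variable */
    dangling = stack[0]->freed;    /* callee then reads its argument slot */
    free_temps();                  /* statement ends, delayed decrements run */
    return dangling;
}

int main(void)
{
    printf("uncounted slot dangling: %d\n", slot_dangles_after_callee(0));
    printf("counted slot dangling:   %d\n", slot_dangles_after_callee(1));
    return 0;
}
```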


