Open p5pRT opened 11 years ago
I discovered accidentally\, that if you're writing a PerlIO layer with PerlIO::via\, that you can accidentally leak the contents of the previously loaded file to calling code.
In the given example on my machine\, the contents of XSLoader.pm are spewed to my terminal with arbitrary binary data around it\, suggesting to me some kind of memory leakage/buffer overflow.
---- use strict; use warnings; use utf8;
{ package PerlIO::via::Bug;
sub PUSHED { return bless {}\, $_[0]; } sub READ { return $_[2]; } }
open my $fh\, '\<:raw:via(Bug)'\, '/dev/null' or die "Cannot open\, $! $?";
read $fh\, ( my $buf )\, 1024;
print $buf;
---
The failure still occurs without any of the aforementioned "use" statements\, just 'use utf8' is convenient for me\, because it somehow causes the contents of "XSLoader.pm" to be dumped\, which is a clear indication of error.
different values of "use" will result in different output.
I should also note\, even assigning to $buffer doesn't help you.
It just assumes you're not lying when you return $length
So as long as $length > length($buffer)\, corruption will be seen.
The RT System itself - Status changed from 'new' to 'open'
More\, if you change the return to a fixed number such as 1024\, and then invoke the read as simply 'read $fh\, ( my $buf )\, 1'\, it invokes a GLIBC corruption:
On Mon Sep 23 08:54:16 2013\, kentfredric@gmail.com wrote:
I discovered accidentally\, that if you're writing a PerlIO layer with PerlIO::via\, that you can accidentally leak the contents of the previously loaded file to calling code.
In the given example on my machine\, the contents of XSLoader.pm are spewed to my terminal with arbitrary binary data around it\, suggesting to me some kind of memory leakage/buffer overflow.
---- use strict; use warnings; use utf8;
{ package PerlIO::via::Bug;
sub PUSHED { return bless {}\, $_[0]; } sub READ { return $_[2]; } }
open my $fh\, '\<:raw:via(Bug)'\, '/dev/null' or die "Cannot open\, $! $?";
read $fh\, ( my $buf )\, 1024;
print $buf;
---
The failure still occurs without any of the aforementioned "use" statements\, just 'use utf8' is convenient for me\, because it somehow causes the contents of "XSLoader.pm" to be dumped\, which is a clear indication of error.
different values of "use" will result in different output.
The bug is in PerlIOVia_read. It's doing a two things wrong: 1) It does not ensure the buffer is in fact a string before using SvPVX. 2) It does not check if the length is in any way sane.
Leon
Migrated from rt.perl.org#119961 (status was 'open')
Searchable as RT119961$