Open p5pRT opened 9 years ago
Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

```sh
./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test
```

And then fuzzed the resulting binary using:

```sh
AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
```

After reducing testcases using `afl-tmin` and filtering out testcases that are merely iterations of "#!perl -u", I have located the following testcase that triggers a double free in the perl interpreter. The testcase is the 134-character file:

```
du_S.Ak.SA.=$[.=_.Ak.SA.=$[.=$[=$$$_S.Ak.S.=$[.=$[=$$$A.k.SA.=$[.=*[=$$$_S.AkAk.SA.=%[=__S.Ak.SA.=$[.=$[=$S.Ak.SA.=$[.=_.Ak.SA.=$[.$$$
```

Any attempt to reduce this testcase causes the bug to disappear.
```
dcollins@nightshade:/usr/local/perl-afl/out$ ../bin/perl f2/crashes/id\:000000\,sig\:06\,src\:006941+020231\,op\:splice\,rep\:2
*** Error in `../bin/perl': double free or corruption (!prev): 0x0a21c3f0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x68c9b)[0xb7589c9b]
/lib/libc.so.6(+0x6eef7)[0xb758fef7]
/lib/libc.so.6(+0x6f6a1)[0xb75906a1]
../bin/perl(Perl_sv_clear+0x609)[0x838b2c9]
../bin/perl(Perl_sv_free2+0x191)[0x8386cd1]
../bin/perl(Perl_free_tmps+0x27a)[0x845e6ea]
../bin/perl(perl_run+0xaf5)[0x8116ec5]
../bin/perl(main+0x392)[0x8068972]
/lib/libc.so.6(__libc_start_main+0xf7)[0xb7539447]
../bin/perl[0x80689d7]
======= Memory map: ========
08048000-087d8000 r-xp 00000000 08:01 192212     /usr/local/perl-afl/bin/perl
087d8000-087da000 rw-p 00790000 08:01 192212     /usr/local/perl-afl/bin/perl
0a215000-0a258000 rw-p 00000000 00:00 0          [heap]
b7200000-b7221000 rw-p 00000000 00:00 0
b7221000-b7300000 ---p 00000000 00:00 0
b7364000-b7380000 r-xp 00000000 08:01 1219379    /usr/local/lib/libgcc_s.so.1
b7380000-b7381000 rw-p 0001b000 08:01 1219379    /usr/local/lib/libgcc_s.so.1
b7391000-b751f000 r--p 00000000 08:01 1209425    /usr/lib/locale/locale-archive
b751f000-b7521000 rw-p 00000000 00:00 0
b7521000-b76d1000 r-xp 00000000 08:01 858184     /lib/libc-2.22.so
b76d1000-b76d3000 r--p 001b0000 08:01 858184     /lib/libc-2.22.so
b76d3000-b76d4000 rw-p 001b2000 08:01 858184     /lib/libc-2.22.so
b76d4000-b76d7000 rw-p 00000000 00:00 0
b76d7000-b76d9000 r-xp 00000000 08:01 858182     /lib/libutil-2.22.so
b76d9000-b76da000 r--p 00001000 08:01 858182     /lib/libutil-2.22.so
b76da000-b76db000 rw-p 00002000 08:01 858182     /lib/libutil-2.22.so
b76db000-b76e4000 r-xp 00000000 08:01 439490     /lib/libcrypt-2.22.so
b76e4000-b76e5000 r--p 00008000 08:01 439490     /lib/libcrypt-2.22.so
b76e5000-b76e6000 rw-p 00009000 08:01 439490     /lib/libcrypt-2.22.so
b76e6000-b770e000 rw-p 00000000 00:00 0
b770e000-b7759000 r-xp 00000000 08:01 858147     /lib/libm-2.22.so
b7759000-b775a000 r--p 0004b000 08:01 858147     /lib/libm-2.22.so
b775a000-b775b000 rw-p 0004c000 08:01 858147     /lib/libm-2.22.so
b775b000-b775e000 r-xp 00000000 08:01 858149     /lib/libdl-2.22.so
b775e000-b775f000 r--p 00002000 08:01 858149     /lib/libdl-2.22.so
b775f000-b7760000 rw-p 00003000 08:01 858149     /lib/libdl-2.22.so
b7760000-b7777000 r-xp 00000000 08:01 858160     /lib/libnsl-2.22.so
b7777000-b7778000 r--p 00016000 08:01 858160     /lib/libnsl-2.22.so
b7778000-b7779000 rw-p 00017000 08:01 858160     /lib/libnsl-2.22.so
b7779000-b777b000 rw-p 00000000 00:00 0
b777b000-b7794000 r-xp 00000000 08:01 439491     /lib/libpthread-2.22.so
b7794000-b7795000 r--p 00018000 08:01 439491     /lib/libpthread-2.22.so
b7795000-b7796000 rw-p 00019000 08:01 439491     /lib/libpthread-2.22.so
b7796000-b7798000 rw-p 00000000 00:00 0
b779c000-b779d000 rw-p 00000000 00:00 0
b779d000-b77a7000 r-xp 00000000 08:01 216674     /usr/local/perl-afl/lib/5.23.4/i686-linux-64int-ld/auto/arybase/arybase.so
b77a7000-b77a8000 rw-p 00009000 08:01 216674     /usr/local/perl-afl/lib/5.23.4/i686-linux-64int-ld/auto/arybase/arybase.so
b77a8000-b77a9000 rw-p 00000000 00:00 0
b77a9000-b77aa000 r-xp 00000000 00:00 0          [vdso]
b77aa000-b77cc000 r-xp 00000000 08:01 858183     /lib/ld-2.22.so
b77cc000-b77cd000 r--p 00021000 08:01 858183     /lib/ld-2.22.so
b77cd000-b77ce000 rw-p 00022000 08:01 858183     /lib/ld-2.22.so
bf88d000-bf8a2000 rw-p 00000000 00:00 0          [stack]
Aborted
```
**GDB**
```
Program received signal SIGABRT, Aborted.
0xb7fdb424 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fdb424 in __kernel_vsyscall ()
#1 0xb7d7ebd6 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#2 0xb7d801a7 in __GI_abort () at abort.c:89
#3 0xb7dbbca0 in __libc_message (do_abort=2,
    fmt=0xb7eb31d0 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4 0xb7dc1ef7 in malloc_printerr (action=\
```
**VALGRIND**
As usual, valgrind seems to modify the behavior slightly, but this call to memmove() on blocks of memory that are already freed seems to be quite relevant.

```
dcollins@nightshade:/usr/local/perl-afl/out$ valgrind ../bin/perl f2/crashes/id\:000000\,sig\:06\,src\:006941+020231\,op\:splice\,rep\:2
==28572== Memcheck, a memory error detector
==28572== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==28572== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==28572== Command: ../bin/perl f2/crashes/id:000000,sig:06,src:006941+020231,op:splice,rep:2
==28572==
==28572== Invalid write of size 1
==28572==    at 0x83CB717: Perl_sv_setpvn (sv.c:4851)
==28572==    by 0x835594F: Perl_pp_concat (pp_hot.c:286)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==  Address 0x4303238 is 0 bytes inside a block of size 10 free'd
==28572==    at 0x402B0B0: free (vg_replace_malloc.c:473)
==28572==    by 0x838B2C8: Perl_sv_clear (sv.c:6606)
==28572==    by 0x8386CD0: Perl_sv_free2 (sv.c:6881)
==28572==    by 0x811B455: S_SvREFCNT_dec (inline.h:166)
==28572==    by 0x811B455: Perl_gp_free (gv.c:2539)
==28572==    by 0x83AB7C8: Perl_sv_setsv_flags (sv.c:4507)
==28572==    by 0x835392E: Perl_pp_sassign (pp_hot.c:225)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==
==28572== Invalid write of size 4
==28572==    at 0x402DAB2: __GI_memmove (vg_replace_strmem.c:1110)
==28572==    by 0x83C7194: memmove (string3.h:59)
==28572==    by 0x83C7194: Perl_sv_catpvn_flags (sv.c:5370)
==28572==    by 0x83555B4: Perl_pp_concat (pp_hot.c:310)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==  Address 0x4303238 is 0 bytes inside a block of size 10 free'd
==28572==    at 0x402B0B0: free (vg_replace_malloc.c:473)
==28572==    by 0x838B2C8: Perl_sv_clear (sv.c:6606)
==28572==    by 0x8386CD0: Perl_sv_free2 (sv.c:6881)
==28572==    by 0x811B455: S_SvREFCNT_dec (inline.h:166)
==28572==    by 0x811B455: Perl_gp_free (gv.c:2539)
==28572==    by 0x83AB7C8: Perl_sv_setsv_flags (sv.c:4507)
==28572==    by 0x835392E: Perl_pp_sassign (pp_hot.c:225)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==
==28572== Invalid write of size 2
==28572==    at 0x402DB23: __GI_memmove (vg_replace_strmem.c:1110)
==28572==    by 0x83C7194: memmove (string3.h:59)
==28572==    by 0x83C7194: Perl_sv_catpvn_flags (sv.c:5370)
==28572==    by 0x83555B4: Perl_pp_concat (pp_hot.c:310)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==  Address 0x4303244 is 2 bytes after a block of size 10 free'd
==28572==    at 0x402B0B0: free (vg_replace_malloc.c:473)
==28572==    by 0x838B2C8: Perl_sv_clear (sv.c:6606)
==28572==    by 0x8386CD0: Perl_sv_free2 (sv.c:6881)
==28572==    by 0x811B455: S_SvREFCNT_dec (inline.h:166)
==28572==    by 0x811B455: Perl_gp_free (gv.c:2539)
==28572==    by 0x83AB7C8: Perl_sv_setsv_flags (sv.c:4507)
==28572==    by 0x835392E: Perl_pp_sassign (pp_hot.c:225)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==
==28572== Invalid write of size 1
==28572==    at 0x83C71D8: Perl_sv_catpvn_flags (sv.c:5392)
==28572==    by 0x83555B4: Perl_pp_concat (pp_hot.c:310)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==  Address 0x4303246 is 4 bytes after a block of size 10 free'd
==28572==    at 0x402B0B0: free (vg_replace_malloc.c:473)
==28572==    by 0x838B2C8: Perl_sv_clear (sv.c:6606)
==28572==    by 0x8386CD0: Perl_sv_free2 (sv.c:6881)
==28572==    by 0x811B455: S_SvREFCNT_dec (inline.h:166)
==28572==    by 0x811B455: Perl_gp_free (gv.c:2539)
==28572==    by 0x83AB7C8: Perl_sv_setsv_flags (sv.c:4507)
==28572==    by 0x835392E: Perl_pp_sassign (pp_hot.c:225)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==
==28572== Invalid read of size 1
==28572==    at 0x402DAE0: __GI_memmove (vg_replace_strmem.c:1110)
==28572==    by 0x83C7194: memmove (string3.h:59)
==28572==    by 0x83C7194: Perl_sv_catpvn_flags (sv.c:5370)
==28572==    by 0x83555B4: Perl_pp_concat (pp_hot.c:310)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==  Address 0x4303238 is 0 bytes inside a block of size 10 free'd
==28572==    at 0x402B0B0: free (vg_replace_malloc.c:473)
==28572==    by 0x838B2C8: Perl_sv_clear (sv.c:6606)
==28572==    by 0x8386CD0: Perl_sv_free2 (sv.c:6881)
==28572==    by 0x811B455: S_SvREFCNT_dec (inline.h:166)
==28572==    by 0x811B455: Perl_gp_free (gv.c:2539)
==28572==    by 0x83AB7C8: Perl_sv_setsv_flags (sv.c:4507)
==28572==    by 0x835392E: Perl_pp_sassign (pp_hot.c:225)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==
==28572== Invalid read of size 1
==28572==    at 0x402DAEB: __GI_memmove (vg_replace_strmem.c:1110)
==28572==    by 0x83C7194: memmove (string3.h:59)
==28572==    by 0x83C7194: Perl_sv_catpvn_flags (sv.c:5370)
==28572==    by 0x83555B4: Perl_pp_concat (pp_hot.c:310)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==  Address 0x430323a is 2 bytes inside a block of size 10 free'd
==28572==    at 0x402B0B0: free (vg_replace_malloc.c:473)
==28572==    by 0x838B2C8: Perl_sv_clear (sv.c:6606)
==28572==    by 0x8386CD0: Perl_sv_free2 (sv.c:6881)
==28572==    by 0x811B455: S_SvREFCNT_dec (inline.h:166)
==28572==    by 0x811B455: Perl_gp_free (gv.c:2539)
==28572==    by 0x83AB7C8: Perl_sv_setsv_flags (sv.c:4507)
==28572==    by 0x835392E: Perl_pp_sassign (pp_hot.c:225)
==28572==    by 0x835106A: Perl_runops_standard (run.c:41)
==28572==    by 0x8116EB6: S_run_body (perl.c:2456)
==28572==    by 0x8116EB6: perl_run (perl.c:2379)
==28572==    by 0x8068971: main (perlmain.c:116)
==28572==
==28572==
==28572== HEAP SUMMARY:
==28572==     in use at exit: 136,520 bytes in 805 blocks
==28572==   total heap usage: 1,414 allocs, 609 frees, 226,471 bytes allocated
==28572==
==28572== LEAK SUMMARY:
==28572==    definitely lost: 0 bytes in 0 blocks
==28572==    indirectly lost: 0 bytes in 0 blocks
==28572==      possibly lost: 16,925 bytes in 9 blocks
==28572==    still reachable: 119,595 bytes in 796 blocks
==28572==         suppressed: 0 bytes in 0 blocks
==28572== Rerun with --leak-check=full to see details of leaked memory
==28572==
==28572== For counts of detected and suppressed errors, rerun with: -v
==28572== ERROR SUMMARY: 21 errors from 6 contexts (suppressed: 0 from 0)
```
**PERL -V**
```
dcollins@nightshade:/usr/local/perl-afl/out$ ../bin/perl -V
Summary of my perl5 (revision 5 version 23 subversion 4) configuration:
  Commit id: 7a36e618ad808bf649080137e3fb56386d8420e3
  Platform:
    osname=linux, osvers=2.6.32-5-686, archname=i686-linux-64int-ld
    uname='linux nightshade 2.6.32-5-686 #1 smp tue may 13 16:33:32 utc 2014 i686 gnulinux '
    config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=undef, uselongdouble=define
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='ccache afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-g',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='5.2.0', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
    ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/local/lib/gcc/i686-pc-linux-gnu/5.2.0/include-fixed /usr/lib /lib/../lib /usr/lib/../lib /lib /usr/lib/i486-linux-gnu /usr/lib64
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.22'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
                        PERL_DONT_CREATE_GVSV
                        PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
                        PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_INT
                        USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE
                        USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_LOCALE_TIME
                        USE_LONG_DOUBLE USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Sep 24 2015 13:01:10
  @INC:
    /usr/local/perl-afl/lib/site_perl/5.23.4/i686-linux-64int-ld
    /usr/local/perl-afl/lib/site_perl/5.23.4
    /usr/local/perl-afl/lib/5.23.4/i686-linux-64int-ld
    /usr/local/perl-afl/lib/5.23.4
    /usr/local/perl-afl/lib/site_perl/5.23.3
    /usr/local/perl-afl/lib/site_perl/5.23.2
    /usr/local/perl-afl/lib/site_perl
    .
```
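The triage steps in the report above (read the AFL crash file name, run the file under memcheck, decide from the "Address ... inside/after a block ... free'd" lines whether this is a use-after-free and which Perl function did the access) can be scripted so that a whole `crashes/` directory is bucketed by bug class and responsible frame before anyone opens gdb. The following Python script is an added example, not code from the bug report or from the perl5 project: it parses AFL's `id:...,sig:...,src:...,op:...,rep:...` naming convention and memcheck's report format, attributes each access to the first frame that is not a libc wrapper such as `memmove`, and ranks the error classes. The embedded report is a constructed, shortened copy of the memcheck output above; the class names and the severity order are this example's own choices.

```python
"""Triage helper for AFL crash files checked under Valgrind memcheck (added
example, not code from the bug report or from the perl5 project)."""
import re

# Constructed sample: two of the six error contexts from the memcheck report
# above, keeping its original frames, addresses and error summary.
SAMPLE_MEMCHECK = """\
==28572== Invalid write of size 1
==28572==    at 0x83CB717: Perl_sv_setpvn (sv.c:4851)
==28572==    by 0x835594F: Perl_pp_concat (pp_hot.c:286)
==28572==  Address 0x4303238 is 0 bytes inside a block of size 10 free'd
==28572==    at 0x402B0B0: free (vg_replace_malloc.c:473)
==28572==    by 0x838B2C8: Perl_sv_clear (sv.c:6606)
==28572==    by 0x835392E: Perl_pp_sassign (pp_hot.c:225)
==28572==
==28572== Invalid write of size 2
==28572==    at 0x402DB23: __GI_memmove (vg_replace_strmem.c:1110)
==28572==    by 0x83C7194: memmove (string3.h:59)
==28572==    by 0x83C7194: Perl_sv_catpvn_flags (sv.c:5370)
==28572==  Address 0x4303244 is 2 bytes after a block of size 10 free'd
==28572==    at 0x402B0B0: free (vg_replace_malloc.c:473)
==28572==
==28572== ERROR SUMMARY: 21 errors from 6 contexts (suppressed: 0 from 0)
"""

def parse_afl_name(path):
    """Split 'id:000000,sig:06,src:006941+020231,op:splice,rep:2' into fields;
    numeric fields become ints, and 'sig' is absent for non-crash queue entries."""
    fields = {}
    for item in path.rsplit("/", 1)[-1].split(","):
        key, _, value = item.partition(":")
        fields[key] = int(value) if key in ("id", "sig", "rep", "pos") and value.isdigit() else value
    return fields

PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")
ERROR_RE = re.compile(r"^(Invalid (?:read|write)) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+)(?: \(([^)]*)\))?$")
BLOCK_RE = re.compile(r"^Address 0x[0-9A-Fa-f]+ is (\d+) bytes (inside|before|after) "
                      r"a block of size (\d+) (free'd|alloc'd)")
SUMMARY_RE = re.compile(r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts")

def parse_memcheck(text):
    """Return (errors, (total_errors, contexts)); each error holds the access kind
    and size, its stack, the heap block memcheck related it to, and that block's
    free/alloc stack."""
    errors, totals, cur = [], (0, 0), None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                          # program output, not a memcheck line
        line = m.group(1).strip()
        if not line:                          # a blank memcheck line ends a record
            if cur is not None:
                errors.append(cur)
            cur = None
        elif (m := ERROR_RE.match(line)):
            cur = {"kind": m.group(1), "size": int(m.group(2)),
                   "access_stack": [], "block": None, "block_stack": []}
        elif (m := SUMMARY_RE.match(line)):
            totals = (int(m.group(1)), int(m.group(2)))
        elif cur is not None and (m := BLOCK_RE.match(line)):
            cur["block"] = {"offset": int(m.group(1)), "relation": m.group(2),
                            "size": int(m.group(3)), "state": m.group(4)}
        elif cur is not None and (m := FRAME_RE.match(line)):
            # frames after the "Address ..." line describe the free/alloc site
            stack = cur["block_stack"] if cur["block"] else cur["access_stack"]
            stack.append((m.group(1), m.group(2) or ""))
    if cur is not None:
        errors.append(cur)
    return errors, totals

LIBC_WRAPPERS = {"memmove", "memcpy", "memset", "strcpy", "free", "malloc", "realloc"}
SEVERITY = ["invalid-access", "heap-buffer-overflow", "freed-block-out-of-bounds", "use-after-free"]

def first_app_frame(stack):
    """First frame that is not a libc/valgrind wrapper, so an access made through
    memmove() is attributed to its caller rather than to memmove itself."""
    for func, _loc in stack:
        if not func.startswith("__") and func not in LIBC_WRAPPERS:
            return func
    return stack[0][0] if stack else "?"

def classify(err):
    """Name the bug class from the block relation memcheck reported."""
    block = err["block"]
    if block is None:
        return "invalid-access"               # wild pointer, stack, or unknown block
    if block["state"] == "free'd":
        return "use-after-free" if block["relation"] == "inside" else "freed-block-out-of-bounds"
    return "heap-buffer-overflow" if block["relation"] != "inside" else "invalid-access"

def triage(crash_path, memcheck_text):
    """One-line verdict: AFL metadata plus the worst error class memcheck saw."""
    meta = parse_afl_name(crash_path)
    errors, (n_err, n_ctx) = parse_memcheck(memcheck_text)
    head = f"sig {meta.get('sig', '-')} via op {meta.get('op', '?')}"
    if not errors:
        return f"{head}: no memcheck errors"
    worst = max(errors, key=lambda e: SEVERITY.index(classify(e)))
    return (f"{head}: {n_err} errors in {n_ctx} contexts, "
            f"worst {classify(worst)} in {first_app_frame(worst['access_stack'])}")
```

Calling `triage("f2/crashes/id:000000,sig:06,src:006941+020231,op:splice,rep:2", SAMPLE_MEMCHECK)` returns `sig 6 via op splice: 21 errors in 6 contexts, worst use-after-free in Perl_sv_setpvn`; on a real run, feed it the text of `valgrind ../bin/perl <crashfile> 2>&1` for each file in the AFL output directory. Attributing the memmove() errors to `Perl_sv_catpvn_flags` rather than to memmove is what makes the buckets useful: all six contexts in the report above then collapse to two Perl functions (`Perl_sv_setpvn` and `Perl_sv_catpvn_flags`) that both touch the block freed from `Perl_pp_sassign`.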
On 26/09/2015 16:42, Dan Collins (via RT) wrote:

> # New Ticket Created by Dan Collins
> # Please include the string: [perl #126199]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=126199 >
>
> Greetings Porters,
>
> I have compiled bleadperl with the afl-gcc compiler using:
>
> ./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
> AFL_HARDEN=1 make && make test
>
> And then fuzzed the resulting binary using:
>
> AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
>
> After reducing testcases using `afl-tmin` and filtering out testcases that are merely iterations of "#!perl -u", I have located the following testcase that triggers a double free in the perl interpreter. The testcase is the 134-character file:
>
> du_S.Ak.SA.=$[.=_.Ak.SA.=$[.=$[=$$$_S.Ak.S.=$[.=$[=$$$A.k.SA.=$[.=*[=$$$_S.AkAk.SA.=%[=__S.Ak.SA.=$[.=$[=$S.Ak.SA.=$[.=_.Ak.SA.=$[.$$$
Using a debugging and poisonous perl, I can reduce this to:

```perl
$[ .= *[ = 'y'
```

which seems to be yet another incarnation of the "stack is not refcounted" bug.
Vincent
The RT System itself - Status changed from 'new' to 'open'
Migrated from rt.perl.org#126199 (status was 'open')