Closed p5pRT closed 7 years ago
Hello\,
I've attached the poc and the asan log. Tested on git version of perl.
Configure options:
“./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared"
Information about configuration:
Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety Arch: x86_64
Best Regards\, Marcin T.
==708==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000009a78 at pc 0x000000a7c685 bp 0x7fff554408f0 sp 0x7fff554408e8 WRITE of size 8 at 0x619000009a78 thread T0 #0 0xa7c684 in Perl_pp_rv2sv /home/mtowalski/Fuzzing/Programs/perl-git/pp.c:406:5 #1 0x85d546 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2450:23 #2 0x5eaf07 in S_run_body /home/mtowalski/Fuzzing/Programs/perl-git/perl.c:2524:2 #3 0x5eaf07 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c:2447 #4 0x503205 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9 #5 0x7fef44a433f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291 #6 0x433a89 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x433a89)
0x619000009a78 is located 1016 bytes inside of 1024-byte region [0x619000009680\,0x619000009a80) freed by thread T0 here: #0 0x4d2410 in realloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4d2410) #1 0x863fe8 in Perl_safesysrealloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:274:18
previously allocated by thread T0 here: #0 0x4d2038 in malloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4d2038) #1 0x863661 in Perl_safesysmalloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:153:21
SUMMARY: AddressSanitizer: heap-use-after-free /home/mtowalski/Fuzzing/Programs/perl-git/pp.c:406:5 in Perl_pp_rv2sv Shadow bytes around the buggy address: 0x0c327fff92f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c327fff9300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c327fff9310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c327fff9320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c327fff9330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c327fff9340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd] 0x0c327fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff9370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c327fff9380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c327fff9390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==708==ABORTING
On 25 February 2017 at 23:56\, via RT \perl5\-security\-report@​perl\.org wrote:
I've attached the poc and the asan log.
That asan log is:
==708==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000009a78 at pc 0x000000a7c685 bp 0x7fff554408f0 sp 0x7fff554408e8 WRITE of size 8 at 0x619000009a78 thread T0 #0 0xa7c684 in Perl_pp_rv2sv /home/mtowalski/Fuzzing/Programs/perl-git/pp.c:406:5 #1 0x85d546 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2450:23 #2 0x5eaf07 in S_run_body /home/mtowalski/Fuzzing/Programs/perl-git/perl.c:2524:2 #3 0x5eaf07 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c:2447 #4 0x503205 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9 #5 0x7fef44a433f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291 #6 0x433a89 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x433a89)
0x619000009a78 is located 1016 bytes inside of 1024-byte region [0x619000009680\,0x619000009a80) freed by thread T0 here: #0 0x4d2410 in realloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4d2410) #1 0x863fe8 in Perl_safesysrealloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:274:18
previously allocated by thread T0 here: #0 0x4d2038 in malloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4d2038) #1 0x863661 in Perl_safesysmalloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:153:21
which isn't terribly helpful. However\, I get something much more detailed and interesting on Mac OS:
==75998==ERROR: AddressSanitizer: heap-use-after-free on address
0x619000007c70 at pc 0x0001059f5ffa bp 0x7fff5a6bbe30 sp
0x7fff5a6bbe28
WRITE of size 8 at 0x619000007c70 thread T0
#0 0x1059f5ff9 in Perl_pp_rv2sv (perl+0x1004b2ff9)
#1 0x1058f5e02 in Perl_runops_standard (perl+0x1003b2e02)
#2 0x1056235e9 in perl_run (perl+0x1000e05e9)
#3 0x105543bcf in main (perl+0x100000bcf)
#4 0x7fff924075fc in start (libdyld.dylib+0x35fc)
#5 0x2 (\
0x619000007c70 is located 1008 bytes inside of 1024-byte region
[0x619000007880\,0x619000007c80)
freed by thread T0 here:
#0 0x105f18b07 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x46b07)
#1 0x1058359db in Perl_safesysrealloc (perl+0x1002f29db)
#2 0x1058e60f7 in Perl_av_extend_guts (perl+0x1003a30f7)
#3 0x1058e5394 in Perl_av_extend (perl+0x1003a2394)
#4 0x105a75877 in Perl_stack_grow (perl+0x100532877)
#5 0x105625b98 in Perl_call_sv (perl+0x1000e2b98)
#6 0x105669c92 in S_require_tie_mod (perl+0x100126c92)
#7 0x10564bca0 in Perl_gv_fetchpvn_flags (perl+0x100108ca0)
#8 0x10564f252 in Perl_gv_fetchsv (perl+0x10010c252)
#9 0x1059f4ecb in Perl_softref2xv (perl+0x1004b1ecb)
#10 0x1059f5767 in Perl_pp_rv2sv (perl+0x1004b2767)
#11 0x1058f5e02 in Perl_runops_standard (perl+0x1003b2e02)
#12 0x1056235e9 in perl_run (perl+0x1000e05e9)
#13 0x105543bcf in main (perl+0x100000bcf)
#14 0x7fff924075fc in start (libdyld.dylib+0x35fc)
#15 0x2 (\
previously allocated by thread T0 here:
#0 0x105f18770 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib+0x46770)
#1 0x105835611 in Perl_safesysmalloc (perl+0x1002f2611)
#2 0x1058e59f9 in Perl_av_extend_guts (perl+0x1003a29f9)
#3 0x1058e5394 in Perl_av_extend (perl+0x1003a2394)
#4 0x105a759bf in Perl_new_stackinfo (perl+0x1005329bf)
#5 0x105608489 in perl_construct (perl+0x1000c5489)
#6 0x105543b1c in main (perl+0x100000b1c)
#7 0x7fff924075fc in start (libdyld.dylib+0x35fc)
#8 0x2 (\
That is: the freed memory was allocated by Perl_new_stackinfo\, and freed by Perl_stack_grow\, which suggests strongly to me that something has extended the stack\, and that pp_rv2sv is trying to write through the old stack pointer.
The attached patch fixes this for me\, and includes a slightly reduced version of the failing program as a test case\, but I'd like at least one more pair of eyes on it\, because I don't have a detailed analysis of what causes the crash. (That also means I don't have a sense for how easy it would be for an attacker to trigger this.)
Also\, if someone can find a better reduction\, that'd be great; I found that most of the changes I made to the large string literal in the failing program concealed the error. In particular\, the failing program ends up dereferencing the string "["\, which loads arybase\, which means that miniperl can't reproduce the error. Indeed\, the presence of S_require_tie_mod in asan's "freed by" suggests that it's perhaps loading arybase that triggers the stack reallocation.
-- Aaron Crane ** http://aaroncrane.co.uk/
The RT System itself - Status changed from 'new' to 'open'
On Sun\, 26 Feb 2017 04:13:44 -0800\, arc wrote:
On 25 February 2017 at 23:56\, via RT \perl5\-security\-report@​perl\.org wrote:
I've attached the poc and the asan log.
That asan log is:
==708==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000009a78 at pc 0x000000a7c685 bp 0x7fff554408f0 sp 0x7fff554408e8 WRITE of size 8 at 0x619000009a78 thread T0 #0 0xa7c684 in Perl_pp_rv2sv /home/mtowalski/Fuzzing/Programs/perl-git/pp.c:406:5 #1 0x85d546 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2450:23 #2 0x5eaf07 in S_run_body /home/mtowalski/Fuzzing/Programs/perl-git/perl.c:2524:2 #3 0x5eaf07 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c:2447 #4 0x503205 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9 #5 0x7fef44a433f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291 #6 0x433a89 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x433a89)
0x619000009a78 is located 1016 bytes inside of 1024-byte region [0x619000009680\,0x619000009a80) freed by thread T0 here: #0 0x4d2410 in realloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4d2410) #1 0x863fe8 in Perl_safesysrealloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:274:18
previously allocated by thread T0 here: #0 0x4d2038 in malloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4d2038) #1 0x863661 in Perl_safesysmalloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:153:21
which isn't terribly helpful. However\, I get something much more detailed and interesting on Mac OS:
==75998==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000007c70 at pc 0x0001059f5ffa bp 0x7fff5a6bbe30 sp 0x7fff5a6bbe28 WRITE of size 8 at 0x619000007c70 thread T0 #0 0x1059f5ff9 in Perl_pp_rv2sv (perl+0x1004b2ff9) #1 0x1058f5e02 in Perl_runops_standard (perl+0x1003b2e02) #2 0x1056235e9 in perl_run (perl+0x1000e05e9) #3 0x105543bcf in main (perl+0x100000bcf) #4 0x7fff924075fc in start (libdyld.dylib+0x35fc) #5 0x2 (\
) 0x619000007c70 is located 1008 bytes inside of 1024-byte region [0x619000007880\,0x619000007c80) freed by thread T0 here: #0 0x105f18b07 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x46b07) #1 0x1058359db in Perl_safesysrealloc (perl+0x1002f29db) #2 0x1058e60f7 in Perl_av_extend_guts (perl+0x1003a30f7) #3 0x1058e5394 in Perl_av_extend (perl+0x1003a2394) #4 0x105a75877 in Perl_stack_grow (perl+0x100532877) #5 0x105625b98 in Perl_call_sv (perl+0x1000e2b98) #6 0x105669c92 in S_require_tie_mod (perl+0x100126c92) #7 0x10564bca0 in Perl_gv_fetchpvn_flags (perl+0x100108ca0) #8 0x10564f252 in Perl_gv_fetchsv (perl+0x10010c252) #9 0x1059f4ecb in Perl_softref2xv (perl+0x1004b1ecb) #10 0x1059f5767 in Perl_pp_rv2sv (perl+0x1004b2767) #11 0x1058f5e02 in Perl_runops_standard (perl+0x1003b2e02) #12 0x1056235e9 in perl_run (perl+0x1000e05e9) #13 0x105543bcf in main (perl+0x100000bcf) #14 0x7fff924075fc in start (libdyld.dylib+0x35fc) #15 0x2 (\
) previously allocated by thread T0 here: #0 0x105f18770 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib+0x46770) #1 0x105835611 in Perl_safesysmalloc (perl+0x1002f2611) #2 0x1058e59f9 in Perl_av_extend_guts (perl+0x1003a29f9) #3 0x1058e5394 in Perl_av_extend (perl+0x1003a2394) #4 0x105a759bf in Perl_new_stackinfo (perl+0x1005329bf) #5 0x105608489 in perl_construct (perl+0x1000c5489) #6 0x105543b1c in main (perl+0x100000b1c) #7 0x7fff924075fc in start (libdyld.dylib+0x35fc) #8 0x2 (\
) That is: the freed memory was allocated by Perl_new_stackinfo\, and freed by Perl_stack_grow\, which suggests strongly to me that something has extended the stack\, and that pp_rv2sv is trying to write through the old stack pointer.
The attached patch fixes this for me\, and includes a slightly reduced version of the failing program as a test case\, but I'd like at least one more pair of eyes on it\, because I don't have a detailed analysis of what causes the crash. (That also means I don't have a sense for how easy it would be for an attacker to trigger this.)
Also\, if someone can find a better reduction\, that'd be great; I found that most of the changes I made to the large string literal in the failing program concealed the error. In particular\, the failing program ends up dereferencing the string "["\, which loads arybase\, which means that miniperl can't reproduce the error. Indeed\, the presence of S_require_tie_mod in asan's "freed by" suggests that it's perhaps loading arybase that triggers the stack reallocation.
Here's a slightly different minification.
Changes to the literal that preserve the number of matches against the regexp were safe\, so compressing sequences of digits\, replacing non-ASCII characters and removing the new lines from the literal worked for me.
Changing the literal to a generated value ("1" . ("x" x 123)) didn't reproduce the issue.
WRT arybase\, perhaps require_tie_mod() needs to work with a new stack\, perhaps gv_fetchpvn_flags() reallocating the stack is a bug.
Tony
On Sun\, Feb 26\, 2017 at 08:22:01PM -0800\, Tony Cook via RT wrote:
On Sun\, 26 Feb 2017 04:13:44 -0800\, arc wrote:
On 25 February 2017 at 23:56\, via RT \perl5\-security\-report@​perl\.org That is: the freed memory was allocated by Perl_new_stackinfo\, and freed by Perl_stack_grow\, which suggests strongly to me that something has extended the stack\, and that pp_rv2sv is trying to write through the old stack pointer.
The attached patch fixes this for me\, and includes a slightly reduced version of the failing program as a test case\, but I'd like at least one more pair of eyes on it\, because I don't have a detailed analysis of what causes the crash. (That also means I don't have a sense for how easy it would be for an attacker to trigger this.)
Also\, if someone can find a better reduction\, that'd be great; I found that most of the changes I made to the large string literal in the failing program concealed the error. In particular\, the failing program ends up dereferencing the string "["\, which loads arybase\, which means that miniperl can't reproduce the error. Indeed\, the presence of S_require_tie_mod in asan's "freed by" suggests that it's perhaps loading arybase that triggers the stack reallocation.
Here's a slightly different minification.
Changes to the literal that preserve the number of matches against the regexp were safe\, so compressing sequences of digits\, replacing non-ASCII characters and removing the new lines from the literal worked for me.
Changing the literal to a generated value ("1" . ("x" x 123)) didn't reproduce the issue.
WRT arybase\, perhaps require_tie_mod() needs to work with a new stack\, perhaps gv_fetchpvn_flags() reallocating the stack is a bug.
I attach an alternative patch which I suggest should supersede Aaron's one. It has a much simplified test case\, and adds a SAVESTACKi() to S_require_tie_mod() in addition to the SPAGAIN in pp_rv2sv.
I don't think it really counts as a security issue: it involves using one of - + ! [ as a run-time symbolic reference\, at a point where the stack is almost exactly full.
So I think this ticket should be moved to the public queue soonish\, then my patch should be applied to blead post-5.26 release.
-- Dave's first rule of Opera: If something needs saying\, say it: don't warble it.
On Tue\, Mar 14\, 2017 at 09:40:54AM +0000\, Dave Mitchell wrote:
On Sun\, Feb 26\, 2017 at 08:22:01PM -0800\, Tony Cook via RT wrote:
On Sun\, 26 Feb 2017 04:13:44 -0800\, arc wrote:
On 25 February 2017 at 23:56\, via RT \perl5\-security\-report@​perl\.org That is: the freed memory was allocated by Perl_new_stackinfo\, and freed by Perl_stack_grow\, which suggests strongly to me that something has extended the stack\, and that pp_rv2sv is trying to write through the old stack pointer.
The attached patch fixes this for me\, and includes a slightly reduced version of the failing program as a test case\, but I'd like at least one more pair of eyes on it\, because I don't have a detailed analysis of what causes the crash. (That also means I don't have a sense for how easy it would be for an attacker to trigger this.)
Also\, if someone can find a better reduction\, that'd be great; I found that most of the changes I made to the large string literal in the failing program concealed the error. In particular\, the failing program ends up dereferencing the string "["\, which loads arybase\, which means that miniperl can't reproduce the error. Indeed\, the presence of S_require_tie_mod in asan's "freed by" suggests that it's perhaps loading arybase that triggers the stack reallocation.
Here's a slightly different minification.
Changes to the literal that preserve the number of matches against the regexp were safe\, so compressing sequences of digits\, replacing non-ASCII characters and removing the new lines from the literal worked for me.
Changing the literal to a generated value ("1" . ("x" x 123)) didn't reproduce the issue.
WRT arybase\, perhaps require_tie_mod() needs to work with a new stack\, perhaps gv_fetchpvn_flags() reallocating the stack is a bug.
I attach an alternative patch which I suggest should supersede Aaron's one. It has a much simplified test case\, and adds a SAVESTACKi() to S_require_tie_mod() in addition to the SPAGAIN in pp_rv2sv.
I don't think it really counts as a security issue: it involves using one of - + ! [ as a run-time symbolic reference\, at a point where the stack is almost exactly full.
So I think this ticket should be moved to the public queue soonish\, then my patch should be applied to blead post-5.26 release.
Now pushed as v5.27.0-118-g655f5b2. I'll move this ticket to the public queue now.
-- Wesley Crusher gets beaten up by his classmates for being a smarmy git\, and consequently has a go at making some friends of his own age for a change. -- Things That Never Happen in "Star Trek" #18
@iabyn - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#130861 (status was 'resolved')
Searchable as RT130861$