Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

AddressSanitizer: heap-buffer-overflow in Perl_pp_unpack #15909

Open p5pRT opened 7 years ago

p5pRT commented 7 years ago

Migrated from rt.perl.org#130917 (status was 'open')

Searchable as RT130917$

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

Hello,

I've attached the PoC and the ASan log. Tested on the git version of perl.

Configure options:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared

Information about configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.10
Release:        16.10
Codename:       yakkety
Arch:           x86_64

Best Regards,
Marcin T.

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

heap-buffer-overflow-9ba-c44-bb3

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

/usr/bin/llvm-symbolizer
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LC_CTYPE = "UTF-8",
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").

==11600==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000078 at pc 0x000000c109bb bp 0x7ffddc02bad0 sp 0x7ffddc02bac8
READ of size 8 at 0x619000000078 thread T0
    #0 0xc109ba in Perl_pp_unpack /home/mtowalski/Fuzzing/Programs/perl-git/pp_pack.c:1837:5
    #1 0x7fbc44 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2451:23
    #2 0x5e7bb3 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c
    #3 0x524302 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9
    #4 0x7f26c09df3f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291
    #5 0x4356f9 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4356f9)

0x619000000078 is located 8 bytes to the left of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
    #0 0x4eb0a8 in malloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4eb0a8)
    #1 0x80087e in Perl_safesysmalloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:153:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mtowalski/Fuzzing/Programs/perl-git/pp_pack.c:1837:5 in Perl_pp_unpack
Shadow bytes around the buggy address:
  0x0c327fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c327fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11600==ABORTING

p5pRT commented 7 years ago

From @arc

RT perl5-security-report@perl.org wrote:

> I've attached the poc and the asan log.

Minor reduction:

./miniperl -e 'BEGIN { $SIG{__DIE__} = sub { exit } } unpack'

But the unpack is a red herring here​: the bug is actually that exit(0) (including the implicit 0 used for zero-argument exit) in a die hook won't exit the process in the face of parser-triggered errors. This is reproducible on all Perls I have easy access to (5.6 onwards).

When this happens\, execution proceeds to the run-time phase. So afaict the crash here happens when pp_unpack tries to read its arguments from a part of the stack that doesn't exist.

The same happens for other builtins that have one or more required arguments.

$ ./miniperl -le 'BEGIN { $SIG{__DIE__} = sub { print "exiting: $_[0]"; exit } } print "not ok"; substr if 0'
exiting: Not enough arguments for substr at -e line 1, near "substr if"
Execution of -e aborted due to compilation errors.
not ok
$

Calling a builtin with too many arguments still exhibits the failure-to-exit bug, but yields no out-of-bounds read, because arguments can be found on the stack.

This is probably related to #2754 "[BUG] can't exit 0 from CHECK{}"; and applying George Greer's patch from that ticket fixes it. But the discussion on that ticket suggested that it might break API guarantees.

--
Aaron Crane ** http://aaroncrane.co.uk/

p5pRT commented 7 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

Hello,

I've attached the PoC and the ASan log. Tested on the git version of perl.

Configure options:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared

Information about configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.10
Release:        16.10
Codename:       yakkety
Arch:           x86_64

Best Regards,
Marcin T.

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

new-heap-buffer-overflow-1d0-c44-bb3

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

/usr/bin/llvm-symbolizer
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LC_CTYPE = "UTF-8",
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").

==11768==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000078 at pc 0x00000089c1d1 bp 0x7ffe2638a110 sp 0x7ffe2638a108
READ of size 8 at 0x619000000078 thread T0
    #0 0x89c1d0 in Perl_pp_sassign /home/mtowalski/Fuzzing/Programs/perl-git/pp_hot.c:131:34
    #1 0x7fbc44 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2451:23
    #2 0x5e7bb3 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c
    #3 0x524302 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9
    #4 0x7f100bb283f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291
    #5 0x4356f9 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4356f9)

0x619000000078 is located 8 bytes to the left of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
    #0 0x4eb0a8 in malloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4eb0a8)
    #1 0x80087e in Perl_safesysmalloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:153:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mtowalski/Fuzzing/Programs/perl-git/pp_hot.c:131:34 in Perl_pp_sassign
Shadow bytes around the buggy address:
  0x0c327fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c327fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11768==ABORTING


p5pRT commented 7 years ago

From @arc

This reduces to:

BEGIN { $SIG{__DIE__} = sub { exit } } yte = substr unpa

and has the same cause as #130917 (namely, that doing exit in a __DIE__ hook visible at compile-time both fails to exit and prevents compilation errors from being thrown). I've therefore merged it into #130917.

--
Aaron Crane ** http://aaroncrane.co.uk/

p5pRT commented 7 years ago

From @arc

This is exactly the same underlying bug as #130917 and #130931, so I've merged it into #130917.

--
Aaron Crane ** http://aaroncrane.co.uk/

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

Hello,

I've attached the PoC and the ASan log. Tested on the git version of perl.

Configure options:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared

Information about configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.10
Release:        16.10
Codename:       yakkety
Arch:           x86_64

Best Regards,
Marcin T.

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

new-heap-buffer-overflow-cd5-c44-bb3

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

/usr/bin/llvm-symbolizer
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LC_CTYPE = "UTF-8",
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").

==11930==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000078 at pc 0x0000009bfcd6 bp 0x7ffc5671d7b0 sp 0x7ffc5671d7a8
READ of size 8 at 0x619000000078 thread T0
    #0 0x9bfcd5 in Perl_pp_substr /home/mtowalski/Fuzzing/Programs/perl-git/pp.c:3366:10
    #1 0x7fbc44 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2451:23
    #2 0x5e7bb3 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c
    #3 0x524302 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9
    #4 0x7f6caf01a3f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291
    #5 0x4356f9 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4356f9)

0x619000000078 is located 8 bytes to the left of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
    #0 0x4eb0a8 in malloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4eb0a8)
    #1 0x80087e in Perl_safesysmalloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:153:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mtowalski/Fuzzing/Programs/perl-git/pp.c:3366:10 in Perl_pp_substr
Shadow bytes around the buggy address:
  0x0c327fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c327fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11930==ABORTING

p5pRT commented 7 years ago

From @iabyn

On Mon, Mar 06, 2017 at 08:25:34AM -0800, via RT wrote:

> BEGIN{$SIG{__DIE__}=sub{$_=exit}}t=unpack

This is the same issue as RT #130917 - I'll merge the tickets.

--
Standards (n). Battle insignia or tribal totems.

p5pRT commented 7 years ago

From @iabyn

On Mon, Mar 06, 2017 at 08:55:51AM -0800, via RT wrote:

> BEGIN { print $SIG{__DIE__} = sub {$_=~ exit }; }te = substr

This is the same issue as RT #130917. I'll merge the tickets.

--
You live and learn (although usually you just live).
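To check all of the reductions quoted in this thread (arc's three and iabyn's two) against a given perl build in one go, here is a triage harness in Perl. It is an added example, not part of the perl5 tree or of any comment above; the control case and the verdict rules are mine. It assumes a POSIX system and takes the interpreter to test as its first argument (default: the running perl), ideally the DEBUGGING + ASan build configured as in the report. For each case it reports whether the child was killed by a signal, whether AddressSanitizer reported an error, whether the "not ok" sentinel shows the run-time phase was reached, or otherwise the plain exit status.

```perl
#!/usr/bin/env perl
# Triage harness for the reductions quoted in this ticket. Added example,
# not part of the perl5 tree or of any comment in the thread. Runs each
# one-liner under the perl given as the first argument (default: the
# running perl; an ASan + DEBUGGING build as in the report is the useful
# target) and classifies what happened. Assumes a POSIX system.
use strict;
use warnings;
use File::Temp qw(tempfile);
use POSIX      qw(WIFEXITED WEXITSTATUS WIFSIGNALED WTERMSIG);

my $perl = @ARGV ? shift @ARGV : $^X;

# Reductions exactly as posted by arc and iabyn, plus a control case
# (constructed here, not from the thread): a run-time die, where exit in
# the hook is expected to end the process before "not ok" is printed.
my @cases = (
    [ 'control: exit from a run-time die hook',
      'BEGIN { $SIG{__DIE__} = sub { exit } } die "runtime"; print "not ok"' ],
    [ 'arc: unpack with no arguments',
      'BEGIN { $SIG{__DIE__} = sub { exit } } unpack' ],
    [ 'arc: substr, sentinel print after the compile error',
      'BEGIN { $SIG{__DIE__} = sub { print "exiting: $_[0]"; exit } } print "not ok"; substr if 0' ],
    [ 'arc: yte = substr unpa (pp_sassign report)',
      'BEGIN { $SIG{__DIE__} = sub { exit } } yte = substr unpa' ],
    [ 'iabyn: t=unpack',
      'BEGIN{$SIG{__DIE__}=sub{$_=exit}}t=unpack' ],
    [ 'iabyn: te = substr (pp_substr report)',
      'BEGIN { print $SIG{__DIE__} = sub {$_=~ exit }; }te = substr' ],
);

# Run one case with stdout and stderr merged into a temp file. exec takes a
# list, so no shell is involved and the one-liner reaches -e unchanged.
# Returns the wait status and the combined output.
sub run_case {
    my ($code) = @_;
    my ($fh, $path) = tempfile(UNLINK => 1);
    my $pid = fork;
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {
        open STDOUT, '>&', $fh or die "dup stdout: $!";
        open STDERR, '>&', $fh or die "dup stderr: $!";
        exec $perl, '-e', $code or die "exec $perl: $!";
    }
    waitpid $pid, 0;
    my $status = $?;
    close $fh;
    open my $in, '<', $path or die "open $path: $!";
    my $output = do { local $/; <$in> } // '';
    close $in;
    return ($status, $output);
}

# One-line verdict from the wait status and the combined output. The "not
# ok" sentinel exists only in the control and the substr-if-0 case; for the
# others, exit 0 without an ASan report is not proof that exit was honoured.
sub classify {
    my ($status, $output) = @_;
    return 'CRASH: killed by signal ' . WTERMSIG($status) if WIFSIGNALED($status);
    return "CRASH: AddressSanitizer reported $1"
        if $output =~ /AddressSanitizer: ([a-z-]+)/;
    return 'BUG: compile error suppressed, run-time phase reached'
        if $output =~ /\bnot ok\b/;
    my $code = WIFEXITED($status) ? WEXITSTATUS($status) : -1;
    return $code == 0
        ? 'exit 0: hook exit honoured (or ran on without visible damage)'
        : "exit $code";
}

for my $case (@cases) {
    my ($label, $code) = @$case;
    my ($status, $output) = run_case($code);
    printf "%-52s %s\n", $label, classify($status, $output);
}
```

Run it as `perl triage.pl /path/to/perl-git/perl`. The control case should read "exit 0" on any perl. On the ASan build from the report, the unpack, substr and sassign cases are expected to come back as "CRASH: AddressSanitizer reported heap-buffer-overflow", matching the logs attached above; on a perl where the hook's exit is honoured at compile time, every case reads "exit 0".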

p5pRT commented 7 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 7 years ago

From @tonycoz

On Thu, 09 Mar 2017 03:44:29 -0800, davem wrote:

> On Mon, Mar 06, 2017 at 08:55:51AM -0800, via RT wrote:
>
> > BEGIN { print $SIG{__DIE__} = sub {$_=~ exit }; }te = substr
>
> This is the same issue as RT #130917. I'll merge the tickets.

This doesn't look like a security issue, since it requires feeding code to the interpreter; I'll move it to the public queue in a couple of days unless someone disagrees (or beats me to it).

Tony