Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

AddressSanitizer: SEGV on unknown address 0x602ddc052500 in S_incline #15915

Open p5pRT opened 7 years ago

p5pRT commented 7 years ago

Migrated from rt.perl.org#130937 (status was 'open')

Searchable as RT130937$

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

Hello,

I've attached the poc and the asan log. Tested on git version of perl.

Configure options:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared

Information about configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.10
Release:        16.10
Codename:       yakkety
Arch:           x86_64

Best Regards, Marcin T.

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

new-SEGV-385-bba-34d

p5pRT commented 7 years ago

From mtowalski@pentest.net.pl

/usr/bin/llvm-symbolizer
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LC_CTYPE = "UTF-8",
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
ASAN:DEADLYSIGNAL

==11681==ERROR: AddressSanitizer: SEGV on unknown address 0x602ddc052500 (pc 0x000000643386 bp 0x7ffd9e262d30 sp 0x7ffd9e262b60 T0)
==11681==The signal is caused by a READ memory access.
    #0 0x643385 in S_incline /home/mtowalski/Fuzzing/Programs/perl-git/toke.c:1834:5
    #1 0x64bbba in Perl_yylex /home/mtowalski/Fuzzing/Programs/perl-git/toke.c:5565:17
    #2 0x6e834d in Perl_yyparse /home/mtowalski/Fuzzing/Programs/perl-git/perly.c:340:34
    #3 0xa561c0 in S_doeval_compile /home/mtowalski/Fuzzing/Programs/perl-git/pp_ctl.c:3436:77
    #4 0xa5359f in Perl_pp_entereval /home/mtowalski/Fuzzing/Programs/perl-git/pp_ctl.c:4296:9
    #5 0x7fbc44 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2451:23
    #6 0x5e7bb3 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c
    #7 0x524302 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9
    #8 0x7f7240b7d3f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291
    #9 0x4356f9 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4356f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/mtowalski/Fuzzing/Programs/perl-git/toke.c:1834:5 in S_incline
==11681==ABORTING

p5pRT commented 7 years ago

From @hvds

The test case reduces to​:

$^P = 0x400; # or 0x02
do {
  # 2147483651 = 0x80000003
  eval qq{#line 2147483651 \n#line 1 n};
}

This appears to be simple wraparound on perldb's handling of the line number. In S_incline at the point of failure (the "else if (GvAV(cfgv))" block starting around toke.c:1826), we get a negative value for start, and it is unsurprising then that this:

  SV **svp = AvARRAY(av) + start;

leads to sad faces.

Quite what it should be doing instead I'm not sure, though s/I32 start/line_t start/ might be a good, um, start.

Given this is driven solely by $^P and the line number, I don't think this has any security implications.

Hugo

p5pRT commented 7 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 7 years ago

From @iabyn

On Tue, Mar 07, 2017 at 02:36:44PM -0800, Hugo van der Sanden via RT wrote:

> The test case reduces to:
>
> $^P = 0x400; # or 0x02
> do {
>   # 2147483651 = 0x80000003
>   eval qq{#line 2147483651 \n#line 1 n};
> }
>
> This appears to be simple wraparound on perldb's handling of the line number. In S_incline at the point of failure (the "else if (GvAV(cfgv))" block starting around toke.c:1826), we get a negative value for start, and it is unsurprising then that this:
>
>   SV **svp = AvARRAY(av) + start;
>
> leads to sad faces.
>
> Quite what it should be doing instead I'm not sure, though s/I32 start/line_t start/ might be a good, um, start.
>
> Given this is driven solely by $^P and the line number, I don't think this has any security implications.

I agree. I'll move this to the public queue in a few days' time unless anyone objects.

-- 
"Strange women lying in ponds distributing swords is no basis for a system of government. Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony."
    -- Dennis, "Monty Python and the Holy Grail"

p5pRT commented 7 years ago

From @iabyn

On Fri, Mar 17, 2017 at 04:27:17PM +0000, Dave Mitchell wrote:

> On Tue, Mar 07, 2017 at 02:36:44PM -0800, Hugo van der Sanden via RT wrote:
>
> > The test case reduces to:
> >
> > $^P = 0x400; # or 0x02
> > do {
> >   # 2147483651 = 0x80000003
> >   eval qq{#line 2147483651 \n#line 1 n};
> > }
> >
> > This appears to be simple wraparound on perldb's handling of the line number. In S_incline at the point of failure (the "else if (GvAV(cfgv))" block starting around toke.c:1826), we get a negative value for start, and it is unsurprising then that this:
> >
> >   SV **svp = AvARRAY(av) + start;
> >
> > leads to sad faces.
> >
> > Quite what it should be doing instead I'm not sure, though s/I32 start/line_t start/ might be a good, um, start.
> >
> > Given this is driven solely by $^P and the line number, I don't think this has any security implications.
>
> I agree. I'll move this to the public queue in a few days' time unless anyone objects.

Now moved.

-- 
You never really learn to swear until you learn to drive.