Open p5pRT opened 7 years ago
Hello,
I've attached the poc and the asan log. Tested on git version of perl.
Configure options:
"./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared"
Information about configuration:
Distributor ID: Ubuntu
Description: Ubuntu 16.10
Release: 16.10
Codename: yakkety
Arch: x86_64
Best Regards, Marcin T.
==11681==ERROR: AddressSanitizer: SEGV on unknown address 0x602ddc052500 (pc 0x000000643386 bp 0x7ffd9e262d30 sp 0x7ffd9e262b60 T0)
==11681==The signal is caused by a READ memory access.
    #0 0x643385 in S_incline /home/mtowalski/Fuzzing/Programs/perl-git/toke.c:1834:5
    #1 0x64bbba in Perl_yylex /home/mtowalski/Fuzzing/Programs/perl-git/toke.c:5565:17
    #2 0x6e834d in Perl_yyparse /home/mtowalski/Fuzzing/Programs/perl-git/perly.c:340:34
    #3 0xa561c0 in S_doeval_compile /home/mtowalski/Fuzzing/Programs/perl-git/pp_ctl.c:3436:77
    #4 0xa5359f in Perl_pp_entereval /home/mtowalski/Fuzzing/Programs/perl-git/pp_ctl.c:4296:9
    #5 0x7fbc44 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2451:23
    #6 0x5e7bb3 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c
    #7 0x524302 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9
    #8 0x7f7240b7d3f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291
    #9 0x4356f9 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4356f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/mtowalski/Fuzzing/Programs/perl-git/toke.c:1834:5 in S_incline
==11681==ABORTING
The test case reduces to:
    $^P = 0x400;  # or 0x02
    do {
        # 2147483651 = 0x80000003
        eval qq{#line 2147483651 \n#line 1 n};
    }

This appears to be simple wraparound on perldb's handling of the line number. In S_incline at the point of failure (the "else if (GvAV(cfgv))" block starting around toke.c:1826), we get a negative value for start, and it is unsurprising then that this: SV **svp = AvARRAY(av) + start; leads to sad faces.
Quite what it should be doing instead I'm not sure, though s/I32 start/line_t start/ might be a good, um, start.
Given this is driven solely by $^P and the line number, I don't think this has any security implications.
Hugo
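The wraparound Hugo describes, as an added C model that is not Perl's own toke.c code: the line number is line_t (unsigned 32-bit) but the array index is computed as I32, so a #line value at or above 0x7fffffff becomes a negative offset into the line array; the checked variant keeps the index unsigned and bounds-checks it before any read. NLINES, src_lines and the function names are constructed for this illustration, and the item count is computed in 64 bits so the model itself has no signed overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint32_t line_t;   /* Perl's line-number type: unsigned 32-bit */
typedef int32_t  I32;

/* Constructed stand-in for the {_<file} source-line array. */
#define NLINES 8
static const char *src_lines[NLINES] =
    { "line0", "line1", "line2", "line3", "line4", "line5", "line6", "line7" };

/* Models the arithmetic from the report: the current line number is
 * line_t (unsigned) but the index is computed as I32, so any '#line'
 * value at or above 0x7fffffff gives a negative index. Nothing is
 * dereferenced here; the result is only inspected. */
I32 incline_index_i32(line_t cur_line)
{
    return (I32)(cur_line + 1);   /* wraps negative for the PoC value */
}

/* With a negative index the item count (computed in 64 bits here to
 * keep the model free of signed overflow) is large and positive, so
 * the copy loop would run and read before the start of the array. */
int incline_would_read_oob(line_t cur_line)
{
    const I32 start = incline_index_i32(cur_line);
    const int64_t items = (int64_t)NLINES - start;
    return items > 0 && (start < 0 || start >= NLINES);
}

/* Hardened variant: keep the index as line_t and bounds-check it before
 * touching the array. Copies the lines after cur_line into dst and
 * returns the number copied (0 when the range is empty or invalid). */
size_t incline_copy_checked(line_t cur_line, const char **dst, size_t dst_len)
{
    if (cur_line >= (line_t)NLINES - 1)   /* also rules out cur_line + 1 wrapping */
        return 0;
    const line_t start = cur_line + 1;
    size_t items = NLINES - start;
    if (items > dst_len)
        items = dst_len;
    memcpy(dst, src_lines + start, items * sizeof *dst);
    return items;
}
```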
The RT System itself - Status changed from 'new' to 'open'
On Tue, Mar 07, 2017 at 02:36:44PM -0800, Hugo van der Sanden via RT wrote:
> The test case reduces to:
>     $^P = 0x400;  # or 0x02
>     do {
>         # 2147483651 = 0x80000003
>         eval qq{#line 2147483651 \n#line 1 n};
>     }
> This appears to be simple wraparound on perldb's handling of the line number. In S_incline at the point of failure (the "else if (GvAV(cfgv))" block starting around toke.c:1826), we get a negative value for start, and it is unsurprising then that this: SV **svp = AvARRAY(av) + start; leads to sad faces.
> Quite what it should be doing instead I'm not sure, though s/I32 start/line_t start/ might be a good, um, start.
> Given this is driven solely by $^P and the line number, I don't think this has any security implications.

I agree. I'll move this to the public queue in a few days' time unless anyone objects.

-- "Strange women lying in ponds distributing swords is no basis for a system of government. Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony." -- Dennis, "Monty Python and the Holy Grail"
On Fri, Mar 17, 2017 at 04:27:17PM +0000, Dave Mitchell wrote:
> On Tue, Mar 07, 2017 at 02:36:44PM -0800, Hugo van der Sanden via RT wrote:
> > The test case reduces to:
> >     $^P = 0x400;  # or 0x02
> >     do {
> >         # 2147483651 = 0x80000003
> >         eval qq{#line 2147483651 \n#line 1 n};
> >     }
> > This appears to be simple wraparound on perldb's handling of the line number. In S_incline at the point of failure (the "else if (GvAV(cfgv))" block starting around toke.c:1826), we get a negative value for start, and it is unsurprising then that this: SV **svp = AvARRAY(av) + start; leads to sad faces.
> > Quite what it should be doing instead I'm not sure, though s/I32 start/line_t start/ might be a good, um, start.
> > Given this is driven solely by $^P and the line number, I don't think this has any security implications.
> I agree. I'll move this to the public queue in a few days' time unless anyone objects.

Now moved.

-- You never really learn to swear until you learn to drive.
Migrated from rt.perl.org#130937 (status was 'open')
Searchable as RT130937$