heap-use-after-free in Perl_sv_setpv_bufsize

[p5pRT]

Migrated from rt.perl.org#131931 (status was 'open')

Searchable as RT131931$

[p5pRT]

From gy741.kim@gmail.com

Hi.

I found a heap-use-after-free bug in perl.

Please confirm.

Thanks.

Version​: This is perl 5\, version 27\, subversion 3 (v5.27.3) built for x86_64-linux OS​: Ubuntu 16.04.2 64bit Steps to reproduce​: 1.Download the PoC files. 2.Compile the source code with ASan. 3.Execute the following command   : ./perl $PoC

```

==8441==ERROR​: AddressSanitizer​: heap-use-after-free on address 0x602000000e70 at pc 0x0000009d60d7 bp 0x7ffe47d9fe50 sp 0x7ffe47d9fe48 WRITE of size 1 at 0x602000000e70 thread T0   #0 0x9d60d6 in Perl_sv_setpv_bufsize /root/karas/perl5-64bit-0815/sv.c​:4958​:17   #1 0xbdcac6 in Perl_do_vop /root/karas/perl5-64bit-0815/doop.c​:1045​:9   #2 0xa7278d in Perl_pp_bit_or /root/karas/perl5-64bit-0815/pp.c​:2405​:2   #3 0x87a1ec in Perl_runops_debug /root/karas/perl5-64bit-0815/dump.c​:2483​:23   #4 0x5fc915 in S_run_body /root/karas/perl5-64bit-0815/perl.c   #5 0x5fc915 in perl_run /root/karas/perl5-64bit-0815/perl.c​:2484   #6 0x52797a in main /root/karas/perl5-64bit-0815/perlmain.c​:123​:9   #7 0x7f486393682f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c​:291   #8 0x435a98 in _start (/root/karas/perl5-64bit-0815/perl+0x435a98)

0x602000000e70 is located 0 bytes inside of 10-byte region [0x602000000e70\,0x602000000e7a) freed by thread T0 here​:   #0 0x4edf60 in __interceptor_cfree.localalias.0 (/root/karas/perl5-64bit-0815/perl+0x4edf60)   #1 0x880607 in Perl_safesysfree /root/karas/perl5-64bit-0815/util.c​:388​:2   #2 0x9f4c2e in Perl_sv_free2 /root/karas/perl5-64bit-0815/sv.c​:7090​:9

previously allocated by thread T0 here​:   #0 0x4ee118 in malloc (/root/karas/perl5-64bit-0815/perl+0x4ee118)   #1 0x87f80b in Perl_safesysmalloc /root/karas/perl5-64bit-0815/util.c​:153​:21

SUMMARY​: AddressSanitizer​: heap-use-after-free /root/karas/perl5-64bit-0815/sv.c​:4958​:17 in Perl_sv_setpv_bufsize Shadow bytes around the buggy address​:   0x0c047fff8170​: fa fa 05 fa fa fa 00 02 fa fa 00 fa fa fa 00 07   0x0c047fff8180​: fa fa 00 01 fa fa 00 05 fa fa 00 00 fa fa 00 02   0x0c047fff8190​: fa fa 00 04 fa fa 02 fa fa fa fd fd fa fa fd fd   0x0c047fff81a0​: fa fa 00 02 fa fa fd fd fa fa fd fa fa fa fd fa   0x0c047fff81b0​: fa fa 00 02 fa fa fd fd fa fa fd fd fa fa 00 02 =>0x0c047fff81c0​: fa fa 02 fa fa fa fd fd fa fa fd fd fa fa[fd]fd   0x0c047fff81d0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa   0x0c047fff81e0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa   0x0c047fff81f0​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa   0x0c047fff8200​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa   0x0c047fff8210​: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes)​:   Addressable​: 00   Partially addressable​: 01 02 03 04 05 06 07   Heap left redzone​: fa   Freed heap region​: fd   Stack left redzone​: f1   Stack mid redzone​: f2   Stack right redzone​: f3   Stack after return​: f5   Stack use after scope​: f8   Global redzone​: f9   Global init order​: f6   Poisoned by user​: f7   Container overflow​: fc   Array cookie​: ac   Intra object redzone​: bb   ASan internal​: fe   Left alloca redzone​: ca   Right alloca redzone​: cb ==8441==ABORTING ```

[p5pRT]

From gy741.kim@gmail.com

073_PoC

[p5pRT]

From @tonycoz

On Sat\, 19 Aug 2017 18​:27​:54 -0700\, gy741.kim@​gmail.com wrote​:

Hi.

I found a heap-use-after-free bug in perl.

Simplifies to​:

$~|=*~='a';

which is a stack-not-refcounted bug\, and not a security issue.

Tony

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From geeknik@protonmail.ch

This is likely a duplicate of #130256.

[p5pRT]

From @tonycoz

On Wed\, 16 Jan 2019 08​:10​:01 -0800\, geeknik@​protonmail.ch wrote​:

This is likely a duplicate of #130256.

Thanks for the reminder\, linked to the stack-not-refcounted meta ticket.

Tony