Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Fwd: [rt.cpan.org #124716] Use after free in sv.c:4860 #16455

Open p5pRT opened 6 years ago

p5pRT commented 6 years ago

Migrated from rt.perl.org#132951 (status was 'open')

Searchable as RT132951$

p5pRT commented 6 years ago

From bug-Perl-Core@rt.cpan.org

This is forward of transaction #1775369 of a ticket #124716

p5pRT commented 6 years ago

From bug-Perl-Core@rt.cpan.org

From: hackyzh002@gmail.com
Subject: Use after free in sv.c:4860

hackyzh@hackyzh-virtual-machine:~/Desktop$ ./perl-5.27.9/perl poc2.pl

==20930==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e510 at pc 0x0000009fd4cc bp 0x7ffcc315cc40 sp 0x7ffcc315cc30
WRITE of size 1 at 0x60200000e510 thread T0
    #0 0x9fd4cb in Perl_sv_setpv_bufsize /home/hackyzh/Desktop/perl-5.27.9/sv.c:4860
    #1 0xbfee9b in Perl_do_vop /home/hackyzh/Desktop/perl-5.27.9/doop.c:1039
    #2 0xa748c6 in Perl_pp_bit_or /home/hackyzh/Desktop/perl-5.27.9/pp.c:2391
    #3 0x92c74a in Perl_runops_standard /home/hackyzh/Desktop/perl-5.27.9/run.c:41
    #4 0x555b39 in S_run_body /home/hackyzh/Desktop/perl-5.27.9/perl.c:2750
    #5 0x555b39 in perl_run /home/hackyzh/Desktop/perl-5.27.9/perl.c:2671
    #6 0x42b6e5 in main /home/hackyzh/Desktop/perl-5.27.9/perlmain.c:122
    #7 0x7fc92c42c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x42c6c8 in _start (/home/hackyzh/Desktop/perl-5.27.9/perl+0x42c6c8)

0x60200000e510 is located 0 bytes inside of 10-byte region [0x60200000e510,0x60200000e51a)
freed by thread T0 here:
    #0 0x7fc92d1d02ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x999630 in Perl_sv_clear /home/hackyzh/Desktop/perl-5.27.9/sv.c:6732

previously allocated by thread T0 here:
    #0 0x7fc92d1d0602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x8372dc in Perl_safesysmalloc /home/hackyzh/Desktop/perl-5.27.9/util.c:153

SUMMARY: AddressSanitizer: heap-use-after-free /home/hackyzh/Desktop/perl-5.27.9/sv.c:4860 Perl_sv_setpv_bufsize
Shadow bytes around the buggy address:
  0x0c047fff9c50: fa fa 00 00 fa fa 00 02 fa fa 00 04 fa fa 00 02
  0x0c047fff9c60: fa fa 05 fa fa fa 00 00 fa fa 00 07 fa fa 00 fa
  0x0c047fff9c70: fa fa 00 02 fa fa 00 02 fa fa 00 04 fa fa 00 05
  0x0c047fff9c80: fa fa 00 07 fa fa 00 02 fa fa 00 03 fa fa 00 05
  0x0c047fff9c90: fa fa 00 01 fa fa 00 05 fa fa 00 01 fa fa 00 02
=>0x0c047fff9ca0: fa fa[fd]fd fa fa fd fa fa fa 00 02 fa fa 00 02
  0x0c047fff9cb0: fa fa 00 02 fa fa 00 02 fa fa 00 06 fa fa 00 04
  0x0c047fff9cc0: fa fa 00 02 fa fa 00 02 fa fa 00 fa fa fa 00 02
  0x0c047fff9cd0: fa fa fd fa fa fa 00 02 fa fa 00 02 fa fa 00 02
  0x0c047fff9ce0: fa fa 00 02 fa fa 00 02 fa fa 00 02 fa fa 00 02
  0x0c047fff9cf0: fa fa 00 02 fa fa 00 02 fa fa 00 02 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==20930==ABORTING

p5pRT commented 6 years ago

From @iabyn

On Thu, Mar 08, 2018 at 12:26:35AM -0800, via RT wrote:

> ==20930==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e510 at pc 0x0000009fd4cc bp 0x7ffcc315cc40 sp 0x7ffcc315cc30
> WRITE of size 1 at 0x60200000e510 thread T0
>     #0 0x9fd4cb in Perl_sv_setpv_bufsize /home/hackyzh/Desktop/perl-5.27.9/sv.c:4860
>     #1 0xbfee9b in Perl_do_vop /home/hackyzh/Desktop/perl-5.27.9/doop.c:1039
>     #2 0xa748c6 in Perl_pp_bit_or /home/hackyzh/Desktop/perl-5.27.9/pp.c:2391
> ...
> 0x60200000e510 is located 0 bytes inside of 10-byte region [0x60200000e510,0x60200000e51a)

The code reduces to

  $a ^= (*a = 'b');

It's a stack-not-refcounted issue, and not a security issue.

--
The Enterprise is captured by a vastly superior alien intelligence which does not put them on trial.
    -- Things That Never Happen in "Star Trek" #10
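What "stack-not-refcounted" means for the reducer above, as an added C model written for this page (it is not code from perl's sv.c, doop.c or pp.c, and not the project's own): a Perl-like scalar (`SV`) is refcounted, a glob-like owner (`GV`) holds one scalar, and `$a ^= (*a = 'b')` is evaluated in operand order the way the trace suggests: the left operand's scalar goes on the value stack first, the right-hand glob assignment then replaces `$a` and drops the owner's reference to the old scalar, and the xor-assign finally writes into the scalar the stack still points at. With a stack that holds raw pointers, that scalar has already been released when the write happens (the ASan trace shows `Perl_sv_clear` freeing and `Perl_sv_setpv_bufsize` writing); with a stack slot that takes its own reference, the old scalar stays alive until the op pops it. The `SV`/`GV` layout, the empty initial `$a`, the string-xor semantics and the quarantine used instead of `free()` on the struct (so the dangling write is reported deterministically rather than being undefined behaviour) are assumptions of the model, not perl internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not perl's sv.c: a refcounted scalar owning a byte buffer.
 * `freed` is set instead of free()ing the struct (a quarantine), so a dangling
 * write is detected deterministically instead of being undefined behaviour. */
typedef struct SV {
    int    refcnt;
    int    freed;
    char  *buf;
    size_t len;
} SV;

enum { OP_OK = 0, OP_USE_AFTER_FREE = 1 };

#define QUARANTINE_MAX 8
static SV *quarantine[QUARANTINE_MAX];
static int nquarantined;

static SV *sv_new(const char *s)
{
    SV *sv = calloc(1, sizeof *sv);
    if (!sv) abort();
    sv->refcnt = 1;
    sv->len = strlen(s);
    sv->buf = malloc(sv->len + 1);
    if (!sv->buf) abort();
    memcpy(sv->buf, s, sv->len + 1);
    return sv;
}

static void sv_incref(SV *sv) { sv->refcnt++; }

/* Last reference gone: release the body. In the real interpreter this is the
 * Perl_sv_clear -> free() step in the ASan trace; here the struct is parked in
 * the quarantine so the `freed` flag stays readable. */
static void sv_decref(SV *sv)
{
    if (--sv->refcnt > 0) return;
    free(sv->buf);
    sv->buf = NULL;
    sv->freed = 1;
    if (nquarantined < QUARANTINE_MAX) quarantine[nquarantined++] = sv;
    else free(sv);
}

static void quarantine_drain(void)
{
    while (nquarantined > 0) free(quarantine[--nquarantined]);
}

/* Glob-like owner of one scalar: `*a = 'b'` swaps the new scalar in and drops
 * the owner's reference to the old one, which may be its only reference. */
typedef struct GV { SV *scalar; } GV;

static void gv_assign_scalar(GV *gv, SV *newsv)
{
    SV *old = gv->scalar;
    gv->scalar = newsv;
    sv_decref(old);
}

/* In-place string xor (assumed semantics for `^=`): result length is the longer
 * operand, the shorter one is padded with NUL bytes. */
static int op_xor_assign(SV *target, const SV *right)
{
    if (target->freed) return OP_USE_AFTER_FREE;   /* the write ASan flagged */
    size_t n = target->len > right->len ? target->len : right->len;
    char *nb = realloc(target->buf, n + 1);
    if (!nb) abort();
    for (size_t i = target->len; i < n; i++) nb[i] = 0;
    for (size_t i = 0; i < right->len; i++) nb[i] ^= right->buf[i];
    nb[n] = 0;
    target->buf = nb;
    target->len = n;
    return OP_OK;
}

/* Evaluate `$a ^= (*a = 'b')` in operand order: push the left operand, run the
 * right-hand glob assignment, then apply the op to the pushed operand.
 * stack_holds_ref selects a stack slot that owns a reference (the fix for this
 * bug class) versus a raw pointer (the stack-not-refcounted case).
 * `out` receives what `$a` reads afterwards; the return value is the op status. */
static int eval_xor_assign(int stack_holds_ref, char *out, size_t outsz)
{
    GV a;
    a.scalar = sv_new("");              /* assumption: $a starts as the empty string */
    SV *left = a.scalar;                /* the value-stack slot for the left operand */
    if (stack_holds_ref) sv_incref(left);

    gv_assign_scalar(&a, sv_new("b"));  /* RHS: *a = 'b'; old scalar loses its owner */
    int rc = op_xor_assign(left, a.scalar);

    if (stack_holds_ref) sv_decref(left);   /* pop: the stack returns its reference */
    snprintf(out, outsz, "%s", a.scalar->buf);
    sv_decref(a.scalar);
    quarantine_drain();
    return rc;
}

int main(void)
{
    char v[16];
    int rc = eval_xor_assign(0, v, sizeof v);
    printf("raw-pointer stack: status=%d (1 = use after free), $a=\"%s\"\n", rc, v);
    rc = eval_xor_assign(1, v, sizeof v);
    printf("refcounted stack:  status=%d (0 = ok), $a=\"%s\"\n", rc, v);
    return 0;
}
```

The only difference between the two runs is whether the stack slot holds a reference; the glob assignment and the op are identical. That is the shape of the whole bug class the meta ticket tracks: any side effect that runs between an operand being pushed and the op consuming it can drop that operand's last reference, and the op cannot tell from the pointer alone.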

p5pRT commented 6 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 6 years ago

From @tonycoz

On Thu, 08 Mar 2018 03:51:14 -0800, davem wrote:

> On Thu, Mar 08, 2018 at 12:26:35AM -0800, via RT wrote:
>
> > ==20930==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e510 at pc 0x0000009fd4cc bp 0x7ffcc315cc40 sp 0x7ffcc315cc30
> > WRITE of size 1 at 0x60200000e510 thread T0
> >     #0 0x9fd4cb in Perl_sv_setpv_bufsize /home/hackyzh/Desktop/perl-5.27.9/sv.c:4860
> >     #1 0xbfee9b in Perl_do_vop /home/hackyzh/Desktop/perl-5.27.9/doop.c:1039
> >     #2 0xa748c6 in Perl_pp_bit_or /home/hackyzh/Desktop/perl-5.27.9/pp.c:2391
> > ...
> > 0x60200000e510 is located 0 bytes inside of 10-byte region [0x60200000e510,0x60200000e51a)
>
> The code reduces to
>
>   $a ^= (*a = 'b');
>
> It's a stack-not-refcounted issue, and not a security issue.

Now public and linked to the stack-not-refcounted meta ticket.

Tony