Open p5pRT opened 6 years ago
There's a use-after-free bug in function `Perl_sv_setpv_bufsize()`, when the buffer pointed to by `sv` is freed. The complete ASAN output is as follows:
```
=================================================================
==9960==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000fb0 at pc 0x0000008159df bp 0x7fff92a6ff50 sp 0x7fff92a6ff48
WRITE of size 1 at 0x602000000fb0 thread T0
    #0 0x8159de in Perl_sv_setpv_bufsize ~/test_progs/perl_dir/perl-asan/sv.c:4961:17
    #1 0x947c4d in Perl_do_vop ~/test_progs/perl_dir/perl-asan/doop.c:1031:9
    #2 0x871462 in Perl_pp_bit_or ~/test_progs/perl_dir/perl-asan/pp.c:2464:2
    #3 0x74c6e9 in Perl_runops_debug ~/test_progs/perl_dir/perl-asan/dump.c:2451:23
    #4 0x5bd845 in S_run_body ~/test_progs/perl_dir/perl-asan/perl.c
    #5 0x5bd0e1 in perl_run ~/test_progs/perl_dir/perl-asan/perl.c:2455:2
    #6 0x543718 in main ~/test_progs/perl_dir/perl-asan/perlmain.c:123:9
    #7 0x7f0dd39baf44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #8 0x43655b in _start (~/test_progs/perl_dir/perl-asan/perl+0x43655b)

0x602000000fb0 is located 0 bytes inside of 10-byte region [0x602000000fb0,0x602000000fba)
freed by thread T0 here:
    #0 0x50ef00 in __interceptor_free /home/farshaq/softwares/llvm-latest/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68
    #1 0x822e57 in Perl_sv_clear ~/test_progs/perl_dir/perl-asan/sv.c:6771:7
    #2 0x826bde in Perl_sv_free2 ~/test_progs/perl_dir/perl-asan/sv.c:7073:9

previously allocated by thread T0 here:
    #0 0x50f266 in malloc /home/farshaq/softwares/llvm-latest/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x74f690 in Perl_safesysmalloc ~/test_progs/perl_dir/perl-asan/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free ~/test_progs/perl_dir/perl-asan/sv.c:4961:17 in Perl_sv_setpv_bufsize
Shadow bytes around the buggy address:
  0x0c047fff81a0: fa fa fd fd fa fa fd fd fa fa 00 02 fa fa fd fd
  0x0c047fff81b0: fa fa fd fa fa fa 00 02 fa fa fd fd fa fa fd fd
  0x0c047fff81c0: fa fa 00 02 fa fa 02 fa fa fa fd fd fa fa fd fa
  0x0c047fff81d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff81e0: fa fa fd fd fa fa 02 fa fa fa fd fa fa fa 00 02
=>0x0c047fff81f0: fa fa fd fd fa fa[fd]fd fa fa 00 02 fa fa 02 fa
  0x0c047fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9960==ABORTING
```
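The report above is the kind of artifact a maintainer has to triage repeatedly, and the later comments in this thread (duplicate of another ticket, write into freed memory, realistic or not) are exactly the questions a first-pass parser can answer mechanically. The following Python script is an added example and not part of the Perl bug report or the perl project: it parses an ASan report of the shape shown above into the faulting access, the free and allocation stacks, a coarse severity, and a signature for grouping duplicate reports. The sample input is an abbreviated copy of the report in this issue (shadow-byte dump omitted); the severity heuristic and signature scheme are this example's own conventions, not anything ASan or perl defines.

```python
"""Parse an AddressSanitizer report into a triage summary (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abbreviated copy of the report in this issue: frames and addresses are the
# originals; the shadow-byte dump is omitted because the parser ignores it.
SAMPLE_REPORT = """\
==9960==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000fb0 at pc 0x0000008159df bp 0x7fff92a6ff50 sp 0x7fff92a6ff48
WRITE of size 1 at 0x602000000fb0 thread T0
    #0 0x8159de in Perl_sv_setpv_bufsize ~/test_progs/perl_dir/perl-asan/sv.c:4961:17
    #1 0x947c4d in Perl_do_vop ~/test_progs/perl_dir/perl-asan/doop.c:1031:9
    #2 0x871462 in Perl_pp_bit_or ~/test_progs/perl_dir/perl-asan/pp.c:2464:2
    #3 0x74c6e9 in Perl_runops_debug ~/test_progs/perl_dir/perl-asan/dump.c:2451:23

0x602000000fb0 is located 0 bytes inside of 10-byte region [0x602000000fb0,0x602000000fba)
freed by thread T0 here:
    #0 0x50ef00 in __interceptor_free /home/farshaq/softwares/llvm-latest/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68
    #1 0x822e57 in Perl_sv_clear ~/test_progs/perl_dir/perl-asan/sv.c:6771:7
    #2 0x826bde in Perl_sv_free2 ~/test_progs/perl_dir/perl-asan/sv.c:7073:9

previously allocated by thread T0 here:
    #0 0x50f266 in malloc /home/farshaq/softwares/llvm-latest/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x74f690 in Perl_safesysmalloc ~/test_progs/perl_dir/perl-asan/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free ~/test_progs/perl_dir/perl-asan/sv.c:4961:17 in Perl_sv_setpv_bufsize
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread (T\d+)")
REGION_RE = re.compile(r"is located \d+ bytes .*? of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s*(.*)$")
# Allocator / sanitizer-runtime frames never identify the real culprit.
RUNTIME_FUNCS = {"malloc", "calloc", "realloc", "free"}
# Error classes where a WRITE means memory corruption rather than "just" a crash.
CORRUPTING = {"heap-use-after-free", "heap-buffer-overflow", "stack-buffer-overflow",
              "global-buffer-overflow", "stack-use-after-return"}


@dataclass
class Frame:
    index: int
    function: str
    location: str

    def is_runtime(self) -> bool:
        return self.function.startswith("__interceptor_") or self.function in RUNTIME_FUNCS


@dataclass
class AsanReport:
    pid: int
    error_type: str
    address: str
    access: Optional[str] = None        # READ or WRITE; absent for e.g. double-free
    access_size: Optional[int] = None
    thread: Optional[str] = None
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    @staticmethod
    def first_program_frame(stack: List[Frame]) -> Optional[Frame]:
        """First frame belonging to the program under test, not the runtime."""
        return next((f for f in stack if not f.is_runtime()), None)

    def signature(self) -> str:
        """Grouping key for duplicates: error class, access kind, top 3 program frames."""
        top = [f.function for f in self.access_stack if not f.is_runtime()][:3]
        return f"{self.error_type}:{self.access or 'NA'}:" + "/".join(top)

    def severity(self) -> str:
        """Example heuristic: a write into freed/out-of-bounds memory can corrupt
        other objects; a read is usually a crash or disclosure; else needs a look."""
        if self.error_type in CORRUPTING:
            return "high" if self.access == "WRITE" else "medium"
        return "review"


def parse_asan_report(text: str) -> AsanReport:
    """Route each frame line into the stack opened by the latest section header."""
    report: Optional[AsanReport] = None
    current: Optional[List[Frame]] = None
    for line in text.splitlines():
        if (m := ERROR_RE.match(line)):
            report = AsanReport(int(m.group(1)), m.group(2), m.group(3))
            current = report.access_stack       # frames follow the ERROR line
        elif report is None:
            continue                            # preamble before the ERROR line
        elif (m := ACCESS_RE.match(line)):
            report.access, report.access_size, report.thread = m.group(1), int(m.group(2)), m.group(3)
        elif (m := REGION_RE.search(line)):
            report.region_size = int(m.group(1))
        elif line.startswith("freed by thread"):
            current = report.free_stack
        elif line.startswith("previously allocated by thread"):
            current = report.alloc_stack
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3).strip()))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report


def summarize(text: str) -> dict:
    r = parse_asan_report(text)

    def culprit(stack: List[Frame]) -> str:
        f = AsanReport.first_program_frame(stack)
        return f.function if f else "?"

    return {"type": r.error_type, "access": r.access, "size": r.access_size,
            "region": r.region_size, "fault_in": culprit(r.access_stack),
            "freed_in": culprit(r.free_stack), "allocated_in": culprit(r.alloc_stack),
            "severity": r.severity(), "signature": r.signature()}


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_REPORT).items():
        print(f"{k:13} {v}")
```

Run on the sample it reports a 1-byte WRITE into a freed 10-byte region, faulting in `Perl_sv_setpv_bufsize`, freed from `Perl_sv_clear`, allocated in `Perl_safesysmalloc`; the signature is what you would compare against an earlier ticket before deciding whether a new report is a duplicate.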
On Sat, Jun 02, 2018 at 01:56:20PM -0700, Yaohui Chen (via RT) wrote:
> This is a bug report for perl from yaohway@gmail.com, generated with the help of perlbug 1.40 running under perl 5.26.2.
> The POC is attached in this mail. Simply running perl compiled with ASAN on the POC file will recreate the problem.
It can be reduced to this:

```perl
$~ |= *~ = $~;
```

It looks like a stack-not-refcounted issue.
> If possible could you also help apply for a CVE.
Since you've posted it to the public bug address, the issue is already public, so a bit late for a CVE!

However, it doesn't look like a realistic security issue. Real code isn't going to be doing `*~ = $~` (which triggers the premature free), then doing bit ops on the stringified result.

--
The crew of the Enterprise encounter an alien life form which is surprisingly neither humanoid nor made from pure energy.
    -- Things That Never Happen in "Star Trek" #22
The RT System itself - Status changed from 'new' to 'open'
This is likely a duplicate of #130256.
Migrated from rt.perl.org#133241 (status was 'open')