Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Reporting a use-after-free vulnerability in function Perl_sv_setpv_bufsize #16576

Open p5pRT opened 6 years ago

p5pRT commented 6 years ago

Migrated from rt.perl.org#133241 (status was 'open')

Searchable as RT133241$

p5pRT commented 6 years ago

From yaohway@gmail.com

Created by yaohway@gmail.com

There's a use-after-free bug in function Perl_sv_setpv_bufsize(), when the buffer pointed to by sv is freed. The complete ASAN output is as follows:

```
==9960==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000fb0 at pc 0x0000008159df bp 0x7fff92a6ff50 sp 0x7fff92a6ff48
WRITE of size 1 at 0x602000000fb0 thread T0
    #0 0x8159de in Perl_sv_setpv_bufsize ~/test_progs/perl_dir/perl-asan/sv.c:4961:17
    #1 0x947c4d in Perl_do_vop ~/test_progs/perl_dir/perl-asan/doop.c:1031:9
    #2 0x871462 in Perl_pp_bit_or ~/test_progs/perl_dir/perl-asan/pp.c:2464:2
    #3 0x74c6e9 in Perl_runops_debug ~/test_progs/perl_dir/perl-asan/dump.c:2451:23
    #4 0x5bd845 in S_run_body ~/test_progs/perl_dir/perl-asan/perl.c
    #5 0x5bd0e1 in perl_run ~/test_progs/perl_dir/perl-asan/perl.c:2455:2
    #6 0x543718 in main ~/test_progs/perl_dir/perl-asan/perlmain.c:123:9
    #7 0x7f0dd39baf44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #8 0x43655b in _start (~/test_progs/perl_dir/perl-asan/perl+0x43655b)

0x602000000fb0 is located 0 bytes inside of 10-byte region [0x602000000fb0,0x602000000fba)
freed by thread T0 here:
    #0 0x50ef00 in __interceptor_free /home/farshaq/softwares/llvm-latest/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68
    #1 0x822e57 in Perl_sv_clear ~/test_progs/perl_dir/perl-asan/sv.c:6771:7
    #2 0x826bde in Perl_sv_free2 ~/test_progs/perl_dir/perl-asan/sv.c:7073:9

previously allocated by thread T0 here:
    #0 0x50f266 in malloc /home/farshaq/softwares/llvm-latest/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x74f690 in Perl_safesysmalloc ~/test_progs/perl_dir/perl-asan/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free ~/test_progs/perl_dir/perl-asan/sv.c:4961:17 in Perl_sv_setpv_bufsize
==9960==ABORTING
```

Perl Info

```
Flags:
    category=core
    severity=high

Site configuration information for perl 5.26.2:

Configured by farshaq at Sat Jun 2 15:41:08 EDT 2018.

Summary of my perl5 (revision 5 version 26 subversion 2) configuration:

  Platform:
    osname=linux
    osvers=4.4.0-57-generic
    archname=x86_64-linux
    uname='linux farshaq-terminator 4.4.0-57-generic #78~14.04.1-ubuntu smp sat dec 10 00:14:47 utc 2016 x86_64 x86_64 x86_64 gnulinux '
    config_args='-de -Dusedevel -DEBUGGING -Doptimize=-g -O2 -Dcc=clang -Accflags=-fsanitize=address -Aldflags=-fsanitize=address'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='clang'
    ccflags ='-fsanitize=address -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-g -O2'
    cppflags='-fsanitize=address -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 6.0.0 (trunk 310803)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='clang'
    ldflags =' -fsanitize=address -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/local/lib/clang/6.0.0/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.19.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -g -O2 -L/usr/local/lib -fstack-protector-strong'

@INC for perl 5.26.2:
    /usr/local/lib/perl5/site_perl/5.26.2/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.26.2
    /usr/local/lib/perl5/5.26.2/x86_64-linux
    /usr/local/lib/perl5/5.26.2

Environment for perl 5.26.2:
    HOME=/home/farshaq
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/farshaq/work/VulSniper/umet_aosp_6.0.1_r8/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/bin:/home/farshaq/Android/Sdk/platform-tools:/home/farshaq/Android/Sdk/tools:/home/farshaq/work/VulSniper/umet_aosp_6.0.1_r8/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/bin:/home/farshaq/Android/Sdk/platform-tools:/home/farshaq/Android/Sdk/tools:/home/farshaq/work/VulSniper/umet_aosp_6.0.1_r8/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/bin:/home/farshaq/Android/Sdk/platform-tools:/home/farshaq/Android/Sdk/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/fish
```
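A small triage helper for ASan reports of the shape shown in this issue, added here as an example; it is not code from the issue or from the perl5 project. It parses the error kind, the access type and size, and the access, free and allocation stacks, then skips the sanitizer's own interceptor frames to surface the three sites a reviewer wants first (here the write in Perl_sv_setpv_bufsize, the free in Perl_sv_clear and the allocation in Perl_safesysmalloc). The embedded report is a constructed, abbreviated version of the one above.

```python
import re
# Constructed sample (assumption): an abbreviated ASan report shaped like the one in this
# issue, paths shortened; not a verbatim copy of that report.
SAMPLE_REPORT = """\
==9960==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000fb0 at pc 0x0000008159df
WRITE of size 1 at 0x602000000fb0 thread T0
    #0 0x8159de in Perl_sv_setpv_bufsize sv.c:4961:17
    #1 0x947c4d in Perl_do_vop doop.c:1031:9
0x602000000fb0 is located 0 bytes inside of 10-byte region [0x602000000fb0,0x602000000fba)
freed by thread T0 here:
    #0 0x50ef00 in __interceptor_free asan_malloc_linux.cc:68
    #1 0x822e57 in Perl_sv_clear sv.c:6771:7
previously allocated by thread T0 here:
    #0 0x50f266 in malloc asan_malloc_linux.cc:88
    #1 0x74f690 in Perl_safesysmalloc util.c:153:21
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
RUNTIME_FRAMES = ("__interceptor_", "malloc", "free", "realloc", "calloc")  # ASan runtime frames to skip

def parse_asan_report(text):
    """Split an ASan report into error kind, access type/size and the three stacks."""
    r = {"kind": "", "access": "", "size": 0,
         "stacks": {"access": [], "free": [], "alloc": []}}
    section = "access"  # frames before "freed by" belong to the faulting access
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            r["kind"] = m.group(1)
        elif m := ACCESS_RE.match(line):
            r["access"], r["size"] = m.group(1), int(m.group(2))
        elif line.startswith("freed by"):
            section = "free"
        elif line.startswith("previously allocated"):
            section = "alloc"
        elif m := FRAME_RE.match(line):
            r["stacks"][section].append((m.group(1), m.group(2)))  # (function, file:line:col)
    return r

def first_program_frame(frames):
    # first frame from the program under test rather than the sanitizer runtime
    return next((f for f in frames if not f[0].startswith(RUNTIME_FRAMES)), None)

def triage_summary(r):
    """Where the freed buffer was written, freed and allocated, plus a severity flag."""
    return {"kind": r["kind"],
            "access_site": first_program_frame(r["stacks"]["access"]),
            "free_site": first_program_frame(r["stacks"]["free"]),
            "alloc_site": first_program_frame(r["stacks"]["alloc"]),
            "write_after_free": r["kind"] == "heap-use-after-free" and r["access"] == "WRITE"}
```

The `write_after_free` flag separates a write through the dangling pointer, as in this report, from a read-only UAF when ranking crashes from a fuzzing run.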
p5pRT commented 6 years ago

From yaohway@gmail.com

poc

p5pRT commented 6 years ago

From @iabyn

On Sat, Jun 02, 2018 at 01:56:20PM -0700, Yaohui Chen (via RT) wrote:

> This is a bug report for perl from yaohway@gmail.com, generated with the help of perlbug 1.40 running under perl 5.26.2.
>
> The POC is attached in this mail. Simply running perl compiled with ASAN on the POC file will recreate the problem.

It can be reduced to this:

    $~ |= *~ = $~;

It looks like a stack-not-refcounted issue.

> If possible could you also help apply for a CVE.

Since you've posted it to the public bug address, the issue is already public, so a bit late for a CVE!

However, it doesn't look like a realistic security issue. Real code isn't going to be doing `*~ = $~` (which triggers the premature free), then doing bit ops on the stringified result.

--
The crew of the Enterprise encounter an alien life form which is surprisingly neither humanoid nor made from pure energy.
    -- Things That Never Happen in "Star Trek" #22

p5pRT commented 6 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 5 years ago

From geeknik@protonmail.ch

This is likely a duplicate of #130256.