stack overflow in Perl_push_scope ()

[p5pRT]

Migrated from rt.perl.org#131537 (status was 'open')

Searchable as RT131537$

[p5pRT]

From @Mipu94

I have found a bug that triggered stack-buffer-overflow. this bug
affect on perl v5.22.1.

Please find POC attached bellow to check.

some info about this bug with GDB and ASAN.

[GDB]

[----------------------------------registers-----------------------------------]
RAX​: 0x2d ('-')
RBX​: 0x0
RCX​: 0x2decfb0 --> 0x0
RDX​: 0x0
RSI​: 0x2d ('-')
RDI​: 0xeb5b98 --> 0xeb40f8 --> 0x0
RBP​: 0x2e10b00 --> 0x2e1e430 --> 0xeb5c10 --> 0xea0ee0 --> 0x0
RSP​: 0x7fffff7fefd0
RIP​: 0x8ced88 (<Perl_push_scope+8>​: mov QWORD PTR [rsp],rdx)
R8 : 0x0
R9 : 0x2decfb0 --> 0x0
R10​: 0x0
R11​: 0x2e10b48 --> 0x2decfb0 --> 0x0
R12​: 0xeb5b98 --> 0xeb40f8 --> 0x0
R13​: 0x1
R14​: 0x2e10b30 --> 0x2e10b20 --> 0xff00000000
R15​: 0xeb5b98 --> 0xeb40f8 --> 0x0
EFLAGS​: 0x10202 (carry parity adjust zero sign trap INTERRUPT
direction overflow)
[-------------------------------------code-------------------------------------]
  0x8ced78 <Perl_cxinc+328>​: call 0x8ce900 <S_croak_memory_wrap>
  0x8ced7d​: nop DWORD PTR [rax]
  0x8ced80 <Perl_push_scope>​: lea rsp,[rsp-0x98]
=> 0x8ced88 <Perl_push_scope+8>​: mov QWORD PTR [rsp],rdx
  0x8ced8c <Perl_push_scope+12>​: mov QWORD PTR [rsp+0x8],rcx
  0x8ced91 <Perl_push_scope+17>​: mov QWORD PTR [rsp+0x10],rax
  0x8ced96 <Perl_push_scope+22>​: mov rcx,0x67e
  0x8ced9d <Perl_push_scope+29>​: call 0x8d95c0 <__afl_maybe_log>
[------------------------------------stack-------------------------------------]
Invalid $SP address​: 0x7fffff7fefd0
[------------------------------------------------------------------------------]
blue
Legend​: code, data, rodata, value
Stopped reason​: SIGSEGV
0x00000000008ced88 in Perl_push_scope () at scope.c​:105

[ASAN]

  #246 0x5dc819 (/home/mipu94/fuzz/fuzzperl/perl-asan+0x5dc819)
  #247 0x5dbd29 (/home/mipu94/fuzz/fuzzperl/perl-asan+0x5dbd29)
  #248 0x5dca19 (/home/mipu94/fuzz/fuzzperl/perl-asan+0x5dca19)
  #249 0x5fc1ae (/home/mipu94/fuzz/fuzzperl/perl-asan+0x5fc1ae)
  #250 0x548ee0 (/home/mipu94/fuzz/fuzzperl/perl-asan+0x548ee0)

SUMMARY​: AddressSanitizer​: stack-overflow
(/home/mipu94/fuzz/fuzzperl/perl-asan+0x4b91b5)
==24209==ABORTING

--
Ta Dinh Sung,

[p5pRT]

From @Mipu94

poc

[p5pRT]

From @iabyn

On Thu, Jun 08, 2017 at 07​:26​:11AM -0700, sung wrote​:

I have found a bug that triggered stack-buffer-overflow. this bug
affect on perl v5.22.1.

This is one of a class of perl bugs which can cause the C stack to
overflow. As well as your recursive DESTROY example, you can create
similar effects with tied variable handlers, overload handlers etc.

I don't see that that it's a security issue though.

--
Never work with children, animals, or actors.

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @tonycoz

On Fri, 09 Jun 2017 03​:30​:56 -0700, davem wrote​:

On Thu, Jun 08, 2017 at 07​:26​:11AM -0700, sung wrote​:

I have found a bug that triggered stack-buffer-overflow. this bug
affect on perl v5.22.1.

This is one of a class of perl bugs which can cause the C stack to
overflow. As well as your recursive DESTROY example, you can create
similar effects with tied variable handlers, overload handlers etc.

I don't see that that it's a security issue though.

Yes, this isn't a security issue, and is now public.

If we treat it as a bug, I'm not sure how we could fix it without breaking other things (eg. time of destruction might change.)

Tony