SUMMARY: AddressSanitizer: heap-use-after-free #16817

Closed
p5pRT opened this issue Jan 19, 2019 · 9 comments
Comments

p5pRT commented Jan 19, 2019

Migrated from rt.perl.org#133778 (status was 'resolved')

Searchable as RT133778$

p5pRT commented Jan 19, 2019

From hersheys.ryan@gmail.com

Triggered while fuzzing Perl 5.29.2

=================================================================
==85931==ERROR: AddressSanitizer: heap-use-after-free on address
0x61900000a478 at pc 0x000000d3d00b bp 0x7ffeb92c0670 sp 0x7ffeb92c0668
WRITE of size 8 at 0x61900000a478 thread T0
  #0 0xd3d00a (/usr/local/bin/perl5.29.2+0xd3d00a)
  #1 0xa11b68 (/usr/local/bin/perl5.29.2+0xa11b68)
  #2 0x669ed5 (/usr/local/bin/perl5.29.2+0x669ed5)
  #3 0x506dfb (/usr/local/bin/perl5.29.2+0x506dfb)
  #4 0x7f42fc1d182f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #5 0x435388 (/usr/local/bin/perl5.29.2+0x435388)

0x61900000a478 is located 1016 bytes inside of 1024-byte region
[0x61900000a080,0x61900000a480)
freed by thread T0 here:
  #0 0x4d5838 (/usr/local/bin/perl5.29.2+0x4d5838)
  #1 0xa1b940 (/usr/local/bin/perl5.29.2+0xa1b940)

previously allocated by thread T0 here:
  #0 0x4d54b8 (/usr/local/bin/perl5.29.2+0x4d54b8)
  #1 0xa1ac48 (/usr/local/bin/perl5.29.2+0xa1ac48)

SUMMARY: AddressSanitizer: heap-use-after-free
(/usr/local/bin/perl5.29.2+0xd3d00a)
Shadow bytes around the buggy address:
  0x0c327fff9430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff9470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c327fff9480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c327fff9490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff94a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff94b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff94c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==85931==ABORTING

Summary of my perl5 (revision 5 version 29 subversion 2) configuration:
  Commit id: 50749d5
  Platform:
  osname=linux
  osvers=4.4.0-128-generic
  archname=x86_64-linux
  uname='linux ubuntu 4.4.0-128-generic #154-ubuntu smp fri may 25
14:15:18 utc 2018 x86_64 x86_64 x86_64 gnulinux '
  config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang -Doptimize=-O2
-g'
  hint=recommended
  useposix=true
  d_sigaction=define
  useithreads=undef
  usemultiplicity=undef
  use64bitint=define
  use64bitall=define
  uselongdouble=undef
  usemymalloc=n
  default_inc_excludes_dot=define
  bincompat5005=undef
  Compiler:
  cc='afl-clang'
  ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
  optimize='-O2 -g'
  cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
  ccversion=''
  gccversion='4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final)'
  gccosandvers=''
  intsize=4
  longsize=8
  ptrsize=8
  doublesize=8
  byteorder=12345678
  doublekind=3
  d_longlong=define
  longlongsize=8
  d_longdbl=define
  longdblsize=16
  longdblkind=3
  ivtype='long'
  ivsize=8
  nvtype='double'
  nvsize=8
  Off_t='off_t'
  lseeksize=8
  alignbytes=8
  prototype=define
  Linker and Libraries:
  ld='afl-clang'
  ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/llvm-3.8/bin/../lib/clang/3.8.0/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.23.so
  so=so
  useshrplib=false
  libperl=libperl.a
  gnulibc_version='2.23'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs
  dlext=so
  d_dlsymun=undef
  ccdlflags='-Wl,-E'
  cccdlflags='-fPIC'
  lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
  Compile-time options:
  DEBUGGING
  HAS_TIMES
  PERLIO_LAYERS
  PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_MALLOC_WRAP
  PERL_OP_PARENT
  PERL_PRESERVE_IVUV
  PERL_USE_DEVEL
  USE_64_BIT_ALL
  USE_64_BIT_INT
  USE_LARGE_FILES
  USE_LOCALE
  USE_LOCALE_COLLATE
  USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC
  USE_LOCALE_TIME
  USE_PERLIO
  USE_PERL_ATOF
  Built under linux
  Compiled at Aug 1 2018 10:59:47
  @INC:
  /usr/local/lib/perl5/site_perl/5.29.2/x86_64-linux
  /usr/local/lib/perl5/site_perl/5.29.2
  /usr/local/lib/perl5/5.29.2/x86_64-linux
  /usr/local/lib/perl5/5.29.2

p5pRT commented Jan 19, 2019

From hersheys.ryan@gmail.com

uaf2.pl

p5pRT commented Feb 5, 2019

From @tonycoz

On Fri, 18 Jan 2019 19:33:50 -0800, hersheys.ryan@gmail.com wrote:

Triggered while fuzzing Perl 5.29.2

=================================================================
==85931==ERROR: AddressSanitizer: heap-use-after-free on address
0x61900000a478 at pc 0x000000d3d00b bp 0x7ffeb92c0670 sp 0x7ffeb92c0668
WRITE of size 8 at 0x61900000a478 thread T0
#0 0xd3d00a (/usr/local/bin/perl5.29.2+0xd3d00a)
#1 0xa11b68 (/usr/local/bin/perl5.29.2+0xa11b68)
#2 0x669ed5 (/usr/local/bin/perl5.29.2+0x669ed5)
#3 0x506dfb (/usr/local/bin/perl5.29.2+0x506dfb)
#4 0x7f42fc1d182f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x435388 (/usr/local/bin/perl5.29.2+0x435388)

The attached should fix it.

Tony

p5pRT commented Feb 5, 2019

From @tonycoz

0001-perl-133778-adjust-MARK-if-we-extend-the-stack-in-pp.patch
From e55ae7fab990c07cccf1293beecfc388fa0990ab Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 6 Feb 2019 10:37:58 +1100
Subject: (perl #133778) adjust MARK if we extend the stack in pp_repeat

for a list repeat in scalar/void context
---
 pp.c          |  3 ++-
 t/op/repeat.t | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 85 insertions(+), 2 deletions(-)

diff --git a/pp.c b/pp.c
index 522e985931..19f96f933a 100644
--- a/pp.c
+++ b/pp.c
@@ -1694,7 +1694,8 @@ PP(pp_repeat)
 	    else {
 		dTOPss;
 		ASSUME(MARK + 1 == SP);
-		XPUSHs(sv);
+                MEXTEND(SP, 1);
+                PUSHs(sv);
 		MARK[1] = &PL_sv_undef;
 	    }
 	    SP = MARK + 2;
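Review bot: the two added lines are indented with spaces where the rest of the block uses tabs, and the reason for preferring MEXTEND over XPUSHs deserves a one-line comment, since nothing in the hunk says it: growing the stack can move it, and XPUSHs only updates SP, so the following `MARK[1] = &PL_sv_undef;` and `SP = MARK + 2;` would use a MARK that still points into the old, freed buffer (the 8-byte WRITE at the tail of a freed 1024-byte region in the report), whereas MEXTEND re-bases MARK after the grow. Something like `/* MEXTEND, not XPUSHs: growing the stack may move it and MARK is used below */` above the MEXTEND line would make the next reader's job easier.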
diff --git a/t/op/repeat.t b/t/op/repeat.t
index 978916689b..fa7ce06904 100644
--- a/t/op/repeat.t
+++ b/t/op/repeat.t
@@ -6,7 +6,7 @@ BEGIN {
     set_up_inc( '../lib' );
 }
 
-plan(tests => 49);
+plan(tests => 50);
 
 # compile time
 
@@ -192,3 +192,85 @@ fresh_perl_like(
 
 eval q{() = (() or ((0) x 0)); 1};
 is($@, "", "RT #130247");
+
+# yes, the newlines matter
+fresh_perl_is(<<'PERL', "", { stderr => 1 }, "(perl #133778) MARK mishandling");
+map{s[][];eval;0}<DATA>__END__
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+()x0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+0
+PERL
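Review bot: the test's dependence on its exact line count is flagged ("yes, the newlines matter") but not explained, which invites someone to trim the blank lines later; a short comment saying that the lines read from <DATA> and mapped over are there to bring the stack to exactly its allocation boundary when `()x0` is evaluated in void context, so that the push has to grow the stack, would protect it. Two smaller points: `stderr => 1` means an ASan report or a DEBUGGING assertion shows up as non-empty output, but on a plain build a stale-pointer write into freed memory can pass unnoticed, so the test is most meaningful on a sanitizer or DEBUGGING build and that is worth stating in the test name or a comment; and the trailing `0` line after the `()x0` block is not obviously needed, so a word on why it is there (or dropping it if it is not) would help.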
-- 
2.11.0
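The bug class behind this report, shown as an added example in C that is not perl's code: a value stack kept in a heap buffer, a MARK pointer taken before the stack is grown, and a grow that moves the buffer. The "before" routine mirrors the XPUSHs path (it reports the stale MARK instead of writing through it, so it runs cleanly without ASan), the "after" routine mirrors the MEXTEND path (MARK carried as an offset across the grow). Stack, stack_extend, list_repeat_void_before/after, run_variant and UNDEF are invented names; the grow uses malloc+memcpy+free rather than realloc so that it always moves the buffer, and the third case in main shows that with room left on the stack the buggy path works, which is why the report's test has to fill the stack first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not perl's code.  A minimal growable value stack in the
 * style of PL_stack_base / PL_stack_sp, showing why a MARK pointer saved
 * before the stack is grown becomes the heap-use-after-free in the report,
 * and why re-basing MARK across the grow (what MEXTEND does) fixes it.
 * All names below are invented for this illustration. */

#define UNDEF (-1L)            /* stands in for &PL_sv_undef */

typedef struct {
    long *base;                /* start of the heap buffer holding the items */
    long *sp;                  /* next free slot */
    long *max;                 /* one past the last usable slot */
} Stack;

static int stack_init(Stack *st, size_t cap)
{
    st->base = malloc(cap * sizeof *st->base);
    if (!st->base) return 0;
    st->sp  = st->base;
    st->max = st->base + cap;
    return 1;
}

static void stack_push(Stack *st, long v) { *st->sp++ = v; }  /* caller ensured room */

/* Make room for `need` more items.  malloc+memcpy+free instead of realloc so
 * that a grow always moves the buffer (realloc may grow in place and hide the
 * bug).  The freed old block is the "freed heap region" ASan points at. */
static int stack_extend(Stack *st, size_t need)
{
    size_t used = (size_t)(st->sp - st->base);
    size_t cap  = (size_t)(st->max - st->base);
    if (cap - used >= need) return 1;          /* no move: the bug stays latent */
    size_t newcap = cap * 2 + need;
    long *nb = malloc(newcap * sizeof *nb);
    if (!nb) return 0;
    memcpy(nb, st->base, used * sizeof *nb);
    free(st->base);
    st->base = nb;
    st->sp   = nb + used;
    st->max  = nb + newcap;
    return 1;
}

/* Before the fix (XPUSHs-style): MARK is a raw pointer taken before the grow
 * and used afterwards.  Returns 1 when the push completed, 0 when MARK went
 * stale.  Rather than performing the dangling write ASan caught, it reports
 * it; the old base is compared as an integer, never dereferenced. */
static int list_repeat_void_before(Stack *st, long sv)
{
    long *mark = st->sp;
    uintptr_t old_base = (uintptr_t)st->base;
    if (!stack_extend(st, 2)) return -1;
    stack_push(st, sv);                        /* fine: goes through st->sp */
    if ((uintptr_t)st->base != old_base)
        return 0;        /* mark[1] = UNDEF here would be the WRITE into freed memory */
    mark[1] = UNDEF;
    st->sp = mark + 2;
    return 1;
}

/* After the fix (MEXTEND-style): keep MARK as an offset from base across the
 * grow and re-derive the pointer from the possibly new base. */
static int list_repeat_void_after(Stack *st, long sv)
{
    ptrdiff_t markoff = st->sp - st->base;
    if (!stack_extend(st, 2)) return -1;
    long *mark = st->base + markoff;           /* always inside live memory */
    mark[0] = sv;
    mark[1] = UNDEF;
    st->sp = mark + 2;
    return 1;
}

/* Run one variant on a stack of capacity `cap` holding `fill` items.  With
 * fill == cap the push must grow the stack, the condition the report's test
 * builds up with its many <DATA> lines.  Out-params: item count, top item. */
static int run_variant(int fixed, size_t cap, size_t fill, long *count, long *top)
{
    Stack st;
    if (!stack_init(&st, cap)) return -1;
    for (size_t i = 0; i < fill; i++) stack_push(&st, (long)i);
    int rc = fixed ? list_repeat_void_after(&st, 42) : list_repeat_void_before(&st, 42);
    if (count) *count = (long)(st.sp - st.base);
    if (top)   *top   = st.sp > st.base ? st.sp[-1] : 0;
    free(st.base);
    return rc;
}

static long variant_items(int fixed, size_t cap, size_t fill) { long c = 0; run_variant(fixed, cap, fill, &c, NULL); return c; }
static long variant_top(int fixed, size_t cap, size_t fill)   { long t = 0; run_variant(fixed, cap, fill, NULL, &t); return t; }

int main(void)
{
    printf("before fix, full stack: rc=%d (0 = MARK went stale)\n", run_variant(0, 4, 4, NULL, NULL));
    printf("after fix,  full stack: rc=%d items=%ld top=%ld\n",
           run_variant(1, 4, 4, NULL, NULL), variant_items(1, 4, 4), variant_top(1, 4, 4));
    printf("before fix, room left:  rc=%d (no grow, bug latent)\n", run_variant(0, 8, 2, NULL, NULL));
    return 0;
}
```

The fix pattern generalises beyond pp_repeat: any pointer into a buffer that can be reallocated must be stored as an offset (or re-derived from the new base) across every call that may grow the buffer, which is exactly the bookkeeping MEXTEND does for MARK and XPUSHs does not.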

p5pRT commented Feb 5, 2019

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Feb 21, 2019

From @tonycoz

On Tue, 05 Feb 2019 15:41:52 -0800, tonyc wrote:

On Fri, 18 Jan 2019 19:33:50 -0800, hersheys.ryan@gmail.com wrote:

Triggered while fuzzing Perl 5.29.2

=================================================================
==85931==ERROR: AddressSanitizer: heap-use-after-free on address
0x61900000a478 at pc 0x000000d3d00b bp 0x7ffeb92c0670 sp 0x7ffeb92c0668
WRITE of size 8 at 0x61900000a478 thread T0
#0 0xd3d00a (/usr/local/bin/perl5.29.2+0xd3d00a)
#1 0xa11b68 (/usr/local/bin/perl5.29.2+0xa11b68)
#2 0x669ed5 (/usr/local/bin/perl5.29.2+0x669ed5)
#3 0x506dfb (/usr/local/bin/perl5.29.2+0x506dfb)
#4 0x7f42fc1d182f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x435388 (/usr/local/bin/perl5.29.2+0x435388)

The attached should fix it.

Applied as d81b773.

Tony

p5pRT commented Feb 21, 2019

@tonycoz - Status changed from 'open' to 'pending release'

p5pRT commented May 22, 2019

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.30.0, this and 160 other issues have been
resolved.

Perl 5.30.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.30.0

If you find that the problem persists, feel free to reopen this ticket.

p5pRT commented May 22, 2019

@khwilliamson - Status changed from 'pending release' to 'resolved'
