heap-buffer-overflow in Perl_my_atof3 #17279
Comments
This turns out to be a bug in code that I didn't add :) The bug is in my_atof3. The code under some #ifdefs parses the input and moves the input past any leading white space and sign. But it forgets it has done this when it looks to see if there is something after the 0. There isn't in this case, and so it does an out-of-bounds read. It's looking for 0x or 0b here. Are those legal if there is a sign? I suppose so, but writing +0xdeadbeef seems odd to me. I started to work on this, and decided to let others think about it. The various combinations of what's compiled make it somewhat tricky. My Linux box says that strtod and strtold accept leading space and sign, but the documentation for strtoflt128 has no detail like that.
@sisyphus what do you think?
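The pattern described in the comment above, as an added, simplified illustration that is not Perl's own my_atof3 code: a length-bounded parser advances past leading whitespace and a sign, then bounds its "0x"/"0b" lookahead by the original length instead of the bytes that remain. The function names and the sample inputs are invented for this example. To make the over-read observable without undefined behaviour, the sample places an 'x' in the byte just past the declared length; in the real crash that byte sat just past a 5-byte heap allocation, which is what ASAN reported.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Skip leading whitespace and an optional sign within [s, end).
   Reports how many bytes were consumed through *skipped. */
static const char *skip_ws_and_sign(const char *s, const char *end, size_t *skipped)
{
    const char *p = s;
    while (p < end && isspace((unsigned char)*p))
        p++;
    if (p < end && (*p == '+' || *p == '-'))
        p++;
    *skipped = (size_t)(p - s);
    return p;
}

/* BUGGY (hypothetical model of the reported defect): the radix-prefix
   lookahead is bounded by the ORIGINAL len even though s was advanced.
   For "-0" with len == 2, s points at "0", len >= 2 passes, and s[1]
   is one byte past the end of the input. Returns the detected radix. */
int radix_prefix_buggy(const char *start, size_t len)
{
    size_t skipped;
    const char *s = skip_ws_and_sign(start, start + len, &skipped);
    /* forgets that `skipped` bytes have already been consumed */
    if (len >= 2 && s[0] == '0') {
        if (s[1] == 'x' || s[1] == 'X') return 16;
        if (s[1] == 'b' || s[1] == 'B') return 2;
    }
    return 10;
}

/* FIXED: bound the lookahead by the bytes that actually remain after the
   whitespace and sign were skipped. Whether a sign before 0x should be
   accepted at all is the policy question raised in the comment; this
   version only keeps the read in bounds. */
int radix_prefix_fixed(const char *start, size_t len)
{
    size_t skipped;
    const char *s = skip_ws_and_sign(start, start + len, &skipped);
    size_t remaining = len - skipped;   /* skipped <= len by construction */
    if (remaining >= 2 && s[0] == '0') {
        if (s[1] == 'x' || s[1] == 'X') return 16;
        if (s[1] == 'b' || s[1] == 'B') return 2;
    }
    return 10;
}

int main(void)
{
    /* Constructed input: the logical string is "-0" (len 2); the 'x' at
       index 2 stands in for whatever byte follows the buffer in memory. */
    const char *sample = "-0x";
    printf("buggy: radix %d (read past the 2-byte input)\n", radix_prefix_buggy(sample, 2));
    printf("fixed: radix %d\n", radix_prefix_fixed(sample, 2));
    printf("fixed on \" -0b101\": radix %d\n", radix_prefix_fixed(" -0b101", 7));
    return 0;
}
```

The buggy variant reports radix 16 for the two-byte input "-0" only because it read the byte past the end; the fixed variant, which recomputes the remaining length from the advanced pointer, reports radix 10 and still recognises a genuine "0x"/"0b" prefix after whitespace and a sign.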
Is there some program I can run (either Perl or XS) that will enable me to
more clearly see the problem ?
IOW, how does one demonstrate this issue ?
Cheers,
Rob
On 11/10/19 9:06 PM, sisyphus wrote:
Is there some program I can run (either Perl or XS) that will enable me to
more clearly see the problem ?
IOW, how does one demonstrate this issue ?
See the new test added in #17289
This is a bug report for perl from [email protected],
generated with the help of perlbug 1.41 running under perl 5.31.6.
While fuzzing perl v5.31.5-213-g9bec17d7c built with afl and run
under libdislocator, I found the following program
0=~/\p{nV:-0}/
to cause heap-buffer-overflow. ASAN diagnostics are:
==44466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001375 at pc 0x000000db90b1 bp 0x7ffc4c3fe2f0 sp 0x7ffc4c3fe2e8
READ of size 1 at 0x602000001375 thread T0
#0 0xdb90b0 in Perl_my_atof3 /home/afl/afl-asan/numeric.c:1564:14
#1 0x816b5d in Perl_parse_uniprop_string /home/afl/afl-asan/regcomp.c:23624:24
#2 0x88ce21 in S_regclass /home/afl/afl-asan/regcomp.c:17210:44
#3 0x8673b8 in S_regatom /home/afl/afl-asan/regcomp.c:13538:19
#4 0x849b82 in S_regpiece /home/afl/afl-asan/regcomp.c:12404:11
#5 0x849b82 in S_regbranch /home/afl/afl-asan/regcomp.c:12324
#6 0x7a6080 in S_reg /home/afl/afl-asan/regcomp.c:12026:10
#7 0x78122f in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7738:9
#8 0x55c406 in Perl_pmruntime /home/afl/afl-asan/op.c:8089:6
#9 0x752a87 in Perl_yyparse /home/afl/afl-asan/perly.y:1260:23
#10 0x614bfc in S_parse_body /home/afl/afl-asan/perl.c:2529:9
#11 0x60a9b6 in perl_parse /home/afl/afl-asan/perl.c:1820:2
#12 0x5352bd in main /home/afl/afl-asan/perlmain.c:132:18
#13 0x7f7b3ec4509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#14 0x43ccb9 in _start (/home/afl/afl-asan/perl+0x43ccb9)
0x602000001375 is located 0 bytes to the right of 5-byte region [0x602000001370,0x602000001375)
allocated by thread T0 here:
#0 0x501a90 in malloc (/home/afl/afl-asan/perl+0x501a90)
#1 0x8ded86 in Perl_safesysmalloc /home/afl/afl-asan/util.c:155:21
#2 0x81451c in Perl_parse_uniprop_string /home/afl/afl-asan/regcomp.c:22771:5
#3 0x88ce21 in S_regclass /home/afl/afl-asan/regcomp.c:17210:44
#4 0x8673b8 in S_regatom /home/afl/afl-asan/regcomp.c:13538:19
#5 0x849b82 in S_regpiece /home/afl/afl-asan/regcomp.c:12404:11
#6 0x849b82 in S_regbranch /home/afl/afl-asan/regcomp.c:12324
#7 0x7a6080 in S_reg /home/afl/afl-asan/regcomp.c:12026:10
#8 0x78122f in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7738:9
#9 0x55c406 in Perl_pmruntime /home/afl/afl-asan/op.c:8089:6
#10 0x752a87 in Perl_yyparse /home/afl/afl-asan/perly.y:1260:23
#11 0x614bfc in S_parse_body /home/afl/afl-asan/perl.c:2529:9
#12 0x60a9b6 in perl_parse /home/afl/afl-asan/perl.c:1820:2
#13 0x5352bd in main /home/afl/afl-asan/perlmain.c:132:18
#14 0x7f7b3ec4509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
This is a regression in blead; bisect points to
commit 14d26b4 (HEAD, refs/bisect/bad)
Author: Tony Cook [email protected]
AuthorDate: Tue Aug 20 15:43:05 2019 +1000
Commit: Tony Cook [email protected]
CommitDate: Mon Aug 26 09:42:10 2019 +1000
Flags:
category=core
severity=high
Site configuration information for perl 5.31.6:
Configured by dur-randir at Fri Nov 8 05:18:19 MSK 2019.
Summary of my perl5 (revision 5 version 31 subversion 6) configuration:
Commit id: 1462134
Platform:
osname=darwin
osvers=13.4.0
archname=darwin-2level
uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0: mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64 x86_64 '
config_args='-de -Dusedevel -DDEBUGGING'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='cc'
ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include -DPERL_USE_SAFE_PUTENV'
optimize='-O3 -g'
cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include'
ccversion=''
gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='cc'
ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib -L/opt/local/lib'
libpth=/usr/local/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib /usr/lib /opt/local/lib
libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
perllibs=-lpthread -ldl -lm -lutil -lc
libc=
so=dylib
useshrplib=false
libperl=libperl.a
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=bundle
d_dlsymun=undef
ccdlflags=' '
cccdlflags=' '
lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined dynamic_lookup -L/usr/local/lib -L/opt/local/lib -fstack-protector'
@inc for perl 5.31.6:
lib
/usr/local/lib/perl5/site_perl/5.31.6/darwin-2level
/usr/local/lib/perl5/site_perl/5.31.6
/usr/local/lib/perl5/5.31.6/darwin-2level
/usr/local/lib/perl5/5.31.6
Environment for perl 5.31.6:
DYLD_LIBRARY_PATH (unset)
HOME=/Users/dur-randir
LANG=en_US.UTF-8
LANGUAGE (unset)
LC_CTYPE=en_US.UTF-8
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin:/opt/local/bin:/usr/texbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/Library/TeX/texbin
PERLBREW_HOME=/Users/dur-randir/.perlbrew
PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.26.0/man
PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin
PERLBREW_PERL=perl-5.26.0
PERLBREW_ROOT=/Users/dur-randir/perlbrew
PERLBREW_SHELLRC_VERSION=0.86
PERLBREW_VERSION=0.86
PERL_BADLANG (unset)
SHELL=/opt/local/bin/zsh