Memory read overflow in Perl_grok_infnan #17367

Closed
lightsey opened this issue Dec 17, 2019 · 0 comments
@lightsey
Contributor

Description

This issue was originally reported to the Perl security team by Sergey Aleynikov as SEC-129. The Perl security team does not consider this issue to represent a vulnerability.

The bug is a 1 byte read overflow in Perl_grok_infnan introduced between 5.28 and 5.30 by the following commit:

f394a63acec59165936868c5a8fa2daef2adb7bf is the first bad commit
commit f394a63acec59165936868c5a8fa2daef2adb7bf
Author: Karl Williamson <[email protected]>
Date:   Mon Apr 30 10:39:46 2018 -0600

    utf8.c: Use \p{nv=float}

    Now that the float data is available to us (in the previous commit), we
    can take advantage of it, and avoid swash creation.

    We just use the perl atof() to convert the input string to an NV, and
    then convert back to a string, but in guaranteed canonical form.  Then
    we look that up.

The overflow behavior causes no user visible bug. It is only evident when Perl is compiled with address sanitizer.

Steps to Reproduce

$ ./perl -e '0=~/\p{nv:NAnq}/'
=================================================================
==25672==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5e01c97 at pc 0x57b92f3a bp 0xffbb9588 sp 0xffbb957c
READ of size 1 at 0xf5e01c97 thread T0
    #0 0x57b92f39 in Perl_grok_infnan /home/jd/src/git/lab/perl5/numeric.c:793
    #1 0x57b9394f in S_my_atof_infnan /home/jd/src/git/lab/perl5/numeric.c:1429
    #2 0x57b9394f in Perl_my_atof3 /home/jd/src/git/lab/perl5/numeric.c:1557
    #3 0x5728d839 in Perl_parse_uniprop_string /home/jd/src/git/lab/perl5/regcomp.c:24065
    #4 0x572f958a in S_regclass /home/jd/src/git/lab/perl5/regcomp.c:17484
    #5 0x5732cd25 in S_regatom /home/jd/src/git/lab/perl5/regcomp.c:13555
    #6 0x57359e81 in S_regpiece /home/jd/src/git/lab/perl5/regcomp.c:12421
    #7 0x57359e81 in S_regbranch /home/jd/src/git/lab/perl5/regcomp.c:12341
    #8 0x57367f71 in S_reg /home/jd/src/git/lab/perl5/regcomp.c:12043
    #9 0x5739e3b8 in Perl_re_op_compile /home/jd/src/git/lab/perl5/regcomp.c:7744
    #10 0x56f1bf24 in Perl_pmruntime /home/jd/src/git/lab/perl5/op.c:8166
    #11 0x5716b1da in Perl_yyparse /home/jd/src/git/lab/perl5/perly.y:1260
    #12 0x56f77cb3 in S_parse_body /home/jd/src/git/lab/perl5/perl.c:2601
    #13 0x56f7f674 in perl_parse /home/jd/src/git/lab/perl5/perl.c:1892
    #14 0x56ce9ebe in main /home/jd/src/git/lab/perl5/perlmain.c:126
    #15 0xf7ba7b40 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1ab40)
    #16 0x56ceabf0 in _start (/home/jd/src/git/lab/perl5/perl+0x723bf0)

0xf5e01c97 is located 0 bytes to the right of 7-byte region [0xf5e01c90,0xf5e01c97)
allocated by thread T0 here:
    #0 0x56dbc604 in __interceptor_malloc (/home/jd/src/git/lab/perl5/perl+0x7f5604)
    #1 0x57421f8d in Perl_safesysmalloc /home/jd/src/git/lab/perl5/util.c:155

Perl configuration

Summary of my perl5 (revision 5 version 31 subversion 7) configuration:
  Commit id: 06d9a3d13e993e5cadfae73035700bd536e31d44
  Platform:
    osname=linux
    osvers=4.19.0-6-amd64
    archname=x86_64-linux
    uname='linux toucan 4.19.0-6-amd64 #1 smp debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=gcc -Accflags=-m32 -O0 -ggdb3 -fsanitize=address -fsanitize=undefined -static-libasan -static-libubsan -Aldflags=-m32 -O0 -ggdb3 -fsanitize=address -fsanitize=undefined -static-libasan -static-libubsan -Alddlflags=-shared -m32 -O0 -ggdb3 -fsanitize=address -fsanitize=undefined -static-libasan -static-libubsan'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=undef
    use64bitall=undef
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='gcc'
    ccflags ='-m32 -O0 -ggdb3 -fsanitize=address -fsanitize=undefined -static-libasan -static-libubsan -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O2 -g'
    cppflags='-m32 -O0 -ggdb3 -fsanitize=address -fsanitize=undefined -static-libasan -static-libubsan -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='8.3.0'
    gccosandvers=''
    intsize=4
    longsize=4
    ptrsize=4
    doublesize=8
    byteorder=1234
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=12
    longdblkind=3
    ivtype='long'
    ivsize=4
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=4
    prototype=define
  Linker and Libraries:
    ld='gcc'
    ldflags =' -m32 -O0 -ggdb3 -fsanitize=address -fsanitize=undefined -static-libasan -static-libubsan -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/8/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -lgdbm -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.28.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.28'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags=' -shared -m32 -O0 -ggdb3 -fsanitize=address -fsanitize=undefined -static-libasan -static-libubsan -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options:
    DEBUGGING
    HAS_TIMES
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    PERL_USE_DEVEL
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
  Built under linux
  Compiled at Dec 16 2019 15:06:44
  %ENV:
    PERL5LIB="lib"
  @INC:
    lib
    /usr/local/lib/perl5/site_perl/5.31.7/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.31.7
    /usr/local/lib/perl5/5.31.7/x86_64-linux
    /usr/local/lib/perl5/5.31.7
khwilliamson added a commit that referenced this issue Dec 17, 2019
This is a bug in grok_infnan() in which in one place it failed to check
that it was reading within bounds.
khwilliamson added a commit that referenced this issue Dec 17, 2019
Like GH #17367, this was caused by a failure to check that we aren't at
the end of the buffer after advancing the ptr to it.
steve-m-hay pushed a commit that referenced this issue Feb 12, 2020
This is a bug in grok_infnan() in which in one place it failed to check
that it was reading within bounds.

(cherry picked from commit 81d1145)
steve-m-hay pushed a commit that referenced this issue Feb 12, 2020
Like GH #17367, this was caused by a failure to check that we aren't at
the end of the buffer after advancing the ptr to it.

(cherry picked from commit 9f16475)
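The two commit messages above give the root cause: a pointer advanced to the end of a `(s, send)`-bounded buffer and then dereferenced without checking that it had not reached `send`. The block below is an added illustration written for this page, not code from Perl's numeric.c: a deliberately simplified NaN grokker that models that pattern, with the unchecked peek beside its guarded form. The function names, the flag values, the `'q'`/`'s'` suffix handling and the `'('` payload check are all assumptions made for the example; only the shape of the bug (a read at `send` after the advance) is taken from the commit messages. The constructed input places a `'('` immediately after the four in-bounds bytes, so the over-read shows up as a different return value while every byte accessed still lies inside the array; with a NUL there instead the two variants agree, which is why the real bug was invisible without AddressSanitizer.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result flags for this toy grokker (not Perl's IS_NUMBER_* values). */
enum { GROK_NONE = 0, GROK_NAN = 1, GROK_NAN_PAYLOAD = 2, GROK_TRAILING = 4 };

/* Case-insensitive match of the literal `lit` at the start of [s, send). */
static bool match_ci(const char *s, const char *send, const char *lit)
{
    size_t n = strlen(lit);
    if ((size_t)(send - s) < n)
        return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)lit[i]))
            return false;
    return true;
}

/* Model of the buggy pattern: after "nan" and an optional 'q'/'s' suffix the
 * pointer can sit exactly at `send`, and the payload peek `*s == '('` then
 * reads one byte past the buffer. */
static int grok_nan_unchecked(const char *s, const char *send)
{
    if (!match_ci(s, send, "nan"))
        return GROK_NONE;
    s += 3;
    int flags = GROK_NAN;
    if (s < send && (tolower((unsigned char)*s) == 'q' || tolower((unsigned char)*s) == 's'))
        s++;                        /* s may now equal send */
    if (*s == '(')                  /* BUG: dereference without an s < send check */
        flags |= GROK_NAN_PAYLOAD;
    else if (s < send)
        flags |= GROK_TRAILING;     /* unconsumed bytes remain */
    return flags;
}

/* Hardened form: every dereference is guarded by an end-of-buffer check. */
static int grok_nan_checked(const char *s, const char *send)
{
    if (!match_ci(s, send, "nan"))
        return GROK_NONE;
    s += 3;
    int flags = GROK_NAN;
    if (s < send && (tolower((unsigned char)*s) == 'q' || tolower((unsigned char)*s) == 's'))
        s++;
    if (s < send && *s == '(')      /* FIX: check bounds before reading */
        flags |= GROK_NAN_PAYLOAD;
    else if (s < send)
        flags |= GROK_TRAILING;
    return flags;
}

/* Run one variant over the first `len` bytes of `buf`. `buf` is deliberately
 * longer than `len`, so the byte the unchecked version over-reads is still
 * inside the array and the bug shows up as a wrong result rather than as
 * undefined behaviour. */
int grok_prefix(const char *buf, size_t len, bool checked)
{
    const char *send = buf + len;
    return checked ? grok_nan_checked(buf, send) : grok_nan_unchecked(buf, send);
}

int main(void)
{
    /* Constructed input: "NAnq" followed by a '(' that lies outside [s, send). */
    static const char buf[] = "NAnq(";
    printf("unchecked: %d\n", grok_prefix(buf, 4, false)); /* 3: acted on a byte past send */
    printf("checked:   %d\n", grok_prefix(buf, 4, true));  /* 1: plain NaN */
    return 0;
}
```

Building this with `-fsanitize=address` and calling the unchecked variant on a heap buffer of exactly four bytes reproduces the same class of report as the one in the issue (a 1-byte READ immediately to the right of the allocation); the in-array sentinel used here is just a way to make the defect observable in a plain test.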