heap-buffer-overflow in Perl_grok_infnan #17370

Closed
dur-randir opened this issue Dec 17, 2019 · 0 comments

dur-randir commented Dec 17, 2019

This is a bug report for perl from [email protected],
generated with the help of perlbug 1.41 running under perl 5.31.6.

[Please describe your issue here]

While fuzzing perl v5.31.5-213-g9bec17d7c built with afl and run
under libdislocator, I found the following program

0=~/\p{nv=qnan}/

to cause heap-buffer-overflow. ASAN diagnostics are:

==36610==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f3b7 at pc 0x000000dca57a bp 0x7ffd251d7ff0 sp 0x7ffd251d7fe8
READ of size 1 at 0x60200000f3b7 thread T0
    #0 0xdca579 in Perl_grok_infnan /home/afl/afl-runner/numeric.c:789:17
    #1 0xdcdd5c in S_my_atof_infnan /home/afl/afl-runner/numeric.c:1432:24
    #2 0xdcdd5c in Perl_my_atof3 /home/afl/afl-runner/numeric.c:1560
    #3 0x81b17e in Perl_parse_uniprop_string /home/afl/afl-runner/regcomp.c:24065:24
    #4 0x896381 in S_regclass /home/afl/afl-runner/regcomp.c:17484:44
    #5 0x86b329 in S_regatom /home/afl/afl-runner/regcomp.c:13555:19
    #6 0x84db52 in S_regpiece /home/afl/afl-runner/regcomp.c:12421:11
    #7 0x84db52 in S_regbranch /home/afl/afl-runner/regcomp.c:12341
    #8 0x7a77b8 in S_reg /home/afl/afl-runner/regcomp.c:12043:10
    #9 0x784a7f in Perl_re_op_compile /home/afl/afl-runner/regcomp.c:7744:9
    #10 0x55c2d6 in Perl_pmruntime /home/afl/afl-runner/op.c:8168:6
    #11 0x7566f7 in Perl_yyparse /home/afl/afl-runner/perly.y:1260:23
    #12 0xbcbf5a in S_doeval_compile /home/afl/afl-runner/pp_ctl.c:3540:77
    #13 0xbc8b8c in Perl_pp_entereval /home/afl/afl-runner/pp_ctl.c:4516:9
    #14 0x8e34ba in Perl_runops_debug /home/afl/afl-runner/dump.c:2571:23
    #15 0x61e33e in S_run_body /home/afl/afl-runner/perl.c
    #16 0x61d7a8 in perl_run /home/afl/afl-runner/perl.c:2709:2
    #17 0x5352f3 in main /home/afl/afl-runner/perlmain.c:134:9
    #18 0x7fb3c405c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #19 0x43ccb9 in _start (/home/afl/afl-runner/perl+0x43ccb9)

This is a regression between 5.28 and 5.30, bisect points to

f394a63 is the first bad commit
commit f394a63
Author: Karl Williamson [email protected]
Date: Mon Apr 30 10:39:46 2018 -0600

utf8.c: Use \p{nv=float}

Now that the float data is available to us (in the previous commit), we
can take advantage of it, and avoid swash creation.

We just use the perl atof() to convert the input string to an NV, and
then convert back to a string, but in guaranteed canonical form.  Then
we look that up.
[Please do not change anything below this line]
Flags:
category=core
severity=medium
Site configuration information for perl 5.31.6:

Configured by dur-randir at Fri Nov 8 05:18:19 MSK 2019.

Summary of my perl5 (revision 5 version 31 subversion 6) configuration:
Commit id: 1462134
Platform:
osname=darwin
osvers=13.4.0
archname=darwin-2level
uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0: mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64 x86_64 '
config_args='-de -Dusedevel -DDEBUGGING'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='cc'
ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include -DPERL_USE_SAFE_PUTENV'
optimize='-O3 -g'
cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include'
ccversion=''
gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='cc'
ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib -L/opt/local/lib'
libpth=/usr/local/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib /usr/lib /opt/local/lib
libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
perllibs=-lpthread -ldl -lm -lutil -lc
libc=
so=dylib
useshrplib=false
libperl=libperl.a
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=bundle
d_dlsymun=undef
ccdlflags=' '
cccdlflags=' '
lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined dynamic_lookup -L/usr/local/lib -L/opt/local/lib -fstack-protector'

@inc for perl 5.31.6:
lib
/usr/local/lib/perl5/site_perl/5.31.6/darwin-2level
/usr/local/lib/perl5/site_perl/5.31.6
/usr/local/lib/perl5/5.31.6/darwin-2level
/usr/local/lib/perl5/5.31.6

Environment for perl 5.31.6:
DYLD_LIBRARY_PATH (unset)
HOME=/Users/dur-randir
LANG=en_US.UTF-8
LANGUAGE (unset)
LC_CTYPE=en_US.UTF-8
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin:/opt/local/bin:/usr/texbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/Library/TeX/texbin
PERLBREW_HOME=/Users/dur-randir/.perlbrew
PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.26.0/man
PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin
PERLBREW_PERL=perl-5.26.0
PERLBREW_ROOT=/Users/dur-randir/perlbrew
PERLBREW_SHELLRC_VERSION=0.86
PERLBREW_VERSION=0.86
PERL_BADLANG (unset)
SHELL=/opt/local/bin/zsh
khwilliamson added a commit that referenced this issue Dec 17, 2019
Like GH #17367, this was caused by a failure to check that we aren't at
the end of the buffer after advancing the ptr to it.
khwilliamson added a commit that referenced this issue Dec 17, 2019
I only added a test, but not the change in
9f16475.  The test passes except when
run under address sanitizer or valgrind.
steve-m-hay pushed a commit that referenced this issue Feb 12, 2020
Like GH #17367, this was caused by a failure to check that we aren't at
the end of the buffer after advancing the ptr to it.

(cherry picked from commit 9f16475)
steve-m-hay pushed a commit that referenced this issue Feb 12, 2020
I only added a test, but not the change in
9f16475.  The test passes except when
run under address sanitizer or valgrind.

(cherry picked from commit dca9f61)
lightsey added a commit to lightsey/perl5 that referenced this issue Aug 20, 2020
The grok_infnan() function was walking past the end of the string
while skipping over trailing '0' characters. This is another variation
of Perl#17370.
lightsey added a commit to lightsey/perl5 that referenced this issue Aug 20, 2020
The grok_infnan() function was walking past the end of the string
while skipping over trailing '0' characters. This is another
variation of Perl#17370.
lightsey added a commit to lightsey/perl5 that referenced this issue Aug 21, 2020
The grok_infnan() function was walking past the end of the string
while skipping over trailing '0' characters. This is another
variation of Perl#17370.
lightsey added a commit to lightsey/perl5 that referenced this issue Aug 21, 2020
The grok_infnan() function was walking past the end of the string
while skipping over trailing '0' characters. This is another
variation of Perl#17370.
khwilliamson pushed a commit that referenced this issue Aug 22, 2020
The grok_infnan() function was walking past the end of the string
while skipping over trailing '0' characters. This is another
variation of #17370.
steve-m-hay pushed a commit that referenced this issue Dec 26, 2020
The grok_infnan() function was walking past the end of the string
while skipping over trailing '0' characters. This is another
variation of #17370.

(cherry picked from commit bbd8607)
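
The bug class named in the commit messages above (advancing a pointer through a length-delimited buffer and dereferencing it without first comparing against the end), shown as an added C example that is not part of the issue and is not Perl's `grok_infnan()` code. The function names, the `backing` array and its contents are constructed for illustration; the input and the bytes after it share one array so the over-read can be measured without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a scanner over a length-delimited buffer
 * [s, send); this is NOT Perl's grok_infnan(). */
typedef const char *(*skip_fn)(const char *s, const char *send);

/* Buggy shape: skips '0' characters without comparing against send,
 * so it keeps reading whatever bytes follow the buffer. */
static const char *skip_zeros_unchecked(const char *s, const char *send)
{
    (void)send;                     /* the missing bound check is the defect */
    while (*s == '0')
        s++;
    return s;
}

/* Hardened shape: every dereference is guarded by s < send. */
static const char *skip_zeros_checked(const char *s, const char *send)
{
    while (s < send && *s == '0')
        s++;
    return s;
}

/* Constructed sample: the logical input is the first 6 bytes ("nan000");
 * the bytes after it model adjacent heap contents. Keeping both in one
 * array makes the over-read well defined, so it can be measured. */
static const char backing[] = "nan000" "00X";
enum { INPUT_LEN = 6, DIGITS_AT = 3 };

/* Returns how far past the logical end the scan pointer stopped. */
size_t overrun(skip_fn skip)
{
    const char *send = backing + INPUT_LEN;
    const char *stop = skip(backing + DIGITS_AT, send);
    return stop > send ? (size_t)(stop - send) : 0;
}

int main(void)
{
    printf("unchecked: stopped %zu bytes past end\n", overrun(skip_zeros_unchecked));
    printf("checked:   stopped %zu bytes past end\n", overrun(skip_zeros_checked));
    return 0;
}
```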