AddressSanitizer: heap-buffer-overflow in Perl_pp_unpack #15909

Open

p5pRT opened this issue Mar 4, 2017 · 20 comments

Comments

p5pRT commented Mar 4, 2017

Migrated from rt.perl.org#130917 (status was 'open')

Searchable as RT130917$

p5pRT commented Mar 4, 2017

From mtowalski@pentest.net.pl

Hello,

I've attached the poc and the asan log.
Tested on git version of perl.

Configure options:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared

Information about configuration:

Distributor ID: Ubuntu
Description: Ubuntu 16.10
Release: 16.10
Codename: yakkety
Arch: x86_64

Best Regards,
Marcin T.

p5pRT commented Mar 4, 2017

From mtowalski@pentest.net.pl

/usr/bin/llvm-symbolizer
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
  LANGUAGE = (unset),
  LC_ALL = (unset),
  LC_CTYPE = "UTF-8",
  LANG = "en_US.UTF-8"
  are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").

==11600==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000078 at pc 0x000000c109bb bp 0x7ffddc02bad0 sp 0x7ffddc02bac8
READ of size 8 at 0x619000000078 thread T0
  #0 0xc109ba in Perl_pp_unpack /home/mtowalski/Fuzzing/Programs/perl-git/pp_pack.c:1837:5
  #1 0x7fbc44 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2451:23
  #2 0x5e7bb3 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c
  #3 0x524302 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9
  #4 0x7f26c09df3f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291
  #5 0x4356f9 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4356f9)

0x619000000078 is located 8 bytes to the left of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
  #0 0x4eb0a8 in malloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4eb0a8)
  #1 0x80087e in Perl_safesysmalloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:153:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mtowalski/Fuzzing/Programs/perl-git/pp_pack.c:1837:5 in Perl_pp_unpack
Shadow bytes around the buggy address:
  0x0c327fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c327fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==11600==ABORTING

p5pRT commented Mar 4, 2017

From @arc

RT <perl5-security-report@perl.org> wrote:

> I've attached the poc and the asan log.

Minor reduction:

./miniperl -e 'BEGIN { $SIG{__DIE__} = sub { exit } } unpack'

But the unpack is a red herring here​: the bug is actually that exit(0)
(including the implicit 0 used for zero-argument exit) in a die hook
won't exit the process in the face of parser-triggered errors. This is
reproducible on all Perls I have easy access to (5.6 onwards).

When this happens, execution proceeds to the run-time phase. So afaict
the crash here happens when pp_unpack tries to read its arguments from
a part of the stack that doesn't exist.

The same happens for other builtins that have one or more required arguments.

$ ./miniperl -le 'BEGIN { $SIG{__DIE__} = sub { print "exiting: $_[0]"; exit } } print "not ok"; substr if 0'
exiting: Not enough arguments for substr at -e line 1, near "substr if"
Execution of -e aborted due to compilation errors.

not ok
$

Calling a builtin with too many arguments still exhibits the
failure-to-exit bug, but yields no out-of-bounds read, because
arguments can be found on the stack.

This is probably related to #2754 "[BUG] can't exit 0 from CHECK{}";
and applying George Greer's patch from that ticket fixes it. But the
discussion on that ticket suggested that it might break API
guarantees.

--
Aaron Crane ** http://aaroncrane.co.uk/
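
A local check for the failure-to-exit behaviour described in the comment above, written as an added example for this page; it is not code from the ticket, from the reporter, or from perl's own test suite. It spawns a child perl for each reproducer quoted in the thread and reports whether the `exit` in the compile-time `__DIE__` hook actually terminated the child before the run phase. The `$| = 1;` flush and the `RUNTIME` marker print are this probe's own additions to the reproducers, and the probe names (`unpack`, `substr`, `sassign`) are just labels. Without an ASan build the out-of-bounds read is not guaranteed to crash, so the verdict keys on whether the marker was printed rather than on a signal:

```perl
#!/usr/bin/env perl
# Added probe for this page, not part of the ticket: does exit() inside a
# compile-time __DIE__ hook really stop the process before run time?
use strict;
use warnings;

# Reproducers quoted in the thread. Each triggers a compile-time error (a
# builtin with too few arguments, or an unmodifiable lvalue) and the __DIE__
# hook answers with a bare exit. The `$| = 1;` and the RUNTIME print are this
# probe's additions: if the marker shows up, the hook's exit did not end the
# process and execution reached the run phase.
my %probes = (
    unpack  => '$| = 1; BEGIN { $SIG{__DIE__} = sub { exit } } print "RUNTIME\n"; unpack',
    substr  => '$| = 1; BEGIN { $SIG{__DIE__} = sub { exit } } print "RUNTIME\n"; substr if 0',
    sassign => '$| = 1; BEGIN { $SIG{__DIE__} = sub { exit } } print "RUNTIME\n"; yte = substr unpa',
);

# Run one reproducer under the same perl binary ($^X) and classify the result.
sub run_probe {
    my ($code) = @_;
    # List-form pipe open: no shell is involved, so the one-liner needs no quoting.
    open my $out, '-|', $^X, '-e', $code
        or die "cannot spawn $^X: $!";
    my $stdout = do { local $/; <$out> };
    $stdout = '' unless defined $stdout;
    close $out;    # close() on a pipe stores the child's wait status in $?
    return {
        stdout          => $stdout,
        exit_status     => $? >> 8,
        signal          => $? & 127,
        reached_runtime => ($stdout =~ /^RUNTIME$/m) ? 1 : 0,
    };
}

for my $name (sort keys %probes) {
    my $r = run_probe($probes{$name});
    my $verdict =
          $r->{signal}          ? "CRASH: child died from signal $r->{signal}"
        : $r->{reached_runtime} ? "AFFECTED: exit in __DIE__ hook did not stop run time"
        :                         "OK: hook's exit terminated the process before run time";
    printf "%-8s exit=%-3d %s\n", $name, $r->{exit_status}, $verdict;
}
```

Run it with the perl you want to check (`/path/to/perl probe.pl`). A perl showing the behaviour described above prints AFFECTED for the three cases; one where the hook's exit takes effect prints OK with no marker in the child's output; an ASan build of an affected perl aborts on the out-of-bounds read instead, which the probe reports as CRASH.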

p5pRT commented Mar 4, 2017

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Mar 6, 2017

From mtowalski@pentest.net.pl

Hello,

I've attached the poc and the asan log.
Tested on git version of perl.

Configure options:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared

Information about configuration:

Distributor ID: Ubuntu
Description: Ubuntu 16.10
Release: 16.10
Codename: yakkety
Arch: x86_64

Best Regards,
Marcin T.

p5pRT commented Mar 6, 2017

From mtowalski@pentest.net.pl

/usr/bin/llvm-symbolizer
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
  LANGUAGE = (unset),
  LC_ALL = (unset),
  LC_CTYPE = "UTF-8",
  LANG = "en_US.UTF-8"
  are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").

==11768==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000078 at pc 0x00000089c1d1 bp 0x7ffe2638a110 sp 0x7ffe2638a108
READ of size 8 at 0x619000000078 thread T0
  #0 0x89c1d0 in Perl_pp_sassign /home/mtowalski/Fuzzing/Programs/perl-git/pp_hot.c:131:34
  #1 0x7fbc44 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2451:23
  #2 0x5e7bb3 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c
  #3 0x524302 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9
  #4 0x7f100bb283f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291
  #5 0x4356f9 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4356f9)

0x619000000078 is located 8 bytes to the left of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
  #0 0x4eb0a8 in malloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4eb0a8)
  #1 0x80087e in Perl_safesysmalloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:153:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mtowalski/Fuzzing/Programs/perl-git/pp_hot.c:131:34 in Perl_pp_sassign
Shadow bytes around the buggy address:
  0x0c327fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c327fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==11768==ABORTING

p5pRT commented Mar 6, 2017

From @arc

This reduces to​:

BEGIN { $SIG{__DIE__} = sub { exit } }
yte = substr unpa

and has the same cause as #130917 (namely, that doing exit in a __DIE__ hook visible at compile-time both fails to exit and prevents compilation errors from being thrown). I've therefore merged it into #130917.

--
Aaron Crane ** http://aaroncrane.co.uk/

p5pRT commented Mar 6, 2017

From @arc

This is exactly the same underlying bug as #130917 and #130931, so I've merged it into #130917.

--
Aaron Crane ** http://aaroncrane.co.uk/

p5pRT commented Mar 6, 2017

From mtowalski@pentest.net.pl

Hello,

I've attached the poc and the asan log.
Tested on git version of perl.

Configure options:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=clang -Doptimize=-O2 -Accflags="-fsanitize=address -fsanitize-coverage=edge" -Aldflags="-fsanitize=address -fsanitize-coverage=edge" -Alddlflags=-shared

Information about configuration:

Distributor ID: Ubuntu
Description: Ubuntu 16.10
Release: 16.10
Codename: yakkety
Arch: x86_64

Best Regards,
Marcin T.

p5pRT commented Mar 6, 2017

From mtowalski@pentest.net.pl

/usr/bin/llvm-symbolizer
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
  LANGUAGE = (unset),
  LC_ALL = (unset),
  LC_CTYPE = "UTF-8",
  LANG = "en_US.UTF-8"
  are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").

==11930==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000078 at pc 0x0000009bfcd6 bp 0x7ffc5671d7b0 sp 0x7ffc5671d7a8
READ of size 8 at 0x619000000078 thread T0
  #0 0x9bfcd5 in Perl_pp_substr /home/mtowalski/Fuzzing/Programs/perl-git/pp.c:3366:10
  #1 0x7fbc44 in Perl_runops_debug /home/mtowalski/Fuzzing/Programs/perl-git/dump.c:2451:23
  #2 0x5e7bb3 in perl_run /home/mtowalski/Fuzzing/Programs/perl-git/perl.c
  #3 0x524302 in main /home/mtowalski/Fuzzing/Programs/perl-git/perlmain.c:123:9
  #4 0x7f6caf01a3f0 in __libc_start_main /build/glibc-jxM2Ev/glibc-2.24/csu/../csu/libc-start.c:291
  #5 0x4356f9 in _start (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4356f9)

0x619000000078 is located 8 bytes to the left of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
  #0 0x4eb0a8 in malloc (/home/mtowalski/Fuzzing/Programs/perl-git/perl+0x4eb0a8)
  #1 0x80087e in Perl_safesysmalloc /home/mtowalski/Fuzzing/Programs/perl-git/util.c:153:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mtowalski/Fuzzing/Programs/perl-git/pp.c:3366:10 in Perl_pp_substr
Shadow bytes around the buggy address:
  0x0c327fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c327fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==11930==ABORTING

p5pRT commented Mar 8, 2017

From @iabyn

On Mon, Mar 06, 2017 at 08:25:34AM -0800, via RT wrote:

> BEGIN{$SIG{__DIE__}=sub{$_=exit}}t=unpack

This is the same issue as RT #130917 - I'll merge the tickets.

--
Standards (n). Battle insignia or tribal totems.

p5pRT commented Mar 9, 2017

From @iabyn

On Mon, Mar 06, 2017 at 08:55:51AM -0800, via RT wrote:

> BEGIN { print $SIG{__DIE__} = sub {$_=~ exit }; }te = substr

This is the same issue as RT #130917. I'll merge the tickets.

--
You live and learn (although usually you just live).

p5pRT commented Mar 9, 2017

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Jul 27, 2017

From @tonycoz

On Thu, 09 Mar 2017 03:44:29 -0800, davem wrote:

> On Mon, Mar 06, 2017 at 08:55:51AM -0800, via RT wrote:
>
> > BEGIN { print $SIG{__DIE__} = sub {$_=~ exit }; }te = substr
>
> This is the same issue as RT #130917. I'll merge the tickets.

This doesn't look like a security issue, since it requires feeding code to the interpreter, I'll move it to the public queue in a couple of days unless someone disagrees (or beats me to it.)

Tony
