
Found some crashes of perl binary #19919

Closed
mimicria opened this issue Jul 4, 2022 · 4 comments
Labels
Closable? We might be able to close this ticket, but we need to check with the reporter

Comments


mimicria commented Jul 4, 2022

Description
Hi!
As a result of fuzz testing using AFL, several crashes were found for the latest stable Perl 5.36.0.
These crashes probably can be exploited.

[screenshot attachment: 2022-07-04_082647_perl]

Steps to Reproduce
The input files causing the crashes are attached, together with the GDB commands in gdb_script: checked-crashes-perl.tar.gz

Example 1:

(gdb) file /home/user/perl-5.36.0/perl
Reading symbols from /home/user/perl-5.36.0/perl...
(No debugging symbols found in /home/user/perl-5.36.0/perl)
(gdb) run < /home/user/fuzz/perl/out/checked_crashes/'s4:id:000000,sig:11,src:044897,time:26150018,execs:11980427,op:havoc,rep:2'
Starting program: /home/user/perl-5.36.0/perl < /home/user/fuzz/perl/out/checked_crashes/'s4:id:000000,sig:11,src:044897,time:26150018,execs:11980427,op:havoc,rep:2'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: Use of "-g-" without parentheses is ambiguous at - line 1.

Program received signal SIGSEGV, Segmentation fault.
0x00005555556784bf in S_sv_unmagicext_flags ()

Example 2:

(gdb) file /home/user/perl-5.36.0/perl
Reading symbols from /home/user/perl-5.36.0/perl...
(No debugging symbols found in /home/user/perl-5.36.0/perl)
(gdb) run < /home/user/fuzz/perl/out/checked_crashes/'s7:id:000000,sig:11,src:036046,time:20527870,execs:9932411,op:havoc,rep:4'
Starting program: /home/user/perl-5.36.0/perl < /home/user/fuzz/perl/out/checked_crashes/'s7:id:000000,sig:11,src:036046,time:20527870,execs:9932411,op:havoc,rep:4'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
semi-panic: attempt to dup freed string at - line 1.

Program received signal SIGSEGV, Segmentation fault.
0x0000555555682822 in Perl_sv_mortalcopy_flags ()

Example 3:

(gdb) file /home/user/perl-5.36.0/perl
Reading symbols from /home/user/perl-5.36.0/perl...
(No debugging symbols found in /home/user/perl-5.36.0/perl)
(gdb) run < /home/user/fuzz/perl/out/checked_crashes/'s2:id:000001,sig:11,src:042743,time:27118936,execs:13285668,op:havoc,rep:2'
Starting program: /home/user/perl-5.36.0/perl < /home/user/fuzz/perl/out/checked_crashes/'s2:id:000001,sig:11,src:042743,time:27118936,execs:13285668,op:havoc,rep:2'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Scalar found where operator expected at - line 1, near "9999$;"
        (Missing operator before $;?)

Program received signal SIGSEGV, Segmentation fault.
0x00005555556f73b5 in S_group_end ()

Example 4:

(gdb) file /home/user/perl-5.36.0/perl
Reading symbols from /home/user/perl-5.36.0/perl...
(No debugging symbols found in /home/user/perl-5.36.0/perl)
(gdb) run < /home/user/fuzz/perl/out/checked_crashes/'s11:id:000000,sig:11,src:013892,time:10250713,execs:6343019,op:havoc,rep:2'
Starting program: /home/user/perl-5.36.0/perl < /home/user/fuzz/perl/out/checked_crashes/'s11:id:000000,sig:11,src:013892,time:10250713,execs:6343019,op:havoc,rep:2'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Bizarre copy of UNKNOWN in scalar assignment at - line 1.

Program received signal SIGSEGV, Segmentation fault.
0x0000555555678055 in Perl_sv_clean_objs ()
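Added example, not part of the report or of perl's or AFL's own tooling: a small Python triage helper that parses the AFL crash file names and gdb transcripts in the format shown above and buckets the crashes by signal and faulting function, cross-checking AFL's sig field against the signal gdb reported. The regex names, the SIGNUM table and the two abbreviated sample sessions are constructed for this example.

```python
import re
from collections import defaultdict

# Hypothetical triage helper: parse AFL crash names and gdb transcripts, bucket by (signal, function).
AFL_NAME_RE = re.compile(r"^(?P<tag>s\d+):id:(?P<id>\d+),sig:(?P<sig>\d+),src:(?P<src>\d+),"
                         r"time:(?P<time>\d+),execs:(?P<execs>\d+),op:(?P<op>\w+),rep:(?P<rep>\d+)$")
SIGNAL_RE = re.compile(r"^Program received signal (?P<signal>\w+)")
FRAME_RE = re.compile(r"^0x[0-9a-f]+ in (?P<func>\w+) \(\)")
DIAG_RE = re.compile(r"^(?P<msg>.*?) at - line \d+")   # perl's "... at - line N" diagnostics
SIGNUM = {"SIGSEGV": 11, "SIGABRT": 6, "SIGBUS": 7, "SIGFPE": 8}   # assumed Linux signal numbers

def parse_afl_name(name):
    # AFL encodes fuzzer metadata in the crash file name; numeric fields become ints.
    m = AFL_NAME_RE.match(name)
    if m is None:
        raise ValueError("not an AFL crash name: " + name)
    fields = m.groupdict()
    for k in ("id", "sig", "src", "time", "execs", "rep"):
        fields[k] = int(fields[k])
    return fields

def parse_gdb_output(text):
    # Return (signal, faulting function, first perl diagnostic) seen in the transcript.
    signal = func = diag = None
    for line in text.splitlines():
        line = line.strip()
        if signal is None and (m := SIGNAL_RE.match(line)):
            signal = m.group("signal")
        elif func is None and (m := FRAME_RE.match(line)):
            func = m.group("func")
        elif diag is None and (m := DIAG_RE.match(line)):
            diag = m.group("msg")
    return signal, func, diag

def bucket_crashes(cases):
    # Group (afl_name, gdb_text) pairs; AFL's sig field must agree with what gdb reported.
    buckets = defaultdict(list)
    for name, text in cases:
        fields = parse_afl_name(name)
        signal, func, diag = parse_gdb_output(text)
        if SIGNUM.get(signal) != fields["sig"]:
            raise ValueError(f"{name}: AFL sig {fields['sig']} but gdb saw {signal}")
        buckets[(signal, func)].append((name, diag))
    return dict(buckets)

# Constructed sample: two of the sessions quoted in the report, cut down to the key lines.
SAMPLE = [
    ("s4:id:000000,sig:11,src:044897,time:26150018,execs:11980427,op:havoc,rep:2",
     'Warning: Use of "-g-" without parentheses is ambiguous at - line 1.\n'
     "Program received signal SIGSEGV, Segmentation fault.\n0x00005555556784bf in S_sv_unmagicext_flags ()"),
    ("s7:id:000000,sig:11,src:036046,time:20527870,execs:9932411,op:havoc,rep:4",
     "semi-panic: attempt to dup freed string at - line 1.\n"
     "Program received signal SIGSEGV, Segmentation fault.\n0x0000555555682822 in Perl_sv_mortalcopy_flags ()"),
]
```

Running `bucket_crashes(SAMPLE)` yields two separate buckets, one per faulting function, which is the first signal that the crashes are not duplicates of each other.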
Contributor

jkeenan commented Jul 4, 2022

This problem should be reported by sending mail to:
perl-security@perl.org

Contributor

hvds commented Jul 5, 2022

Thanks for the report. Whenever you think you've found a bug that could potentially be exploited, please report it to the security list perl-security@perl.org rather than to the public bug tracker.

Example 3 is a duplicate of #16319, which was deemed not to be a significant security concern. This was recently fixed, but just too late to get into perl-5.36. The fix is expected to be in perl-5.38 and may be considered for backporting to 5.36 for a future maintenance release if it proves stable.

The other examples are all issues with reference counting on the stack - the first one, for example, simplifies to map { @x = -f(*D) } @x = 1..2. Please see the section "Stack not reference-counted issues" in perldoc perlsecpolicy for our policy on this long-standing problem. There is currently work in progress to develop a fix for this issue - in large part to reduce false positives for people running fuzzers - but it's a massive task and could take a while.

@hvds hvds removed the Needs Triage label Jul 5, 2022
Contributor

jkeenan commented Sep 21, 2022

@hvds this ticket looks closable to me; do you concur?

@jkeenan jkeenan added the Closable? We might be able to close this ticket, but we need to check with the reporter label Sep 21, 2022
Contributor

hvds commented Sep 21, 2022

Given that the OP has had nothing further to say since my response from July, I agree; closing it now.

@hvds hvds closed this as completed Sep 21, 2022