
This queue is for tickets about the Perl-Core CPAN distribution.

Report information
The Basics
Id: 124716
Status: open
Priority: 0/
Queue: Perl-Core

People
Owner: Nobody in particular
Requestors: hackyzh002 [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Use after free in sv.c:4860
From: hackyzh002 [...] gmail.com
hackyzh@hackyzh-virtual-machine:~/Desktop$ ./perl-5.27.9/perl poc2.pl
=================================================================
==20930==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e510 at pc 0x0000009fd4cc bp 0x7ffcc315cc40 sp 0x7ffcc315cc30
WRITE of size 1 at 0x60200000e510 thread T0
    #0 0x9fd4cb in Perl_sv_setpv_bufsize /home/hackyzh/Desktop/perl-5.27.9/sv.c:4860
    #1 0xbfee9b in Perl_do_vop /home/hackyzh/Desktop/perl-5.27.9/doop.c:1039
    #2 0xa748c6 in Perl_pp_bit_or /home/hackyzh/Desktop/perl-5.27.9/pp.c:2391
    #3 0x92c74a in Perl_runops_standard /home/hackyzh/Desktop/perl-5.27.9/run.c:41
    #4 0x555b39 in S_run_body /home/hackyzh/Desktop/perl-5.27.9/perl.c:2750
    #5 0x555b39 in perl_run /home/hackyzh/Desktop/perl-5.27.9/perl.c:2671
    #6 0x42b6e5 in main /home/hackyzh/Desktop/perl-5.27.9/perlmain.c:122
    #7 0x7fc92c42c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x42c6c8 in _start (/home/hackyzh/Desktop/perl-5.27.9/perl+0x42c6c8)

0x60200000e510 is located 0 bytes inside of 10-byte region [0x60200000e510,0x60200000e51a)
freed by thread T0 here:
    #0 0x7fc92d1d02ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x999630 in Perl_sv_clear /home/hackyzh/Desktop/perl-5.27.9/sv.c:6732

previously allocated by thread T0 here:
    #0 0x7fc92d1d0602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x8372dc in Perl_safesysmalloc /home/hackyzh/Desktop/perl-5.27.9/util.c:153

SUMMARY: AddressSanitizer: heap-use-after-free /home/hackyzh/Desktop/perl-5.27.9/sv.c:4860 Perl_sv_setpv_bufsize
Shadow bytes around the buggy address:
  0x0c047fff9c50: fa fa 00 00 fa fa 00 02 fa fa 00 04 fa fa 00 02
  0x0c047fff9c60: fa fa 05 fa fa fa 00 00 fa fa 00 07 fa fa 00 fa
  0x0c047fff9c70: fa fa 00 02 fa fa 00 02 fa fa 00 04 fa fa 00 05
  0x0c047fff9c80: fa fa 00 07 fa fa 00 02 fa fa 00 03 fa fa 00 05
  0x0c047fff9c90: fa fa 00 01 fa fa 00 05 fa fa 00 01 fa fa 00 02
=>0x0c047fff9ca0: fa fa[fd]fd fa fa fd fa fa fa 00 02 fa fa 00 02
  0x0c047fff9cb0: fa fa 00 02 fa fa 00 02 fa fa 00 06 fa fa 00 04
  0x0c047fff9cc0: fa fa 00 02 fa fa 00 02 fa fa 00 fa fa fa 00 02
  0x0c047fff9cd0: fa fa fd fa fa fa 00 02 fa fa 00 02 fa fa 00 02
  0x0c047fff9ce0: fa fa 00 02 fa fa 00 02 fa fa 00 02 fa fa 00 02
  0x0c047fff9cf0: fa fa 00 02 fa fa 00 02 fa fa 00 02 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==20930==ABORTING
On Wed, 07 Mar 2018 20:29:14, hackyzh002@gmail.com wrote:
> hackyzh@hackyzh-virtual-machine:~/Desktop$ ./perl-5.27.9/perl poc2.pl
> =================================================================
> ==20930==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e510 at pc 0x0000009fd4cc bp 0x7ffcc315cc40 sp 0x7ffcc315cc30
> ...
> ==20930==ABORTING
Subject: poc2.pl
@3333333333=$0^=*0=cccccccccc xor{}
Subject: [perl #132951] AutoReply: Fwd: [rt.cpan.org #124716] Use after free in sv.c:4860
Date: Thu, 08 Mar 2018 00:26:34 -0800
To: bug-Perl-Core [...] rt.cpan.org
From: perl5-security-report-followup [...] perl.org
Greetings,

This message has been automatically generated in response to the creation of a perl security report regarding:

"Fwd: [rt.cpan.org #124716] Use after free in sv.c:4860".

There is no need to reply to this message right now. Your ticket has been assigned an ID of [perl #132951].

Please include the string:

[perl #132951]

in the subject line of all future correspondence about this issue. To do so, you may reply to this message (please delete unnecessary quotes and text.)

Thank you,
perl5-security-report-followup@perl.org
Subject: Re: [perl #132951] Fwd: [rt.cpan.org #124716] Use after free in sv.c:4860
Date: Thu, 08 Mar 2018 03:51:14 -0800
To: bug-Perl-Core [...] rt.cpan.org
From: "Dave Mitchell via RT" <perl5-security-report-followup [...] perl.org>
On Thu, Mar 08, 2018 at 12:26:35AM -0800, via RT wrote:
> ==20930==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e510 at pc 0x0000009fd4cc bp 0x7ffcc315cc40 sp 0x7ffcc315cc30
> WRITE of size 1 at 0x60200000e510 thread T0
>     #0 0x9fd4cb in Perl_sv_setpv_bufsize /home/hackyzh/Desktop/perl-5.27.9/sv.c:4860
>     #1 0xbfee9b in Perl_do_vop /home/hackyzh/Desktop/perl-5.27.9/doop.c:1039
>     #2 0xa748c6 in Perl_pp_bit_or /home/hackyzh/Desktop/perl-5.27.9/pp.c:2391
...
> 0x60200000e510 is located 0 bytes inside of 10-byte region [0x60200000e510,0x60200000e51a)
The code reduces to

    $a ^= (*a = 'b');

It's a stack-not-refcounted issue, and not a security issue.

-- 
The Enterprise is captured by a vastly superior alien intelligence which
does not put them on trial.
    -- Things That Never Happen in "Star Trek" #10
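Dave's "stack-not-refcounted" diagnosis, modelled in C as an added example (this is not perl's code and not how perl itself resolves this class of bug): a Value plays the role of the string SV, Symbol the glob behind $a, and the two eval functions evaluate `a ^= (a = rhs)` once with an operand stack that holds a bare pointer and once with a stack slot that owns its own reference. value_reserve stands in for sv_setpv_bufsize and reports a write into a freed value instead of performing it, doing the job AddressSanitizer did in the report. All type and function names and the constructed operand strings are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a refcounted string value; not perl's real SV. */
typedef struct {
    int    refcnt;
    int    freed;  /* set once refcnt reaches 0 and the buffer is released */
    size_t len;
    char  *buf;
} Value;

/* One reassignable symbol, standing in for the glob *a behind $a. */
typedef struct { Value *slot; } Symbol;

static Value *value_new(const char *s) {
    Value *v = calloc(1, sizeof *v);
    v->refcnt = 1;
    v->len = strlen(s);
    v->buf = malloc(v->len + 1);
    memcpy(v->buf, s, v->len + 1);
    return v;
}

static void value_incref(Value *v) { v->refcnt++; }

/* Drop a reference. At zero the buffer is freed (the 10-byte region in the
 * report is such a buffer, freed from sv_clear). The struct is deliberately
 * kept in this model so a stale pointer can be inspected without real
 * undefined behaviour. */
static void value_decref(Value *v) {
    if (--v->refcnt == 0) {
        free(v->buf);
        v->buf = NULL;
        v->freed = 1;
    }
}

/* Stand-in for sv_setpv_bufsize: ensure room for n bytes plus NUL.
 * Returns -1 when v is already freed (the write ASan flagged). */
static int value_reserve(Value *v, size_t n) {
    if (v->freed) return -1;
    if (n > v->len) {
        char *nb = realloc(v->buf, n + 1);
        if (!nb) return -1;
        v->buf = nb;
    }
    return 0;
}

/* Byte-wise string xor with the longer operand's tail carried through,
 * written into dst (dst may alias a). Returns -1 on a freed operand. */
static int xor_into(Value *dst, const Value *a, const Value *b) {
    if (a->freed || b->freed) return -1;
    size_t n = a->len > b->len ? a->len : b->len;
    if (value_reserve(dst, n) != 0) return -1;
    for (size_t i = 0; i < n; i++) {
        char ca = i < a->len ? a->buf[i] : 0;
        char cb = i < b->len ? b->buf[i] : 0;
        dst->buf[i] = (char)(ca ^ cb);
    }
    dst->buf[n] = '\0';
    dst->len = n;
    return 0;
}

/* The inner assignment (*a = 'b'): the symbol drops whatever it held. */
static void symbol_assign(Symbol *sym, Value *nv) {
    Value *old = sym->slot;
    sym->slot = nv;
    if (old) value_decref(old);
}

/* a ^= (a = rhs) with an operand stack that does not own references:
 * the left operand is remembered as a bare pointer, the inner assignment
 * drops its last reference, and the xor then writes into freed memory. */
static int eval_xor_assign_unsafe(Symbol *sym, const char *rhs) {
    Value *lhs = sym->slot;               /* "pushed" without an incref */
    symbol_assign(sym, value_new(rhs));   /* frees lhs: refcnt 1 -> 0 */
    return xor_into(lhs, lhs, sym->slot); /* -1: target already freed */
}

/* Same expression, but the stack slot takes its own reference, so the
 * reassignment cannot free the operand while the xor still needs it. */
static int eval_xor_assign_safe(Symbol *sym, const char *rhs) {
    Value *lhs = sym->slot;
    value_incref(lhs);                    /* stack owns a reference: 1 -> 2 */
    symbol_assign(sym, value_new(rhs));   /* old value survives: 2 -> 1 */
    int rc = xor_into(lhs, lhs, sym->slot);
    value_decref(lhs);                    /* stack releases it: 1 -> 0 */
    return rc;
}

/* Scenario drivers returning the outcome, on constructed operands. */
static int run_unsafe(void) {
    Symbol sym = { value_new("cccccccccc") };
    return eval_xor_assign_unsafe(&sym, "b");   /* -1 */
}

static int run_safe(void) {
    Symbol sym = { value_new("cccccccccc") };
    return eval_xor_assign_safe(&sym, "b");     /* 0 */
}

/* Sanity check of the xor alone: "ab" ^ "c" gives "\x02b". */
static int run_plain_xor(void) {
    Value *a = value_new("ab"), *b = value_new("c");
    int rc = xor_into(a, a, b);
    return rc == 0 && a->len == 2 && a->buf[0] == 2 && a->buf[1] == 'b';
}

int main(void) {
    printf("unsafe: %s\n", run_unsafe() == -1 ? "write into freed value" : "ok");
    printf("safe:   %s\n", run_safe() == 0 ? "ok" : "write into freed value");
    printf("xor:    %s\n", run_plain_xor() ? "ok" : "wrong");
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run; the unsafe path reports the write into the freed value, the safe path completes. The defensive principle the safe path illustrates is that a stack slot which can outlive the variable it was read from must own a reference (or the value must be kept alive by some other means) until the operator has finished with it; in this model the result still lands in the detached old value and is discarded when the stack releases it, which is a modelling simplification rather than a statement about perl's semantics.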
Subject: [perl #132951] Fwd: [rt.cpan.org #124716] Use after free in sv.c:4860
Date: Mon, 12 Mar 2018 16:06:30 -0700
To: bug-Perl-Core [...] rt.cpan.org
From: "Tony Cook via RT" <perlbug-followup [...] perl.org>
On Thu, 08 Mar 2018 03:51:14 -0800, davem wrote:
> On Thu, Mar 08, 2018 at 12:26:35AM -0800, via RT wrote:
> > ==20930==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e510 at pc 0x0000009fd4cc bp 0x7ffcc315cc40 sp 0x7ffcc315cc30
> > WRITE of size 1 at 0x60200000e510 thread T0
> >     #0 0x9fd4cb in Perl_sv_setpv_bufsize /home/hackyzh/Desktop/perl-5.27.9/sv.c:4860
> >     #1 0xbfee9b in Perl_do_vop /home/hackyzh/Desktop/perl-5.27.9/doop.c:1039
> >     #2 0xa748c6 in Perl_pp_bit_or /home/hackyzh/Desktop/perl-5.27.9/pp.c:2391
> ...
> > 0x60200000e510 is located 0 bytes inside of 10-byte region [0x60200000e510,0x60200000e51a)
>
> The code reduces to
>
>     $a ^= (*a = 'b');
>
> It's a stack-not-refcounted issue, and not a security issue.
Now public and linked to the stack-not-refcounted meta ticket.

Tony