
This queue is for tickets about the IPC-SysV CPAN distribution.

Report information
The Basics
Id: 131024
Status: open
Priority: 0/
Queue: IPC-SysV

People
Owner: Nobody in particular
Requestors: lightsey [...] cpan.org
Cc: randrianantenaina.michael [...] gmail.com
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



CC: randrianantenaina.michael [...] gmail.com
Subject: IPC::SharedMem does not constrain memory reads and writes to the mapped address space
This bug was originally reported to the rt.perl.org security queue as RT134373 by Michael Randrianantenaina. The Perl security team doesn't consider the reported behavior to represent a vulnerability in the IPC::SharedMem module, and the Perl core issue tracker isn't a good place to track this bug.

In a nutshell, IPC::SharedMem does not verify that the POS arguments to read() and write() are within the address range of the shared memory segment created with new(). Using negative values for POS or positive values greater than the size of the memory segment reads or writes unrelated memory.

The following example code shows writes and reads outside of the shared memory area. This example is staying within the same memory page to avoid ASLR complications.

    use IPC::SysV qw(S_IRWXU IPC_CREAT IPC_PRIVATE);
    use IPC::SharedMem;

    # Create and attach a 10-byte private segment (flags are OR-ed together).
    my $shm = IPC::SharedMem->new(IPC_PRIVATE, 10, S_IRWXU | IPC_CREAT);
    $shm->attach(0);

    $shm->write("1" x 10, 0, 10);    # inside the 10-byte segment
    $shm->write("A" x 10, 40, 10);   # POS 40 is past the end of the segment

    # Read back in 10-byte steps; every offset from 10 upward is out of range.
    foreach (0..5) {
        my $offset = 10 * $_;
        print "shm($offset): " . $shm->read($offset,10) . "\n";
    }

    $shm->remove;

Happy to merge a well-tested PR, but I agree this is nice-to-have rather than a security issue.
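
One way a caller can enforce the missing check today, shown as an added example that is not part of this ticket or of the IPC-SysV distribution: a subclass that validates POS and SIZE against the segment size reported by stat() before delegating to the original read() and write(). The class name BoundedSharedMem and the helper _check_range are hypothetical.

```perl
use strict;
use warnings;

package BoundedSharedMem;          # hypothetical name, not shipped with IPC-SysV
use parent 'IPC::SharedMem';
use Carp qw(croak);

# Reject any [POS, POS+SIZE) range that is not fully inside the segment.
sub _check_range {
    my ($self, $pos, $size) = @_;
    for ($pos, $size) {
        # Plain non-negative integers only: this also rejects negative POS.
        croak "POS and SIZE must be non-negative integers"
            unless defined($_) && /\A[0-9]+\z/;
    }
    # segsz is the size passed to new(), not the page-rounded mapping size.
    # stat() costs one shmctl() call per access; cache it if that matters.
    my $stat  = $self->stat or croak "shmctl(IPC_STAT) failed: $!";
    my $segsz = $stat->segsz;
    croak "range $pos+$size is outside the $segsz-byte segment"
        if $pos > $segsz || $size > $segsz - $pos;
    return 1;
}

sub read {
    my ($self, $pos, $size) = @_;
    $self->_check_range($pos, $size);
    return $self->SUPER::read($pos, $size);
}

sub write {
    my ($self, $str, $pos, $size) = @_;
    $self->_check_range($pos, $size);
    return $self->SUPER::write($str, $pos, $size);
}

package main;
use IPC::SysV qw(IPC_PRIVATE IPC_CREAT S_IRWXU);

my $shm = BoundedSharedMem->new(IPC_PRIVATE, 10, S_IRWXU | IPC_CREAT)
    or die "shmget failed: $!";
$shm->attach(0) or die "shmat failed: $!";

$shm->write("1" x 10, 0, 10);                         # in range: succeeds
print "shm(0): ", $shm->read(0, 10), "\n";

# The out-of-range accesses from the report now die instead of touching memory.
for my $pos (40, -1, 5) {
    eval { $shm->read($pos, 10); 1 } or print "read($pos, 10) rejected: $@";
}
$shm->remove;
```

The check compares against segsz rather than the page size, so the same-page accesses in the report are rejected as well as those that would cross into other mappings.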