Bug #72700 for Scalar-List-Utils: [perl #104462] [PATCH] Copy&paste List::Util BOOT bug, reading past 2 bytes

Thu Nov 24 11:17:33 2011 perlbug-followup [...] perl.org - Ticket created

CC:	bug-Scalar-List-Utils [...] rt.cpan.org
Subject:	[perl #104462] [PATCH] Copy&paste List::Util BOOT bug, reading past 2 bytes
Date:	Thu, 24 Nov 2011 08:17:25 -0800
To:	"OtherRecipients of perl Ticket #104462":;
From:	"Father Chrysostomos via RT" <perlbug-followup [...] perl.org>

CPAN is upstream for List::Util. I’m forwarding it there. On Wed Nov 23 16:50:18 2011, rurban wrote: Show quoted text

> This is a bug report for perl from rurban@cpan.org, > generated with the help of perlbug 1.39 running under perl 5.15.5. > > See http://blogs.perl.org/users/rurban/2011/11/adventures-with-clang- > and-asan.html > how I found these and many more invalid memory read+write bugs with > clang and Google ASan. > > This does not look security relevant to me. > --- > cpan/List-Util/ListUtil.xs | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > --- > Flags: > category=library > severity=high > module=List::Util > --- > This perlbug was built using Perl 5.15.5 - Mon Nov 21 11:51:57 CST > 2011 > It is being executed now by Perl 5.15.5 - Wed Nov 23 15:43:38 CST > 2011. > > Site configuration information for perl 5.15.5: > > Configured by rurban at Wed Nov 23 15:43:38 CST 2011. > > Summary of my perl5 (revision 5 version 15 subversion 5) > configuration: > Derived from: a7d2e0de32269f812d90519e6c9c554b40df8dca > Platform: > osname=linux, osvers=3.0.0-1-amd64, archname=x86_64-linux-debug- > asan@a7d2e0 > uname='linux reini 3.0.0-1-amd64 #1 smp sun jul 24 02:24:44 utc > 2011 x86_64 gnulinux ' > config_args='-de -Dusedevel -Dinstallman1dir=none > -Dinstallman3dir=none -Dinstallsiteman1dir=none > -Dinstallsiteman3dir=none -Dmksymlinks -DEBUGGING -Doptimize=-g3 > -Uuseithreads >

-D'cc=/home/rurban/Software/address-sanitizer/clang_build_Linux/Release+Asserts/bin/clang' Show quoted text

> -A'ccflags=-faddress-sanitizer' -A'ldflags=-g3\ -O2\ > -faddress-sanitizer' -Dcf_email='rurban@cpanel.net' > -Dperladmin='rurban@cpanel.net' -Duseshrplib' > hint=recommended, useposix=true, d_sigaction=define > useithreads=undef, usemultiplicity=undef > useperlio=define, d_sfio=undef, uselargefiles=define, > usesocks=undef > use64bitint=define, use64bitall=define, uselongdouble=undef > usemymalloc=n, bincompat5005=undef > Compiler: > cc='/home/rurban/Software/address- > sanitizer/clang_build_Linux/Release+Asserts/bin/clang', > ccflags ='-faddress-sanitizer -DDEBUGGING -fno-strict-aliasing -pipe > -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE > -D_FILE_OFFSET_BITS=64', > optimize='-g3 -O2', > cppflags='-faddress-sanitizer -DDEBUGGING -fno-strict-aliasing > -pipe -fstack-protector -I/usr/local/include' > ccversion='', gccversion='4.2.1 Compatible Clang 3.1 (trunk)', > gccosandvers='' > intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 > d_longlong=define, longlongsize=8, d_longdbl=define, > longdblsize=16 > ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', > lseeksize=8 > alignbytes=8, prototype=define > Linker and Libraries: > ld='/home/rurban/Software/address- > sanitizer/clang_build_Linux/Release+Asserts/bin/clang', > ldflags =' -g3 -O2 -faddress-sanitizer -fstack-protector > -L/usr/local/lib' > libpth=/usr/local/lib /lib /usr/lib /usr/lib/x86_64-linux-gnu > /lib64 /usr/lib64 > libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat > perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc > libc=, so=so, useshrplib=true, libperl=libperl.so > gnulibc_version='2.13' > Dynamic Linking: > dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E >

-Wl,-rpath,/usr/local/lib/perl5/5.15.5/x86_64-linux-debug-asan@a7d2e0/CORE' Show quoted text

> cccdlflags='-fPIC', lddlflags='-shared -g3 -L/usr/local/lib > -fstack-protector' > > Locally applied patches: > > > --- > @INC for perl 5.15.5: > lib > /usr/local/lib/perl5/site_perl/5.15.5/x86_64-linux-debug- > asan@a7d2e0 > /usr/local/lib/perl5/site_perl/5.15.5 > /usr/local/lib/perl5/5.15.5/x86_64-linux-debug-asan@a7d2e0 > /usr/local/lib/perl5/5.15.5 > /usr/local/lib/perl5/site_perl > . > > --- > Environment for perl 5.15.5: > HOME=/home/rurban > LANG=en_US.utf8 > LANGUAGE (unset) > LD_LIBRARY_PATH=/home/rurban/Perl/src/build-5.15.5d-nt-asan@a7d2e0 > LOGDIR (unset) >

PATH=/home/rurban/bin:/home/rurban/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games Show quoted text

> PERL_BADLANG (unset) > SHELL=/bin/bash >

-- Father Chrysostomos

Tue Mar 06 12:35:16 2012 RURBAN [...] cpan.org - Correspondence added

What's up? Still a critical CORE bug with a patch. May I take over? On Thu Nov 24 11:17:33 2011, perlbug-followup@perl.org wrote: Show quoted text

> CPAN is upstream for List::Util. I’m forwarding it there. > > On Wed Nov 23 16:50:18 2011, rurban wrote:

> > This is a bug report for perl from rurban@cpan.org, > > generated with the help of perlbug 1.39 running under perl 5.15.5. > > > > See http://blogs.perl.org/users/rurban/2011/11/adventures-with-

> clang-

> > and-asan.html > > how I found these and many more invalid memory read+write bugs with > > clang and Google ASan. > > > > This does not look security relevant to me. > > --- > > cpan/List-Util/ListUtil.xs | 2 +- > > 1 files changed, 1 insertions(+), 1 deletions(-) > > --- > > Flags: > > category=library > > severity=high > > module=List::Util > > --- > > This perlbug was built using Perl 5.15.5 - Mon Nov 21 11:51:57 CST > > 2011 > > It is being executed now by Perl 5.15.5 - Wed Nov 23 15:43:38 CST > > 2011. > > > > Site configuration information for perl 5.15.5: > > > > Configured by rurban at Wed Nov 23 15:43:38 CST 2011. > > > > Summary of my perl5 (revision 5 version 15 subversion 5) > > configuration: > > Derived from: a7d2e0de32269f812d90519e6c9c554b40df8dca > > Platform: > > osname=linux, osvers=3.0.0-1-amd64, archname=x86_64-linux-debug- > > asan@a7d2e0 > > uname='linux reini 3.0.0-1-amd64 #1 smp sun jul 24 02:24:44 utc > > 2011 x86_64 gnulinux ' > > config_args='-de -Dusedevel -Dinstallman1dir=none > > -Dinstallman3dir=none -Dinstallsiteman1dir=none > > -Dinstallsiteman3dir=none -Dmksymlinks -DEBUGGING -Doptimize=-g3 > > -Uuseithreads > >

> -D'cc=/home/rurban/Software/address-

sanitizer/clang_build_Linux/Release+Asserts/bin/clang' Show quoted text

> > -A'ccflags=-faddress-sanitizer' -A'ldflags=-g3\ -O2\ > > -faddress-sanitizer' -Dcf_email='rurban@cpanel.net' > > -Dperladmin='rurban@cpanel.net' -Duseshrplib' > > hint=recommended, useposix=true, d_sigaction=define > > useithreads=undef, usemultiplicity=undef > > useperlio=define, d_sfio=undef, uselargefiles=define, > > usesocks=undef > > use64bitint=define, use64bitall=define, uselongdouble=undef > > usemymalloc=n, bincompat5005=undef > > Compiler: > > cc='/home/rurban/Software/address- > > sanitizer/clang_build_Linux/Release+Asserts/bin/clang', > > ccflags ='-faddress-sanitizer -DDEBUGGING -fno-strict-aliasing -pipe > > -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE > > -D_FILE_OFFSET_BITS=64', > > optimize='-g3 -O2', > > cppflags='-faddress-sanitizer -DDEBUGGING -fno-strict-aliasing > > -pipe -fstack-protector -I/usr/local/include' > > ccversion='', gccversion='4.2.1 Compatible Clang 3.1 (trunk)', > > gccosandvers='' > > intsize=4, longsize=8, ptrsize=8, doublesize=8,

> byteorder=12345678

> > d_longlong=define, longlongsize=8, d_longdbl=define, > > longdblsize=16 > > ivtype='long', ivsize=8, nvtype='double', nvsize=8,

> Off_t='off_t',

> > lseeksize=8 > > alignbytes=8, prototype=define > > Linker and Libraries: > > ld='/home/rurban/Software/address- > > sanitizer/clang_build_Linux/Release+Asserts/bin/clang', > > ldflags =' -g3 -O2 -faddress-sanitizer -fstack-protector > > -L/usr/local/lib' > > libpth=/usr/local/lib /lib /usr/lib /usr/lib/x86_64-linux-gnu > > /lib64 /usr/lib64 > > libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat > > perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc > > libc=, so=so, useshrplib=true, libperl=libperl.so > > gnulibc_version='2.13' > > Dynamic Linking: > > dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E > >

> -Wl,-rpath,/usr/local/lib/perl5/5.15.5/x86_64-linux-debug-

asan@a7d2e0/CORE' Show quoted text

> > cccdlflags='-fPIC', lddlflags='-shared -g3 -L/usr/local/lib > > -fstack-protector' > > > > Locally applied patches: > > > > > > --- > > @INC for perl 5.15.5: > > lib > > /usr/local/lib/perl5/site_perl/5.15.5/x86_64-linux-debug- > > asan@a7d2e0 > > /usr/local/lib/perl5/site_perl/5.15.5 > > /usr/local/lib/perl5/5.15.5/x86_64-linux-debug-asan@a7d2e0 > > /usr/local/lib/perl5/5.15.5 > > /usr/local/lib/perl5/site_perl > > . > > > > --- > > Environment for perl 5.15.5: > > HOME=/home/rurban > > LANG=en_US.utf8 > > LANGUAGE (unset) > > LD_LIBRARY_PATH=/home/rurban/Perl/src/build-5.15.5d-nt-

> asan@a7d2e0

> > LOGDIR (unset) > >

>

PATH=/home/rurban/bin:/home/rurban/bin:/usr/local/bin:/usr/bin:/bin:/usr /local/games:/usr/games Show quoted text

> > PERL_BADLANG (unset) > > SHELL=/bin/bash > >

> >

-- Reini Urban

Tue Mar 06 12:35:17 2012 The RT System itself - Status changed from 'new' to 'open'

Thu Mar 08 11:04:57 2012 RURBAN [...] cpan.org - Correspondence added

re-attach patch -- Reini Urban

Subject:

0001-Copy-paste-List-Util-BOOT-bug-reading-past-2-bytes.patch

[#CPAN 72700] https://rt.cpan.org/Public/Bug/Display.html?id=72700 From fcda72764b78c8512a04347f3f18fb7549582f0a Mon Sep 17 00:00:00 2001 From: Reini Urban <rurban@x-ray.at> Date: Wed, 23 Nov 2011 18:10:26 -0600 Subject: [PATCH] Copy&paste List::Util BOOT bug, reading past 2 bytes MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------1.7.5.4" This is a multi-part message in MIME format. --------------1.7.5.4 Content-Type: text/plain; charset=UTF-8; format=fixed Content-Transfer-Encoding: 8bit See http://blogs.perl.org/users/rurban/2011/11/adventures-with-clang-and-asan.html how I found these and many more invalid memory read+write bugs with clang and Google ASan. This does not look security relevant to me. --- cpan/List-Util/ListUtil.xs | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) --------------1.7.5.4 Content-Type: text/x-patch; name="0001-Copy-paste-List-Util-BOOT-bug-reading-past-2-bytes.patch" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="0001-Copy-paste-List-Util-BOOT-bug-reading-past-2-bytes.patch" diff --git a/cpan/List-Util/ListUtil.xs b/cpan/List-Util/ListUtil.xs index 7da9b95..eacdde4 100644 --- a/cpan/List-Util/ListUtil.xs +++ b/cpan/List-Util/ListUtil.xs @@ -595,7 +595,7 @@ BOOT: varav = GvAVn(vargv); #endif if (SvTYPE(rmcgv) != SVt_PVGV) - gv_init(rmcgv, lu_stash, "List::Util", 12, TRUE); + gv_init(rmcgv, lu_stash, "List::Util", 10, TRUE); rmcsv = GvSVn(rmcgv); #ifndef SvWEAKREF av_push(varav, newSVpv("weaken",6)); --------------1.7.5.4--

Thu Mar 08 13:20:40 2012 leonerd-cpan [...] leonerd.org.uk - Correspondence added

By the way, I can't see an actual patch here, either attached as a file or inline in any of the messages. Can you please provide one, ideally attached as a file so I can easily apply it? Thanks, -- Paul Evans

Sat Mar 10 07:12:55 2012 leonerd-cpan [...] leonerd.org.uk - Correspondence added

Released in 1.23_04. If this makes it past the smokers OK, I'll consider bumping it to 1.24, because there's quite a bit of change since 1.23 overall, and there hasn't been a non-dev release in 2 years. (!) -- Paul Evans

Sat Mar 10 07:12:57 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'open' to 'resolved'

Sat Mar 10 07:13:11 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'resolved' to 'patched'

Sat Mar 10 07:13:11 2012 leonerd-cpan [...] leonerd.org.uk - Fixed in 1.23_04 added

Wed Mar 28 14:38:14 2012 leonerd-cpan [...] leonerd.org.uk - Fixed in 1.24 added

Wed Mar 28 14:38:19 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'patched' to 'resolved'

Wed Mar 28 14:38:44 2012 leonerd-cpan [...] leonerd.org.uk - Correspondence added

On Sat Mar 10 07:12:55 2012, PEVANS wrote: Show quoted text

> Released in 1.23_04. > > If this makes it past the smokers OK, I'll consider bumping it to 1.24, > because there's quite a bit of change since 1.23 overall, and there > hasn't been a non-dev release in 2 years. (!)

This was released for real as 1.24. -- Paul Evans

Wed Mar 28 14:38:45 2012 The RT System itself - Status changed from 'resolved' to 'open'

Wed Mar 28 14:38:45 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'open' to 'resolved'

Wed Apr 04 22:04:50 2012 perl.p5p [...] rjbs.manxome.org - Correspondence added

CC:	perlbug-followup [...] perl.org
Subject:	Re: [rt.cpan.org #72700] [perl #104462] [PATCH] Copy&paste List::Util BOOT bug, reading past 2 bytes
Date:	Wed, 4 Apr 2012 22:04:33 -0400
To:	Paul Evans via RT <bug-Scalar-List-Utils [...] rt.cpan.org>
From:	Ricardo Signes <perl.p5p [...] rjbs.manxome.org>

* Paul Evans via RT <bug-Scalar-List-Utils@rt.cpan.org> [2012-03-28T14:38:44] Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=72700 > > > On Sat Mar 10 07:12:55 2012, PEVANS wrote:

> > Released in 1.23_04. > > > > If this makes it past the smokers OK, I'll consider bumping it to 1.24, > > because there's quite a bit of change since 1.23 overall, and there > > hasn't been a non-dev release in 2 years. (!)

> > This was released for real as 1.24.

It looked like there were quite a lot of changes between the last stable release of Scalar-List-Utils and this. How much test coverage have we seen? -- rjbs

Download signature.asc
application/pgp-signature 490b

Message body not shown because it is not plain text.

Wed Apr 04 22:04:51 2012 The RT System itself - Status changed from 'resolved' to 'open'

Mon Apr 09 09:10:24 2012 leonerd-cpan [...] leonerd.org.uk - Correspondence added

Show quoted text

> It looked like there were quite a lot of changes between the last > stable > release of Scalar-List-Utils and this. How much test coverage have we > seen?

There was quite a lot of history of smoke tests and the like on the devel releases in between; mostly at: http://matrix.cpantesters.org/?dist=Scalar-List-Utils+1.23_03 (also a little at _01, _02 and _04). This covered a wide range of OS platforms and Perl versions, though didn't include the "rare" ones like VMS, IRIX or HP-UX. That said, given it worked entirely without a FAIL across all these platforms already, and there wasn't any OS-specific code change included, I felt it safe enough to call 1.24 without reference here. -- Paul Evans

Sun May 20 17:01:41 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'open' to 'resolved'