On Mon, 12 Jun 2017 23:30:52 -0700, tonyc wrote:
> On Wed, 07 Jun 2017 00:59:50 -0700, brian.c...@gmail.com wrote:
> > Triggered with v5.27.0-97-gd555ed0, compiled with afl-clang-fast on Debian 8 x64.
> >
> > ==11137==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > 0x60300000e87a at pc 0x10cfcad bp 0x7ffff61acd30 sp 0x7ffff61acd28
> > READ of size 1 at 0x60300000e87a thread T0
> > #0 0x10cfcac in Perl_my_atof2 /root/perl/numeric.c:1490
> > #1 0x10d08e1 in Perl_my_atof /root/perl/numeric.c:1244
> > #2 0xb01bf4 in S_sv_setnv /root/perl/sv.c:2111
> > #3 0xbc07a9 in S_sv_2iuv_common /root/perl/sv.c:2313
> > #4 0xbc7b77 in Perl_sv_2iv_flags /root/perl/sv.c:2506
> > #5 0xc98ec0 in Perl_pp_subtract /root/perl/pp.c:1950
> > #6 0x926e76 in Perl_runops_debug /root/perl/dump.c:2451
> > #7 0x59f02a in S_run_body /root/perl/perl.c:2543
> > #8 0x59f02a in perl_run /root/perl/perl.c:2471
> > #9 0x43506d in main /root/perl/perlmain.c:123
> > #10 0x7f5015730b44 in __libc_start_main
> > (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
> > #11 0x436015 (/root/perl/perl+0x436015)
> >
> > 0x60300000e87a is located 0 bytes to the right of 26-byte region
> > [0x60300000e860,0x60300000e87a)
> > allocated by thread T0 here:
> > #0 0x7f50168829f6 in __interceptor_realloc
> > (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
> > #1 0x96d481 in Perl_safesysrealloc /root/perl/util.c:274
> >
> > SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/numeric.c:1490 Perl_my_atof2
>
> This tries to read from a file; using the script as its own input worked for me.
>
> This is caused by this code:
>
>         else if (!seen_dp && GROK_NUMERIC_RADIX(&s, send)) {
>             seen_dp = 1;
>             if (sig_digits > MAX_SIG_DIGITS) {
>                 do {
>                     ++s;
>                 } while (isDIGIT(*s));
>                 break;
>             }
>         }
>
> GROK_NUMERIC_RADIX() increments s past the decimal point, which is at
> the end of string in this case, so the following ++s steps past the
> NUL.
>
> I have a fix testing now.
Fixed in 9604fbf0722bd97ca6031a263c50ad52b6633db7.
Tony
---
via perlbug: queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=131526
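The overrun Tony describes, as an added toy model written for this page (it is not Perl's numeric.c, and the bounds-checked loop below is my own hardening, not the change in commit 9604fbf0722bd97ca6031a263c50ad52b6633db7). MAX_SIG_DIGITS is set to a small stand-in value so a short constructed input exceeds it; grok_numeric_radix() is a simplified stand-in for GROK_NUMERIC_RADIX that only consumes a '.'. The sample buffer is constructed with guard digits after the NUL so the overrun stays inside the array and can be measured; in the real report the bytes after the 26-byte region were unowned heap memory.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Perl's MAX_SIG_DIGITS; kept small so a short
   sample exceeds it. The real constant is larger. */
#define MAX_SIG_DIGITS 5

/* Toy stand-in for GROK_NUMERIC_RADIX: consumes a '.' and advances s past
   it, which is what leaves s == send when the '.' is the last byte. */
static int grok_numeric_radix(const char **sp, const char *send)
{
    if (*sp < send && **sp == '.') {
        ++*sp;
        return 1;
    }
    return 0;
}

/* Model of the digit-scanning loop. Returns how many bytes past `start`
   the scan pointer ended up; a result greater than send - start means the
   loop walked beyond the caller's end pointer (in the real bug, past the
   NUL terminator into memory the string does not own). `hardened` selects
   the bounds-checked skip loop (my own fix, not the one in the Perl commit). */
size_t scan_number(const char *start, const char *send, int hardened)
{
    const char *s = start;
    int sig_digits = 0;
    int seen_dp = 0;

    while (s < send) {
        if (isdigit((unsigned char)*s)) {
            ++sig_digits;
            ++s;
        }
        else if (!seen_dp && grok_numeric_radix(&s, send)) {
            seen_dp = 1;
            if (sig_digits > MAX_SIG_DIGITS) {
                if (!hardened) {
                    /* Original shape: increment first, test second. When the
                       radix point was the final byte, the first ++s steps
                       over the terminator and isdigit() reads the byte after
                       it (the "READ of size 1" in the ASan report). */
                    do {
                        ++s;
                    } while (isdigit((unsigned char)*s));
                }
                else {
                    /* Bounds-checked: never dereference at or past send. */
                    while (s < send && isdigit((unsigned char)*s))
                        ++s;
                }
                break;
            }
        }
        else {
            break;
        }
    }
    return (size_t)(s - start);
}

/* Constructed sample: "1234567." then its NUL, then two guard digits so the
   overrun is visible without leaving the array. send points at the NUL,
   exactly where start + strlen(start) would put it. */
static const char sample[] = { '1','2','3','4','5','6','7','.','\0','9','9','\0' };
#define SAMPLE_LEN 8

size_t consumed_by_original(void)
{
    return scan_number(sample, sample + SAMPLE_LEN, 0);
}

size_t consumed_by_hardened(void)
{
    return scan_number(sample, sample + SAMPLE_LEN, 1);
}

/* Convenience for NUL-terminated inputs; only safe with the original loop
   when the input does not end in a radix point. */
size_t scan_cstring(const char *str, int hardened)
{
    return scan_number(str, str + strlen(str), hardened);
}

int main(void)
{
    printf("input length %d: original loop consumed %zu, hardened loop consumed %zu\n",
           SAMPLE_LEN, consumed_by_original(), consumed_by_hardened());
    printf("benign \"1234567.89\": original %zu, hardened %zu\n",
           scan_cstring("1234567.89", 0), scan_cstring("1234567.89", 1));
    return 0;
}
```

With the trailing-radix sample the original-shaped loop ends three bytes past the end pointer, having skipped the terminator and consumed both guard digits, while the bounds-checked loop stops exactly at send. On an input such as "1234567.89" both loops agree, which is why the unchecked increment survived until a fuzzer produced a number whose radix point was the last byte.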