Multiple crash with eval #16015
Comments
From @Mipu94I just try hongfuzz and found some samples that triggered crash by *eval* -- |
From @Mipu94 |
From @iabynOn Tue, Jun 13, 2017 at 01:28:29AM -0700, sung wrote:
Most of these seem to be fixed in blead. With threaded, debugging perl poc1 poc2 poc3 poc4 poc5 So it would appear that all except poc3 have been fixed. poc3 is: $^P = 0xA; It doesn't crash with $^P (debugging flags) being set, so I doubt that it -- |
|
The RT System itself - Status changed from 'new' to 'open' |
From @Mipu94My perl version is v5.22.1. 2017-06-13 18:43 GMT+07:00 Dave Mitchell via RT <
-- Phone:0905414043 |
From @tonycozOn Tue, 13 Jun 2017 04:43:13 -0700, davem wrote:
This isn't a security issue and is now public (it is a bug). It occurs while copying eval lines to the new @{"_<newfilename"} array from the old array. The code takes the very large line number and converts it to an I32 producing a negative number, then passes that as the index to av_store(). The attached should fix it, I don't think a test is practical as Tony |
From @tonycoz0001-perl-131562-correct-large-line-numbers-copying-eval-.patchFrom 4dc2acb7c6f86ab6ae2b157022d7c8cdbcfef1f2 Mon Sep 17 00:00:00 2001
From: Tony Cook <[email protected]>
Date: Wed, 23 Aug 2017 14:18:26 +1000
Subject: (perl #131562) correct large line numbers copying eval lines on #line
Previously this used I32 for line numbers, which takes half the range
of line_t and folds it into negative numbers, leading to trying to store
the lines at negative indexes.
The while loop was also modified to stop storing if/when the line number
no longer fits into cop_line, or no longer fits into SSize_t (as a
positive number) since the index parameter to av_store() is a SSize_t.
---
toke.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/toke.c b/toke.c
index 99b737b..cac88db 100644
--- a/toke.c
+++ b/toke.c
@@ -1817,14 +1817,14 @@ S_incline(pTHX_ const char *s)
}
else if (GvAV(cfgv)) {
AV * const av = GvAV(cfgv);
- const I32 start = CopLINE(PL_curcop)+1;
- I32 items = AvFILLp(av) - start;
+ const line_t start = CopLINE(PL_curcop)+1;
+ SSize_t items = AvFILLp(av) - start;
if (items > 0) {
AV * const av2 = GvAVn(gv2);
SV **svp = AvARRAY(av) + start;
- I32 l = (I32)line_num+1;
- while (items--)
- av_store(av2, l++, SvREFCNT_inc(*svp++));
+ Size_t l = line_num+1;
+ while (items-- && l < SSize_t_MAX && l == (line_t)l)
+ av_store(av2, (SSize_t)l++, SvREFCNT_inc(*svp++));
}
}
}
--
2.1.4
|
From @Mipu94I think this is a security bug because this bug can write out of bound. So 2017-08-23 11:19 GMT+07:00 Tony Cook via RT <perlbug-followup@perl.org>:
-- |
From @tonycozOn Thu, 28 Sep 2017 11:03:45 -0700, tadinhsung@gmail.com wrote:
Sorry, I missed this follow up. If an attacker can feed code to eval, they can feed code like C< system "rm -rf /" >, making other bugs irrelevant. Tony |
From @tonycozOn Tue, 22 Aug 2017 21:19:39 -0700, tonyc wrote:
Applied as 515c395. Tony |
|
@tonycoz - Status changed from 'open' to 'pending release' |
From @khwilliamsonThank you for filing this report. You have helped make Perl better. With the release today of Perl 5.30.0, this and 160 other issues have been Perl 5.30.0 may be downloaded via: If you find that the problem persists, feel free to reopen this ticket. |
|
@khwilliamson - Status changed from 'pending release' to 'resolved' |
Migrated from rt.perl.org#131562 (status was 'resolved')
Searchable as RT131562$
The text was updated successfully, but these errors were encountered: