Bug#628817: perl NULL pointer dereference

Niko Tyni ntyni at debian.org
Thu Jun 2 11:39:35 UTC 2011


On Wed, Jun 01, 2011 at 05:52:17PM +0200, Thijs Kinkhorst wrote:
> Package: perl
> Severity: serious
> Tags: security

> CVE-2011-0761[0]:
> | Perl 5.10.x allows context-dependent attackers to cause a denial of
> | service (NULL pointer dereference and application crash) by leveraging
> | an ability to inject arguments into a (1) getpeername, (2) readdir,
> | (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
> | function call.

Some observations:

- the crash can be reproduced with just
    perl -e 'getsockname(1,1)'

- the functions (at least getsockname) don't seem to check their argument
  count, they only use the last one. This is still the case in 5.12.
  I haven't found any indication of the Perl stack corrupting on 5.12
  though so this seems harmless.

- the crash is at gv.c:89 (as of 5.10.1):
    if (!gv || SvTYPE((const SV *)gv) != SVt_PVGV) {

- compiler optimization of gv.c affects the behaviour:
  + a regular perl built with -O0 gives the intended
      Bad symbol for filehandle at -e line 1

  + a debugging version (-DDEBUGGING) with -O0 gives an expected
    assertion failure:
      Assertion gv failed: file "gv.c", line 87 at -e line 1.

  + -DDEBUGGING at -O2 (i.e. what's in the perl-debug package)
    crashes the same way as the regular perl so the assertion check
    is bypassed.

I don't quite understand yet what happens in the optimized version of
Perl_gv_IOadd(); the gv is NULL so the !gv check above should prevent
referencing it AIUI.
-- 
Niko Tyni   ntyni at debian.org