Bug#628817: perl NULL pointer dereference

Dominic Hargreaves dom at earth.li
Mon Jun 13 17:48:46 UTC 2011


On Thu, Jun 02, 2011 at 02:39:35PM +0300, Niko Tyni wrote:
> On Wed, Jun 01, 2011 at 05:52:17PM +0200, Thijs Kinkhorst wrote:
> > Package: perl
> > Severity: serious
> > Tags: security
> 
> > CVE-2011-0761[0]:
> > | Perl 5.10.x allows context-dependent attackers to cause a denial of
> > | service (NULL pointer dereference and application crash) by leveraging
> > | an ability to inject arguments into a (1) getpeername, (2) readdir,
> > | (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir
> > | function call.
> 
> Some observations:
> 
> - the crash can be reproduced with just 
>    perl -e 'getsockname(1,1)'
> 
> - the functions (at least getsockname) don't seem to check their argument
>   count, they only use the last one. This is still the case in 5.12.
>   I haven't found any indication of the Perl stack corrupting on 5.12
>   though so this seems harmless.
> 
> - the crash is at gv.c:89 (as of 5.10.1):
>     if (!gv || SvTYPE((const SV *)gv) != SVt_PVGV) {
> 
> - compiler optimization of gv.c affects the behaviour:
>   + a regular perl built with -O0 gives the intended
>       Bad symbol for filehandle at -e line 1
> 
>   + a debugging version (-DDEBUGGING) with -O0 gives an expected
>     assertion failure:
>       Assertion gv failed: file "gv.c", line 87 at -e line 1.
> 
>   + -DDEBUGGING at -O2 (i.e. what's in the perl-debug package)
>     crashes the same way as the regular perl so the assertion check
>     is bypassed.
> 
> I don't quite understand yet what happens in the optimized version of
> Perl_gv_IOadd(); the gv is NULL so the !gv check above should prevent
> referencing it AIUI.

Niko,

In your opinion, based on the above and the (only) upstream response
on
<http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-06/msg00027.html>
do you think that this bug should be downgraded from serious, since
apps should not (according to upstream, and I'm inclined to agree) be
passing unsanitised untrusted input into those functions?

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
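Upstream's position, as quoted above, is that callers should not hand unsanitised input to these builtins. As an added example (not code from the perl source or from this thread), the following shows what that sanitisation looks like in practice: a hypothetical wrapper, safe_getsockname, that uses Scalar::Util::openhandle to reject anything that is not an open filehandle before the builtin is reached, so the scalars from the reproducer (1, "1") never become the handle argument. The loopback socket and the "bad" values are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(openhandle);
use Socket qw(PF_INET SOCK_STREAM INADDR_LOOPBACK
              pack_sockaddr_in unpack_sockaddr_in inet_ntoa);

# Hypothetical wrapper (not from the perl source): refuse anything that is
# not an open filehandle before it reaches the builtin, so untrusted scalars
# such as 1 or "1" are never used as the handle argument.
sub safe_getsockname {
    my ($fh) = @_;
    die "getsockname: argument is not an open filehandle\n"
        unless openhandle($fh);
    my $addr = getsockname($fh);
    defined $addr or die "getsockname: $!\n";   # e.g. ENOTSOCK for a plain file
    return $addr;
}

# Constructed input: a loopback TCP socket bound to an ephemeral port.
socket(my $sock, PF_INET, SOCK_STREAM, 0) or die "socket: $!";
bind($sock, pack_sockaddr_in(0, INADDR_LOOPBACK)) or die "bind: $!";
my ($port, $ip) = unpack_sockaddr_in(safe_getsockname($sock));
printf "bound to %s:%d\n", inet_ntoa($ip), $port;

# Values an attacker could inject as the handle argument, plus a handle that
# is open but not a socket and one that has already been closed.
open(my $plain, '<', '/dev/null') or die "open: $!";
close($sock);
for my $bad (1, "1", "not a handle", $plain, $sock) {
    my $ok = eval { safe_getsockname($bad); 1 };
    print "rejected '$bad': $@" unless $ok;
}
```

The first three values are refused by openhandle before getsockname runs; the plain file passes the handle check but getsockname itself fails with ENOTSOCK, and the closed socket is refused because fileno is no longer defined. The same pattern applies to the other builtins named in the CVE text (readdir, closedir, tell, telldir and so on): validate the handle in the caller, since the builtins themselves only use the last argument they are given and do not check its type.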