Bug#689314: perl: segfaults when echoing a very long string [CVE-2012-5195]

Niko Tyni ntyni at debian.org
Fri Jan 11 08:24:58 UTC 2013 

On Sat, Jan 05, 2013 at 04:44:48PM +0000, Dominic Hargreaves wrote:

> Strangely, when I try and reproduce with a vanilla 5.14.3 build, I
> get:
> 
> $ ./perl -e 'print "x"x(2**31)'
> $ echo $?
> 0
> 
> which seems wrong in a different way...

FWIW, I can reproduce it with an unpatched 5.14.3 on current sid i386
(a personality=linux32 chroot on an amd64 kernel to be precise).  

I copied config.over from the Debian package and then called its
'config.debian --static'.  I haven't bisected which Configure options
actually count.

My guess is it's just going out of memory but doesn't handle it too
gracefully.

Core was generated by `./perl -e print "x"x(2**31)'.
Program terminated with signal 11, Segmentation fault.
#0  0xf75a2b4f in memcpy () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt
#0  0xf75a2b4f in memcpy () from /lib/i386-linux-gnu/libc.so.6
#1  0x08162f9d in memcpy (__len=2002024496, __src=<optimized out>, __dest=<optimized out>)
    at /usr/include/i386-linux-gnu/bits/string3.h:52
#2  PerlIOBuf_write (my_perl=0x8df0008, f=0x8e07d70, vbuf=0x77525008, count=<optimized out>)
    at perlio.c:4184
#3  0x0813fefd in Perl_do_print (my_perl=my_perl at entry=0x8df0008, sv=0x8e0c13c, fp=fp at entry=0x8e07d70)
    at doio.c:1257
#4  0x080e4ab3 in Perl_pp_print (my_perl=0x8df0008) at pp_hot.c:773
#5  0x080e2878 in Perl_runops_standard (my_perl=0x8df0008) at run.c:41
#6  0x0807eef0 in S_run_body (oldscope=0, my_perl=0x8df0008) at perl.c:2365
#7  perl_run (my_perl=0x8df0008) at perl.c:2283
#8  0x0806125f in main (argc=3, argv=0xffdefe94, env=0xffdefea4) at perlmain.c:120


Summary of my perl5 (revision 5 version 14 subversion 3) configuration:
  Derived from: 
  Platform:
    osname=linux, osvers=3.2.0-4-amd64, archname=i486-linux-gnu-thread-multi-64int
    uname='linux madeleine 3.2.0-4-amd64 #1 smp debian 3.2.32-1 i686 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Dldflags= -Wl,-z,relro -Dlddlflags=-shared -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=i486-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.14 -Darchlib=/usr/lib/perl/5.14 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.14.3 -Dsitearch=/usr/local/lib/perl/5.14.3 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -DDEBUGGING=-g -Doptimize=-O2 -Uuseshrplib -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='4.7.2', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -Wl,-z,relro -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib/i386-linux-gnu /lib/../lib /usr/lib/i386-linux-gnu /usr/lib/../lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.13'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -Wl,-z,relro -L/usr/local/lib -fstack-protector'


Characteristics of this binary (from libperl): 
  Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV
                        PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP
                        PERL_PRESERVE_IVUV USE_64_BIT_INT USE_ITHREADS
                        USE_LARGE_FILES USE_PERLIO USE_PERL_ATOF
                        USE_REENTRANT_API
  Locally applied patches:
    uncommitted-changes
  Built under linux
  Compiled at Jan 11 2013 08:10:08
  @INC:
    lib
    /usr/local/lib/perl/5.14.3
    /usr/local/share/perl/5.14.3
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.14
    /usr/share/perl/5.14
    .

More information about the Perl-maintainers mailing list