Bug#689314: perl: segfaults when echoing a very long string [CVE-2012-5195]
Niko Tyni
ntyni at debian.org
Fri Jan 11 08:24:58 UTC 2013
On Sat, Jan 05, 2013 at 04:44:48PM +0000, Dominic Hargreaves wrote:
> Strangely, when I try and reproduce with a vanilla 5.14.3 build, I
> get:
>
> $ ./perl -e 'print "x"x(2**31)'
> $ echo $?
> 0
>
> which seems wrong in a different way...
FWIW, I can reproduce it with an unpatched 5.14.3 on current sid i386
(a personality=linux32 chroot on an amd64 kernel to be precise).
I copied config.over from the Debian package and then called its
'config.debian --static'. I haven't bisected which Configure options
actually count.
My guess is it's just going out of memory but doesn't handle it too
gracefully.
Core was generated by `./perl -e print "x"x(2**31)'.
Program terminated with signal 11, Segmentation fault.
#0 0xf75a2b4f in memcpy () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt
#0 0xf75a2b4f in memcpy () from /lib/i386-linux-gnu/libc.so.6
#1 0x08162f9d in memcpy (__len=2002024496, __src=<optimized out>, __dest=<optimized out>)
at /usr/include/i386-linux-gnu/bits/string3.h:52
#2 PerlIOBuf_write (my_perl=0x8df0008, f=0x8e07d70, vbuf=0x77525008, count=<optimized out>)
at perlio.c:4184
#3 0x0813fefd in Perl_do_print (my_perl=my_perl@entry=0x8df0008, sv=0x8e0c13c, fp=fp@entry=0x8e07d70)
at doio.c:1257
#4 0x080e4ab3 in Perl_pp_print (my_perl=0x8df0008) at pp_hot.c:773
#5 0x080e2878 in Perl_runops_standard (my_perl=0x8df0008) at run.c:41
#6 0x0807eef0 in S_run_body (oldscope=0, my_perl=0x8df0008) at perl.c:2365
#7 perl_run (my_perl=0x8df0008) at perl.c:2283
#8 0x0806125f in main (argc=3, argv=0xffdefe94, env=0xffdefea4) at perlmain.c:120
Summary of my perl5 (revision 5 version 14 subversion 3) configuration:
Derived from:
Platform:
osname=linux, osvers=3.2.0-4-amd64, archname=i486-linux-gnu-thread-multi-64int
uname='linux madeleine 3.2.0-4-amd64 #1 smp debian 3.2.32-1 i686 gnulinux '
config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Dldflags= -Wl,-z,relro -Dlddlflags=-shared -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=i486-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.14 -Darchlib=/usr/lib/perl/5.14 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.14.3 -Dsitearch=/usr/local/lib/perl/5.14.3 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -DDEBUGGING=-g -Doptimize=-O2 -Uuseshrplib -des'
hint=recommended, useposix=true, d_sigaction=define
useithreads=define, usemultiplicity=define
useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
use64bitint=define, use64bitall=undef, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-O2 -g',
cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -fno-strict-aliasing -pipe -I/usr/local/include'
ccversion='', gccversion='4.7.2', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
alignbytes=4, prototype=define
Linker and Libraries:
ld='cc', ldflags =' -Wl,-z,relro -fstack-protector -L/usr/local/lib'
libpth=/usr/local/lib /lib/i386-linux-gnu /lib/../lib /usr/lib/i386-linux-gnu /usr/lib/../lib /lib /usr/lib
libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
libc=, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.13'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -Wl,-z,relro -L/usr/local/lib -fstack-protector'
Characteristics of this binary (from libperl):
Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV
PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP
PERL_PRESERVE_IVUV USE_64_BIT_INT USE_ITHREADS
USE_LARGE_FILES USE_PERLIO USE_PERL_ATOF
USE_REENTRANT_API
Locally applied patches:
uncommitted-changes
Built under linux
Compiled at Jan 11 2013 08:10:08
@INC:
lib
/usr/local/lib/perl/5.14.3
/usr/local/share/perl/5.14.3
/usr/lib/perl5
/usr/share/perl5
/usr/lib/perl/5.14
/usr/share/perl/5.14
.
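The thread turns on two observations: a run that ends with `$?` equal to 0 although something clearly went wrong, and a run that dies with signal 11 under a tight memory situation. A small reproduction harness makes those two outcomes easy to tell apart and lets you bound the address space so the test does not take the machine down. The script below is an added example for this purpose; it is not part of the bug report or of Perl, and it assumes a POSIX sh on Linux whose `ulimit -v` accepts a soft address-space limit in kilobytes.

```shell
#!/bin/sh
# classify_run LIMIT_KB CMD [ARGS...]
#   Runs CMD under an optional address-space limit (LIMIT_KB, empty = none)
#   and prints how it ended: "exit N" for a normal exit, "signal N" when the
#   process was terminated by signal N (the shell reports that as 128+N).
# Assumption (added example, not from the thread): POSIX sh with `ulimit -v`.
classify_run() {
    limit_kb=$1
    shift
    status=0
    # The limit is applied in a subshell so it only affects the command
    # under test; exec replaces the subshell so $? is the command's own.
    (
        [ -n "$limit_kb" ] && ulimit -v "$limit_kb"
        exec "$@"
    ) >/dev/null 2>&1 || status=$?
    if [ "$status" -gt 128 ]; then
        echo "signal $((status - 128))"
    else
        echo "exit $status"
    fi
}

# Usage against the reproducer from the thread (the 1000000 kB limit is an
# illustrative value; pick one below the machine's RAM so the box stays up):
#   classify_run 1000000 ./perl -e 'print "x"x(2**31)'
# Expected outcomes: "signal 11" for the crash described above, "exit 0" for
# the silent case Dominic saw, or a non-zero "exit N" if perl dies cleanly.
```

Because a signal death shows up as an exit status above 128, `echo $?` printing 0 means the interpreter really did return normally; the classification above distinguishes that case from a crash at a glance, and the address-space limit gives a reproducible way to push a 32-bit build into the out-of-memory region without guessing.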