| Summary: | [PATCH] large string repeat count causes heap corruption | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Petr Pisar <ppisar> |
| Component: | perl | Assignee: | Petr Pisar <ppisar> |
| Status: | CLOSED ERRATA | QA Contact: | Martin Kyral <mkyral> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.2 | CC: | jim, jlieskov, mkyral, mmaslano, ppisar, psabata |
| Target Milestone: | rc | Keywords: | Patch |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | perl-5.10.1-129.el6 | Doc Type: | Bug Fix |

Doc Text:

Cause:
Repeating a string with the `x' operator more than 2^31 times
(e.g. "my $s = 'a' x (2**31+1);").
Consequence:
The computed string becomes corrupted or the interpreter crashes.
Fix:
The right side of the `x' operator has been limited to 2^31 to
prevent the internal representation of the count from wrapping.
Result:
It is not possible to repeat a string more than 2^31 times and
thus corrupt memory or crash the interpreter. If the user
supplies a bigger count, the interpreter will raise an
exception.

| Story Points: | --- | | |
|---|---|---|---|
| Clone Of: | 720610 | Environment: | |
| Last Closed: | 2013-02-21 10:43:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 836160, 840699 | | |
Description
Petr Pisar
2011-07-12 11:16:27 UTC
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.

*** Bug 720652 has been marked as a duplicate of this bug. ***

The patch changes API. I will use a different approach proposed in bug #862413. That means the interpreter will abort instead of accepting such large numbers.

Created attachment 625851
Fix refusing big numbers
The fix

(In reply to comment #7)
> Created attachment 625851
> Fix refusing big numbers

This is not sufficient on i686 because there is an explicit check before that wraps the count number to IV_MAX, which is 2 less than I32_MAX (for unknown reason), pp.c:1493:

    if (uv > IV_MAX)
        count = IV_MAX; /* The best we can do? */

We need to croak here too, otherwise all requests bigger than 2^32-2 get wrapped to this value and then not all bytes get initialized properly.

Created attachment 657636
Fix case of 2^32±1 repeat counter.
This patch is needed on i686 to prevent silent data corruption.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0444.html
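
The failure mode from the Doc Text and the i686 comment above, as an added C model; it is not code from this bug report, its attachments, or Perl's source. It assumes the repeat count is narrowed to a signed 32-bit counter before the copy, and `REPEAT_MAX` and every function name are hypothetical. It contrasts the unchecked path, the silent clamp, and a check that refuses the request.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption of this model: the copy helper counts repetitions in a signed
 * 32-bit integer, so INT32_MAX is the largest count it can represent. */
#define REPEAT_MAX ((uint64_t)INT32_MAX)

/* Portable two's-complement narrowing of a 64-bit count to 32 bits. */
static int32_t narrow_i32(uint64_t v) {
    uint32_t low = (uint32_t)v;
    return low <= (uint32_t)INT32_MAX ? (int32_t)low
                                      : (int32_t)(low - 0x80000000u) + INT32_MIN;
}

/* Bytes a copy helper with a 32-bit counter writes: none when it is <= 0. */
static uint64_t bytes_filled(uint64_t len, int32_t count) {
    return count > 0 ? len * (uint64_t)count : 0;
}

/* Unchecked: the length is recorded from the wide count, the fill uses the
 * narrowed one. Returns bytes the string claims but that were never written. */
uint64_t unchecked_gap(uint64_t len, uint64_t count) {
    uint64_t recorded = len * count;
    uint64_t filled = bytes_filled(len, narrow_i32(count));
    return recorded > filled ? recorded - filled : 0;
}

/* Clamping: no crash, but the caller silently gets a different count. */
uint64_t clamped_count(uint64_t count) {
    return count > REPEAT_MAX ? REPEAT_MAX : count;
}

/* Checked: refuse the request (stand-in for raising an exception).
 * Returns 0 and stores the result length, or -1 when out of range. */
int checked_repeat(uint64_t len, uint64_t count, uint64_t *out_len) {
    if (count > REPEAT_MAX)
        return -1;
    if (len != 0 && count > UINT64_MAX / len)
        return -1;                      /* len * count would overflow */
    *out_len = len * count;
    return 0;
}

int main(void) {
    uint64_t big = (UINT64_C(1) << 31) + 1, n = 0;  /* 'a' x (2**31+1) */
    printf("gap=%llu checked=%d\n", (unsigned long long)unchecked_gap(1, big),
           checked_repeat(1, big, &n));
    return 0;
}
```
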