Skip Menu |

This queue is for tickets about the IPC-SysV CPAN distribution.

Report information
The Basics
Id: 131024
Status: new
Priority: 0/
Queue: IPC-SysV

Owner: Nobody in particular
Requestors: lightsey [...]
Cc: randrianantenaina.michael [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

CC: randrianantenaina.michael [...]
Subject: IPC::SharedMem does not constrain memory reads and writes to the mapped address space
This bug was originally reported to the security queue as RT134373 by Michael Randrianantenaina. The Perl security team doesn't consider the reported behavior to represent a vulnerability in the IPC::SharedMem module, and the Perl core issue tracker isn't a good place to track this bug. In a nutshell, IPC::SharedMem does not verify that the POS arguments to read() and write() are withing the address range of the shared memory segment created with new(). Using negative values for POS or positive values greater than the size of the memory segment reads or writes unrelated memory. The following example code shows writes and reads outside of the shared memory area. This example is staying within the same memory page to avoid ASLR complications. use IPC::SysV qw(S_IWUSR IPC_CREAT IPC_PRIVATE); use IPC::SharedMem; my $shm = IPC::SharedMem->new(IPC_PRIVATE, 10, S_IRWXU & IPC_CREAT); $shm->attach(0); $shm->write("1" x 10, 0, 10); $shm->write("A" x 10, 40, 10); foreach (0..5) { my $offset = 10 * $_; print "shm($offset): " . $shm->read($offset,10) . "\n"; } $shm->remove;

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

Please report any issues with to