heap-use-after-free Perl_sv_setpv_bufsize (sv.c:4956) #15747
Comments
From @geeknik: Triggered with Perl v5.25.7-26-g7332835.
./perl -e '@0=$0|=*0=H or()'
==17224==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000e630 is located 0 bytes inside of 10-byte region previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/sv.c:4956
From @tonycoz: On Sun, 04 Dec 2016 01:53:36 -0800, brian.carpenter@gmail.com wrote:
Stack traces from valgrind:
==19883== Invalid write of size 1
This looks like another stack-not-refcounted issue.
Tony
The RT System itself - Status changed from 'new' to 'open'
From @tonycoz: On Sun, 04 Dec 2016 16:20:22 -0800, tonyc wrote:
Simplifies to: ./perl -e '$0|=*0="H"'
And so it is, now public.
Tony
From @demerphq: On 31 Jan 2017 1:04 p.m., "Tony Cook via RT" <perlbug-followup@perl.org> wrote: On Sun, 04 Dec 2016 16:20:22 -0800, tonyc wrote:
> Simplifies to: ./perl -e '$0|=*0="H"'
> And so it is, now public
Is it *just* a stack not refcounted bug or is it more? What is supposed to
Yves
From @tonycoz: On Tue, Jan 31, 2017 at 07:30:56AM +0100, demerphq wrote:
It looks like the same as: $0|=*0=*H
Tony
From @iabyn: On Tue, Jan 31, 2017 at 07:30:56AM +0100, demerphq wrote:
It uses the string as the name of a typeglob. So *foo = "bar"; is equivalent to *foo = *bar; and both make the GP of *foo point to the GP of *bar, freeing the old GP.
From @demerphq: On 1 Feb 2017 22:29, "Dave Mitchell" <davem@iabyn.com> wrote: On Tue, Jan 31, 2017 at 07:30:56AM +0100, demerphq wrote:
> It uses the string as the name of a typeglob. So *foo = "bar"; is equivalent to *foo = *bar; and both make the GP of *foo point to the GP of *bar, freeing the old GP
Wow. Not what I expected. Do you happen to know where that is documented?
Yves
From @iabyn: On Wed, Feb 01, 2017 at 05:21:47PM +0100, demerphq wrote:
No idea - I just looked at what it actually does.
No idea (I seem to keep saying that). There does seem to be a lot of readline 'FH' behaving like readline *FH. I hate typeglobs.
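The glob-aliasing semantics Dave describes above, shown as an added illustration (not code from the thread or from the perl5 repository): assigning a string to a typeglob swaps in the GP of the named glob, so the variables that lived under the old GP are no longer reachable through *foo. The names foo and bar are made up for the example.

```perl
#!/usr/bin/perl
# Added example: *foo = "bar" behaves exactly like *foo = *bar.
use strict;
use warnings;
no strict 'refs';   # glob assignment by name is symbolic; be explicit about it

our ($foo, $bar) = ("old foo", "from bar");
our @foo = (1, 2, 3);

# Before: *foo has its own GP holding $foo and @foo.
printf "before: \$foo=%s, \@foo has %d elements\n", $foo, scalar @foo;

*foo = "bar";   # the string names a glob; this is *foo = *bar

# After: *foo's old GP has been released and *foo now shares *bar's GP,
# so $foo reads $bar, and @foo is the (empty) @bar.
printf "after:  \$foo=%s, \@foo has %d elements\n", $foo, scalar @foo;

# Identity check: the scalar slot behind $foo and $bar is the same SV.
print((\$foo == \$bar) ? "aliased\n" : "distinct\n");
```

Anything still holding a pointer into the released GP at that moment (as the ops on the stack do in the one-liners in this thread) is what turns this into the reported use-after-free.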
From @geeknik: Just triggered this bug in v5.27.4-29-gdc41635.
./perl -e '$$.=*$=*$$'
=================================================================
0x60200000e1f0 is located 0 bytes inside of 10-byte region previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/sv.c:4958
And if I change it ever so slightly, we get a null pointer dereference:
./perl -e '$$.=*$=0'
ASAN:SIGSEGV
==21206==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
AddressSanitizer can not provide additional info.
This example of the same problem was submitted by Dominik Chylinski to the Perl security team:
Migrated from rt.perl.org#130256 (status was 'open')
Searchable as RT130256$