Null pointer dereference + segfault in Perl_pp_subst (pp_hot.c:3368) #15756

Open
p5pRT opened this issue Dec 11, 2016 · 4 comments

p5pRT commented Dec 11, 2016

Migrated from rt.perl.org#130315 (status was 'open')

Searchable as RT130315$


p5pRT commented Dec 11, 2016

From @geeknik

Triggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL.

```
od -tx1 test114
0000000 6d 61 70 24 53 3d 25 5d 3d 73 2e 2e 54 0e 4d 2c
0000020 25 5f 42 44 2e 72 72 72 72 2c 4d 2c 25 5f 3d 44
0000040 2e 2e 54 2c 4d 2c 25 5f 3d 44 2e 2e 54 2c 4d 2c
0000060 04 22 04 3d 25 5d 3d 52 2e 2e 54 2c 54 2c 25 5f
0000100 3d 44 2e 2e 54 2c 4d 22 04 1d 22 6e 6e 70 67 1d
0000120 22 6c 6e 67 67 00 1b 02 00 7f 00 00 00 b9 9f
0000137
```

```
semi-panic: attempt to dup freed string at test114 line 1.
ASAN:SIGSEGV

==29301==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c
(pc 0x0000008d5abd bp 0x7ffdebe9de60 sp 0x7ffdebe9dc80 T0)
  #0 0x8d5abc in Perl_pp_subst /root/perl/pp_hot.c:3368:6
  #1 0x7f81fb in Perl_runops_debug /root/perl/dump.c:2260:23
  #2 0x5a0ab3 in S_run_body /root/perl/perl.c:2526:2
  #3 0x5a0ab3 in perl_run /root/perl/perl.c:2449
  #4 0x4de6dd in main /root/perl/perlmain.c:123:9
  #5 0x7ff28cd26b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
  #6 0x4de34c in _start (/root/perl/perl+0x4de34c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/perl/pp_hot.c:3368 Perl_pp_subst
==29301==ABORTING
```
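As an added triage example (not part of the report or of perl's own tooling), the following parses a sanitizer report like the one above into a structured record and assigns it a de-duplication bucket; the fault address below 0x1000 is what marks this crash as a NULL-plus-offset read rather than a wild access. The embedded report text is a constructed copy of the output quoted above, with frame #5 re-joined onto one line.

```python
import re

# Constructed copy of the sanitizer output quoted in the report above (frame #5
# re-joined onto one line, as ASAN prints it).
ASAN_REPORT = """\
semi-panic: attempt to dup freed string at test114 line 1.
ASAN:SIGSEGV
==29301==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c
(pc 0x0000008d5abd bp 0x7ffdebe9de60 sp 0x7ffdebe9dc80 T0)
  #0 0x8d5abc in Perl_pp_subst /root/perl/pp_hot.c:3368:6
  #1 0x7f81fb in Perl_runops_debug /root/perl/dump.c:2260:23
  #2 0x5a0ab3 in S_run_body /root/perl/perl.c:2526:2
  #3 0x5a0ab3 in perl_run /root/perl/perl.c:2449
  #4 0x4de6dd in main /root/perl/perlmain.c:123:9
  #5 0x7ff28cd26b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
  #6 0x4de34c in _start (/root/perl/perl+0x4de34c)
SUMMARY: AddressSanitizer: SEGV /root/perl/pp_hot.c:3368 Perl_pp_subst
==29301==ABORTING
"""

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on unknown address 0x([0-9a-f]+)")
# "#N 0x... in func file:line[:col]" or "#N 0x... in func (module+offset)"
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?)(?::(\d+))?(?::\d+)?$")


def parse_asan_report(text):
    """Return the first sanitizer error in `text` as a dict, or None if absent."""
    m = ERROR_RE.search(text)
    if not m:
        return None
    frames = [{"func": f.group(1), "file": f.group(2),
               "line": int(f.group(3)) if f.group(3) else None}
              for f in map(FRAME_RE.match, text.splitlines()) if f]
    summary = re.search(r"^SUMMARY: AddressSanitizer: (.+)$", text, re.M)
    return {"pid": int(m.group(1)), "signal": m.group(2), "address": int(m.group(3), 16),
            "frames": frames, "summary": summary.group(1) if summary else None,
            # perl's own "semi-panic" precedes the crash: a freed SV was reused
            "perl_panic": "attempt to dup freed string" in text}


def classify(report):
    """Coarse crash bucket for de-duplicating fuzzer findings: kind + top frame."""
    top = report["frames"][0] if report["frames"] else None
    if report["signal"] == "SEGV" and report["address"] < 0x1000:
        kind = "null-deref"      # NULL plus a small field offset, as in 0xc here
    elif report["signal"] == "SEGV":
        kind = "wild-access"
    else:
        kind = report["signal"].lower()
    where = f"{top['func']}@{top['file']}:{top['line']}" if top else "unknown"
    return f"{kind}:{where}"
```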


p5pRT commented Dec 11, 2016

From @geeknik

test114.gz


p5pRT commented Dec 12, 2016

From @iabyn

This is a stack-not-ref-counted issue. It can be reduced to:

```perl
map 1, (%x) = (1..3), (%x) = ();
```

```
perl: sv.c:6540: Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' failed.
```

or using a for loop instead, which has a hack that checks whether the
value about to be iterated on has been freed:

```perl
1 for (%x) = (1..3), (%x) = ();
```

```
Use of freed value in iteration at /tmp/test114 line 1.
```

--
Never work with children, animals, or actors.


p5pRT commented Dec 12, 2016

The RT System itself - Status changed from 'new' to 'open'
