pos() does not get updated when running in taint mode #7147

Closed
p5pRT opened this issue Mar 3, 2004 · 11 comments

Comments


p5pRT commented Mar 3, 2004

Migrated from rt.perl.org#27344 (status was 'resolved')

Searchable as RT27344$


p5pRT commented Mar 3, 2004

From fany@noris.net

Created by fany@noris.net

I discovered that the pos() of a string does not get updated
under some conditions when running in taint mode.

This can be reproduced as follows:

| $ echo foo | perl -le '$a = <>; a($a); sub a { $_[0] =~ m/\G./g; print pos $a }'
| 1
| $ echo foo | perl -le '$a = <>; a($a); sub a { $_[0] =~ m/\G./g; print pos $a }' -T
|

I discovered the bug, because Text::Wrapper got into an endless
loop when running in taint mode.

I could reproduce it with various perl versions (5.005_03, 5.6.1
and 5.8.3) on different linux systems (RedHat 6.1 and 7.1, SuSE
9.0).

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl v5.8.3:

Configured by fany at Mon Jan 19 12:59:51 CET 2004.



p5pRT commented Mar 25, 2004

From @iabyn

On Wed, Mar 03, 2004 at 10:13:17AM -0000, fany@noris.net (via RT) wrote:

I discovered that the pos() of a string does not get updated
under some conditions when running in taint mode.

This can be reproduced as follows:

| $ echo foo | perl -le '$a = <>; a($a); sub a { $_[0] =~ m/\G./g; print pos $a }'
| 1
| $ echo foo | perl -le '$a = <>; a($a); sub a { $_[0] =~ m/\G./g; print pos $a }' -T
|

Thanks for the report.

P5Pers: the error occurs in pp_aelemfast(), which does the $_[0] in the
sub; the code looks like:

  U32 lval = PL_op->op_flags & OPf_MOD;
  SV** svp = av_fetch(av, PL_op->op_private, lval);
  SV *sv = (svp ? *svp : &PL_sv_undef);
  EXTEND(SP, 1);
  if (!lval && SvGMAGICAL(sv)) /* see note in pp_helem() */
      sv = sv_mortalcopy(sv);

For some reason the aelemfast opcode isn't marked as OPf_MOD, and since
in the taint case $a is already magical due to the tainting, a mortal
copy is made which then gets matched against. Thus the copy gets the
pos() magic attached rather than $a.

It's too late in the evening for my poor brain to work out the correct
fix; I suspect the OPf_MOD flag needs setting, but I may be wrong...

Dave.



p5pRT commented Mar 25, 2004

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Dec 21, 2006

From @rgs

Setting OPf_MOD on the aelemfast op isn't a good solution, because this
flag is here to denote operations that modify the value of the operand,
while in our case only magic will be modified. (and indeed, setting this
flag makes perl break.)

I don't think there is a good and efficient way to solve this problem
with the current architecture. We need to make a mortal copy in order to
avoid triggerring get magic more than once; but this doesn't matter for
taint magic, and other types of magic.

For example, here's another instance of the same bug, this time with
substr magic, not taint magic: both invocations should print "1".

$ ./perl -le 'a(substr("fooo",0,3)); sub a { $_[0] =~ m/\G./g; print pos $_[0]}'

$ ./perl -le 'a("".substr("fooo",0,3)); sub a { $_[0] =~ m/\G./g; print pos $_[0]}'
1


p5pRT commented Nov 6, 2008

From @fany

Created by @fany

pos() and regex matching with \G does not work if a tainted value
is passed to a subroutine:

$ perl -Tle '$_=shift; /\G(.*)/g; print pos || "-"' foo
3
$ perl -le 'x(shift); sub x { $_[0] =~ /\G(.*)/g; print pos $_[0] || "-" }' foo
3
$ perl -Tle 'x(shift); sub x { $_[0] =~ /\G(.*)/g; print pos $_[0] || "-" }' foo
-

This e.g. causes infinite loops in Locale::Maketext::Guts::_compile().

It works, however, if the value is assigned to a variable first
and then this variable is used for the matching operation:

$ perl -Tle 'x(shift); sub x { my $s = shift; $s =~ /\G(.*)/g; print pos $s || "-" }' foo
3

The issue not only affects the perl version mentioned below but
also the standard perl v5.8.8 interpreter built for
i486-linux-gnu-thread-multi on Debian/Etch and thus probably
other versions, too.

Regards,
fany

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.10.0:

Configured by fany at Wed Dec 19 22:11:44 CET 2007.

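
The workaround from the post above (copy the argument into a lexical before the \G match), next to the fragile alias form and a fail-closed guard against the endless loop this bug caused in Text::Wrapper and Locale::Maketext, as an added example that is not from the ticket or from the perl source. The tokenize/tokenize_alias_capped subs, the token regex and the step cap are constructed for this example.

```perl
# Run as:  perl -T tokenize.pl 'foo bar baz'
use strict;
use warnings;

# Mitigation: copy the (tainted) argument into a lexical before the
# \G loop, so pos() is attached to $text rather than to a temporary.
sub tokenize {
    my ($text) = @_;
    my @tokens;
    my $last = -1;
    pos($text) = 0;
    while ($text =~ /\G\s*(\w+|\S)/gc) {
        my $p = pos($text);
        # Fail closed: a \G loop whose pos() stops advancing would never
        # terminate (the symptom behind the endless loops reported above).
        die "pos() did not advance, stuck at offset $p\n" if $p == $last;
        $last = $p;
        push @tokens, $1;
    }
    return @tokens;
}

# The fragile form: matching directly against the alias $_[0]. On an
# affected perl under -T the pos() magic lands on a mortal copy, the
# match restarts at offset 0 every iteration, and only the step cap
# (a constructed limit for this example) stops the loop.
sub tokenize_alias_capped {
    my $max_steps = 1000;
    my @tokens;
    while ($_[0] =~ /\G\s*(\w+|\S)/g) {
        push @tokens, $1;
        return (\@tokens, 'runaway') if @tokens > $max_steps;
    }
    return (\@tokens, 'ok');
}

# @ARGV is tainted under -T, which is exactly the input the bug needs.
my $input = defined $ARGV[0] ? $ARGV[0] : 'foo bar baz';

my ($toks, $status) = tokenize_alias_capped($input);
print "alias match:  $status after ", scalar(@$toks), " step(s)\n";
print "lexical copy: ", join('|', tokenize($input)), "\n";
```

On a fixed perl both subs tokenize the input and the first line reports 'ok'; on an affected perl run with -T the alias form reports 'runaway' while the lexical copy still yields the tokens.
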


p5pRT commented Nov 6, 2008

From module@renee-baecker.de

Thanks for your bug report! I think you have filed the same bug about
four years ago: http://rt.perl.org/rt3/Public/Bug/Display.html?id=27344


p5pRT commented Nov 6, 2008

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Nov 8, 2008

From @fany

Thanks for your bug report! I think you have filed the same bug about
four years ago: http://rt.perl.org/rt3/Public/Bug/Display.html?id=27344

Thanks! This is scary! :-) I didn't remember that one at all.
However, this IMHO shows that the bug is relevant for more than
one piece of code or module.

Regards,
fany

--
Martin H. Sluka, Breite Straße 3, D-90552 Röthenbach
tel +49-700-19751024, <martin@sluka.de>, <http://unf.ug/>
ASCII ribbon campaign - against HTML email & vcards


p5pRT commented Mar 23, 2010

From @iabyn

Now fixed by commit fd69380
in branch davem/post-5.12, which should be merged back into blead
once 5.12 has been released, and thus appear in 5.13 onwards.


p5pRT commented Mar 23, 2010

@iabyn - Status changed from 'open' to 'resolved'
