SIGBUS Perl_sv_peek (dump.c:367) #15539
Comments
From @geeknik
The following script triggers a Bus error (SIGBUS) in Perl v5.25.4 (v5.25.3-305-g8c6b0c7) with the -D. Removing it stifles the crash.
#!perl -D2000002
Program received signal SIGBUS, Bus error.
From @cpansprout
On Sat Aug 20 23:07:45 2016, brian.carpenter@gmail.com wrote:
This one I cannot reproduce.
-- Father Chrysostomos
The RT System itself - Status changed from 'new' to 'open'
From @cpansprout
On Sat Aug 20 23:07:45 2016, brian.carpenter@gmail.com wrote:
This is probably equivalent to:
#!perl -DvJRTDxms
Being unable to reproduce the crash, I cannot confirm that it is equivalent.
-- Father Chrysostomos
From @geeknik
I've attached a test case that exhibits this behavior. Give it a try.
From @cpansprout
On Sun Aug 21 15:12:21 2016, brian.carpenter@gmail.com wrote:
Still no difference (on darwin). I guess my machine is special. :-)
-- Father Chrysostomos
From @geeknik
On Sun Aug 21 17:23:39 2016, sprout wrote:
The machine I'm running my tests on is a Debian 8.5 x64 VM (512MB RAM, 20GB DISK, 1 vCPU). I've only seen 5 or 6 of these Perl `scripts` which trigger this `Bus error` and I've never encountered it while fuzzing other things on similar architectures (PHP, OpenSSL, Ruby, Python, Bash, GCC, CLANG, etc), and before this 48 hour Perl sprint, I hadn't seen it in previous Perl sessions.
From zefram@fysh.org
SIGBUS is very little used by the x86 architecture. The usual cause
Please show us a register dump and disassembly from the point of the
-zefram
From @geeknik
On Sun Aug 21 18:09:14 2016, zefram@fysh.org wrote:
Program received signal SIGBUS, Bus error.
(gdb) info all-registers
From zefram@fysh.org
Brian Carpenter via RT wrote:
There's your proximate problem: segment register clear for a memory
-zefram
From @geeknik
3350 lines of debugging output before the Bus error happens.
On Sun, Aug 21, 2016 at 9:22 PM, Zefram via RT <perlbug-followup@perl.org>
From @dcollinsn
Intrigued by some of the triage effort, I pulled out my AFL toolchain from a few months ago. I was still unable to reproduce this, on a Perl built with GCC 6.1.1-4 via AFL 2.13b in a 64 bit Debian VM. Brian, does this still crash on a non-instrumented Perl? Either way, can we have the output of the `perl -V` of a perl that reproduces this on your VM? I'd love to try to reproduce as closely as possible.
For reference, I failed to reproduce with this perl:
$ ./perl -Ilib -V
Characteristics of this binary (from libperl):
--
From @geeknik
./perl -V
./afl-gcc -v
On Sun, Aug 21, 2016 at 10:07 PM, Dan Collins via RT <
From @dcollinsn
On Sun Aug 21 20:13:04 2016, brian.carpenter@gmail.com wrote:
Sorry, you'll need to do `./perl -Ilib -V` if you're running that from the build directory of a perl you haven't installed.
--
From zefram@fysh.org
Brian 'geeknik' Carpenter wrote:
No smoking gun there. Please try reducing the debugging flags, to find the minimum set that
-zefram
From @geeknik
./perl -Ilib -V
Characteristics of this binary (from libperl):
./afl-clang-fast -v
clang --version
From @geeknik
My command line for building Perl never changes either:
./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O2\
From @dcollinsn
It's not just Brian, I /can/ reproduce:
LD_PRELOAD=/home/dcollins/toolchain/afl-2.32b/libdislocator/libdislocator.so ./perl ~/t.pl
libdislocator is available as part of the afl source distribution. Here's a readme: https://github.com/mirrorer/afl/tree/master/libdislocator
I got it as a one-liner and reduced by hand to the following:
LD_PRELOAD=/home/dcollins/toolchain/afl-2.32b/libdislocator/libdislocator.so ./perl -Dvs -e '$_="aa"; s///ge'
Removing the preload also removes the crash. I included some output from a GDB run showing that, as with Brian, the ds register is clear just before the crash. However, I wasn't trivially able to find any point in the program where `ds` had any value in it. Any requests for specific debugging information?
Here's some interesting info:
(gdb) bt
%% WITH PRELOAD, RUN AND VALGRIND %%
dcollins@nightshade64:~/toolchain/perldebug$ LD_PRELOAD=/home/dcollins/toolchain/afl-2.32b/libdislocator/libdislocator.so ./perl -Dvs -e '$_="aa"; s///ge'
EXECUTING...
STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN
==51966== at 0x4CE268: Perl_sv_peek (dump.c:367)
%% WITHOUT PRELOAD, RUN AND VALGRIND %%
EXECUTING...
STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN STACK 0: MAIN
==52640==
%% WITH PRELOAD, GDB %%
Program received signal SIGSEGV, Segmentation fault.
--
From @tonycoz
On Sun Aug 21 20:19:48 2016, zefram@fysh.org wrote:
I reduced the -D flags to -Dsv and FatherC's simplification also
#!perl -Dsv
tony@mars:.../git/perl$ LD_PRELOAD=/home/tony/local/afl-2.32b/lib/afl/libdislocator.so gdb --args ./perl ../129029b.pl
valgrind reports:
...
Tony
From @tonycoz
On Sun Aug 21 23:09:44 2016, tonyc wrote:
I forgot to say, this was uninstrumented, not even -fsanitize, just:
config_args='-des -Dusedevel -DDEBUGGING -Doptimize=-g -O0'
Tony
From @geeknik
From the author of AFL (Michal Zalewski):
"From the non-optimized stack trace near the end:
0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367
0x41 is a pattern used by libdislocator.so to initialize any memory
Of course, it's possible that there's a bug in libdisloctor.so, too..."
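The 0x41 fill pattern quoted above is the diagnostic clue: a pointer that reads back as 0x4141414141414141 came from memory that was allocated but never written, which is why the crash appears only with the preload. The following added example (written for this page, not code from Perl or AFL) reproduces that diagnostic in miniature with a hypothetical poisoning allocator and a hypothetical `struct frame`; the field name `sv` and the helper names are assumptions, not Perl's real data structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill byte libdislocator uses for fresh allocations (0x41, per the thread). */
#define FILL_BYTE 0x41

/* Stand-in for a poisoning allocator (assumption, not libdislocator itself):
 * every fresh block is filled with FILL_BYTE instead of being left as-is. */
static void *poison_malloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, FILL_BYTE, n);
    return p;
}

/* Hypothetical context frame with a pointer field that one code path
 * forgets to set (not Perl's real PERL_CONTEXT layout). */
struct frame {
    int type;
    void *sv;   /* never written on the buggy path */
};

/* 1 if every byte of the pointer value is FILL_BYTE, i.e. the value came
 * from memory that was allocated but never initialised. */
int is_fill_pattern(const void *ptr) {
    uintptr_t v = (uintptr_t)ptr;
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xffu) != FILL_BYTE)
            return 0;
    return 1;
}

/* Buggy path: allocate a frame, set only `type`, return the unset field.
 * With the poisoning allocator the caller sees 0x4141...41 and would crash
 * on dereference; with calloc it sees NULL and the bug stays hidden. */
void *read_uninit_field(int poison) {
    struct frame *f = poison ? poison_malloc(sizeof *f) : calloc(1, sizeof *f);
    if (!f) return NULL;
    f->type = 1;
    void *sv = f->sv;
    free(f);
    return sv;
}

int main(void) {
    void *p = read_uninit_field(1);
    printf("poisoned: %p -> %s\n", p, is_fill_pattern(p) ? "fill pattern" : "other");
    printf("calloc:   %p\n", read_uninit_field(0));
    return 0;
}
```

The same check applied to a crashing `sv` value in a debugger tells you whether to look for a missing initialisation (fill pattern) or for a use-after-free or stray write (anything else).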
From zefram@fysh.org
Dan Collins via RT wrote:
It seems I was wrong about that bit. I know about x86, but not so
In your case, the cause of the crash is clear. You have
-zefram
From @iabyn
On Sun, Aug 21, 2016 at 11:09:44PM -0700, Tony Cook via RT wrote:
Now fixed with:
commit 5ef7108
Perl_deb_stack_all() - handle CXt_SUBST better
--
@iabyn - Status changed from 'open' to 'pending release'
From @khwilliamson
Thank you for filing this report. You have helped make Perl better.
With the release today of Perl 5.26.0, this and 210 other issues have been
Perl 5.26.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#129029 (status was 'resolved')
Searchable as RT129029$