Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

null ptr deref, segfault in Perl_pp_subtract pp.c:1894 #15578

Closed
p5pRT opened this issue Sep 1, 2016 · 8 comments
Closed

null ptr deref, segfault in Perl_pp_subtract pp.c:1894 #15578

p5pRT opened this issue Sep 1, 2016 · 8 comments
Labels
distro-All hasCoreDump type-core

Comments

@p5pRT
Copy link

p5pRT commented Sep 1, 2016

Migrated from rt.perl.org#129166 (status was 'resolved')

Searchable as RT129166$
@p5pRT
Copy link
Author

p5pRT commented Sep 1, 2016

From @geeknik

Perl v5.25.4-27-gf16e7fa

./perl -e '@​0=()-splice@​a,$#a=0or@​0'

==35420==ERROR​: AddressSanitizer​: SEGV on unknown address 0x00000000000c (pc 0x0000009bcd41 bp 0x0c32000012d2 sp 0x7ffe63e7dbd0 T0)
  #0 0x9bcd40 in Perl_pp_subtract /home/geeknik/perl/pp.c​:1894​:5
  #1 0x7f2623 in Perl_runops_debug /home/geeknik/perl/dump.c​:2234​:23
  #2 0x5a10c6 in S_run_body /home/geeknik/perl/perl.c​:2525​:2
  #3 0x5a10c6 in perl_run /home/geeknik/perl/perl.c​:2448
  #4 0x4de6cd in main /home/geeknik/perl/perlmain.c​:123​:9
  #5 0x7f501b7f1b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c​:287
  #6 0x4de33c in _start (/home/geeknik/perl/perl+0x4de33c)

AddressSanitizer can not provide additional info.
SUMMARY​: AddressSanitizer​: SEGV /home/geeknik/perl/pp.c​:1894 Perl_pp_subtract
==35420==ABORTING

Program received signal SIGSEGV, Segmentation fault.
0x00000000009bcdc1 in Perl_pp_subtract () at pp.c​:1894
1894 tryAMAGICbin_MG(subtr_amg, AMGf_assign|AMGf_numeric);
(gdb) bt
#0 0x00000000009bcdc1 in Perl_pp_subtract () at pp.c​:1894
#1 0x00000000007f26a4 in Perl_runops_debug () at dump.c​:2234
#2 0x00000000005a10c7 in S_run_body (oldscope=<optimized out>) at perl.c​:2525
#3 perl_run (my_perl=<optimized out>) at perl.c​:2448
#4 0x00000000004de6ce in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c​:123

==17125== Invalid read of size 4
==17125== at 0x54A013​: Perl_pp_subtract (pp.c​:1894)
==17125== by 0x4D6261​: Perl_runops_debug (dump.c​:2234)
==17125== by 0x452E96​: S_run_body (perl.c​:2525)
==17125== by 0x452E96​: perl_run (perl.c​:2448)
==17125== by 0x421834​: main (perlmain.c​:123)
==17125== Address 0xc is not stack'd, malloc'd or (recently) free'd
==17125==
==17125==
==17125== Process terminating with default action of signal 11 (SIGSEGV)
==17125== Access not within mapped region at address 0xC
==17125== at 0x54A013​: Perl_pp_subtract (pp.c​:1894)
==17125== by 0x4D6261​: Perl_runops_debug (dump.c​:2234)
==17125== by 0x452E96​: S_run_body (perl.c​:2525)
==17125== by 0x452E96​: perl_run (perl.c​:2448)
==17125== by 0x421834​: main (perlmain.c​:123)
==17125== If you believe this happened as a result of a stack
==17125== overflow in your program's main thread (unlikely but
==17125== possible), you can try to increase the size of the
==17125== main thread stack using the --main-stacksize= flag.
==17125== The main thread stack size used in this run was 8388608.
Segmentation fault

@p5pRT
Copy link
Author

p5pRT commented Sep 1, 2016

From @dcollinsn

./perl -e '$#a=0;0-splice@​a'

Also segfaults.

The root cause of #129164, #129166, and #129167 is almost certainly something in Perl_pp_splice when called on a zero-length array.

$ ./perl -Ilib -MDevel​::Peek -e '$#a=0; Dump(splice @​a);'
SV = 0

Looks like a good starting point.

--
Respectfully,
Dan Collins

@p5pRT
Copy link
Author

p5pRT commented Sep 1, 2016

The RT System itself - Status changed from 'new' to 'open'

@p5pRT
Copy link
Author

p5pRT commented Sep 2, 2016

From @cpansprout

On Thu Sep 01 11​:56​:00 2016, dcollinsn@​gmail.com wrote​:

./perl -e '$#a=0;0-splice@​a'

Also segfaults.

The root cause of #129164, #129166, and #129167 is almost certainly
something in Perl_pp_splice when called on a zero-length array.

Not zero-length, but one with a single null entry.

$ ./perl -Ilib -MDevel​::Peek -e '$#a=0; Dump(splice @​a);'
SV = 0

Looks like a good starting point.

I think splice needs to do the same null checks that other array functions do, and push &PL_sv_undef for null.

--

Father Chrysostomos

@p5pRT
Copy link
Author

p5pRT commented Sep 12, 2016

From @cpansprout

On Thu Sep 01 21​:30​:30 2016, sprout wrote​:

On Thu Sep 01 11​:56​:00 2016, dcollinsn@​gmail.com wrote​:

./perl -e '$#a=0;0-splice@​a'

Also segfaults.

The root cause of #129164, #129166, and #129167 is almost certainly
something in Perl_pp_splice when called on a zero-length array.

Not zero-length, but one with a single null entry.

$ ./perl -Ilib -MDevel​::Peek -e '$#a=0; Dump(splice @​a);'
SV = 0

Looks like a good starting point.

I think splice needs to do the same null checks that other array
functions do, and push &PL_sv_undef for null.

Now fixed in 92b69f6.

--

Father Chrysostomos

@p5pRT
Copy link
Author

p5pRT commented Sep 12, 2016

@cpansprout - Status changed from 'open' to 'pending release'

@p5pRT
Copy link
Author

p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

@p5pRT
Copy link
Author

p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'

@p5pRT p5pRT closed this as completed May 30, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
distro-All hasCoreDump type-core
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@p5pRT