
null pointer deref S_ft_return_false (pp_sys.c:3036) #15626

Closed
p5pRT opened this issue Sep 24, 2016 · 8 comments

Comments


p5pRT commented Sep 24, 2016

Migrated from rt.perl.org#129347 (status was 'resolved')

Searchable as RT129347$


p5pRT commented Sep 24, 2016

From @geeknik

Found with AFL+ASAN, triggered in Perl v5.25.5-8-g3c42ae1.

./perl -e '($0)=sort{-b-d}/()()/'

ASAN:SIGSEGV

==24203==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000ae09f0 bp 0x00000023636c sp 0x7ffd31ec7a20 T0)
  #0 0xae09ef in S_ft_return_false /root/perl/pp_sys.c:3036:9
  #1 0xae09ef in Perl_pp_ftrowned /root/perl/pp_sys.c:3310
  #2 0x7f47d3 in Perl_runops_debug /root/perl/dump.c:2239:23
  #3 0xca05fa in S_sortcv /root/perl/pp_sort.c:1800:5
  #4 0xc908ce in dynprep /root/perl/pp_sort.c:197:14
  #5 0xc908ce in S_mergesortsv /root/perl/pp_sort.c:379
  #6 0xc908ce in Perl_sortsv_flags /root/perl/pp_sort.c:1464
  #7 0xc9b847 in Perl_pp_sort /root/perl/pp_sort.c:1687:6
  #8 0x7f47d3 in Perl_runops_debug /root/perl/dump.c:2239:23
  #9 0x5a11c6 in S_run_body /root/perl/perl.c:2526:2
  #10 0x5a11c6 in perl_run /root/perl/perl.c:2449
  #11 0x4de5fd in main /root/perl/perlmain.c:123:9
  #12 0x7feccecd4b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
  #13 0x4de26c in _start (/root/perl/perl+0x4de26c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/perl/pp_sys.c:3036 S_ft_return_false
==24203==ABORTING


p5pRT commented Sep 24, 2016

From @mauke

On 24.09.2016 at 14:59, Brian Carpenter (via RT) wrote:

# New Ticket Created by Brian Carpenter
# Please include the string: [perl #129347]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=129347 >

Found with AFL+ASAN, triggered in Perl v5.25.5-8-g3c42ae1.

./perl -e '($0)=sort{-b-d}/()()/'

ASAN:SIGSEGV

==24203==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000ae09f0 bp 0x00000023636c sp 0x7ffd31ec7a20 T0)
#0 0xae09ef in S_ft_return_false /root/perl/pp_sys.c:3036:9
#1 0xae09ef in Perl_pp_ftrowned /root/perl/pp_sys.c:3310
#2 0x7f47d3 in Perl_runops_debug /root/perl/dump.c:2239:23
#3 0xca05fa in S_sortcv /root/perl/pp_sort.c:1800:5
#4 0xc908ce in dynprep /root/perl/pp_sort.c:197:14
#5 0xc908ce in S_mergesortsv /root/perl/pp_sort.c:379
#6 0xc908ce in Perl_sortsv_flags /root/perl/pp_sort.c:1464
#7 0xc9b847 in Perl_pp_sort /root/perl/pp_sort.c:1687:6
#8 0x7f47d3 in Perl_runops_debug /root/perl/dump.c:2239:23
#9 0x5a11c6 in S_run_body /root/perl/perl.c:2526:2
#10 0x5a11c6 in perl_run /root/perl/perl.c:2449
#11 0x4de5fd in main /root/perl/perlmain.c:123:9
#12 0x7feccecd4b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
#13 0x4de26c in _start (/root/perl/perl+0x4de26c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/perl/pp_sys.c:3036 S_ft_return_false
==24203==ABORTING

'() = sort { -d -d } 1, 2' also crashes. The trigger seems to be stacked
filetests in a sort comparator. (You need at least 2 list elements to
invoke the comparator.)

--
Lukas Mai <plokinom@gmail.com>


p5pRT commented Sep 24, 2016

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Nov 25, 2016

From @hvds

This crashes because PL_op->op_next->op_next is NULL; I'm not sure if it's correct for it to be so (I don't see that for the vaguely analogous case of a map block) - if that is expected, the patch below is enough to fix it.

Hugo
--- a/pp_sys.c
+++ b/pp_sys.c
@​@​ -3046,7 +3046,7 @​@​ S_ft_return_false(pTHX_ SV *ret) {
  PUTBACK;

  if (PL_op->op_private & OPpFT_STACKING) {
- while (OP_IS_FILETEST(next->op_type)
+ while (next && OP_IS_FILETEST(next->op_type)
  && next->op_private & OPpFT_STACKED)
  next = next->op_next;
  }
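Review bot: the `next &&` guard added to the `while` condition is sufficient on its own, because `&&` evaluates left to right, so the `next->op_private & OPpFT_STACKED` test on the following context line is never reached with a NULL `next` and needs no second check. What the hunk still lacks is a regression test for the stacked-filetest-in-sort-comparator path (the `() = sort { -d -d } 1, 2` and `($0)=sort{-b-d}/()()/` reproducers from earlier in the thread), and the comment above the patch leaves open whether a NULL terminal `op_next` in a sort comparator is intended; if it is not, this guard would silence the symptom while a sort op-tree construction problem stays hidden, so that should be confirmed before the guard is merged as the fix.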


p5pRT commented Dec 6, 2017

From zefram@fysh.org

Hugo's patch is correct. (The sort comparator ends with a null op_next.
sort's op structure is surprisingly different from map's.) Applied,
with test, as commit 1af9149.

-zefram
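To make the mechanism concrete, here is an added C model of the loop in S_ft_return_false; it is not code from perl or from this thread. The OP struct, the op type values and the flag bits are hypothetical stand-ins (only the three fields the loop reads, with arbitrary numbers), and the two chains are constructed to mirror what the thread describes: a stacked filetest whose chain ends in NULL (the sort comparator case) crashes the unguarded walk, the `next &&` guard returns NULL instead, and both versions agree when another op follows (the map-like case).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, much-simplified stand-in for perl's OP struct (not the real
 * layout): only the three fields the S_ft_return_false loop reads. */
typedef struct op {
    struct op *op_next;
    int        op_type;
    unsigned   op_private;
} OP;

/* Constructed op types and flag bits for this model; the numeric values are
 * arbitrary and do not match perl's opcode.h. */
enum { OP_CONST = 1, OP_FTDIR = 2, OP_FTBLK = 3 };
#define OPpFT_STACKED  0x01u  /* this filetest reuses the previous filetest's operand */
#define OPpFT_STACKING 0x02u  /* a later filetest is stacked on this one */
#define OP_IS_FILETEST(t) ((t) == OP_FTDIR || (t) == OP_FTBLK)

/* Pre-patch walk: when the current filetest is false, skip every stacked
 * filetest that follows it. The loop reads next->op_type before checking
 * that next is non-NULL. */
OP *skip_stacked_unguarded(const OP *cur) {
    OP *next = cur->op_next;
    if (cur->op_private & OPpFT_STACKING) {
        while (OP_IS_FILETEST(next->op_type) && (next->op_private & OPpFT_STACKED))
            next = next->op_next;
    }
    return next;
}

/* Post-patch walk (the `next &&` guard from Hugo's hunk): `&&` evaluates left
 * to right, so on a NULL-terminated chain neither field is read and NULL is
 * returned, which the caller treats as the end of this op sequence. */
OP *skip_stacked_guarded(const OP *cur) {
    OP *next = cur->op_next;
    if (cur->op_private & OPpFT_STACKING) {
        while (next && OP_IS_FILETEST(next->op_type) && (next->op_private & OPpFT_STACKED))
            next = next->op_next;
    }
    return next;
}

/* `-b -d` as the last expression of a sort comparator: -d runs first and has
 * -b stacked on it; -b is the comparator's final op, so its op_next is NULL.
 * Returns true if the guarded walk reports end-of-sequence instead of
 * dereferencing NULL (the unguarded walk would segfault on this chain, so it
 * is deliberately not called here). */
bool sort_comparator_tail_returns_null(void) {
    OP ftb = { NULL, OP_FTBLK, OPpFT_STACKED };
    OP ftd = { &ftb, OP_FTDIR, OPpFT_STACKING };
    return skip_stacked_guarded(&ftd) == NULL;
}

/* Same expression with a following op, as in a map block or a plain
 * statement: both walks skip the stacked -b and land on that op. */
bool map_like_chain_skips_to_following_op(void) {
    OP tail = { NULL, OP_CONST, 0 };
    OP ftb  = { &tail, OP_FTBLK, OPpFT_STACKED };
    OP ftd  = { &ftb, OP_FTDIR, OPpFT_STACKING };
    return skip_stacked_unguarded(&ftd) == &tail
        && skip_stacked_guarded(&ftd) == &tail;
}

/* A filetest with nothing stacked on it never enters the loop: op_next is
 * returned as-is even though it is itself a filetest. */
bool unstacked_filetest_returns_op_next(void) {
    OP second = { NULL, OP_FTBLK, 0 };
    OP first  = { &second, OP_FTDIR, 0 };
    return skip_stacked_guarded(&first) == &second;
}

int main(void) {
    printf("sort tail -> NULL:     %s\n", sort_comparator_tail_returns_null() ? "ok" : "FAIL");
    printf("map-like -> tail op:   %s\n", map_like_chain_skips_to_following_op() ? "ok" : "FAIL");
    printf("unstacked -> op_next:  %s\n", unstacked_filetest_returns_op_next() ? "ok" : "FAIL");
    return 0;
}
```

The first field the unguarded loop reads through a NULL `next` is `op_type`, which in the real OP sits a few words into the struct; that is consistent with the report's fault at the small address 0x20 rather than at 0.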


p5pRT commented Dec 6, 2017

@cpansprout - Status changed from 'open' to 'pending release'


p5pRT commented Jun 23, 2018

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been
resolved.

Perl 5.28.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.


p5pRT commented Jun 23, 2018

@khwilliamson - Status changed from 'pending release' to 'resolved'
