Report information
Id: 123245
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: x.fix [at] o2.pl
Cc:
AdminCc:

Operating System: Linux
PatchStatus: (no value)
Severity: low
Type: core
Perl Version: 5.20.1
Fixed In: 5.22.0

Attachments
0001-perl-123245-avoid-a-panic-in-sv_chop-in-formats.patch



Date: Tue, 18 Nov 2014 20:50:08 +0100
To: perlbug [...] perl.org
From: x.fix [...] o2.pl
Subject: panic: sv_chop on multiple ^* formats on one line
This is a bug report for perl from x.fix@o2.pl,
generated with the help of perlbug 1.40 running under perl 5.20.1.

-----------------------------------------------------------------
[Please describe your issue here]

When the ^* format tries to write while multiple ^* formats are on the
line, and the string is long enough, Perl crashes.

Sample code:

```
format =
^*|^*
$x = "dd"
.
write
```

Result:

```
panic: sv_chop ptr=21bc482, start=7f42ea84eb41, end=7f42ea84eb41 at - line 3.
```

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=low
---
Site configuration information for perl 5.20.1:

Configured by nobody at Mon Sep 15 14:11:02 CEST 2014.

Summary of my perl5 (revision 5 version 20 subversion 1) configuration:
  Platform:
    osname=linux, osvers=3.16.2-1-arch, archname=x86_64-linux-thread-multi
    uname='linux mnt-chroots-arch-extra-x86_64-flo-64 3.16.2-1-arch #1 smp preempt sat sep 6 13:12:51 cest 2014 x86_64 gnulinux '
    config_args='-des -Dusethreads -Duseshrplib -Doptimize=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -Dprefix=/usr -Dvendorprefix=/usr -Dprivlib=/usr/share/perl5/core_perl -Darchlib=/usr/lib/perl5/core_perl -Dsitelib=/usr/share/perl5/site_perl -Dsitearch=/usr/lib/perl5/site_perl -Dvendorlib=/usr/share/perl5/vendor_perl -Dvendorarch=/usr/lib/perl5/vendor_perl -Dscriptdir=/usr/bin/core_perl -Dsitescript=/usr/bin/site_perl -Dvendorscript=/usr/bin/vendor_perl -Dinc_version_list=none -Dman1ext=1perl -Dman3ext=3perl -Dcccdlflags='-fPIC' -Dlddlflags=-shared -Wl,-O1,--sort-common,--as-needed,-z,relro -Dldflags=-Wl,-O1,--sort-common,--as-needed,-z,relro'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.9.1', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-Wl,-O1,--sort-common,--as-needed,-z,relro -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/x86_64-unknown-linux-gnu/4.9.1/include-fixed /usr/lib /lib/../lib /usr/lib/../lib /lib /lib64 /usr/lib64
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=libc-2.19.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/core_perl/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -Wl,-O1,--sort-common,--as-needed,-z,relro -L/usr/local/lib -fstack-protector'

---
@INC for perl 5.20.1:
    /usr/lib/perl5/site_perl
    /usr/share/perl5/site_perl
    /usr/lib/perl5/vendor_perl
    /usr/share/perl5/vendor_perl
    /usr/lib/perl5/core_perl
    /usr/share/perl5/core_perl
    .

---
Environment for perl 5.20.1:
    HOME=/home/xfix
    LANG=pl_PL.UTF-8
    LANGUAGE=pl
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/opt/android-ndk:/usr/lib/jvm/default/bin/:/opt/android-sdk/tools:/usr/bin
    PERL_BADLANG (unset)
    SHELL=/usr/bin/fish
RT-Send-CC: perl5-porters [...] perl.org
On Tue Nov 18 11:50:39 2014, x.fix@o2.pl wrote:
> This is a bug report for perl from x.fix@o2.pl,
> generated with the help of perlbug 1.40 running under perl 5.20.1.
>
>
> -----------------------------------------------------------------
> [Please describe your issue here]
>
> When the ^* format tries to write while multiple ^* formats are on the
> line, and the string is long enough, Perl crashes.
>
> Sample code:
>
> ```
> format =
> ^*|^*
> $x = "dd"
> .
> write
> ```
>
> Result:
>
> ```
> panic: sv_chop ptr=21bc482, start=7f42ea84eb41, end=7f42ea84eb41 at -
> line 3.
> ```

5.8.7 to 5.14.4:

Modification of a read-only value attempted at - line 3.

5.18.3:

panic: sv_chop ptr=7f94bbc0bdd2, start=10518ce45, end=10518ce45 at - line 3.

Both answers are wrong. So this has been buggy for a long time.

--
Father Chrysostomos
Subject: Re: [perl #123245] panic: sv_chop on multiple ^* formats on one line
To: perl5-porters [...] perl.org
From: "H.Merijn Brand" <h.m.brand [...] xs4all.nl>
Date: Wed, 19 Nov 2014 08:30:02 +0100
On Tue, 18 Nov 2014 11:50:39 -0800, Konrad Borowski (via RT) <perlbug-followup@perl.org> wrote:
> When the ^* format tries to write while multiple ^* formats are on the
> line, and the string is long enough, Perl crashes.

Confirmed for all perl builds as of 5.8.4

=== base/perl5.6.0        5.006      x86_64-linux
dd^
=== base/perl5.6.1        5.006001   x86_64-linux-perlio
dd^
=== base/tperl5.6.1       5.006001   x86_64-linux-thread-multi-ld-perlio
dd^
=== base/perl5.6.2        5.006002   x86_64-linux-perlio
dd^
=== base/tperl5.6.2       5.006002   x86_64-linux-thread-multi-ld-perlio
dd^
=== base/perl5.8.0        5.008      x86_64-linux
dd^
=== base/tperl5.8.0       5.008      x86_64-linux-thread-multi-ld
dd^
=== base/perl5.8.1        5.008001   x86_64-linux
dd^
=== base/tperl5.8.1       5.008001   x86_64-linux-thread-multi-ld
dd^
=== base/perl5.8.2        5.008002   x86_64-linux
dd^
=== base/tperl5.8.2       5.008002   x86_64-linux-thread-multi-ld
dd^
=== base/perl5.8.3        5.008003   x86_64-linux
dd^
=== base/tperl5.8.3       5.008003   x86_64-linux-thread-multi-ld
dd^
=== base/perl5.8.4        5.008004   x86_64-linux
Modification of a read-only value attempted at test.pl line 3.
Exit status: 65280
=== base/tperl5.8.4       5.008004   x86_64-linux-thread-multi-ld
Modification of a read-only value attempted at test.pl line 3.
Exit status: 65280
=== base/perl5.8.5        5.008005   x86_64-linux
Modification of a read-only value attempted at test.pl line 3.
Exit status: 65280
:
:
=== base/perl5.15.3       5.015003   x86_64-linux
Modification of a read-only value attempted at test.pl line 3.
Exit status: 65280
=== base/tperl5.15.3      5.015003   x86_64-linux-thread-multi-ld
Modification of a read-only value attempted at test.pl line 3.
Exit status: 65280
=== base/perl5.15.4       5.015004   x86_64-linux
panic: sv_chop ptr=1c812d2, start=1c72e00, end=1c72e10 at test.pl line 3.
Exit status: 65280
=== base/tperl5.15.4      5.015004   x86_64-linux-thread-multi-ld
panic: sv_chop ptr=21a1732, start=21889c0, end=21889d0 at test.pl line 3.
Exit status: 65280
:
:
=== base/tperl5.21.5      5.021005   x86_64-linux-thread-multi-ld
panic: sv_chop ptr=190ea32, start=6ce3c5, end=6ce3c5 at test.pl line 3.
Exit status: 65280

--
H.Merijn Brand  http://tux.nl   Perl Monger  http://amsterdam.pm.org/
using perl5.00307 .. 5.21   porting perl5 on HP-UX, AIX, and openSUSE
http://mirrors.develooper.com/hpux/           http://www.test-smoke.org/
http://qa.perl.org   http://www.goldmark.org/jeff/stupid-disclaimers/

RT-Send-CC: perl5-porters [...] perl.org
On Tue Nov 18 13:22:50 2014, sprout wrote:
> 5.8.7 to 5.14.4:
>
> Modification of a read-only value attempted at - line 3.
>
> 5.18.3:
>
> panic: sv_chop ptr=7f94bbc0bdd2, start=10518ce45, end=10518ce45 at - line 3.
>
> Both answers are wrong. So this has been buggy for a long time.
>

Bisected with:

perl ../bisect.pl --start=perl-5.8.0 --end=perl-5.10..0 --target=miniperl -- ./miniperl ../format-crash.pl

to:

a1b950687051c32e26de8681b0ed639ad32adfb4 is the first bad commit
commit a1b950687051c32e26de8681b0ed639ad32adfb4
Author: LAUN Wolfgang <wolfgang.laun@alcatel.at>
Date:   Fri Jan 16 13:29:26 2004 +0000

    format/write (version 2)
    Message-ID: <DF27CDCBD2581D4B88431901094E4B4D02B0C4D3@attmsx1>

    Fixes and additions to formats:
        Improvement: NULL chars in picture line
        Bugfix: C<@*> shown in output if not alone on a line
        New feature: C<^*> for variable-width, one-line-at-a-time text
        Improvement: Diagnostic on C<@#> and C<~~>
        Bugfix: Segmentation fault on big numbers
        Improvement (maybe): Truncation of numbers produces misleading output
        Bugfix: "}" terminates format
        Bugfix: Error when copying non-UTF to UTF (EBCDIC only)

    p4raw-id: //depot/perl@22161
RT-Send-CC: perl5-porters [...] perl.org
On Tue Nov 18 11:50:39 2014, x.fix@o2.pl wrote:
> When the ^* format tries to write while multiple ^* formats are on the
> line, and the string is long enough, Perl crashes.
>
> Sample code:
>
> ```
> format =
> ^*|^*
> $x = "dd"
> .
> write
> ```
>
> Result:
>
> ```
> panic: sv_chop ptr=21bc482, start=7f42ea84eb41, end=7f42ea84eb41 at -
> line 3.
> ```

Candidate fix attached.

I still need to write some tests.

Tony
Subject: 0001-perl-123245-avoid-a-panic-in-sv_chop-in-formats.patch
From ffd87e202ed6b9c8d1f3b8888a980f6690a3bfa7 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Tue, 2 Dec 2014 11:44:31 +1100 Subject: [perl #123245] avoid a panic in sv_chop() in formats This fixes two issues: 1) if you don't supply enough arguments to the format, pp_formline() uses &PL_sv_no as the sv, since we've already warned about the missing format argument, we don't need to produce a read only error for an SV the caller didn't supply 2) when the supplied string is empty for FF_LINESNGL and FF_LINEGLOB the case would skip most of its processing, including setting chophere, this meant that when the following FF_CHOP operator was processed it would pass a pointer into a different string, producing a panic. --- pp_ctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pp_ctl.c b/pp_ctl.c index 0b7a6ec..dc80999 100644 --- a/pp_ctl.c +++ b/pp_ctl.c @@ -674,7 +674,7 @@ PP(pp_formline) goto append; case FF_CHOP: /* (for ^*) chop the current item */ - { + if (sv != &PL_sv_no) { const char *s = chophere; if (chopspace) { while (isSPACE(*s)) @@ -701,11 +701,11 @@ PP(pp_formline) const char *const send = s + len; item_is_utf8 = DO_UTF8(sv); + chophere = s + len; if (!len) break; trans = 0; gotsome = TRUE; - chophere = s + len; source = (U8 *) s; to_copy = len; while (s < send) { -- 1.7.10.4
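Review bot: the guard `if (sv != &PL_sv_no) {` in the FF_CHOP case needs a comment on why that one SV is special; the commit message explains that pp_formline substitutes &PL_sv_no when the format runs out of arguments, but nothing in the code says so, and a reader who does not know that will take the line for a general read-only check and wonder why other read-only SVs are not covered. A one-line comment such as "sv is &PL_sv_no when the caller supplied too few arguments; nothing to chop" at the guard would make the relationship explicit. It is also worth recording in the log that the pre-fix behaviour was a croak, not silent memory corruption: the panic text in the report (ptr outside start..end) shows sv_chop rejecting the stray pointer rather than writing through it.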
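Review bot: moving `chophere = s + len;` above `if (!len) break;` makes the ordering load-bearing, so a comment on the moved line is needed (for example "set before the empty-string early exit: the FF_CHOP that follows ^* relies on chophere pointing into the current item"); otherwise a later tidy-up is likely to move the assignment back down next to `source = (U8 *) s;`, reintroducing the stale pointer into the previous item that the commit message describes. The patch as posted also carries no test, and the empty-string case fixed by this hunk is distinct from the missing-argument case that the reproducer exercises (a ^* field fed an explicit "" after a non-empty field), so the tests still to be written should cover both separately.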
RT-Send-CC: perl5-porters [...] perl.org
On Mon Dec 01 16:45:42 2014, tonyc wrote:
> On Tue Nov 18 11:50:39 2014, x.fix@o2.pl wrote:
> > panic: sv_chop ptr=21bc482, start=7f42ea84eb41, end=7f42ea84eb41 at -
> > line 3.
> > ```
>
> Candidate fix attached.
>
> I still need to write some tests.

TODO tests pushed as fcaef4dc8ca94ff0fe27bf4a249a5583ca0e7af5 and the fix (unmarking the TODOs) as fb9282c3ccd3b3c2e184a3158c46c930c23f30fb.

Tony
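The reproducer's picture line used the way formats are meant to be used, as an added example that is not part of the ticket, the patch or perl's own test suite: each ^* field gets its own argument, and the constructed sample data is chosen so that the second variable runs dry one write() before the first, which hands the second field an empty string (the case the second hunk of Tony's patch addresses); a second format then supplies one argument for two fields (the missing-argument case of the first hunk). Variable and format names (TWO, ONE, $left, $right, $x) and the data are mine.

```perl
#!/usr/bin/perl
# Added example (not from the ticket or the patch): the reproducer's picture
# line, first used correctly with one argument per ^* field, then with a
# single argument for two fields, which is the missing-argument case from
# the first hunk of the fix.
use strict;
use warnings;

# Constructed sample data. ^* prints one line of its variable per write()
# and removes that line, newline included, from the variable. $right runs
# out one write before $left, so the third write hands the second field an
# empty string: the case the second hunk of the fix addresses (on 5.22 and
# later that field simply prints nothing).
our ($left, $right) = ("alpha\nbeta\ngamma\n", "one\ntwo\n");

# Same picture line as the reproducer, with both arguments supplied.
format TWO =
^*|^*
$left, $right
.

# One argument for two ^* fields. pp_formline pads the missing one with
# &PL_sv_no (see the commit message), so the second field is empty and,
# with warnings enabled, perl reports "Not enough format arguments".
our $x = "dd";

format ONE =
^*|^*
$x
.

$~ = "TWO";                 # select the format for the current handle (STDOUT)
while (length $left || length $right) {
    write;                  # one line from each variable per call
}
# ^* chops as it goes, so both variables are empty here.
die "left not fully consumed"  if length $left;
die "right not fully consumed" if length $right;

$~ = "ONE";
write;                      # the first field consumes all of $x (no newline in it)
die "x not chopped" if length $x;
```

Run it with the perl under test. A release carrying the fix prints three lines for the TWO format and one for ONE (plus the "Not enough format arguments" warning) and exits 0; on a release before the fix the third write() of TWO reaches the stale chophere path the commit message describes (the sv_chop panic on the recent releases listed in the thread), so the script also serves as a regression check.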
Subject: Your ticket against Perl 5 has been resolved
Thanks for submitting this ticket

The issue should be resolved with the release today of Perl v5.22, available at http://www.perl.org/get.html

If you find that the problem persists, feel free to reopen this ticket

--
Karl Williamson for the Perl 5 porters team


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org