Report information
Id: 128182
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: dcollinsn [at] gmail.com
Cc:
AdminCc:

Operating System: Linux
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



Subject: Segfault in Perl_pv_escape with assert fail, do qr/NUL/

RT-Send-CC: perl5-porters [...] perl.org
On Wed May 18 15:26:10 2016, dcollinsn@gmail.com wrote:

> Greetings Porters,
>
> I have compiled bleadperl with the afl-gcc compiler using:
>
> ./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache
> afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly
> -Uman1dir -Uman3dir -Dusequadmath -des
> AFL_HARDEN=1 make && make test
>
> And then fuzzed the resulting binary using:
>
> AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
>
> After reducing testcases using `afl-tmin` and performing additional
> minimization by hand, I have located the following testcase that
> triggers a segfault in the perl interpreter. The testcase is the file
> below. On normal builds, this segfaults. On debug builds, this returns
> an assert fail.
>
> dcollins@nightshade64:~$ cat f3i0
> do
> qr//dcollins@nightshade64:~$
> dcollins@nightshade64:~$ od -c f3i0
> 0000000 d o \n q r / \0 /
> 0000010
> dcollins@nightshade64:~$ ls -l f3i0
> -rw-r----- 1 dcollins afl 8 May 18 17:01 f3i0
> dcollins@nightshade64:~$ ./perl/perl f3i0
> Segmentation fault
> dcollins@nightshade64:~$ ./perldebug/perl f3i0
> perl: pp_ctl.c:3690: S_require_file: Assertion
> `PL_valid_types_PVX[((svtype)((_svcur)->sv_flags & 0xff)) & 0xf] ||
> ((svtype)((_svcur)->sv_flags & 0xff)) == SVt_REGEXP' failed.
> Aborted
Some of the code added by v5.19.3-130-gc8028aa to pp_ctl.c:pp_require (now in S_require_file) uses SvPVX(sv) and SvCUR(sv) without making sure that the SV is a PV.

I believe that is the culprit.

In fact, the code in question could just use the name and len variables it already has, from stringifying the sv a few lines earlier.

(I may be wrong here. I have not even run this through gdb or done a bisect. I simply looked at the code.)

-- Father Chrysostomos
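The reproduction quoted above (an 8-byte file whose bytes are `d o \n q r / \0 /`, segfaulting a normal build and tripping the S_require_file assertion on a debug build) as a small regression check. This is an added example, not code from the ticket or from the perl core; it assumes the perl binary under test is passed as the first argument (defaulting to `perl` on PATH) and that the shell's `printf` supports octal escapes in the format string.

```shell
#!/bin/sh
# Regression check for the "do qr/NUL/" crash from this ticket.
# Added example, not code from the ticket or the perl core.

# Write the reported 8-byte testcase: d o \n q r / \0 /
# (the bytes shown by `od -c f3i0` in the report).
write_testcase() {
    printf 'do\nqr/\000/' > "$1"
}

# Map the shell exit status of the perl run to a readable verdict.
# 128+signal: 134 is SIGABRT (assertion failure in a debug build),
# 139 is SIGSEGV (the crash seen on a non-debug build).
classify_status() {
    case "$1" in
        0)   echo "clean: testcase ran without crashing" ;;
        134) echo "abort (SIGABRT): assertion failure, typical of a debug build" ;;
        139) echo "segfault (SIGSEGV): non-debug build crashed" ;;
        *)   echo "exit status $1" ;;
    esac
}

# Run the testcase under the perl given as $1 (default: perl on PATH)
# and print the verdict. Returns non-zero only when the check itself
# could not be set up.
run_check() {
    perl_bin=${1:-perl}
    tmp=$(mktemp) || return 1
    write_testcase "$tmp"
    # The if keeps a crashing perl from aborting a caller running under set -e.
    if "$perl_bin" "$tmp" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    rm -f "$tmp"
    classify_status "$status"
}

# usage: run_check ./perl/perl; run_check ./perldebug/perl
```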
RT-Send-CC: perl5-porters [...] perl.org
On Wed May 18 16:58:27 2016, sprout wrote:

> On Wed May 18 15:26:10 2016, dcollinsn@gmail.com wrote:
> > Greetings Porters,
> >
> > I have compiled bleadperl with the afl-gcc compiler using:
> >
> > ./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache
> > afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly
> > -Uman1dir -Uman3dir -Dusequadmath -des
> > AFL_HARDEN=1 make && make test
> >
> > And then fuzzed the resulting binary using:
> >
> > AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
> >
> > After reducing testcases using `afl-tmin` and performing additional
> > minimization by hand, I have located the following testcase that
> > triggers a segfault in the perl interpreter. The testcase is the
> > file
> > below. On normal builds, this segfaults. On debug builds, this
> > returns
> > an assert fail.
> >
> > dcollins@nightshade64:~$ cat f3i0
> > do
> > qr//dcollins@nightshade64:~$
> > dcollins@nightshade64:~$ od -c f3i0
> > 0000000 d o \n q r / \0 /
> > 0000010
> > dcollins@nightshade64:~$ ls -l f3i0
> > -rw-r----- 1 dcollins afl 8 May 18 17:01 f3i0
> > dcollins@nightshade64:~$ ./perl/perl f3i0
> > Segmentation fault
> > dcollins@nightshade64:~$ ./perldebug/perl f3i0
> > perl: pp_ctl.c:3690: S_require_file: Assertion
> > `PL_valid_types_PVX[((svtype)((_svcur)->sv_flags & 0xff)) & 0xf] ||
> > ((svtype)((_svcur)->sv_flags & 0xff)) == SVt_REGEXP' failed.
> > Aborted
>
> Some of the code added by v5.19.3-130-gc8028aa to pp_ctl.c:pp_require
> (now in S_require_file) uses SvPVX(sv) and SvCUR(sv) without making
> sure that the SV is a PV.
>
> I believe that is the culprit.
>
> In fact, the code in question could just use the name and len
> variables it already has, from stringifying the sv a few lines
> earlier.
>
> (I may be wrong here. I have not even run this through gdb or done a
> bisect. I simply looked at the code.)
This is fixed in 08f800f85 and has a perldelta entry in f8591e08.

I think these should be candidates for backporting to maint-5.24 and maint-5.22 (and maint-5.20 if we are still doing that).

Thank you for the report.

-- Father Chrysostomos
Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been resolved. Perl 5.26.0 may be downloaded via:

https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.