Report information
Id: 129090
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: mauke- <l.mai [at] web.de>
riusksk [at] qq.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



Subject: Perl_pad_fixup_inner_anons Null reference Memory corruption
valgrind ../../perl poc
==31369== Memcheck, a memory error detector
==31369== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==31369== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==31369== Command: ../../perl id:000079,sig:11,src:024262,op:havoc,rep:4
==31369==
==31369== Invalid read of size 8
==31369==    at 0x533C3E: Perl_pad_fixup_inner_anons (pad.c:2382)
==31369==    by 0x44323C: Perl_newATTRSUB_x (op.c:8711)
==31369==    by 0x522E8D: Perl_yyparse (perly.y:296)
==31369==    by 0x48EDC9: S_parse_body (perl.c:2373)
==31369==    by 0x48897F: perl_parse (perl.c:1689)
==31369==    by 0x41F1D3: main (perlmain.c:121)
==31369==  Address 0x5fb9020 is 16 bytes after a block of size 48 in arena "client"
==31369==
==31369== Invalid read of size 1
==31369==    at 0x533C42: Perl_pad_fixup_inner_anons (pad.c:2378)
==31369==    by 0x44323C: Perl_newATTRSUB_x (op.c:8711)
==31369==    by 0x522E8D: Perl_yyparse (perly.y:296)
==31369==    by 0x48EDC9: S_parse_body (perl.c:2373)
==31369==    by 0x48897F: perl_parse (perl.c:1689)
==31369==    by 0x41F1D3: main (perlmain.c:121)
==31369==  Address 0x29 is not stack'd, malloc'd or (recently) free'd
==31369==
==31369==
==31369== Process terminating with default action of signal 11 (SIGSEGV)
==31369==  Access not within mapped region at address 0x29
==31369==    at 0x533C42: Perl_pad_fixup_inner_anons (pad.c:2378)
==31369==    by 0x44323C: Perl_newATTRSUB_x (op.c:8711)
==31369==    by 0x522E8D: Perl_yyparse (perly.y:296)
==31369==    by 0x48EDC9: S_parse_body (perl.c:2373)
==31369==    by 0x48897F: perl_parse (perl.c:1689)
==31369==    by 0x41F1D3: main (perlmain.c:121)
==31369==  If you believe this happened as a result of a stack
==31369==  overflow in your program's main thread (unlikely but
==31369==  possible), you can try to increase the size of the
==31369==  main thread stack using the --main-stacksize= flag.
==31369==  The main thread stack size used in this run was 8388608.
==31369==
==31369== HEAP SUMMARY:
==31369==     in use at exit: 173,452 bytes in 783 blocks
==31369==   total heap usage: 991 allocs, 208 frees, 190,415 bytes allocated
==31369==
==31369== LEAK SUMMARY:
==31369==    definitely lost: 320 bytes in 1 blocks
==31369==    indirectly lost: 2,601 bytes in 38 blocks
==31369==      possibly lost: 12,552 bytes in 16 blocks
==31369==    still reachable: 157,979 bytes in 728 blocks
==31369==         suppressed: 0 bytes in 0 blocks
==31369== Rerun with --leak-check=full to see details of leaked memory
==31369==
==31369== For counts of detected and suppressed errors, rerun with: -v
==31369== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault

─➤$ ./perl ../poc.pl                                                  2 ↵
ASAN:SIGSEGV
=================================================================
==14425==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x000108490338 bp 0x7fff579b32f0 sp 0x7fff579b32a0 T0)
    #0 0x108490337 in Perl_pad_fixup_inner_anons pad.c:2386
    #1 0x1082a1f05 in Perl_newATTRSUB_x op.c:8711
    #2 0x10845cf16 in Perl_yyparse perly.y:296
    #3 0x108355087 in perl_parse perl.c:2373
    #4 0x10824c7ee in main perlmain.c:121
    #5 0x7fff985a95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #6 0x1 (<unknown module>)
Subject: poc.pl
$string = "I love perl"; $string =~ s/(love)/<$1>;/; # 此擶 $1 = "love",并且该替换的结果æ # object is a hash sub init { my $obj = shift; my ($first, $last) = @_; # create an object } sub name { my $n = sht; join ' ' => $n->first. $n->last; } } { package Name_fieldhash; ; $first{ $obj} = $first; sub init { my $obj = shift; my ($first, $last) = @_; # create€n object if called as class register( $obj, \!(%first, %last) ); $first{ $obj} = $first; sub init { my sub init;{ my $obj = shift; my ($first, $last) = @_; # creat = shift; my ($first, $last) = @_; # create an object } sub name { my # create an object if called as class method $obj = bless lass method $obj = bless \ my $o, $obj unless ref $obj; register( $obj, \ (%first, %last) ); $first{ $obj} = $first; $last{ $obj} = $last; $obj; } sub first { $rst; $obj->{ last} = $last; sub init { $last{ $obj} = $last; $obj; } sub first } sub first { $first{ shift()} } sub last { $last{ shift()} } sub name { m join ' ' => $n->first. $n->last; } } { paQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQCckage Name_fieldhash; $obj; } sub first { $first{ shift()} } sub last { $last{ shift()} } sub name { my $n = shift; t, $n->last; } } ref $obj; ; xegister( $rwt, %last) ); $first{ $obj} = $first; sub inis { my $obj = shift; # create€n object if called as class register( $obd, \ (%first, %last) ); $firTt{ $obj} = $first; sub init { $n = sh$obj = shft; my ($first, $last) = @_; # create an object if called as class method $obj = bless lass method $obj = bless \ my $o, $obj unless ref $obj; register( $obj, \ (%first, %last) ); $first{ $obj} = $first;  $last{ $obj} = $last; $obj; } sub first { $rst; $obj->{ last} = $last; sub init { $last{ $obj} = $last; $obj; } sub first { $first{ shift()} } sub last { $last{ shift()} } sub name { my $n = shift; join ' ' => $n->first. 
$n->last; } } { paQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQckage Name_fieldhash; $obj; } sub first { $first{ shift()} } sub last { $last{ shift()} } sub name { my $n = shift; paQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQckage Name_fieldhasp; usw Hunless ref $obj; $obj->{ first} = $first; $obj->{ last} = $last; sub init { $last{ $obj} = $last; $obj; } sub first { $first{ shift()} } sub last { $last{ shift()} } sub name { my $n = shift; join ' ' => $n->first. $n->last; } ÿÿ { paQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQckage Name_fieldhash; usw Hunless ref $obj; $obj->{ first} = $first; $obj->{ last} = $last; sub init { my $obj; } sub first {$$first{ shift()} } sub last { $last{ shift()} } . my $obj = shift; irst{ $obj} = $first; sub init { my $obj = shift; my ($first, $last) = @_; # create€n object if called as class register( $obj, \ (%first, %laj; register( $obj, \ (%first, %last) ); $first{ $obj} = $first; $last{ $obj} = $last; $obj; } ` sub first { $first{ shift()} } sub last { $last{ft()} } sub name { my $n = shift; join ' ' => $n->first. $n->last; } } { paQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQckage Name_fieldhash; usw Hunless ref obj; $obj->{ first} = $first; $obj->{ last} = $last; sub init { my $obj; } sub first { $first{ shift()} } sub last { $last{ sh my $n = shift; join ' ' => $n->first. $n->last; } } sub first { $first{ shift()} } sub last { $last{ shift()} } sub name { my $n = sht; join ' ' => $n->first. 
$n->last; } } { package Name_fieldhash; usw Hunless ref $obj; $obj->{ first} = $fxrst; $obj->r last} = $last; sub init { my $obj = shift; my ($first, $last) = @_; # create an object if called as class method $obj = bless \ my $o, $obj uunless ref $obj; $obj-> $obj} = $first; $last{ $obj} = $last; ÿ $obj; } t; $obj; } sub first { $first{ shift()} } sub las $n->first, $n->last; } } 1;
RT-Send-CC: perl5-porters [...] perl.org
dcollins@nightshade64:~/toolchain/perl$ afl-tmin -i poc.pl -o pocmin.pl -- ./perl -Ilib @@
afl-tmin 2.32b by <lcamtuf@google.com>

[+] Read 5780 bytes from 'poc.pl'.
[*] Performing dry run (mem limit = 50 MB, timeout = 1000 ms)...
[+] Program exits with a signal, minimizing in crash mode.
[*] Stage #0: One-time block normalization...
[+] Block normalization complete, 4564 bytes replaced.
[*] --- Pass #1 ---
[*] Stage #1: Removing blocks of data...
    Block length = 512, remaining size = 5780
    Block length = 256, remaining size = 1536
    Block length = 128, remaining size = 1280
    Block length = 64, remaining size = 1024
    Block length = 32, remaining size = 832
    Block length = 16, remaining size = 576
    Block length = 8, remaining size = 384
    Block length = 4, remaining size = 232
    Block length = 2, remaining size = 164
    Block length = 1, remaining size = 104
[+] Block removal complete, 5702 bytes deleted.
[*] Stage #2: Minimizing symbols (24 code points)...
[+] Symbol minimization finished, 5 symbols (15 bytes) replaced.
[*] Stage #3: Character minimization...
[+] Character minimization done, 3 bytes replaced.
[*] --- Pass #2 ---
[*] Stage #1: Removing blocks of data...
    Block length = 4, remaining size = 78
    Block length = 2, remaining size = 74
    Block length = 1, remaining size = 70
[+] Block removal complete, 9 bytes deleted.
[*] Stage #2: Minimizing symbols (19 code points)...
[+] Symbol minimization finished, 0 symbols (0 bytes) replaced.
[*] Stage #3: Character minimization...
[+] Character minimization done, 0 bytes replaced.
[*] --- Pass #3 ---
[*] Stage #1: Removing blocks of data...
    Block length = 4, remaining size = 69
    Block length = 2, remaining size = 69
    Block length = 1, remaining size = 69
[+] Block removal complete, 0 bytes deleted.

     File size reduced by : 98.81% (to 69 bytes)
    Characters simplified : 6640.58%
     Number of execs done : 893
          Fruitless execs : path=666 crash=0 hang=15

[*] Writing output to 'pocmin.pl'...
[+] We're done here. Have a nice day!

dcollins@nightshade64:~/toolchain/perl$ cat pocmin.pl
$0=s()0<$>;0;my sub i0i0;()=((%fi0s0));sub fi0s0{sub i0i0{}sub fi0s0}

Further minimized by hand to:

$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
Segmentation fault

--
Respectfully,
Dan Collins
RT-Send-CC: perl5-porters [...] perl.org
On Fri, 26 Aug 2016 06:01:53, dcollinsn@gmail.com wrote:
> dcollins@nightshade64:~/toolchain/perl$ afl-tmin -i poc.pl -o pocmin.pl -- ./perl -Ilib @@
> afl-tmin 2.32b by <lcamtuf@google.com>
>
> [+] Read 5780 bytes from 'poc.pl'.
> [*] Performing dry run (mem limit = 50 MB, timeout = 1000 ms)...
> [+] Program exits with a signal, minimizing in crash mode.
> [*] Stage #0: One-time block normalization...
> [+] Block normalization complete, 4564 bytes replaced.
> [*] --- Pass #1 ---
> [*] Stage #1: Removing blocks of data...
>     Block length = 512, remaining size = 5780
>     Block length = 256, remaining size = 1536
>     Block length = 128, remaining size = 1280
>     Block length = 64, remaining size = 1024
>     Block length = 32, remaining size = 832
>     Block length = 16, remaining size = 576
>     Block length = 8, remaining size = 384
>     Block length = 4, remaining size = 232
>     Block length = 2, remaining size = 164
>     Block length = 1, remaining size = 104
> [+] Block removal complete, 5702 bytes deleted.
> [*] Stage #2: Minimizing symbols (24 code points)...
> [+] Symbol minimization finished, 5 symbols (15 bytes) replaced.
> [*] Stage #3: Character minimization...
> [+] Character minimization done, 3 bytes replaced.
> [*] --- Pass #2 ---
> [*] Stage #1: Removing blocks of data...
>     Block length = 4, remaining size = 78
>     Block length = 2, remaining size = 74
>     Block length = 1, remaining size = 70
> [+] Block removal complete, 9 bytes deleted.
> [*] Stage #2: Minimizing symbols (19 code points)...
> [+] Symbol minimization finished, 0 symbols (0 bytes) replaced.
> [*] Stage #3: Character minimization...
> [+] Character minimization done, 0 bytes replaced.
> [*] --- Pass #3 ---
> [*] Stage #1: Removing blocks of data...
>     Block length = 4, remaining size = 69
>     Block length = 2, remaining size = 69
>     Block length = 1, remaining size = 69
> [+] Block removal complete, 0 bytes deleted.
>
>      File size reduced by : 98.81% (to 69 bytes)
>     Characters simplified : 6640.58%
>      Number of execs done : 893
>           Fruitless execs : path=666 crash=0 hang=15
>
> [*] Writing output to 'pocmin.pl'...
> [+] We're done here. Have a nice day!
>
> dcollins@nightshade64:~/toolchain/perl$ cat pocmin.pl
> $0=s()0<$>;0;my sub i0i0;()=((%fi0s0));sub fi0s0{sub i0i0{}sub fi0s0}
>
> Further minimized by hand to:
>
> $ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
> Segmentation fault
Thanks dcollinsn for the minimized PoC. I ran it with ASan:

╭─riusksk@MacBook ~/Downloads/perl ‹› ‹blead*›
╰─➤$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
=================================================================
==3513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000d378 at pc 0x0001056791e0 bp 0x7fff5a7cb250 sp 0x7fff5a7cb248
READ of size 8 at 0x60300000d378 thread T0
    #0 0x1056791df in Perl_pad_fixup_inner_anons pad.c:2382
    #1 0x105489f05 in Perl_newATTRSUB_x op.c:8711
    #2 0x105644f16 in Perl_yyparse perly.y:296
    #3 0x10553d087 in perl_parse perl.c:2373
    #4 0x1054347ee in main perlmain.c:121
    #5 0x7fff965865ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #6 0x3 (<unknown module>)

0x60300000d378 is located 0 bytes to the right of 24-byte region [0x60300000d360,0x60300000d378)
allocated by thread T0 here:
    #0 0x105f732f7 in wrap_realloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x432f7)
    #1 0x1057d438c in Perl_safesysrealloc util.c:274
    #2 0x1058ad808 in Perl_av_extend_guts av.c:163
    #3 0x1056646bb in Perl_pad_add_weakref pad.c:2665
    #4 0x10548cadc in Perl_newATTRSUB_x op.c:8846
    #5 0x105644f16 in Perl_yyparse perly.y:296
    #6 0x10553d087 in perl_parse perl.c:2373
    #7 0x1054347ee in main perlmain.c:121
    #8 0x7fff965865ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #9 0x3 (<unknown module>)
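The three reports in this ticket (valgrind on the raw fuzzer output, ASan SEGV on poc.pl, ASan heap-buffer-overflow on the hand-minimized one-liner) look different at the top line but share the same crashing stack under Perl_pad_fixup_inner_anons. The script below is an added triage example, not part of the ticket or of perl's own tooling: it parses both the valgrind and the ASan report formats, keeps only the crashing stack (not ASan's "allocated by" stack), and buckets reports by the top three function names, which is the usual way to see that several fuzzer findings are one bug. The sample reports are trimmed copies of the frames posted above; the bucket depth and the digest length are arbitrary choices.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Frame formats:  "==PID==    at 0xADDR: func (file:line)" / "by ..."  (valgrind)
#                 "    #N 0xADDR in func file:line"                      (ASan)
VG_FRAME = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\(([^)]*)\)")
VG_PREFIX = re.compile(r"^==\d+==\s*")
ASAN_FRAME = re.compile(r"^\s*#\d+\s+0x[0-9A-Fa-f]+\s+in\s+(\S+)\s*(.*)$")
ASAN_KIND = re.compile(r"AddressSanitizer:\s+(\S+)")

# Sample reports, trimmed copies of the stacks posted in this ticket.
VALGRIND_REPORT = """\
==31369== Invalid read of size 8
==31369==    at 0x533C3E: Perl_pad_fixup_inner_anons (pad.c:2382)
==31369==    by 0x44323C: Perl_newATTRSUB_x (op.c:8711)
==31369==    by 0x522E8D: Perl_yyparse (perly.y:296)
==31369==    by 0x48EDC9: S_parse_body (perl.c:2373)
==31369==    by 0x48897F: perl_parse (perl.c:1689)
==31369==    by 0x41F1D3: main (perlmain.c:121)
==31369==  Address 0x5fb9020 is 16 bytes after a block of size 48 in arena "client"
"""
ASAN_SEGV_REPORT = """\
==14425==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x000108490338 bp 0x7fff579b32f0 sp 0x7fff579b32a0 T0)
    #0 0x108490337 in Perl_pad_fixup_inner_anons pad.c:2386
    #1 0x1082a1f05 in Perl_newATTRSUB_x op.c:8711
    #2 0x10845cf16 in Perl_yyparse perly.y:296
    #3 0x108355087 in perl_parse perl.c:2373
    #4 0x10824c7ee in main perlmain.c:121
    #5 0x7fff985a95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
"""
ASAN_HBO_REPORT = """\
==3513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000d378 at pc 0x0001056791e0 bp 0x7fff5a7cb250 sp 0x7fff5a7cb248
READ of size 8 at 0x60300000d378 thread T0
    #0 0x1056791df in Perl_pad_fixup_inner_anons pad.c:2382
    #1 0x105489f05 in Perl_newATTRSUB_x op.c:8711
    #2 0x105644f16 in Perl_yyparse perly.y:296
    #3 0x10553d087 in perl_parse perl.c:2373
    #4 0x1054347ee in main perlmain.c:121
    #5 0x7fff965865ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
0x60300000d378 is located 0 bytes to the right of 24-byte region [0x60300000d360,0x60300000d378)
allocated by thread T0 here:
    #0 0x105f732f7 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x432f7)
    #1 0x1057d438c in Perl_safesysrealloc util.c:274
"""
SAMPLE_REPORTS = {
    "valgrind/poc": VALGRIND_REPORT,
    "asan/poc.pl": ASAN_SEGV_REPORT,
    "asan/one-liner": ASAN_HBO_REPORT,
}


@dataclass(frozen=True)
class Frame:
    function: str
    location: str


def parse_report(text: str) -> Tuple[str, List[Frame]]:
    """Return (error kind, frames of the crashing stack).

    The report is expected to start at the error line (as the samples do).
    Frame collection stops at the first non-frame line after the stack, so
    ASan's 'allocated by' stack never leaks into the signature.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty report")
    frames: List[Frame] = []
    asan = ASAN_KIND.search(lines[0])
    if asan:
        seen_stack = False
        for line in lines[1:]:
            m = ASAN_FRAME.match(line)
            if m:
                seen_stack = True
                frames.append(Frame(m.group(1), m.group(2)))
            elif seen_stack:
                break
        return asan.group(1), frames
    # valgrind: "Invalid read of size 8" -> "Invalid read"; sizes vary per run
    kind = re.sub(r"\s+of size \d+$", "", VG_PREFIX.sub("", lines[0]))
    for line in lines[1:]:
        m = VG_FRAME.match(line)
        if m:
            frames.append(Frame(m.group(1), m.group(2)))
        elif frames:
            break
    return kind, frames


def signature(frames: List[Frame], depth: int = 3) -> str:
    """Bucket key: function names of the top `depth` frames, line numbers
    deliberately ignored (they shift between builds and between code paths)."""
    key = "|".join(f.function for f in frames[:depth])
    return hashlib.sha1(key.encode()).hexdigest()[:12]


def triage(reports: Dict[str, str], depth: int = 3) -> Dict[str, List[str]]:
    """Group named reports by stack signature; one bucket == one bug to file."""
    buckets: Dict[str, List[str]] = {}
    for name, text in reports.items():
        kind, frames = parse_report(text)
        top = frames[0].function if frames else "<no frames>"
        buckets.setdefault(signature(frames, depth), []).append(f"{name}: {kind} in {top}")
    return buckets


if __name__ == "__main__":
    for sig, members in triage(SAMPLE_REPORTS).items():
        print(sig, *members, sep="\n  ")
```

Run on the three samples it produces a single bucket, which is exactly what the ticket's commit fix and the later "might be a duplicate of bug #129090" finding rely on. Bucketing by the top three frames rather than the top one matters here: the faulting line in pad.c differs across the runs, and a top-frame-only key would still merge them, but it would also merge unrelated crashes that happen to end in the same utility function.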
RT-Send-CC: perl5-porters [...] perl.org
On Fri Aug 26 06:01:53 2016, dcollinsn@gmail.com wrote:
> $ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
> Segmentation fault

Thank you. Fixed in 95c0a76.

--
Father Chrysostomos
To: perlbug [...] perl.org
From: l.mai [...] web.de
Subject: infinite loop in compiler with subs (CvOUTSIDE)
Date: Thu, 13 Apr 2017 23:18:39 +0200
This is a bug report for perl from l.mai@web.de,
generated with the help of perlbug 1.40 running under perl 5.24.1.

-----------------------------------------------------------------
[Please describe your issue here]

The following code loops forever (in the compiler):

  $ perl -e '\&f2; sub f2 { sub f2; eval "" }'

The loop happens in Perl_pad_tidy because somehow cv == CvOUTSIDE(cv).

Instead of eval "" you can also use the -d switch:

  $ perl -d -e '\&f2; sub f2 { sub f2; }'

This means Devel::Confess, Devel::Cover, etc are also affected.

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=low
---
Site configuration information for perl 5.24.1:

Configured by mauke at Sun Feb 19 23:06:44 CET 2017.

Summary of my perl5 (revision 5 version 24 subversion 1) configuration:

  Platform:
    osname=linux, osvers=4.9.6-1-arch, archname=i686-linux
    uname='linux simplicio 4.9.6-1-arch #1 smp preempt thu jan 26 09:41:20 cet 2017 i686 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -flto',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='6.3.1 20170109', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/i686-pc-linux-gnu/6.3.1/include-fixed /usr/lib /lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -flto -L/usr/local/lib -fstack-protector-strong'

---
@INC for perl 5.24.1:
    /home/mauke/usr/lib/perl5/site_perl/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/site_perl/5.24.1
    /home/mauke/usr/lib/perl5/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/5.24.1

---
Environment for perl 5.24.1:
    HOME=/home/mauke
    LANG=en_US.UTF-8
    LANGUAGE=en_US
    LC_COLLATE=C
    LC_MONETARY=de_DE.UTF-8
    LC_TIME=de_DE.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/mauke/perl5/perlbrew/bin:/home/mauke/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl
    PERLBREW_BASHRC_VERSION=0.73
    PERLBREW_HOME=/home/mauke/.perlbrew
    PERLBREW_ROOT=/home/mauke/perl5/perlbrew
    PERL_BADLANG (unset)
    PERL_UNICODE=SAL
    SHELL=/bin/bash
RT-Send-CC: perl5-porters [...] perl.org
On Thu, 13 Apr 2017 14:19:18 -0700, mauke- wrote:
>
> The following code loops forever (in the compiler):
>
> $ perl -e '\&f2; sub f2 { sub f2; eval "" }'
>
> The loop happens in Perl_pad_tidy because somehow cv == CvOUTSIDE(cv).

This might be fixed in blead:

<Zefram> only happened from 5.21.7 to 5.25.4

I can reproduce it on 5.22 and 5.24, but not 5.20.
RT-Send-CC: perl5-porters [...] perl.org
On Thu, 13 Apr 2017 14:28:53 -0700, mauke- wrote:
> On Thu, 13 Apr 2017 14:19:18 -0700, mauke- wrote:
> >
> > The following code loops forever (in the compiler):
> >
> > $ perl -e '\&f2; sub f2 { sub f2; eval "" }'
> >
> > The loop happens in Perl_pad_tidy because somehow cv == CvOUTSIDE(cv).
>
> This might be fixed in blead:
>
> <Zefram> only happened from 5.21.7 to 5.25.4
>
> I can reproduce it on 5.22 and 5.24, but not 5.20.

I was able to bisect the fix to commit 6da13066b6bca, which means this ticket might be a duplicate of bug #129090.
Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.