Report information
Id: 129347
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



Subject: null pointer deref S_ft_return_false (pp_sys.c:3036)
Found with AFL+ASAN, triggered in Perl v5.25.5-8-g3c42ae1.

./perl -e '($0)=sort{-b-d}/()()/'

ASAN:SIGSEGV
=================================================================
==24203==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000ae09f0 bp 0x00000023636c sp 0x7ffd31ec7a20 T0)
    #0 0xae09ef in S_ft_return_false /root/perl/pp_sys.c:3036:9
    #1 0xae09ef in Perl_pp_ftrowned /root/perl/pp_sys.c:3310
    #2 0x7f47d3 in Perl_runops_debug /root/perl/dump.c:2239:23
    #3 0xca05fa in S_sortcv /root/perl/pp_sort.c:1800:5
    #4 0xc908ce in dynprep /root/perl/pp_sort.c:197:14
    #5 0xc908ce in S_mergesortsv /root/perl/pp_sort.c:379
    #6 0xc908ce in Perl_sortsv_flags /root/perl/pp_sort.c:1464
    #7 0xc9b847 in Perl_pp_sort /root/perl/pp_sort.c:1687:6
    #8 0x7f47d3 in Perl_runops_debug /root/perl/dump.c:2239:23
    #9 0x5a11c6 in S_run_body /root/perl/perl.c:2526:2
    #10 0x5a11c6 in perl_run /root/perl/perl.c:2449
    #11 0x4de5fd in main /root/perl/perlmain.c:123:9
    #12 0x7feccecd4b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #13 0x4de26c in _start (/root/perl/perl+0x4de26c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/perl/pp_sys.c:3036 S_ft_return_false
==24203==ABORTING
From: Lukas Mai <plokinom [...] gmail.com>
Subject: Re: [perl #129347] null pointer deref S_ft_return_false (pp_sys.c:3036)
To: perl5-porters [...] perl.org
Date: Sat, 24 Sep 2016 15:17:48 +0200
On 24.09.2016 at 14:59, Brian Carpenter (via RT) wrote:
> # New Ticket Created by Brian Carpenter
> # Please include the string: [perl #129347]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt.perl.org/Ticket/Display.html?id=129347 >
>
> Found with AFL+ASAN, triggered in Perl v5.25.5-8-g3c42ae1.
>
> ./perl -e '($0)=sort{-b-d}/()()/'
>
> ASAN:SIGSEGV
> =================================================================
> ==24203==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000ae09f0 bp 0x00000023636c sp 0x7ffd31ec7a20 T0)
> #0 0xae09ef in S_ft_return_false /root/perl/pp_sys.c:3036:9
> #1 0xae09ef in Perl_pp_ftrowned /root/perl/pp_sys.c:3310
> #2 0x7f47d3 in Perl_runops_debug /root/perl/dump.c:2239:23
> #3 0xca05fa in S_sortcv /root/perl/pp_sort.c:1800:5
> #4 0xc908ce in dynprep /root/perl/pp_sort.c:197:14
> #5 0xc908ce in S_mergesortsv /root/perl/pp_sort.c:379
> #6 0xc908ce in Perl_sortsv_flags /root/perl/pp_sort.c:1464
> #7 0xc9b847 in Perl_pp_sort /root/perl/pp_sort.c:1687:6
> #8 0x7f47d3 in Perl_runops_debug /root/perl/dump.c:2239:23
> #9 0x5a11c6 in S_run_body /root/perl/perl.c:2526:2
> #10 0x5a11c6 in perl_run /root/perl/perl.c:2449
> #11 0x4de5fd in main /root/perl/perlmain.c:123:9
> #12 0x7feccecd4b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
> #13 0x4de26c in _start (/root/perl/perl+0x4de26c)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /root/perl/pp_sys.c:3036 S_ft_return_false
> ==24203==ABORTING

'() = sort { -d -d } 1, 2' also crashes. The trigger seems to be stacked filetests in a sort comparator. (You need at least 2 list elements to invoke the comparator.)

-- 
Lukas Mai <plokinom@gmail.com>
RT-Send-CC: perl5-porters [...] perl.org
This crashes because PL_op->op_next->op_next is NULL; I'm not sure if it's correct for it to be so (I don't see that for the vaguely analogous case of a map block). If that is expected, the patch below is enough to fix it.

Hugo

--- a/pp_sys.c +++ b/pp_sys.c @@ -3046,7 +3046,7 @@ S_ft_return_false(pTHX_ SV *ret) { PUTBACK; if (PL_op->op_private & OPpFT_STACKING) { - while (OP_IS_FILETEST(next->op_type) + while (next && OP_IS_FILETEST(next->op_type) && next->op_private & OPpFT_STACKED) next = next->op_next; }
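Review bot: the `next &&` guard on the while condition is the right minimal fix, since the whole loop body is `next = next->op_next` and a NULL `next` is exactly the state that must stop the walk, but the hunk leaves no comment explaining why `next` can legitimately be NULL here. Add a one-line comment above the loop saying that the skipped-over stacked filetests may be the last ops of a sort comparator, whose final op has a null op_next, otherwise the next reader will assume the guard papers over an op-tree bug rather than a valid terminator. The patch should also land with a regression test built from the two reproducers in this ticket (`($0) = sort { -b -d } /()()/` and `() = sort { -d -d } 1, 2`), which need at least two list elements so the comparator actually runs.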
From: Zefram <zefram [...] fysh.org>
Subject: Re: [perl #129347] null pointer deref S_ft_return_false (pp_sys.c:3036)
To: perl5-porters [...] perl.org
Date: Wed, 6 Dec 2017 19:03:46 +0000
Hugo's patch is correct. (The sort comparator ends with a null op_next. sort's op structure is surprisingly different from map's.)

Applied, with test, as commit 1af9149031d9f5d2d43b6df59b628a0f2c1041f6.

-zefram
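An added regression check for this ticket, written here for illustration; it is not the test Zefram committed and not part of the ticket. It runs each reproducer from the thread in a fresh child interpreter, so a crash kills the child rather than the checker, and classifies the result by signal and exit status. It assumes the interpreter to test is either passed as the first argument or is the perl running the script ($^X); the map-block case is included as a control because Hugo observed that map's op structure differs and it was never reported to crash.

```perl
#!/usr/bin/perl
# Added example, not the test committed with the fix: re-run the reproducers
# from perl #129347 in child perls and report whether the interpreter under
# test survives them.  Usage: perl check-129347.pl [/path/to/perl]
use strict;
use warnings;

my $perl = shift @ARGV // $^X;   # assumption: $^X is the build to check

# Cases from the ticket.  The map-block case is a control: Hugo noted that
# map's op structure does not end in a null op_next, so it was never expected
# to crash.
my @cases = (
    [ 'sort { -b -d }',          q{($0) = sort { -b -d } /()()/} ],
    [ 'sort { -d -d }',          q{() = sort { -d -d } 1, 2}     ],
    [ 'map { -d -d } (control)', q{() = map { -d -d } 1, 2}      ],
);

# Run one snippet in a fresh interpreter and classify the outcome.
# A native SIGSEGV shows up as a signal; an ASAN build instead prints its
# report and exits non-zero, so both outcomes are treated as failures.
sub run_case {
    my ($interp, $code) = @_;
    my $rc = system($interp, '-e', $code);
    return { ok => 0, reason => "could not run $interp: $!" } if $rc == -1;
    my $sig  = $? & 127;
    my $exit = $? >> 8;
    return { ok => 0, reason => "killed by signal $sig" } if $sig;
    return { ok => 0, reason => "exit status $exit" }     if $exit;
    return { ok => 1, reason => 'exit 0' };
}

# Emit TAP so the check drops into a prove(1) run or a CI job.
my $n = 0;
my $failed = 0;
print "1..", scalar @cases, "\n";
for my $case (@cases) {
    my ($name, $code) = @$case;
    my $r = run_case($perl, $code);
    $n++;
    $failed++ unless $r->{ok};
    printf "%s %d - %s (%s)\n",
        $r->{ok} ? 'ok' : 'not ok', $n, $name, $r->{reason};
}
exit($failed ? 1 : 0);
```

Point it at the ASAN build from the report (`perl check-129347.pl /root/perl/perl`) to see the two sort cases fail and the map control pass on an unfixed tree; on a tree containing the commit above all three report `exit 0`.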
Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been resolved.

Perl 5.28.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.

