null pointer deref Perl_re_intuit_start (regexec.c:1049) #15628

Closed
p5pRT opened this issue Sep 25, 2016 · 12 comments

Comments


p5pRT commented Sep 25, 2016

Migrated from rt.perl.org#129350 (status was 'resolved')

Searchable as RT129350$


p5pRT commented Sep 25, 2016

From @geeknik

This one crashes both Perl 5.20.2 and Perl v5.25.5-8-g3c42ae1. Found with AFL+ASAN.

od -tx1 test32
0000000 73 25 25 22 22 26 28 22 18 5c 37 30 30 22 3d 7e
0000020 2f 5c 62 5c 7a 30 2a 5c 37 30 30 2f 29 25 65
0000037

Perl v5.25.5-8-g3c42ae1:
==16060==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x000000b51e90 bp 0x7ffc641c93f0 sp 0x7ffc641c9180 T0)
  #0 0xb51e8f in Perl_re_intuit_start /root/perl/regexec.c:1049:9
  #1 0xb439a1 in Perl_regexec_flags /root/perl/regexec.c:2988:6
  #2 0x8c2ef8 in Perl_pp_match /root/perl/pp_hot.c:1836:10
  #3 0x7f47d3 in Perl_runops_debug /root/perl/dump.c:2239:23
  #4 0x5a11c6 in S_run_body /root/perl/perl.c:2526:2
  #5 0x5a11c6 in perl_run /root/perl/perl.c:2449
  #6 0x4de5fd in main /root/perl/perlmain.c:123:9
  #7 0x7f88f6ef3b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
  #8 0x4de26c in _start (/root/perl/perl+0x4de26c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/perl/regexec.c:1049 Perl_re_intuit_start
==16060==ABORTING

(gdb) list
1044 s = HOP3c(rx_origin, other->min_offset, strend);
1045 if (s < other_last) /* These positions already checked */
1046 s = other_last;
1047
1048 must = utf8_target ? other->utf8_substr : other->substr;
1049 assert(SvPOK(must));
1050 {
1051 char *from = s;
1052 char *to = last + SvCUR(must) - (SvTAIL(must)!=0);
1053

Perl 5.20.2:
==23698== Invalid read of size 4
==23698== at 0x4F6AF8A: Perl_re_intuit_start (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==23698== by 0x4F6C34E: Perl_regexec_flags (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==23698== by 0x4EFEC7D: Perl_pp_match (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==23698== by 0x4EFB055: Perl_runops_standard (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==23698== by 0x4E8B73D: perl_run (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==23698== by 0x400E18: main (in /usr/bin/perl)
==23698== Address 0xc is not stack'd, malloc'd or (recently) free'd
==23698==
==23698==
==23698== Process terminating with default action of signal 11 (SIGSEGV)
==23698== Access not within mapped region at address 0xC
==23698== at 0x4F6AF8A: Perl_re_intuit_start (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==23698== by 0x4F6C34E: Perl_regexec_flags (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==23698== by 0x4EFEC7D: Perl_pp_match (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==23698== by 0x4EFB055: Perl_runops_standard (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==23698== by 0x4E8B73D: perl_run (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==23698== by 0x400E18: main (in /usr/bin/perl)
==23698== If you believe this happened as a result of a stack
==23698== overflow in your program's main thread (unlikely but
==23698== possible), you can try to increase the size of the
==23698== main thread stack using the --main-stacksize= flag.
==23698== The main thread stack size used in this run was 8388608.
Segmentation fault


p5pRT commented Sep 25, 2016

From @geeknik

test32.gz


p5pRT commented Sep 25, 2016

From @cpansprout

On Sat Sep 24 17:16:05 2016, brian.carpenter@gmail.com wrote:

> This one crashes both Perl 5.20.2 and Perl v5.25.5-8-g3c42ae1. Found
> with AFL+ASAN.
>
> od -tx1 test32
> 0000000 73 25 25 22 22 26 28 22 18 5c 37 30 30 22 3d 7e
> 0000020 2f 5c 62 5c 7a 30 2a 5c 37 30 30 2f 29 25 65
> 0000037

This is as simple as I can get it:

$ ./miniperl -e '".\x{100}" =~ /\b\z0*\x{100}/'
Segmentation fault: 11

$ ./perl -Ilib -Mre=debug -e '".\x{100}" =~ /\b\z0*\x{100}/'
Compiling REx "\b\z0*\x{100}"
Final program:
  1: BOUNDU (2)
  2: EOS (3)
  3: STAR (6)
  4: EXACT <0> (0)
  6: EXACT <\x{100}> (8)
  8: END (0)
anchored ""$ at 0 floating utf8 "%x{100}" at 0..9223372036854775807 (checking floating) stclass BOUNDU minlen 1
Matching REx "\b\z0*\x{100}" against ".%x{100}"
UTF-8 pattern and string...
Intuit: trying to determine minimum start position...
  doing 'check' fbm scan, [0..3] gave 1
  Found floating substr "%x{100}" at offset 1 (rx_origin now 0)...
  (multiline anchor test skipped)
  looking for class: start_shift: 0 check_at: 1 rx_origin: 0 endpos: 1
  This position contradicts STCLASS...
  about to retry anchored at offset 0 (rx_origin now 0)...
Segmentation fault: 11

--

Father Chrysostomos
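For triaging a fuzzer finding like the one above, it helps to rebuild the test case from the pasted `od -tx1` dump, confirm why it reaches the UTF-8 code path, and run it under a timeout so a hang or crash is reported instead of taking the shell down. The script below is an added example and is not code from this ticket or from the perl project; it embeds a copy of geeknik's dump and Father Chrysostomos' minimal one-liner as constructed input, and the function names (`decode_od_tx1`, `wide_chars`, `run_reproducer`) are my own. It assumes a `perl` binary on PATH for the optional execution step and only reports the exit status; the decoding and escape analysis run without perl.

```python
"""Triage helper for a fuzzer-found perl crash (added example, not from the ticket)."""
import os
import re
import shutil
import subprocess
import tempfile

# Copy of the `od -tx1 test32` dump posted in the report (constructed from the page).
OD_DUMP = """\
0000000 73 25 25 22 22 26 28 22 18 5c 37 30 30 22 3d 7e
0000020 2f 5c 62 5c 7a 30 2a 5c 37 30 30 2f 29 25 65
0000037
"""

# Father Chrysostomos' minimal reproducer, as passed to `perl -e`.
MINIMAL_PROGRAM = r'".\x{100}" =~ /\b\z0*\x{100}/'


def decode_od_tx1(dump: str) -> bytes:
    """Rebuild file contents from `od -tx1` output.

    Every line starts with an octal byte offset; the trailing line carries
    only the final offset, i.e. the file length.  The offsets double as a
    consistency check that no line of the paste was lost or truncated.
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset = int(fields[0], 8)
        if offset != len(out):
            raise ValueError(f"offset {fields[0]} != {len(out)} bytes decoded so far")
        out.extend(int(h, 16) for h in fields[1:])
    return bytes(out)


def wide_chars(src: bytes) -> list:
    """Code points >= 256 spelled as \\ooo or \\x{hhh} escapes in Perl source.

    A string literal containing such a character is stored by perl as UTF-8,
    which is the precondition for the UTF-8 / non-UTF-8 substring mismatch this
    ticket is about (\\700 in the fuzz case, \\x{100} in the minimal one).
    """
    points = [int(o, 8) for o in re.findall(rb'\\([0-7]{3})', src)]
    points += [int(h, 16) for h in re.findall(rb'\\x\{([0-9A-Fa-f]+)\}', src)]
    return [p for p in points if p >= 256]


def classify_run(returncode: int) -> str:
    """On POSIX, subprocess reports death by signal as a negative return code."""
    if returncode < 0:
        return f"crashed (signal {-returncode})"
    return f"exited {returncode}"


def run_reproducer(source: bytes, perl: str = "perl", timeout: float = 10.0) -> str:
    """Write the reproducer to a temp file and run it under a timeout."""
    fd, path = tempfile.mkstemp(suffix=".pl")
    with os.fdopen(fd, "wb") as fh:
        fh.write(source)
    try:
        proc = subprocess.run([perl, path], capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return f"{perl} not found"
    except subprocess.TimeoutExpired:
        return f"timed out after {timeout}s"
    finally:
        os.unlink(path)
    return classify_run(proc.returncode)


if __name__ == "__main__":
    fuzz_case = decode_od_tx1(OD_DUMP)
    print("decoded source:", fuzz_case)
    print("wide code points:", wide_chars(fuzz_case))
    if shutil.which("perl"):
        print("fuzz case:", run_reproducer(fuzz_case))
        print("minimal:  ", run_reproducer(MINIMAL_PROGRAM.encode()))
    else:
        print("perl not on PATH; skipping execution")
```

Decoding the dump yields the 31-byte program `s%%""&("\x18\700"=~/\b\z0*\700/)%e`: a `%`-delimited substitution whose `/e` replacement performs the match, and `\700` (code point 448) is what forces the target string to UTF-8, the same role `\x{100}` plays in the minimal case. On a fixed perl `run_reproducer` reports `exited 0`; on an affected build it reports `crashed (signal 11)`, matching the traces above.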


p5pRT commented Sep 25, 2016

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Oct 4, 2016

From @hvds

This should be fixed by 2814f4b:

  [perl #129350] anchored/floating substrings must be utf8 if target is
 
  If the target is utf8 and either the anchored or floating substrings
  are not, we need to create utf8 copies to check against. The state
  of the two substrings may not be the same, but we were only testing
  whichever we planned to check first.

Hugo


p5pRT commented Oct 4, 2016

@hvds - Status changed from 'open' to 'pending release'


p5pRT commented Oct 11, 2016

From @xsawyerx

On Tue Oct 04 17:21:05 2016, hv wrote:

> This should be fixed by 2814f4b

Is it verified?

I would be happy to resolve the ticket. :)


p5pRT commented Oct 11, 2016

From @hvds

On Tue Oct 11 08:05:21 2016, xsawyerx@cpan.org wrote:

> On Tue Oct 04 17:21:05 2016, hv wrote:
>
> > This should be fixed by 2814f4b
>
> Is it verified?
>
> I would be happy to resolve the ticket. :)

I'm not sure I understand the question, or the intended action. The corresponding test passes in smokes - is that the verification you're asking about? The fix is not yet in a stable release of perl, so I think the ticket is as far resolved as it should be at this stage.

Hugo


p5pRT commented Oct 15, 2016

From @xsawyerx

On 10/11/2016 05:45 PM, Hugo van der Sanden via RT wrote:

> On Tue Oct 11 08:05:21 2016, xsawyerx@cpan.org wrote:
>
> > On Tue Oct 04 17:21:05 2016, hv wrote:
> >
> > > This should be fixed by 2814f4b
> >
> > Is it verified?
> >
> > I would be happy to resolve the ticket. :)
>
> [...] The fix is not yet in a stable release of perl, so I think the ticket is as far resolved as it should be at this stage.

You have answered my question. Thank you. :)


p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.


p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'
