Skip Menu |
Report information
Id: 129350
Status: resolved
Priority: 0/
Queue: perl5

Owner: hv <hv [at] crypt.org>
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



Subject: null pointer deref Perl_re_intuit_start (regexec.c:1049)
This one crashes both Perl 5.20.2 and Perl v5.25.5-8-g3c42ae1. Found with AFL+ASAN. od -tx1 test32 0000000 73 25 25 22 22 26 28 22 18 5c 37 30 30 22 3d 7e 0000020 2f 5c 62 5c 7a 30 2a 5c 37 30 30 2f 29 25 65 0000037 Perl v5.25.5-8-g3c42ae1: ==16060==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x000000b51e90 bp 0x7ffc641c93f0 sp 0x7ffc641c9180 T0) #0 0xb51e8f in Perl_re_intuit_start /root/perl/regexec.c:1049:9 #1 0xb439a1 in Perl_regexec_flags /root/perl/regexec.c:2988:6 #2 0x8c2ef8 in Perl_pp_match /root/perl/pp_hot.c:1836:10 #3 0x7f47d3 in Perl_runops_debug /root/perl/dump.c:2239:23 #4 0x5a11c6 in S_run_body /root/perl/perl.c:2526:2 #5 0x5a11c6 in perl_run /root/perl/perl.c:2449 #6 0x4de5fd in main /root/perl/perlmain.c:123:9 #7 0x7f88f6ef3b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287 #8 0x4de26c in _start (/root/perl/perl+0x4de26c) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /root/perl/regexec.c:1049 Perl_re_intuit_start ==16060==ABORTING (gdb) list 1044 s = HOP3c(rx_origin, other->min_offset, strend); 1045 if (s < other_last) /* These positions already checked */ 1046 s = other_last; 1047 1048 must = utf8_target ? other->utf8_substr : other->substr; 1049 assert(SvPOK(must)); 1050 { 1051 char *from = s; 1052 char *to = last + SvCUR(must) - (SvTAIL(must)!=0); 1053 Perl 5.20.2: ==23698== Invalid read of size 4 ==23698== at 0x4F6AF8A: Perl_re_intuit_start (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2) ==23698== by 0x4F6C34E: Perl_regexec_flags (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2) ==23698== by 0x4EFEC7D: Perl_pp_match (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2) ==23698== by 0x4EFB055: Perl_runops_standard (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2) ==23698== by 0x4E8B73D: perl_run (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2) ==23698== by 0x400E18: main (in /usr/bin/perl) ==23698== Address 0xc is not stack'd, malloc'd or (recently) free'd ==23698== ==23698== ==23698== Process terminating with default action of signal 11 (SIGSEGV) ==23698== Access not within mapped region at address 0xC ==23698== at 0x4F6AF8A: Perl_re_intuit_start (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2) ==23698== by 0x4F6C34E: Perl_regexec_flags (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2) ==23698== by 0x4EFEC7D: Perl_pp_match (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2) ==23698== by 0x4EFB055: Perl_runops_standard (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2) ==23698== by 0x4E8B73D: perl_run (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2) ==23698== by 0x400E18: main (in /usr/bin/perl) ==23698== If you believe this happened as a result of a stack ==23698== overflow in your program's main thread (unlikely but ==23698== possible), you can try to increase the size of the ==23698== main thread stack using the --main-stacksize= flag. ==23698== The main thread stack size used in this run was 8388608. Segmentation fault
Subject: test32.gz
Download test32.gz
application/x-gzip 55b

Message body not shown because it is not plain text.

RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 1.1k
On Sat Sep 24 17:16:05 2016, brian.carpenter@gmail.com wrote: Show quoted text
> This one crashes both Perl 5.20.2 and Perl v5.25.5-8-g3c42ae1. Found > with AFL+ASAN. > > od -tx1 test32 > 0000000 73 25 25 22 22 26 28 22 18 5c 37 30 30 22 3d 7e > 0000020 2f 5c 62 5c 7a 30 2a 5c 37 30 30 2f 29 25 65 > 0000037
This is a simple as I can get it: $ ./miniperl -e '".\x{100}" =~ /\b\z0*\x{100}/' Segmentation fault: 11 $ ./perl -Ilib -Mre=debug -e '".\x{100}" =~ /\b\z0*\x{100}/' Compiling REx "\b\z0*\x{100}" Final program: 1: BOUNDU (2) 2: EOS (3) 3: STAR (6) 4: EXACT <0> (0) 6: EXACT <\x{100}> (8) 8: END (0) anchored ""$ at 0 floating utf8 "%x{100}" at 0..9223372036854775807 (checking floating) stclass BOUNDU minlen 1 Matching REx "\b\z0*\x{100}" against ".%x{100}" UTF-8 pattern and string... Intuit: trying to determine minimum start position... doing 'check' fbm scan, [0..3] gave 1 Found floating substr "%x{100}" at offset 1 (rx_origin now 0)... (multiline anchor test skipped) looking for class: start_shift: 0 check_at: 1 rx_origin: 0 endpos: 1 This position contradicts STCLASS... about to retry anchored at offset 0 (rx_origin now 0)... Segmentation fault: 11 -- Father Chrysostomos
Download (untitled) / with headers
text/plain 378b
This should be fixed by 2814f4b354: [perl #129350] anchored/floating substrings must be utf8 if target is If the target is utf8 and either the anchored or floating substrings are not, we need to create utf8 copies to check against. The state of the two substrings may not be the same, but we were only testing whichever we planned to check first. Hugo
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 378b
This should be fixed by 2814f4b354: [perl #129350] anchored/floating substrings must be utf8 if target is If the target is utf8 and either the anchored or floating substrings are not, we need to create utf8 copies to check against. The state of the two substrings may not be the same, but we were only testing whichever we planned to check first. Hugo
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 136b
On Tue Oct 04 17:21:05 2016, hv wrote: Show quoted text
> This should be fixed by 2814f4b354
Is it verified? I would be happy to resolve the ticket. :)
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 481b
On Tue Oct 11 08:05:21 2016, xsawyerx@cpan.org wrote: Show quoted text
> On Tue Oct 04 17:21:05 2016, hv wrote:
> > This should be fixed by 2814f4b354
> > Is it verified? > > I would be happy to resolve the ticket. :)
I'm not sure I understand the question, or the intended action. The corresponding test passes in smokes - is that the verification you're asking about? The fix is not yet in a stable release of perl, so I think the ticket is as far resolved as it should be at this stage. Hugo
To: perlbug-followup [...] perl.org
Subject: Re: [perl #129350] null pointer deref Perl_re_intuit_start (regexec.c:1049)
Date: Sat, 15 Oct 2016 17:32:41 +0200
From: Sawyer X <xsawyerx [...] gmail.com>
Download (untitled) / with headers
text/plain 440b
On 10/11/2016 05:45 PM, Hugo van der Sanden via RT wrote: Show quoted text
> On Tue Oct 11 08:05:21 2016, xsawyerx@cpan.org wrote:
>> On Tue Oct 04 17:21:05 2016, hv wrote:
>>> This should be fixed by 2814f4b354
>> Is it verified? >> >> I would be happy to resolve the ticket. :)
> [...] The fix is not yet in a stable release of perl, so I think the ticket is as far resolved as it should be at this stage.
You have answered my question. Thank you. :)
Download (untitled) / with headers
text/plain 313b
Thank you for filing this report. You have helped make Perl better. With the release today of Perl 5.26.0, this and 210 other issues have been resolved. Perl 5.26.0 may be downloaded via: https://metacpan.org/release/XSAWYERX/perl-5.26.0 If you find that the problem persists, feel free to reopen this ticket.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org