Report information
Id: 130632
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: randir <sergey.aleynikov [at] gmail.com>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: medium
Type: core
Perl Version: 5.25.9
Fixed In: (no value)

Attachments
0001-perl-130632-free-label-pvs-from-the-parser-stack.patch



From: Sergey Aleynikov <sergey.aleynikov [...] gmail.com>
To: perlbug [...] perl.org
Date: Tue, 24 Jan 2017 11:18:44 +0300
Subject: Memory leak in Perl_yylex (toke.c:7027)
This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.25.9.

-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.25.8-216-gfbceb79751 built with afl and run under
libdislocator, I found the following program

s//'x' ^ -"s:\347"/eeg

to cause a memory leak report under ASAN:

=================================================================
==27209==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x4ea6c8 in malloc (/home/afl/afl-asan/perl+0x4ea6c8)
    #1 0x8504be in Perl_safesysmalloc /home/afl/afl-asan/util.c:153:21
    #2 0x8564ab in Perl_savepvn /home/afl/afl-asan/util.c:1177:5
    #3 0x675843 in Perl_yylex /home/afl/afl-asan/toke.c:7027:23
    #4 0x6f6072 in Perl_yyparse /home/afl/afl-asan/perly.c:340:34
    #5 0xb0c78f in S_doeval_compile /home/afl/afl-asan/pp_ctl.c:3432:77
    #6 0xb09a17 in Perl_pp_entereval /home/afl/afl-asan/pp_ctl.c:4292:9
    #7 0x84b114 in Perl_runops_debug /home/afl/afl-asan/dump.c:2406:23
    #8 0x5f1b05 in S_run_body /home/afl/afl-asan/perl.c:2528:2
    #9 0x5f1b05 in perl_run /home/afl/afl-asan/perl.c:2451
    #10 0x5224d2 in main /home/afl/afl-asan/perlmain.c:123:9
    #11 0x7efca17d02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: 4 byte(s) leaked in 1 allocation(s).

Leaked scalar comes from the following line

pl_yylval.pval = savepvn(PL_tokenbuf, len+1);

In this case PL_tokenbuf is "Us" and len == 2. Amount of memory leaked
scales with the size of this buffer. For example, the following eternal
loop leaks 20 bytes per iteration, so run it with caution:

s//'x' ^ -"s666666666666666k:\347"/eeg while (1)

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'

---
@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9

---
Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh
RT-Send-CC: perl5-porters [...] perl.org
On Tue, 24 Jan 2017 00:19:10 -0800, randir wrote:

> While fuzzing perl v5.25.8-216-gfbceb79751 built with afl and run
> under libdislocator, I found the following program
>
> s//'x' ^ -"s:\347"/eeg
>
> to cause a memory leak report under ASAN:
>
> =================================================================
> ==27209==ERROR: LeakSanitizer: detected memory leaks
>
> Direct leak of 4 byte(s) in 1 object(s) allocated from:
> #0 0x4ea6c8 in malloc (/home/afl/afl-asan/perl+0x4ea6c8)
> #1 0x8504be in Perl_safesysmalloc /home/afl/afl-asan/util.c:153:21
> #2 0x8564ab in Perl_savepvn /home/afl/afl-asan/util.c:1177:5
> #3 0x675843 in Perl_yylex /home/afl/afl-asan/toke.c:7027:23
> #4 0x6f6072 in Perl_yyparse /home/afl/afl-asan/perly.c:340:34
> #5 0xb0c78f in S_doeval_compile /home/afl/afl-asan/pp_ctl.c:3432:77
> #6 0xb09a17 in Perl_pp_entereval /home/afl/afl-asan/pp_ctl.c:4292:9
> #7 0x84b114 in Perl_runops_debug /home/afl/afl-asan/dump.c:2406:23
> #8 0x5f1b05 in S_run_body /home/afl/afl-asan/perl.c:2528:2
> #9 0x5f1b05 in perl_run /home/afl/afl-asan/perl.c:2451
> #10 0x5224d2 in main /home/afl/afl-asan/perlmain.c:123:9
> #11 0x7efca17d02b0 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
This is normally freed by newSTATEOP(), but if the label token happens to have been pushed onto the parser shift-reduce stack and the parser aborts, it leaks. The attached fixes it for me.

Tony
Subject: 0001-perl-130632-free-label-pvs-from-the-parser-stack.patch
From 7cc5dfff56d7dfaac8a7f7cbb6c2ff96f3036eb4 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Tue, 7 Feb 2017 15:08:55 +1100 Subject: (perl #130632) free label pvs from the parser stack For labels, Perl_yylex() generates a LABEL token, with the label name stored in the pval slot of the yylval, allocated with savepvn(). In the normal course of parsing this is freed by Perl_newSTATEOP(), but if parsing is aborted with the label on the parser shift-reduce stack the memory would leak. Clean up pval entries on the parse stack when clearing the parser stack. --- perly.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/perly.c b/perly.c index 1c018bb..43cc955 100644 --- a/perly.c +++ b/perly.c @@ -232,6 +232,10 @@ S_clear_yystack(pTHX_ const yy_parser *parser) YYDPRINTF ((Perl_debug_log, "(freeing op)\n")); op_free(ps->val.opval); } + else if (yy_type_tab[yystos[ps->state]] == toketype_pval + && ps->val.pval) { + Safefree(ps->val.pval); + } SvREFCNT_dec(ps->compcv); ps--; } -- 2.1.4
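Review bot: the patch ships with no regression test (the diffstat touches perly.c only), even though the commit message names the exact failure mode; the reporter's one-liner s//'x' ^ -"s:\347"/eeg, or any label left on the stack by a syntax error, would be a cheap addition to the test suite so that an ASAN/LeakSanitizer build catches a reintroduction. The new branch itself is consistent with the allocation it undoes: the commit message says the pval comes from savepvn(), and Safefree() is its matching release, with the `&& ps->val.pval` guard mirroring the opval branch above it. Worth confirming in review that S_clear_yystack is the only place parser stack entries are discarded on abort; if Perl_yyparse pops entries on any other error path, that path would need the same toketype_pval case.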


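The leak in this ticket and its fix turn on one property of a shift-reduce parser: every entry on the value stack is a union, and only the parser state recorded beside it says which member is live and which deallocator it needs. The C program below is an added example, not code from perl, from the reporter or from Tony Cook's patch. It models that stack with a small constructed state-to-type table (a stand-in for perl's yy_type_tab[yystos[state]]), pushes the entries an aborted "Us: ..." parse would leave behind, runs the cleanup as it was before the patch beside the cleanup with the patch's extra pval branch, and counts live heap objects the way LeakSanitizer would. All names (state_type_tab, stack_entry, clear_stack_before, clear_stack_after, simulate_aborted_parse) are hypothetical.

```c
/*
 * Added example, not perl's code: a tagged-union parser value stack and the
 * cleanup run when a parse aborts, before and after the #130632 fix.
 * state_type_tab stands in for yy_type_tab[yystos[state]]; live_allocs
 * stands in for LeakSanitizer's count of unreleased allocations.
 */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum tok_type { TOK_IVAL, TOK_OPVAL, TOK_PVAL };

/* Constructed table: the semantic-value type carried by the symbol that
 * moved the parser into each state (hypothetical states 0..3). */
static const enum tok_type state_type_tab[] = {
    TOK_IVAL,   /* 0: start state, no heap value            */
    TOK_PVAL,   /* 1: after LABEL, pval from savepvn()      */
    TOK_OPVAL,  /* 2: after an expression, opval op tree    */
    TOK_IVAL,   /* 3: after a keyword token, integer only   */
};

struct op { int type; struct op *next; };            /* stand-in for OP */
union yyval { struct op *opval; char *pval; long ival; };
struct stack_entry { int state; union yyval val; };

static long live_allocs;   /* heap objects allocated and not yet freed */

static char *savepvn_(const char *s, size_t len)     /* like savepvn() */
{
    char *p = malloc(len + 1);
    assert(p);
    memcpy(p, s, len);
    p[len] = '\0';
    live_allocs++;
    return p;
}

static struct op *newop_(int type, struct op *next)  /* one op in a tree */
{
    struct op *o = malloc(sizeof *o);
    assert(o);
    o->type = type;
    o->next = next;
    live_allocs++;
    return o;
}

static void op_free_(struct op *o)                   /* like op_free() */
{
    while (o) {
        struct op *next = o->next;
        free(o);
        live_allocs--;
        o = next;
    }
}

static void safefree_(char *p)                       /* like Safefree() */
{
    if (p) { free(p); live_allocs--; }
}

/* Cleanup as it stood before the patch: only op trees are released. */
static void clear_stack_before(struct stack_entry *ps, int depth)
{
    while (depth-- > 0) {
        if (state_type_tab[ps->state] == TOK_OPVAL && ps->val.opval)
            op_free_(ps->val.opval);
        ps--;
    }
}

/* Cleanup with the patch's extra branch: pval entries are released too. */
static void clear_stack_after(struct stack_entry *ps, int depth)
{
    while (depth-- > 0) {
        if (state_type_tab[ps->state] == TOK_OPVAL && ps->val.opval)
            op_free_(ps->val.opval);
        else if (state_type_tab[ps->state] == TOK_PVAL && ps->val.pval)
            safefree_(ps->val.pval);
        ps--;
    }
}

/* Build the stack a parse of "Us: <expr> <keyword>" leaves when a syntax
 * error aborts it, run one cleanup, return how many heap objects remain. */
static long simulate_aborted_parse(int fixed)
{
    struct stack_entry stack[4];
    int depth = 0;
    char *label;

    live_allocs = 0;
    stack[depth].state = 0; stack[depth].val.ival = 0;            depth++;
    label = savepvn_("Us", 2);                       /* the leaked label */
    stack[depth].state = 1; stack[depth].val.pval = label;         depth++;
    stack[depth].state = 2;
    stack[depth].val.opval = newop_(1, newop_(2, NULL));           depth++;
    stack[depth].state = 3; stack[depth].val.ival = 42;           depth++;

    /* ps points at the top entry and walks down, as in S_clear_yystack */
    if (fixed)
        clear_stack_after(&stack[depth - 1], depth);
    else
        clear_stack_before(&stack[depth - 1], depth);

    long leaked = live_allocs;
    if (!fixed)
        free(label);   /* counted as leaked; released so the demo itself stays clean */
    return leaked;
}

int main(void)
{
    printf("before fix: %ld object(s) leaked\n", simulate_aborted_parse(0));
    printf("after fix:  %ld object(s) leaked\n", simulate_aborted_parse(1));
    return 0;
}
```

The point the example makes is that the old cleanup was not wrong for what it checked, it was incomplete: it handled one member of the union and silently skipped the other, so every token type whose value owns heap memory needs its own branch here, and an allocation-counting build (or a real ASAN/LSAN run of the reporter's one-liner) is the check that catches a missing one.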
This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org