Report information
Id: 131630
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: randir <sergey.aleynikov [at] gmail.com>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: medium
Type: core
Perl Version: 5.27.1
Fixed In: (no value)



To: perlbug [...] perl.org
Subject: Stack overflow during exception unwind in Perl_croak
From: Sergey Aleynikov <sergey.aleynikov [...] gmail.com>
Date: Thu, 22 Jun 2017 21:55:41 +0300
This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.27.1.

-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.27.1-37-g4c95ee9f29 built with afl and run under
libdislocator, I found the following program

    eval q!split*@=\0!

to cause a stack overflow. GDB info about the crash location is:

#0  0x0000563bc3865cf3 in Perl_sv_grow (sv=0x0, newlen=0x0) at sv.c:1546
#1  0x0000563bc388f439 in Perl_sv_catpvn_flags (dsv=0x563bc4147d70, sstr=0x563bc3ad2020 <PL_no_modify> "Modification of a read-only value attempted", slen=0x2b, flags=0x0) at sv.c:5529
#2  0x0000563bc3890c17 in Perl_sv_catpv_flags (dstr=0x563bc4147d70, sstr=0x563bc3ad2020 <PL_no_modify> "Modification of a read-only value attempted", flags=0x0) at sv.c:5646
#3  0x0000563bc38b2a50 in Perl_sv_vcatpvfn_flags (sv=0x563bc4147d70, pat=0x563bc3a705cf "%s", patlen=0x2, args=0x7ffce05bb780, svargs=0x0, sv_count=0x0, maybe_tainted=0x0, flags=0x0) at sv.c:11911
#4  0x0000563bc38b0941 in Perl_sv_vsetpvfn (sv=0x563bc4147d70, pat=0x563bc3a705cf "%s", patlen=0x2, args=0x7ffce05bb780, svargs=0x0, sv_count=0x0, maybe_tainted=0x0) at sv.c:10961
#5  0x0000563bc37f7dd0 in Perl_vmess (pat=0x563bc3a705cf "%s", args=0x7ffce05bb780) at util.c:1487
#6  0x0000563bc37f8e38 in Perl_vcroak (pat=0x563bc3a705cf "%s", args=0x7ffce05bb780) at util.c:1716
#7  0x0000563bc37f912e in Perl_croak (pat=0x563bc3a705cf "%s") at util.c:1763
#8  0x0000563bc37f914a in Perl_croak_no_modify () at util.c:1781
#9  0x0000563bc388d2c2 in Perl_sv_force_normal_flags (sv=0x563bc40b8ae8, flags=0x4) at sv.c:5325
#10 0x0000563bc3882216 in Perl_sv_setsv_flags (dstr=0x563bc40b8ae8, sstr=0x563bc4147d58, flags=0x612) at sv.c:4347
#11 0x0000563bc390d135 in Perl_die_unwind (msv=0x563bc4147d58) at pp_ctl.c:1726
#12 0x0000563bc37f907d in Perl_vcroak (pat=0x563bc3a705cf "%s", args=0x7ffce05bbe70) at util.c:1718
#13 0x0000563bc37f912e in Perl_croak (pat=0x563bc3a705cf "%s") at util.c:1763
#14 0x0000563bc37f914a in Perl_croak_no_modify () at util.c:1781
#15 0x0000563bc388d2c2 in Perl_sv_force_normal_flags (sv=0x563bc40b8ae8, flags=0x4) at sv.c:5325
...
#28306 0x0000563bc3882216 in Perl_sv_setsv_flags (dstr=0x563bc40b8ae8, sstr=0x563bc40b9418, flags=0x612) at sv.c:4347
#28307 0x0000563bc390d135 in Perl_die_unwind (msv=0x563bc40b9418) at pp_ctl.c:1726
#28308 0x0000563bc37f907d in Perl_vcroak (pat=0x563bc3a676e8 "%s in regex; marked by <-- HERE in m/%d%lu%4p <-- HERE %d%lu%4p/", args=0x7ffce0db8bb0) at util.c:1718
#28309 0x0000563bc37f912e in Perl_croak (pat=0x563bc3a676e8 "%s in regex; marked by <-- HERE in m/%d%lu%4p <-- HERE %d%lu%4p/") at util.c:1763
#28310 0x0000563bc37ba100 in S_regatom (pRExC_state=0x7ffce0db99a0, flagp=0x7ffce0db8fd0, depth=0x4) at regcomp.c:12641
#28311 0x0000563bc37b403b in S_regpiece (pRExC_state=0x7ffce0db99a0, flagp=0x7ffce0db90fc, depth=0x3) at regcomp.c:11668
#28312 0x0000563bc37b3989 in S_regbranch (pRExC_state=0x7ffce0db99a0, flagp=0x7ffce0db91a8, first=0x1, depth=0x2) at regcomp.c:11593
#28313 0x0000563bc37b126c in S_reg (pRExC_state=0x7ffce0db99a0, paren=0x0, flagp=0x7ffce0db95e4, depth=0x1) at regcomp.c:11331
#28314 0x0000563bc3799859 in Perl_re_op_compile (patternp=0x563bc409fb58, pat_count=0x1, expr=0x0, eng=0x563bc3cff540 <PL_core_reg_engine>, old_re=0x0, is_bare_re=0x7ffce0db9d5a, orig_rx_flags=0x800, pm_flags=0x800) at regcomp.c:7100
#28315 0x0000563bc39019b5 in Perl_pp_regcomp () at pp_ctl.c:108
#28316 0x0000563bc37f2a7d in Perl_runops_debug () at dump.c:2451
#28317 0x0000563bc36e8b3d in S_run_body (oldscope=0x1) at perl.c:2548
#28318 0x0000563bc36e80bb in perl_run (my_perl=0x563bc409b010) at perl.c:2471
#28319 0x0000563bc36a0f3e in main (argc=0x2, argv=0x7ffce0dba128, env=0x7ffce0dba140) at perlmain.c:123

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.27.1:

Configured by root at Sun May 28 01:44:41 MSK 2017.

Summary of my perl5 (revision 5 version 26 subversion 0) configuration:
  Derived from: 4c95ee9f298c2edfc1382d540ff89288790e78b6
  Platform:
    osname=linux
    osvers=4.9.0-3-amd64
    archname=x86_64-linux
    uname='linux dorothy 4.9.0-3-amd64 #1 smp debian 4.9.25-1 (2017-05-02) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3 -fno-omit-frame-pointer'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3 -fno-omit-frame-pointer'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -fno-omit-frame-pointer -L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
    uncommitted-changes

---
@INC for perl 5.27.1:
    lib
    /usr/local/lib/perl5/site_perl/5.26.0/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.26.0
    /usr/local/lib/perl5/5.26.0/x86_64-linux
    /usr/local/lib/perl5/5.26.0

---
Environment for perl 5.27.1:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LC_CTYPE=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.24.1-dbg/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin
    PERLBREW_PERL=perl-5.24.1-dbg
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh
To: perl5-porters [...] perl.org
Date: Tue, 8 Aug 2017 08:37:01 +0100
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #131630] Stack overflow during exception unwind in Perl_croak
On Thu, Jun 22, 2017 at 11:55:56AM -0700, Sergey Aleynikov wrote:
> eval q!split*@=\0!

*@ = \0 aliases $@ to a read-only value. Subsequent attempts to set $@
will cause a "Modification of a read-only value attempted" croak, which
will also try to set $@, and so on until the stack overflows.

I think this comes under "doctor it hurts if I do this".

-- 
That he said that that that that is is is debatable, is debatable.
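The aliasing mechanism behind this report, shown on an ordinary package variable rather than on $@. This is an example added here, not code from the bug report or from the perl source: glob assignment of a reference to a literal constant makes the variable an alias for a read-only SV, and the first write through it croaks with the message seen in frame #1 of the backtrace. The example keeps $@ itself untouched, which is exactly why eval can catch the croak and why the unbounded die_unwind recursion described above does not occur here. Internals::SvREADONLY is a core (but undocumented, internal) function used only to show the flag; assume a perl recent enough to provide it.

```perl
use strict;
use warnings;

# \0 is a reference to a read-only constant SV. Glob assignment makes
# the package variable $x an alias for that very SV, so writes through
# $x now target a read-only value.
our $x;
*x = \0;

# Internals::SvREADONLY reports the read-only flag directly (prints 1).
printf "readonly flag on \$x: %d\n", Internals::SvREADONLY($x) ? 1 : 0;

# Writing through the alias croaks ("Modification of a read-only value
# attempted at ..."). eval catches the exception and stores its message
# in $@; that store succeeds only because $@ is still a normal writable
# scalar, which is the property the reported program takes away.
my $ok = eval { $x = 1; 1 };
print "caught: $@" unless $ok;

# Re-pointing the glob's scalar slot at a fresh scalar breaks the alias:
# $x is writable again and the read-only flag is gone (prints 42 and 0).
*x = \my $fresh;
$x = 42;
printf "after re-aliasing, \$x = %d, readonly flag = %d\n",
    $x, Internals::SvREADONLY($x) ? 1 : 0;
```

Run it with a stock perl; it exits normally. The same three steps applied to *@ on a perl affected by this ticket would instead enter the die_unwind / croak_no_modify loop in the backtrace, because the message of every croak has to be stored in the very scalar that is read-only.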

