Report information
Id: 131630
Status: new
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: randir <sergey.aleynikov [at] gmail.com>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: medium
Type: core
Perl Version: 5.27.1
Fixed In: (no value)



To: perlbug [...] perl.org
Subject: Stack overflow during exception unwind in Perl_croak
From: Sergey Aleynikov <sergey.aleynikov [...] gmail.com>
Date: Thu, 22 Jun 2017 21:55:41 +0300
This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.27.1.

-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.27.1-37-g4c95ee9f29 built with afl and run under
libdislocator, I found the following program

eval q!split*@=\0!

to cause a stack overflow. GDB info about the crash location is:

#0  0x0000563bc3865cf3 in Perl_sv_grow (sv=0x0, newlen=0x0) at sv.c:1546
#1  0x0000563bc388f439 in Perl_sv_catpvn_flags (dsv=0x563bc4147d70, sstr=0x563bc3ad2020 <PL_no_modify> "Modification of a read-only value attempted", slen=0x2b, flags=0x0) at sv.c:5529
#2  0x0000563bc3890c17 in Perl_sv_catpv_flags (dstr=0x563bc4147d70, sstr=0x563bc3ad2020 <PL_no_modify> "Modification of a read-only value attempted", flags=0x0) at sv.c:5646
#3  0x0000563bc38b2a50 in Perl_sv_vcatpvfn_flags (sv=0x563bc4147d70, pat=0x563bc3a705cf "%s", patlen=0x2, args=0x7ffce05bb780, svargs=0x0, sv_count=0x0, maybe_tainted=0x0, flags=0x0) at sv.c:11911
#4  0x0000563bc38b0941 in Perl_sv_vsetpvfn (sv=0x563bc4147d70, pat=0x563bc3a705cf "%s", patlen=0x2, args=0x7ffce05bb780, svargs=0x0, sv_count=0x0, maybe_tainted=0x0) at sv.c:10961
#5  0x0000563bc37f7dd0 in Perl_vmess (pat=0x563bc3a705cf "%s", args=0x7ffce05bb780) at util.c:1487
#6  0x0000563bc37f8e38 in Perl_vcroak (pat=0x563bc3a705cf "%s", args=0x7ffce05bb780) at util.c:1716
#7  0x0000563bc37f912e in Perl_croak (pat=0x563bc3a705cf "%s") at util.c:1763
#8  0x0000563bc37f914a in Perl_croak_no_modify () at util.c:1781
#9  0x0000563bc388d2c2 in Perl_sv_force_normal_flags (sv=0x563bc40b8ae8, flags=0x4) at sv.c:5325
#10 0x0000563bc3882216 in Perl_sv_setsv_flags (dstr=0x563bc40b8ae8, sstr=0x563bc4147d58, flags=0x612) at sv.c:4347
#11 0x0000563bc390d135 in Perl_die_unwind (msv=0x563bc4147d58) at pp_ctl.c:1726
#12 0x0000563bc37f907d in Perl_vcroak (pat=0x563bc3a705cf "%s", args=0x7ffce05bbe70) at util.c:1718
#13 0x0000563bc37f912e in Perl_croak (pat=0x563bc3a705cf "%s") at util.c:1763
#14 0x0000563bc37f914a in Perl_croak_no_modify () at util.c:1781
#15 0x0000563bc388d2c2 in Perl_sv_force_normal_flags (sv=0x563bc40b8ae8, flags=0x4) at sv.c:5325
...
#28306 0x0000563bc3882216 in Perl_sv_setsv_flags (dstr=0x563bc40b8ae8, sstr=0x563bc40b9418, flags=0x612) at sv.c:4347
#28307 0x0000563bc390d135 in Perl_die_unwind (msv=0x563bc40b9418) at pp_ctl.c:1726
#28308 0x0000563bc37f907d in Perl_vcroak (pat=0x563bc3a676e8 "%s in regex; marked by <-- HERE in m/%d%lu%4p <-- HERE %d%lu%4p/", args=0x7ffce0db8bb0) at util.c:1718
#28309 0x0000563bc37f912e in Perl_croak (pat=0x563bc3a676e8 "%s in regex; marked by <-- HERE in m/%d%lu%4p <-- HERE %d%lu%4p/") at util.c:1763
#28310 0x0000563bc37ba100 in S_regatom (pRExC_state=0x7ffce0db99a0, flagp=0x7ffce0db8fd0, depth=0x4) at regcomp.c:12641
#28311 0x0000563bc37b403b in S_regpiece (pRExC_state=0x7ffce0db99a0, flagp=0x7ffce0db90fc, depth=0x3) at regcomp.c:11668
#28312 0x0000563bc37b3989 in S_regbranch (pRExC_state=0x7ffce0db99a0, flagp=0x7ffce0db91a8, first=0x1, depth=0x2) at regcomp.c:11593
#28313 0x0000563bc37b126c in S_reg (pRExC_state=0x7ffce0db99a0, paren=0x0, flagp=0x7ffce0db95e4, depth=0x1) at regcomp.c:11331
#28314 0x0000563bc3799859 in Perl_re_op_compile (patternp=0x563bc409fb58, pat_count=0x1, expr=0x0, eng=0x563bc3cff540 <PL_core_reg_engine>, old_re=0x0, is_bare_re=0x7ffce0db9d5a, orig_rx_flags=0x800, pm_flags=0x800) at regcomp.c:7100
#28315 0x0000563bc39019b5 in Perl_pp_regcomp () at pp_ctl.c:108
#28316 0x0000563bc37f2a7d in Perl_runops_debug () at dump.c:2451
#28317 0x0000563bc36e8b3d in S_run_body (oldscope=0x1) at perl.c:2548
#28318 0x0000563bc36e80bb in perl_run (my_perl=0x563bc409b010) at perl.c:2471
#28319 0x0000563bc36a0f3e in main (argc=0x2, argv=0x7ffce0dba128, env=0x7ffce0dba140) at perlmain.c:123

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.27.1:

Configured by root at Sun May 28 01:44:41 MSK 2017.

Summary of my perl5 (revision 5 version 26 subversion 0) configuration:
  Derived from: 4c95ee9f298c2edfc1382d540ff89288790e78b6
  Platform:
    osname=linux
    osvers=4.9.0-3-amd64
    archname=x86_64-linux
    uname='linux dorothy 4.9.0-3-amd64 #1 smp debian 4.9.25-1 (2017-05-02) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3 -fno-omit-frame-pointer'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3 -fno-omit-frame-pointer'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -fno-omit-frame-pointer -L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
    uncommitted-changes

---
@INC for perl 5.27.1:
    lib
    /usr/local/lib/perl5/site_perl/5.26.0/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.26.0
    /usr/local/lib/perl5/5.26.0/x86_64-linux
    /usr/local/lib/perl5/5.26.0

---
Environment for perl 5.27.1:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LC_CTYPE=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.24.1-dbg/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin
    PERLBREW_PERL=perl-5.24.1-dbg
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh
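The backtrace in the report shows the same six frames repeating all the way down from #6 to #28309: as the frame names indicate, the unwind started by the regex-compile error in S_regatom tries to store the error message (Perl_die_unwind calling Perl_sv_setsv_flags), hits a read-only value (Perl_croak_no_modify), croaks again, and so re-enters the unwind until the stack is exhausted. Reading that out of a 28,000-frame trace by hand is tedious, so the script below is an added triage example (not part of the report or of perl's own tooling) that parses GDB `bt` output, splits it at gaps in frame numbering so the "..." elision cannot masquerade as a shorter cycle, finds the smallest repeating frame pattern, and names the first non-cycle caller beneath it. The helper names (`parse_frames`, `find_recursion_cycle`, `triage`) are this example's own; the sample backtrace is abridged from the report with most arguments shortened to "...", and frames #16-#19 are constructed to continue the cycle that the report's "..." elides.

```python
import re
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

# One GDB frame line, e.g. "#12 0x0000563bc37f907d in Perl_vcroak (pat=...) at util.c:1718".
# The "0x... in" part is optional because GDB omits it for a frame stopped exactly at a source line.
FRAME_RE = re.compile(r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[A-Za-z_][\w:]*)\s*"
                      r"\(.*?(?:\)\s+at\s+(?P<loc>\S+))?$")

# Constructed sample, abridged from the report's backtrace (most arguments shortened to "...").
# Frames #16-#19 are invented to continue the cycle that the report's "..." elides.
SAMPLE_BACKTRACE = """\
#0  0x0000563bc3865cf3 in Perl_sv_grow (sv=0x0, newlen=0x0) at sv.c:1546
#1  0x0000563bc388f439 in Perl_sv_catpvn_flags (...) at sv.c:5529
#2  0x0000563bc3890c17 in Perl_sv_catpv_flags (...) at sv.c:5646
#3  0x0000563bc38b2a50 in Perl_sv_vcatpvfn_flags (...) at sv.c:11911
#4  0x0000563bc38b0941 in Perl_sv_vsetpvfn (...) at sv.c:10961
#5  0x0000563bc37f7dd0 in Perl_vmess (...) at util.c:1487
#6  0x0000563bc37f8e38 in Perl_vcroak (...) at util.c:1716
#7  0x0000563bc37f912e in Perl_croak (...) at util.c:1763
#8  0x0000563bc37f914a in Perl_croak_no_modify () at util.c:1781
#9  0x0000563bc388d2c2 in Perl_sv_force_normal_flags (...) at sv.c:5325
#10 0x0000563bc3882216 in Perl_sv_setsv_flags (...) at sv.c:4347
#11 0x0000563bc390d135 in Perl_die_unwind (...) at pp_ctl.c:1726
#12 0x0000563bc37f907d in Perl_vcroak (...) at util.c:1718
#13 0x0000563bc37f912e in Perl_croak (...) at util.c:1763
#14 0x0000563bc37f914a in Perl_croak_no_modify () at util.c:1781
#15 0x0000563bc388d2c2 in Perl_sv_force_normal_flags (...) at sv.c:5325
#16 0x0000563bc3882216 in Perl_sv_setsv_flags (...) at sv.c:4347
#17 0x0000563bc390d135 in Perl_die_unwind (...) at pp_ctl.c:1726
#18 0x0000563bc37f907d in Perl_vcroak (...) at util.c:1718
#19 0x0000563bc37f912e in Perl_croak (...) at util.c:1763
...
#28308 0x0000563bc37f907d in Perl_vcroak (...) at util.c:1718
#28309 0x0000563bc37f912e in Perl_croak (...) at util.c:1763
#28310 0x0000563bc37ba100 in S_regatom (...) at regcomp.c:12641
"""


class Frame(NamedTuple):
    num: int
    func: str
    loc: Optional[str]


@dataclass
class Cycle:
    start: int            # index into the parsed frame list of the first repeated frame
    period: int           # frames per repetition
    repeats: int          # complete repetitions observed
    functions: List[str]  # the repeating call sequence, innermost first


def parse_frames(text: str) -> List[Frame]:
    """Parse GDB 'bt' output; non-frame lines such as the '...' elision are skipped."""
    matches = (FRAME_RE.match(line.strip()) for line in text.splitlines())
    return [Frame(int(m["num"]), m["func"], m["loc"]) for m in matches if m]


def contiguous_segments(frames: List[Frame]) -> List[List[Frame]]:
    """Split at gaps in frame numbering so an elided middle cannot fake a shorter cycle."""
    segments: List[List[Frame]] = []
    for f in frames:
        if segments and f.num == segments[-1][-1].num + 1:
            segments[-1].append(f)
        else:
            segments.append([f])
    return segments


def find_recursion_cycle(funcs: List[str], min_repeats: int = 2) -> Optional[Cycle]:
    """Smallest period whose pattern repeats >= min_repeats times; the longest such run wins."""
    n = len(funcs)
    for period in range(1, n // min_repeats + 1):
        best, best_covered = None, 0
        for start in range(n - period * min_repeats + 1):
            i = start
            while i + period < n and funcs[i] == funcs[i + period]:
                i += 1
            covered = i + period - start  # frames explained by repeating funcs[start:start+period]
            if covered // period >= min_repeats and covered > best_covered:
                best, best_covered = Cycle(start, period, covered // period, funcs[start:start + period]), covered
        if best:
            return best
    return None


def triage(backtrace: str) -> dict:
    """Report the repeating frame sequence and the caller beneath it that started the recursion."""
    frames = parse_frames(backtrace)
    cycle, offset = None, 0
    for seg in contiguous_segments(frames):
        c = find_recursion_cycle([f.func for f in seg])
        if c and (cycle is None or c.repeats > cycle.repeats):
            cycle = Cycle(offset + c.start, c.period, c.repeats, c.functions)  # make start global
        offset += len(seg)
    if cycle is None:
        return {"frames_parsed": len(frames), "cycle": None, "repeats_seen": 0, "origin": None}
    # First caller beneath the repeated region that is not part of it: where the unwind began.
    origin = next((f for f in frames[cycle.start:] if f.func not in cycle.functions), None)
    return {"frames_parsed": len(frames), "cycle": cycle.functions, "repeats_seen": cycle.repeats,
            "origin": f"{origin.func} at {origin.loc}" if origin else None}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BACKTRACE).items():
        print(f"{key}: {value}")
```

Run as-is it prints the six-function cycle and `S_regatom at regcomp.c:12641` as the origin; fed the full `bt` output from the report, the repeat count grows with the depth. The split at numbering gaps is what keeps the result honest: if the "..." were ignored, frames #18-#19 followed directly by #28308-#28309 would read as a two-frame Perl_vcroak/Perl_croak cycle and the real six-frame loop through Perl_die_unwind would be missed.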

