Report information
Id: 132828
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: demerphq <demerphq [at] gmail.com>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



Date: Wed, 7 Feb 2018 21:56:35 +0100
From: demerphq <demerphq [...] gmail.com>
Subject: Tricky code can bypass Carp overload protections and trigger exceptions
To: perlbug [...] perl.org
CC: Brian Fraser <fraserbn [...] gmail.com>
This produces interesting results:

perl -MCarp -E 'package OverloadedInXS { my $n = \&overload::nil; my $p = __PACKAGE__; *{$p."::(("} = $n; *{$p.q!::(""!} = sub { return "<My Stringify>" }; } for (1, 2) { sub { Carp::cluck("") }->(bless {}, "OverloadedInXS"); require overload }'

at -e line 1.
main::__ANON__(<My Stringify>) called at -e line 1
at -e line 1.
main::__ANON__(OverloadedInXS=HASH(0xfe6ed8)) called at -e line 1

So one can get around Carp's defenses against overloading. Which means...

perl -MCarp -E 'package OverloadedInXS { my $n = \&overload::nil; my $p = __PACKAGE__; *{$p."::(("} = $n; *{$p.q!::(""!} = sub { Carp::cluck "<My Stringify>" }; } for (1, 2) { sub { Carp::cluck("") }->(bless {}, "OverloadedInXS"); require overload }'

Deep recursion on subroutine "Carp::longmess" at /home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm line 170.
Deep recursion on subroutine "Carp::longmess_heavy" at /home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm line 148.
Deep recursion on subroutine "Carp::ret_backtrace" at /home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm line 450.
Deep recursion on subroutine "Carp::caller_info" at /home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm line 467.
Deep recursion on subroutine "Carp::format_arg" at /home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm line 237.
Deep recursion on subroutine "Carp::caller_info" at /home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm line 481.
Deep recursion on subroutine "Carp::format_arg" at /home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm line 237.
Deep recursion on anonymous subroutine at /home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm line 282.
Segmentation fault

This applies to the most recent perl as well. The following patch, against smoke-me/rt52610 version of Carp:

diff --git a/dist/Carp/lib/Carp.pm b/dist/Carp/lib/Carp.pm index f4ae975..6d4df6e 100644 --- a/dist/Carp/lib/Carp.pm +++ b/dist/Carp/lib/Carp.pm @@ -322,6 +322,11 @@ sub format_arg { } else { + { + no strict 'refs'; + my $pack= ref $arg; + if (*{$pack."::(("}{CODE}) { require overload; } + } my $sub = _fetch_sub(overload => 'StrVal'); return $sub ? &$sub($arg) : "$arg"; }

fixes the segfault by checking to see if overloading is enabled, and if it is requiring overload. Even if they had a good reason to avoid loading overload in the first place, surely doing so to avoid a possible segfault in an exception is reasonable.

Yves
ps: Brian Fraser found this neat trick. Which I am unfortunately having to wet-blanket. :-)

--
perl -Mre=debug -e "/just|another|perl|hacker/"

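Review bot: The check added to format_arg looks for the "((" CODE slot only in the stash named by ref $arg, so an object blessed into a subclass that inherits a hand-built overload table through @ISA would not appear to trigger the require, and the "$arg" fallback on the last line of the hunk could still run user stringification. Consider testing each class in the object's linearized @ISA rather than only $pack. The diff also touches only dist/Carp/lib/Carp.pm; a regression test built from the reproducer in this report would keep the recursion from coming back unnoticed.
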
CC: "bugs-bitbucket [...] rt.perl.org" <bugs-bitbucket [...] rt.perl.org>
To: Perl5 Porteros <perl5-porters [...] perl.org>
Subject: Re: [perl #132828] Tricky code can bypass Carp overload protections and trigger exceptions
From: demerphq <demerphq [...] gmail.com>
Date: Wed, 7 Feb 2018 22:09:03 +0100
On 7 February 2018 at 21:56, yves orton <perlbug-followup@perl.org> wrote:
> # New Ticket Created by yves orton
> # Please include the string: [perl #132828]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt.perl.org/Ticket/Display.html?id=132828 >
>
>
>
> This produces interesting results:
>
> perl -MCarp -E 'package OverloadedInXS { my $n = \&overload::nil; my
> $p = __PACKAGE__; *{$p."::(("} = $n; *{$p.q!::(""!} = sub { return
> "<My Stringify>" }; } for (1, 2) { sub { Carp::cluck("") }->(bless
> {}, "OverloadedInXS"); require overload }'
>
> at -e line 1.
> main::__ANON__(<My Stringify>) called at -e line 1
> at -e line 1.
> main::__ANON__(OverloadedInXS=HASH(0xfe6ed8)) called at -e line 1
>
> So one can get around Carp's defenses against overloading. Which means...
>
> perl -MCarp -E 'package OverloadedInXS { my $n = \&overload::nil; my
> $p = __PACKAGE__; *{$p."::(("} = $n; *{$p.q!::(""!} = sub {
> Carp::cluck "<My Stringify>" }; } for (1, 2) { sub { Carp::cluck("")
> }->(bless {}, "OverloadedInXS"); require overload }'

Simplifies to:

perl -MCarp -E 'my $p = "OverloadedInXS"; *{$p."::(("} = sub{}; *{$p.q!::(""!} = sub { Carp::cluck "<My Stringify>" }; sub { Carp::cluck("") }->(bless {}, $p);'

> This applies to the most recent perl as well. The following patch,
> against smoke-me/rt52610 version of Carp:
>
> diff --git a/dist/Carp/lib/Carp.pm b/dist/Carp/lib/Carp.pm > index f4ae975..6d4df6e 100644 > --- a/dist/Carp/lib/Carp.pm > +++ b/dist/Carp/lib/Carp.pm > @@ -322,6 +322,11 @@ sub format_arg { > } > else > { > + { > + no strict 'refs'; > + my $pack= ref $arg; > + if (*{$pack."::(("}{CODE}) { require overload; } > + } > my $sub = _fetch_sub(overload => 'StrVal'); > return $sub ? &$sub($arg) : "$arg"; > }
>
> fixes the segfault by checking to see if overloading is enabled, and if
> it is requiring overload. Even if they had a good reason to avoid
> loading overload in the first place, surely doing so to avoid a
> possible segfault in an exception is reasonable.
>
> Yves
> ps: Brian Fraser found this neat trick. Which I am unfortunately
> having to wet-blanket. :-)
>
>
> --
> perl -Mre=debug -e "/just|another|perl|hacker/"
>

--
perl -Mre=debug -e "/just|another|perl|hacker/"

Date: Fri, 23 Feb 2018 10:33:00 +0100
From: demerphq <demerphq [...] gmail.com>
Subject: Re: [perl #132828] Tricky code can bypass Carp overload protections and trigger exceptions
To: Perl5 Porteros <perl5-porters [...] perl.org>
CC: "bugs-bitbucket [...] rt.perl.org" <bugs-bitbucket [...] rt.perl.org>
On 7 February 2018 at 22:09, demerphq <demerphq@gmail.com> wrote:
> On 7 February 2018 at 21:56, yves orton <perlbug-followup@perl.org> wrote:
>> # New Ticket Created by yves orton
>> # Please include the string: [perl #132828]
> Simplifies to:
>
> perl -MCarp -E 'my $p = "OverloadedInXS"; *{$p."::(("} = sub{};
> *{$p.q!::(""!} = sub { Carp::cluck "<My Stringify>" }; sub {
> Carp::cluck("") }->(bless {}, $p);'

Fixed in c99363aa273278adcad39f32026629b700f9bbc3

Please don't close the ticket until I can push a patch for testing.

thanks,
Yves

--
perl -Mre=debug -e "/just|another|perl|hacker/"

Subject: Re: [perl #132828] Tricky code can bypass Carp overload protections and trigger exceptions
Date: Sun, 25 Feb 2018 04:16:16 +0100
From: demerphq <demerphq [...] gmail.com>
To: Perl5 Porteros <perl5-porters [...] perl.org>
CC: "bugs-bitbucket [...] rt.perl.org" <bugs-bitbucket [...] rt.perl.org>
On 23 February 2018 at 10:33, demerphq <demerphq@gmail.com> wrote:
> On 7 February 2018 at 22:09, demerphq <demerphq@gmail.com> wrote:
>> On 7 February 2018 at 21:56, yves orton <perlbug-followup@perl.org> wrote:
>>> # New Ticket Created by yves orton
>>> # Please include the string: [perl #132828]
>> Simplifies to:
>>
>> perl -MCarp -E 'my $p = "OverloadedInXS"; *{$p."::(("} = sub{};
>> *{$p.q!::(""!} = sub { Carp::cluck "<My Stringify>" }; sub {
>> Carp::cluck("") }->(bless {}, $p);'
>
> Fixed in c99363aa273278adcad39f32026629b700f9bbc3
>
> Please don't close the ticket until I can push a patch for testing.

Pushed as b20e410261372f568d77e3064b1b57886c331ece

Yves

--
perl -Mre=debug -e "/just|another|perl|hacker/"

