Report information
Id: 132996
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: jeremy [at] feusi.co
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)



Subject: Re: Null pointer dereference in Perl_pp_multiconcat
Date: Sun, 18 Mar 2018 14:08:49 +0100
From: Jeremy Feusi <jeremy [...] feusi.co>
To: perlbug [...] perl.org
I just realized that I used the wrong perlbug. But as I can't seem to get the correct perlbug to run I'll just have to give you the most important facts manually:

Configure command: ./Configure -des -Dusedevel -Dcc=clang -Dcxx=clang++ -Dld=clang++ -Aldflags=-fsanitize=address -Accflags=-g3\ -fsanitize=address -Acxxflags=-g3\ -fsanitize=address

Perl version: perl 5, version 27, subversion 10 built for x86_64-linux

Platform: Linux Debian 4.9.65-3 x86_64 GNU/Linux

Tell me if you need anything else.

In-Reply-To: <5.26.1_42062_1521280686@debian-vm.localdomain>

On Sat, Mar 17, 2018 at 11:32:37AM +0100, jeremy@feusi.co wrote:
> Reply-To: jeremy@feusi.co
>
> This is a bug report for perl from jeremy@feusi.co,
> generated with the help of perlbug 1.40 running under perl 5.26.1.
>
> -----------------------------------------------------------------
> Perl segfaults when executing the attached program (perl <progname>) due to a null pointer dereference in Perl_pp_multiconcat.
> This bug can also be reproduced on archlinux and debian with standard installation configuration and version 5.26.1.
>
> Detailed backtrace:
>
> ASAN:DEADLYSIGNAL
> =================================================================
> ==9327==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x00000084e5f2 bp 0x7ffeed336030 sp 0x7ffeed335a40 T0)
> ==9327==The signal is caused by a READ memory access.
> ==9327==Hint: address points to the zero page.
>     #0 0x84e5f1 in Perl_pp_multiconcat /home/jfe/perl52/pp_hot.c
>     #1 0x8488be in Perl_runops_standard /home/jfe/perl52/run.c:41:26
>     #2 0xa95bf6 in S_regmatch /home/jfe/perl52/regexec.c:7424:3
>     #3 0xa74ea0 in S_regtry /home/jfe/perl52/regexec.c:4086:14
>     #4 0xa57204 in Perl_regexec_flags /home/jfe/perl52/regexec.c:3943:7
>     #5 0x877ab1 in Perl_pp_subst /home/jfe/perl52/pp_hot.c:4212:10
>     #6 0x8488be in Perl_runops_standard /home/jfe/perl52/run.c:41:26
>     #7 0x5dbc91 in S_run_body /home/jfe/perl52/perl.c
>     #8 0x5dabb4 in perl_run /home/jfe/perl52/perl.c:2646:2
>     #9 0x52f0b8 in main /home/jfe/perl52/perlmain.c:122:9
>     #10 0x7fe328886f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
>     #11 0x43f999 in _start (/home/jfe/perl52/perl+0x43f999)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/jfe/perl52/pp_hot.c in Perl_pp_multiconcat
> ==9327==ABORTING
>
> This bug was found with honggfuzz and asan.
> #!./perl
> m/(?{print <<EOF
> A$A
> EOF
> })/g;
> eval 's/${\%A}{3}//e';
To: perl5-porters [...] perl.org
Subject: Re: [perl #132996] Re: Null pointer dereference in Perl_pp_multiconcat
From: Shlomi Fish <shlomif [...] shlomifish.org>
Date: Fri, 23 Mar 2018 10:46:52 +0300
Hi all!

Here is the program:

<<<<<

#!./perl
m/(?{print <<EOF
A$A
EOF
})/g;
eval 's/${\%A}{3}//e';

>>>>>

it segfaults both /usr/bin/perl and bleadperl on my mageia v7 x64 system.

Regards,

Shlomi Fish
From: Shlomi Fish <shlomif [...] shlomifish.org>
Date: Fri, 23 Mar 2018 12:35:56 +0300
Subject: Fw: [perl #132996] Re: Null pointer dereference in Perl_pp_multiconcat
To: <perl5-porters [...] perl.org>
Begin forwarded message:

Date: Fri, 23 Mar 2018 09:20:54 +0000
From: Dave Mitchell <davem@iabyn.com>
To: Shlomi Fish <shlomif@shlomifish.org>
Subject: Re: [perl #132996] Re: Null pointer dereference in Perl_pp_multiconcat

On Fri, Mar 23, 2018 at 10:46:52AM +0300, Shlomi Fish wrote:
> Hi all!
>
> Here is the program:
>
> <<<<<
>
> #!./perl
> m/(?{print <<EOF
> A$A
> EOF
> })/g;
> eval 's/${\%A}{3}//e';
>
> >>>>>
>
> it segfaults both /usr/bin/perl and bleadperl on my mageia v7 x64 system.
It can be reduced further to

    my $a="";
    m/(?{"A$a"})/;
    eval 'm//';

It's something to do with the 'use last successful match' behaviour of m//; when the code block in the regex is executed for a second time, it looks like the wrong pad is in use and padsv($a) returns a null pointer or other garbage.

The bug is present back to at least 5.8.9, so it's (fortunately) not a regression introduced by pp_multiconcat.

-- 
The optimist believes that he lives in the best of all possible worlds.
As does the pessimist.

-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
Stop Using MSIE - http://www.shlomifish.org/no-ie/

Buffy Summers does not really need stakes to slay vampires, because her kisses are deadly for them. And that includes those that she blows in the air.
    — http://www.shlomifish.org/humour/bits/facts/Buffy/

Please reply to list if it's a mailing list post - http://shlom.in/reply .
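As an added example (not code from the ticket or from perl's own test suite), a small harness that runs Dave Mitchell's reduced reproducer in a child interpreter and decodes the wait status, so a given perl build can be checked for this crash without taking down the checking script itself. The PERL_UNDER_TEST environment variable is an assumed name, not a perl convention.

```perl
#!/usr/bin/perl
# Added example: run the reduced reproducer from the thread in a child perl
# and report whether that child died by signal (affected) or exited (not).
use strict;
use warnings;
use File::Temp qw(tempfile);

# Reduced reproducer as quoted in the thread; the trailing print only runs
# if the second (empty-pattern) match did not crash the interpreter.
my $repro = <<'PERL';
my $a="";
m/(?{"A$a"})/;
eval 'm//';
print "survived\n";
PERL

# Interpreter under test: the one running this script, or one named in
# PERL_UNDER_TEST (assumed variable name) to check another build.
my $perl = $ENV{PERL_UNDER_TEST} // $^X;

my ($fh, $file) = tempfile(SUFFIX => '.pl', UNLINK => 1);
print {$fh} $repro;
close $fh or die "close: $!";

# system() leaves the wait status in $?: low 7 bits are the terminating
# signal, bit 7 is the core-dump flag, the high byte is the exit code.
my $rc     = system($perl, $file);
my $signal = $? & 127;
my $core   = ($? & 128) ? ' (core dumped)' : '';
my $exit   = $? >> 8;

if ($rc == -1) {
    die "could not run $perl: $!\n";
}
elsif ($signal) {
    # 11 is SIGSEGV on Linux x86_64. An ASAN build instead aborts after
    # printing its report, so signal 6 (SIGABRT) also means "affected".
    print "$perl: reproducer died with signal $signal$core -> affected\n";
    exit 1;
}
else {
    print "$perl: reproducer exited with status $exit -> not affected\n";
    exit $exit;
}
```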

