a2p access before start of buffer #13351

Closed
p5pRT opened this issue Oct 17, 2013 · 7 comments
p5pRT commented Oct 17, 2013

Migrated from rt.perl.org#120244 (status was 'resolved')

Searchable as RT120244$


p5pRT commented Oct 17, 2013

From guenther@openbsd.org

This is a bug report for perl from guenther@openbsd.org,
generated with the help of perlbug 1.39 running under perl 5.16.3.


a2p can try to access before the beginning of a buffer, which is
undefined behavior of course and leads to crashes. Example input
file which triggers this, truncated down to right after the point
a2p crashes on it.


# $OpenBSD: parse_structinfo.awk,v 1.1 2009/08/09 23:04:49 miod Exp $
#
# Copyright (c) 2009 Miodrag Vallat.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#


Backtrace from core:

#0 0x0000168c98703d68 in str_gets (str=0x168e9fd35200, fp=0x168e9e16ef00)
  at str.c:203
203 if (bp <= str->str_ptr || bp[-2] != '\\')
(gdb) bt
#0 0x0000168c98703d68 in str_gets (str=0x168e9fd35200, fp=0x168e9e16ef00)
  at str.c:203
#1 0x0000168c9870b8bf in yylex () from /tmp/a2p
#2 0x0000168c9870ea2c in yyparse () from /tmp/a2p
#3 0x0000168c9870fe20 in main () from /tmp/a2p
(gdb) p bp - str->str_ptr
$1 = 1
(gdb)

Fix:

Index​: gnu/usr.bin/perl/x2p/str.c

RCS file​: /cvs/src/gnu/usr.bin/perl/x2p/str.c,v
retrieving revision 1.12
diff -u -p -r1.12 str.c
--- gnu/usr.bin/perl/x2p/str.c 25 Mar 2013 20​:41​:01 -0000 1.12
+++ gnu/usr.bin/perl/x2p/str.c 1 Oct 2013 22​:42​:05 -0000
@​@​ -200,7 +200,7 @​@​ str_gets(register STR *str, register FIL
  for (;;) {
  while (--cnt >= 0) {
  if ((*bp++ = *ptr++) == newline) {
- if (bp <= str->str_ptr || bp[-2] != '\\')
+ if (bp <= str->str_ptr + 1 || bp[-2] != '\\')
  goto thats_all_folks;
  else {
  line++;
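Review bot: the old guard `bp <= str->str_ptr` on the `-` line can never be true at this point, because `*bp++` on the line above has already advanced `bp` to at least `str->str_ptr + 1`, so `bp[-2]` was evaluated unconditionally and reads `str->str_ptr[-1]` whenever the newline is the first byte copied into the buffer (exactly the `bp - str->str_ptr == 1` state shown in the gdb session). The `+` line's `str->str_ptr + 1` is the smallest bound that keeps `bp[-2]` inside the buffer, since it requires `bp - str->str_ptr >= 2` before the dereference; the change is correct as long as `bp` starts at `str->str_ptr` on entry, which the hunk context does not show, so it is worth confirming that `bp` is reset to `str->str_ptr` at the top of `str_gets` rather than carried over from a previous call. A one-line comment on the `+` line explaining why `+ 1` is needed would save the next reader from re-deriving this.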

Philip Guenther



Flags:
  category=utilities
  severity=high


Site configuration information for perl 5.16.3:

Configured by root at Thu Jan 1 0:00:00 UTC 1970.

Summary of my perl5 (revision 5 version 16 subversion 3) configuration:

  Platform:
  osname=openbsd, osvers=5.4, archname=amd64-openbsd
  uname='openbsd'
  config_args='-dsE -Dopenbsd_distribution=defined -Dccflags=-DNO_LOCALE_NUMERIC -DNO_LOCALE_COLLATE -Dmksymlinks'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='cc', ccflags ='-DNO_LOCALE_NUMERIC -DNO_LOCALE_COLLATE -fno-strict-aliasing -fno-delete-null-pointer-checks -pipe -fstack-protector -I/usr/local/include',
  optimize='-O2',
  cppflags='-DNO_LOCALE_NUMERIC -DNO_LOCALE_COLLATE -fno-strict-aliasing -fno-delete-null-pointer-checks -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='4.2.1 20070719 ', gccosandvers='openbsd5.4'
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries:
  ld='cc', ldflags ='-Wl,-E -fstack-protector'
  libpth=/usr/lib
  libs=-lm -lutil -lc
  perllibs=-lm -lutil -lc
  libc=/usr/lib/libc.so.70.0, so=so, useshrplib=true, libperl=libperl.so.14.0
  gnulibc_version=''
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-R/usr/libdata/perl5/amd64-openbsd/5.16.3/CORE'
  cccdlflags='-DPIC -fPIC ', lddlflags='-shared -fPIC -fstack-protector'

Locally applied patches:


@INC for perl 5.16.3:
  /usr/local/libdata/perl5/site_perl/amd64-openbsd
  /usr/libdata/perl5/site_perl/amd64-openbsd
  /usr/local/libdata/perl5/site_perl
  /usr/libdata/perl5/site_perl
  /usr/libdata/perl5/amd64-openbsd/5.16.3
  /usr/local/libdata/perl5/amd64-openbsd/5.16.3
  /usr/libdata/perl5
  /usr/local/libdata/perl5
  .


Environment for perl 5.16.3:
  HOME=/home/users/guenther
  LANG (unset)
  LANGUAGE (unset)
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/home/users/guenther/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/sbin:/usr/sbin:/usr/X11R6/bin:/usr/games
  PERL_BADLANG (unset)
  SHELL=/bin/ksh
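The report above describes the defect in the abstract (a read before the start of the buffer when a newline is the first byte copied into it), and the gdb session pins it to `bp - str->str_ptr == 1`. The following is an added, constructed model of that copy loop, written for this page and not taken from a2p's str.c: it copies one logical line (backslash-newline is a continuation, as in the original loop) and lets the caller choose between the original bound `bp <= dst` and the patched bound `bp <= dst + 1`. Instead of dereferencing `bp[-2]` blindly, it reports -1 whenever the chosen guard would have let that read fall before the buffer, so the failure mode is observable without undefined behaviour. The function name, parameters and the sample inputs in `main` are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the str_gets() inner loop (not a2p's own code).
 * Copies bytes from src into dst until an unescaped newline ends the
 * logical line. A newline preceded by a backslash is a continuation and
 * copying goes on with the next physical line.
 *
 * fixed == 0 uses the original guard  bp <= dst
 * fixed == 1 uses the patched guard   bp <= dst + 1
 *
 * Returns the number of bytes copied, or -1 if the guard did not stop the
 * bp[-2] dereference while bp[-2] lies before dst (the read-before-buffer
 * case from the report). Copying also stops when dst is full.
 */
long copy_logical_line(const char *src, size_t srclen,
                       char *dst, size_t dstlen, int fixed)
{
    char *bp = dst;            /* mirrors bp in str_gets(): starts at buffer start */
    const char *ptr = src;
    size_t cnt = srclen;

    while (cnt-- > 0 && (size_t)(bp - dst) < dstlen) {
        if ((*bp++ = *ptr++) == '\n') {
            /* bp is now at least dst + 1, so the original guard never fires */
            const char *limit = fixed ? dst + 1 : dst;
            if (bp <= limit)
                return bp - dst;       /* newline with nothing before it: done */

            /* bp[-2] is only inside the buffer when at least two bytes were copied */
            if (bp - dst < 2)
                return -1;             /* guard failed: would read dst[-1] */

            if (bp[-2] != '\\')
                return bp - dst;       /* ordinary line end */
            /* escaped newline: keep copying (continuation line) */
        }
    }
    return bp - dst;
}

int main(void)
{
    char buf[64];
    /* Constructed inputs: an empty line first (the crash trigger), a plain line,
     * and a backslash-continued line. */
    const char *empty_first = "\nfoo\n";
    const char *plain = "ab\n";
    const char *continued = "ab\\\ncd\n";

    printf("empty line, original guard: %ld\n",
           copy_logical_line(empty_first, strlen(empty_first), buf, sizeof buf, 0));
    printf("empty line, patched guard:  %ld\n",
           copy_logical_line(empty_first, strlen(empty_first), buf, sizeof buf, 1));
    printf("plain line:                 %ld\n",
           copy_logical_line(plain, strlen(plain), buf, sizeof buf, 1));
    printf("continued line:             %ld\n",
           copy_logical_line(continued, strlen(continued), buf, sizeof buf, 1));
    return 0;
}
```

With the original guard the empty first line returns -1 (the model's stand-in for the out-of-bounds read); with the patched guard it returns 1, the single newline, and the continuation case still joins both physical lines as the original loop intends. In the real a2p the bad read was one byte before a malloc'd block, which is why it only crashed on an allocator that places unmapped or guarded memory there, as the later comments in this thread explain.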


p5pRT commented Oct 17, 2013

From @jkeenan

On Wed Oct 16 22:12:32 2013, guenther@openbsd.org wrote:

This is a bug report for perl from guenther@openbsd.org,
generated with the help of perlbug 1.39 running under perl 5.16.3.

-----------------------------------------------------------------

a2p can try to access before the beginning of a buffer, which is
undefined behavior of course and leads to crashes. Example input
file which triggers this, truncated down to right after the point
a2p crashes on it.

I tried to reproduce this problem on blead on our dromedary server,
which is Linux x86_64. I could not. My calls and results:

##########
$ ./x2p/a2p ../p5p/parse_structinfo.awk

#!/usr/local/bin/perl5.19.5
eval 'exec /usr/local/bin/perl -S $0 ${1+"$@"}'
  if $running_under_some_shell;
  # this emulates #! processing on NIH machines.
  # (remove #! line above if indigestible)

eval '$'.$1.'$2;' while $ARGV[0] =~ /^([A-Za-z_0-9]+=)(.*)/ && shift;
  # process any FOO=bar switches

# $OpenBSD: parse_structinfo.awk,v 1.1 2009/08/09 23:04:49 miod Exp $
#
# Copyright (c) 2009 Miodrag Vallat.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#

$ file x2p/a2p
x2p/a2p: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped


p5pRT commented Oct 17, 2013

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Oct 18, 2013

From @jkeenan

On Thu Oct 17 16:44:13 2013, jkeenan wrote:

I tried to reproduce this problem on blead on our dromedary server,
which is Linux x86_64. I could not. My calls and results​:

I also tried to reproduce this problem on blead on Darwin 11.4.2 x86_64. I could not. I got the
same, non-crashing output as I did on Linux.

Is there anyone on list who has access to OpenBSD who could look into this?

Thank you very much.
Jim Keenan


p5pRT commented Oct 18, 2013

From guenther@sendmail.com

On Thu, 17 Oct 2013, James E Keenan via RT wrote:

I tried to reproduce this problem on blead on our dromedary server,
which is Linux x86_64. I could not. My calls and results​:

That just says that the malloc in that OS is more forgiving with access
before the start of the buffer. OpenBSD's malloc is very unforgiving to
find these sorts of issues. Perhaps valgrind would show the problem.

Philip


p5pRT commented Oct 18, 2013

From @iabyn

On Thu, Oct 17, 2013 at 04:44:14PM -0700, James E Keenan via RT wrote:

On Wed Oct 16 22:12:32 2013, guenther@openbsd.org wrote:

a2p can try to access before the beginning of a buffer, which is
undefined behavior of course and leads to crashes. Example input
file which triggers this, truncated down to right after the point
a2p crashes on it.

I tried to reproduce this problem on blead on our dromedary server,
which is Linux x86_64. I could not. My calls and results​:

I also couldn't reproduce it (even with valgrind), but from visual
inspection the patch looked good, so I've applied it as,

  a7ed8fa

with thanks to the OP.

--
Dave's first rule of Opera:
If something needs saying, say it: don't warble it.


p5pRT commented Oct 18, 2013

@iabyn - Status changed from 'open' to 'resolved'
