null ptr deref -> S_pad_findlex (pad.c:1141) #14621
Comments
From @geeknik:
Built v5.21.11 (v5.21.10-23-g21639bf) with the following command line: ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j4 test-prep
Bug found with AFL (http://lcamtuf.coredump.cx/afl)
Valgrind:
GDB:
Hexdump of the 21-byte test case:
System Info: Debian 7, Kernel 3.2.65-1+deb7u2 x86_64, GCC 4.9.2, libc 2.13-38+deb7u8
From @geeknik:
The test case (perl -e 'qq{@{[{}}*sub{]]}}}=u') also crashes the following: perl 5, version 18, subversion 4 (v5.18.4) built for i386-freebsd-thread-multi-64int
From @geeknik:
Does not crash perl 5, version 16, subversion 3 (v5.16.3) built for amd64-freebsd-thread-multi, fails with this error:
$ perl -e 'qq{@{[{}}*sub{]]}}}=u'
From @wolfsage:
On Thu, Mar 26, 2015 at 11:45 PM, Brian Carpenter
This started SEGVing between 5.17.5 and 5.17.6 (on vanilla -des /home/mhorsfall/dpppperls/default/perl-5.17.5/bin/perl5.17.5
-- Matthew Horsfall (alh)
The RT System itself - Status changed from 'new' to 'open'
From @wolfsage:
On Fri, Mar 27, 2015 at 7:21 AM, Matthew Horsfall (alh)
bad - non-zero exit from ./perl -Ilib /home/mhorsfall/test1-min
Don't leak subs containing syntax errors
I fixed this for BEGIN blocks earlier, but missed the fact that
When called without an o argument (from newANONATTRSUB), newATTRSUB
-- Matthew Horsfall (alh)
From @cpansprout:
On Fri Mar 27 05:06:05 2015, alh wrote:
Why are you always blaming me? :-)
-- Father Chrysostomos
From @wolfsage:
On Fri, Mar 27, 2015 at 11:43 AM, Father Chrysostomos via RT
$ git show 6a8dbfd
Add Porting/bisect.pl, to automate bisecting a perl code test case.
It's not me! :)
-- Matthew Horsfall (alh)
From @tonycoz:
On Fri Mar 27 05:06:05 2015, alh wrote:
The attached prevents the crash. There may be a deeper issue where PL_compcv isn't being restored
Tony
From @tonycoz:
0001-perl-124187-don-t-call-pad_findlex-on-a-NULL-CV.patch
From 2cb2d43c2aa5d6af0af9e32ae223501c7679fd74 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 22 Apr 2015 15:01:15 +1000
Subject: [PATCH] [perl #124187] don't call pad_findlex() on a NULL CV
---
pad.c | 4 ++++
t/base/lex.t | 5 +++++
2 files changed, 9 insertions(+)
diff --git a/pad.c b/pad.c
index 2d33779..984b5c1 100644
--- a/pad.c
+++ b/pad.c
@@ -959,6 +959,10 @@ Perl_pad_findmy_pvn(pTHX_ const char *namepv, STRLEN namelen, U32 flags)
Perl_croak(aTHX_ "panic: pad_findmy_pvn illegal flag bits 0x%" UVxf,
(UV)flags);
+ /* compilation errors can zero PL_compcv */
+ if (!PL_compcv)
+ return NOT_IN_PAD;
+
offset = pad_findlex(namepv, namelen, flags,
PL_compcv, PL_cop_seqmax, 1, NULL, &out_pn, &out_flags);
if ((PADOFFSET)offset != NOT_IN_PAD)
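Review bot: the guard `if (!PL_compcv) return NOT_IN_PAD;` removes the NULL dereference at this one call site only, and the thread itself says the underlying cause (PL_compcv not being restored after a compilation error) is not understood yet; two more inputs reported later crash inside S_pad_findlex() with different backtraces. The comment `/* compilation errors can zero PL_compcv */` should say that this is a symptom guard and reference the follow-up (the thread later points at commit de0885d, "null ptr deref in Perl_cv_forget_slab"), so a reader checking the other users of PL_compcv during error recovery knows this check was not meant to be the whole fix.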
diff --git a/t/base/lex.t b/t/base/lex.t
index 0a07ab7..a34a508 100644
--- a/t/base/lex.t
+++ b/t/base/lex.t
@@ -506,3 +506,8 @@ eval q|s##[}#e|;
eval q|my($_);0=split|;
eval q|my $_; @x = split|;
}
+
+{
+ # Used to crash [perl #124187]
+ eval q|qq{@{[{}}*sub{]]}}}=u|;
+}
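Review bot: the new block exercises only the first reproducer; the thread later lists two more inputs that crash in S_pad_findlex() with different backtraces (`qq{@{[{}}*sub{]]}}}=<$foo>` and `qq{@{[{}}*sub{]]}}}; foo()`), and they belong in this same block so the regression test covers every path the ticket found. The eval makes no assertion, which matches the surrounding `eval q|...|` lines and is adequate for a crash test, since a segfault fails the file outright.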
--
1.7.10.4
From @rjbs:
On Tue Apr 21 22:03:33 2015, tonyc wrote:
Are we (read: you) comfortable with this patch as the way to sort this out? Is your concern that this will paper over one symptom but leave a deeper problem still ready to spring, or is that an unrelated observation?
--
From @tonycoz:
On Mon Apr 27 15:21:58 2015, rjbs wrote:
Yes, that's my concern. I haven't worked with the parser enough to know whether PL_compcv == NULL
Ticket 124385 seems related - attempting to do something with a NULL
Tony
From @tonycoz:
On Mon Apr 27 18:03:33 2015, tonyc wrote:
These also crash in S_pad_findlex(), with different backtraces:
qq{@{[{}}*sub{]]}}}=<$foo>
qq{@{[{}}*sub{]]}}}; foo()
In all three cases, PL_compcv == PL_main_cv and there's no sensible value to
I tried changing the code from 9ffcdca to leave PL_compcv if it's PL_main_cv,
I've pushed my original patch from above to blead, since no-one has objected
Tony
@tonycoz - Status changed from 'open' to 'resolved'
From @iabyn:
On Mon, May 04, 2015 at 11:51:56PM -0700, Tony Cook via RT wrote:
I think my description in de0885d covers all these:
commit de0885d
null ptr deref in Perl_cv_forget_slab
--
Migrated from rt.perl.org#124187 (status was 'resolved')
Searchable as RT124187$