Another segfault in a child of Perl_runops_standard, this one in Perl_pp_stat #14910

Closed
p5pRT opened this issue Sep 16, 2015 · 4 comments

@p5pRT

p5pRT commented Sep 16, 2015

Migrated from rt.perl.org#126064 (status was 'resolved')

Searchable as RT126064$

@p5pRT

p5pRT commented Sep 16, 2015

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc=afl-gcc -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@

After reducing testcases using `afl-tmin` and filtering out testcases that are merely iterations of "#!perl -u", I have located the following testcase that triggers a segmentation fault in the perl interpreter. The testcase is the 14 character file:

stat+stat+stat

As with 126042, this seems to be an instance of multiple instances of the same thing being on the stack, related to the stack not being refcounted. However, unlike earlier instances of this bug that I have found, Valgrind finds an earlier error, namely an invalid 32-bit read 4 bytes before a region alloced in Perl_init_stacks. Accordingly, I do not know whether this (and 126042) should be depending on the 77706 tracking bug.

**GDB**

GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ../bin/perl...done.
(gdb) run
Starting program: /usr/local/perl-afl/bin/perl allcrash/f3i000000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
Warning: Use of "stat" without parentheses is ambiguous at allcrash/f3i000000 line 1.
Warning: Use of "stat" without parentheses is ambiguous at allcrash/f3i000000 line 1.

Program received signal SIGSEGV, Segmentation fault.
0x085001b6 in Perl_pp_stat () at pp_sys.c:2869
2869 : !!(sv=POPs, gv = MAYBE_DEREF_GV(sv))) {
(gdb) bt
#0 0x085001b6 in Perl_pp_stat () at pp_sys.c:2869
#1 0x08350c5b in Perl_runops_standard () at run.c:41
#2 0x08116c47 in S_run_body (oldscope=1) at perl.c:2456
#3 perl_run (my_perl=0x87d8008) at perl.c:2379
#4 0x08068762 in main (argc=2, argv=0xbffff4a4, env=0xbffff4b0)
  at perlmain.c:116

**VALGRIND**

==22561== Memcheck, a memory error detector
==22561== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==22561== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==22561== Command: ../bin/perl allcrash/f3i000000
==22561==
Warning: Use of "stat" without parentheses is ambiguous at allcrash/f3i000000 line 1.
Warning: Use of "stat" without parentheses is ambiguous at allcrash/f3i000000 line 1.
==22561== Invalid read of size 4
==22561== at 0x85001B0: Perl_pp_stat (pp_sys.c:2869)
==22561== by 0x8350C5A: Perl_runops_standard (run.c:41)
==22561== by 0x8116C46: S_run_body (perl.c:2456)
==22561== by 0x8116C46: perl_run (perl.c:2379)
==22561== by 0x8068761: main (perlmain.c:116)
==22561== Address 0x42bffd4 is 4 bytes before a block of size 512 alloc'd
==22561== at 0x402A0DE: malloc (vg_replace_malloc.c:296)
==22561== by 0x82B3AF3: Perl_safesysmalloc (util.c:153)
==22561== by 0x8343B47: Perl_av_extend_guts (av.c:182)
==22561== by 0x8343CBF: Perl_av_extend (av.c:80)
==22561== by 0x845CEDD: Perl_new_stackinfo (scope.c:56)
==22561== by 0x80FF36D: Perl_init_stacks (perl.c:4063)
==22561== by 0x80FF84D: perl_construct (perl.c:249)
==22561== by 0x80684B8: main (perlmain.c:110)
==22561==
==22561== Invalid read of size 4
==22561== at 0x85001B6: Perl_pp_stat (pp_sys.c:2869)
==22561== by 0x8350C5A: Perl_runops_standard (run.c:41)
==22561== by 0x8116C46: S_run_body (perl.c:2456)
==22561== by 0x8116C46: perl_run (perl.c:2379)
==22561== by 0x8068761: main (perlmain.c:116)
==22561== Address 0x8 is not stack'd, malloc'd or (recently) free'd
==22561==
==22561==
==22561== Process terminating with default action of signal 11 (SIGSEGV)
==22561== Access not within mapped region at address 0x8
==22561== at 0x85001B6: Perl_pp_stat (pp_sys.c:2869)
==22561== by 0x8350C5A: Perl_runops_standard (run.c:41)
==22561== by 0x8116C46: S_run_body (perl.c:2456)
==22561== by 0x8116C46: perl_run (perl.c:2379)
==22561== by 0x8068761: main (perlmain.c:116)
==22561== If you believe this happened as a result of a stack
==22561== overflow in your program's main thread (unlikely but
==22561== possible), you can try to increase the size of the
==22561== main thread stack using the --main-stacksize= flag.
==22561== The main thread stack size used in this run was 8388608.
==22561==
==22561== HEAP SUMMARY:
==22561== in use at exit: 98,503 bytes in 621 blocks
==22561== total heap usage: 732 allocs, 111 frees, 116,732 bytes allocated
==22561==
==22561== LEAK SUMMARY:
==22561== definitely lost: 160 bytes in 1 blocks
==22561== indirectly lost: 2,584 bytes in 38 blocks
==22561== possibly lost: 0 bytes in 0 blocks
==22561== still reachable: 95,759 bytes in 582 blocks
==22561== suppressed: 0 bytes in 0 blocks
==22561== Rerun with --leak-check=full to see details of leaked memory
==22561==
==22561== For counts of detected and suppressed errors, rerun with: -v
==22561== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault

**PERL -V**

Summary of my perl5 (revision 5 version 23 subversion 3) configuration:
  Commit id: 801fcc2
  Platform:
  osname=linux, osvers=2.6.32-5-686, archname=i686-linux-64int-ld
  uname='linux nagios 2.6.32-5-686 #1 smp tue may 13 16:33:32 utc 2014 i686 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=afl-gcc -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=undef, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='5.2.0', gccosandvers=''
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
  ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
  alignbytes=4, prototype=define
  Linker and Libraries:
  ld='afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/i686-pc-linux-gnu/5.2.0/include-fixed /usr/lib /lib/../lib /usr/lib/../lib /lib /usr/lib/i486-linux-gnu /usr/lib64
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.22'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
  Compile-time options: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_INT
  USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE
  USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_LOCALE_TIME
  USE_LONG_DOUBLE USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Sep 13 2015 22:47:04
  @INC:
  /usr/local/perl-afl/lib/site_perl/5.23.3/i686-linux-64int-ld
  /usr/local/perl-afl/lib/site_perl/5.23.3
  /usr/local/perl-afl/lib/5.23.3/i686-linux-64int-ld
  /usr/local/perl-afl/lib/5.23.3
  /usr/local/perl-afl/lib/site_perl/5.23.2
  /usr/local/perl-afl/lib/site_perl
  .
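The report above pairs a GDB backtrace with a Valgrind run and reads the earliest Memcheck finding (a read 4 bytes before the block allocated in Perl_init_stacks) as more informative than the final fault address. The script below is an added triage example, not part of the report or of perl: it parses both outputs into a crash bucket key (signal plus the first frame outside the run loop) and pulls out the first Memcheck error and the allocator of the block it fell before, so repeated AFL crashes with the same root cause can be deduplicated before filing. The sample strings are the report's own GDB and Valgrind output, trimmed; the RUNLOOP set and the output field names are this example's choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the GDB and Valgrind output from the report above,
# trimmed to the lines a triage script actually needs.
GDB_BT = """\
Program received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0 0x085001b6 in Perl_pp_stat () at pp_sys.c:2869
#1 0x08350c5b in Perl_runops_standard () at run.c:41
#2 0x08116c47 in S_run_body (oldscope=1) at perl.c:2456
#3 perl_run (my_perl=0x87d8008) at perl.c:2379
#4 0x08068762 in main (argc=2, argv=0xbffff4a4, env=0xbffff4b0)
  at perlmain.c:116
"""
VALGRIND = """\
==22561== Invalid read of size 4
==22561== at 0x85001B0: Perl_pp_stat (pp_sys.c:2869)
==22561== by 0x8350C5A: Perl_runops_standard (run.c:41)
==22561== Address 0x42bffd4 is 4 bytes before a block of size 512 alloc'd
==22561== at 0x402A0DE: malloc (vg_replace_malloc.c:296)
==22561== by 0x845CEDD: Perl_new_stackinfo (scope.c:56)
==22561== by 0x80FF36D: Perl_init_stacks (perl.c:4063)
==22561==
==22561== Invalid read of size 4
==22561== at 0x85001B6: Perl_pp_stat (pp_sys.c:2869)
==22561== Address 0x8 is not stack'd, malloc'd or (recently) free'd
==22561==
"""

SIGNAL_RE = re.compile(r"Program received signal (\w+)")
GDB_FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s+\(.*?\)\s+at\s+(\S+):(\d+)")
VG_PREFIX_RE = re.compile(r"^==\d+==\s?")
VG_ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)")
VG_FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((\S+):(\d+)\)")
VG_ADDR_RE = re.compile(r"^Address 0x[0-9a-fA-F]+ is (.*)$")
# Run-loop scaffolding present in every perl crash; it says nothing about the bug.
RUNLOOP = {"Perl_runops_standard", "S_run_body", "perl_run", "main"}

@dataclass
class Frame:
    func: str
    file: str
    line: int

@dataclass
class VgError:
    kind: str
    frames: list = field(default_factory=list)        # where the bad access happened
    address: str = ""                                 # Valgrind's description of the address
    alloc_frames: list = field(default_factory=list)  # who allocated the nearby block, if any

def parse_gdb(text):
    """Return (signal name, frames). GDB wraps long frames onto indented continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    signal, frames = None, []
    for line in lines:
        if m := SIGNAL_RE.search(line):
            signal = m.group(1)
        if m := GDB_FRAME_RE.match(line):
            frames.append(Frame(m.group(2), m.group(3), int(m.group(4))))
    return signal, frames

def parse_valgrind(text):
    """Return the Memcheck errors in order, each with its access stack and allocation stack."""
    errors, section = [], None
    for raw in text.splitlines():
        if not (m := VG_PREFIX_RE.match(raw)):
            continue
        line = raw[m.end():].strip()
        if not line:
            section = None                      # blank ==PID== line ends the current error
        elif e := VG_ERROR_RE.match(line):
            errors.append(VgError(kind=f"Invalid {e.group(1)} of size {e.group(2)}"))
            section = "frames"
        elif (a := VG_ADDR_RE.match(line)) and errors:
            errors[-1].address = a.group(1)
            section = "alloc"
        elif (f := VG_FRAME_RE.match(line)) and errors and section:
            target = errors[-1].frames if section == "frames" else errors[-1].alloc_frames
            target.append(Frame(f.group(1), f.group(2), int(f.group(3))))
    return errors

def triage(gdb_text, valgrind_text):
    """Bucket key plus the earliest Memcheck finding, which usually sits closer to the root cause than the fault."""
    signal, frames = parse_gdb(gdb_text)
    culprit = next((f for f in frames if f.func not in RUNLOOP), None)
    errors = parse_valgrind(valgrind_text)
    first = errors[0] if errors else None
    return {
        "bucket": f"{signal}:{culprit.func}:{culprit.file}:{culprit.line}" if culprit else f"{signal}:unknown",
        "first_error": first.kind if first else None,
        "first_error_address": first.address if first else None,
        # "N bytes before a block" means the access fell below the start of a heap buffer: an underflow.
        "reads_before_block": bool(first and "bytes before a block" in first.address),
        "block_allocated_by": [f.func for f in first.alloc_frames] if first else [],
    }

if __name__ == "__main__":
    for key, value in triage(GDB_BT, VALGRIND).items():
        print(f"{key}: {value}")
```

Run on the sample, the bucket key is `SIGSEGV:Perl_pp_stat:pp_sys.c:2869` and `reads_before_block` is true with `Perl_init_stacks` in the allocation stack, which is the combination that distinguishes a stack-pointer underflow from an unrelated null dereference that happens to land in the same op.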

@p5pRT

p5pRT commented Sep 20, 2015

From @cpansprout

On Tue Sep 15 19:23:00 2015, dcollinsn@gmail.com wrote:

> Greetings Porters,
>
> I have compiled bleadperl with the afl-gcc compiler using:
>
> ./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc=afl-gcc
> -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir
> -Uman3dir -des
> AFL_HARDEN=1 make && make test
>
> And then fuzzed the resulting binary using:
>
> AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
>
> After reducing testcases using `afl-tmin` and filtering out testcases
> that are merely iterations of "#!perl -u", I have located the
> following testcase that triggers a segmentation fault in the perl
> interpreter. The testcase is the 14 character file:
>
> stat+stat+stat
>
> As with 126042, this seems to be an instance of multiple instances of
> the same thing being on the stack, related to the stack not being
> refcounted.

It has nothing to do with the stack not being refcounted, but stack corruption resulting from perl losing track of where the current stack pointer is meant to be. It is reading past the beginning of the stack.

I have just fixed it in 7f399b4.

--

Father Chrysostomos
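The diagnosis above is that an op popped past the start of the argument stack, so the first Valgrind error is a read just before the block allocated in Perl_init_stacks while the fatal read comes later. The C program below is an added illustration, not perl's code: a toy value stack with the same push/pop shape (slot 0 is a dummy entry, the stack is empty when sp is 0, push is slots[++sp] = v, pop is slots[sp--]). In unchecked mode the first over-popping op silently overwrites the dummy slot and a later op is the one that reaches below the array, which is why the crash site alone does not identify the culprit; in checked mode the pop refuses to go below the base and records the op that tried. The op letters, the DUMMY marker and the return codes are this example's conventions.

```c
#include <stdio.h>
#include <string.h>

#define STACK_SLOTS 8
#define DUMMY 0x4341L   /* arbitrary marker in the dummy slot below the first real entry */

typedef struct {
    long slots[STACK_SLOTS];
    int sp;             /* index of the top item; 0 means empty */
    int underflow_at;   /* -1, or the index of the op whose pop went below the base */
} vstack;

static void vs_init(vstack *st) {
    memset(st, 0, sizeof *st);
    st->slots[0] = DUMMY;
    st->underflow_at = -1;
}

static int vs_push(vstack *st, long v) {
    if (st->sp + 1 >= STACK_SLOTS) return 0;   /* overflow: refuse */
    st->slots[++st->sp] = v;
    return 1;
}

/* Plain *sp-- pop. With sp == 0 it hands back the dummy slot and leaves
 * sp == -1; the next pop would read slots[-1], memory just before the array. */
static long vs_pop_unchecked(vstack *st) {
    return st->slots[st->sp--];
}

/* Checked pop: refuses to go below the first real entry and records which op tried. */
static int vs_pop_checked(vstack *st, int op_index, long *out) {
    if (st->sp <= 0) {
        if (st->underflow_at < 0) st->underflow_at = op_index;
        *out = 0;
        return 0;
    }
    *out = st->slots[st->sp--];
    return 1;
}

static int pop(vstack *st, int checked, int op_index, long *out) {
    if (checked) return vs_pop_checked(st, op_index, out);
    if (st->sp < 0) {   /* harness guard: the real interpreter faults here instead */
        if (st->underflow_at < 0) st->underflow_at = op_index;
        return 0;
    }
    *out = vs_pop_unchecked(st);
    return 1;
}

/* Tiny op string: 'n' pushes 1; 'u' pops one and pushes arg+10; 'b' pops two and
 * pushes their sum. Returns 0 on success, -1 when checked mode caught an underflow,
 * -2 when unchecked mode hit the guard, -3 on overflow, -4 on an unknown op. */
static int run_program(const char *ops, int checked, vstack *st) {
    for (int i = 0; ops[i]; i++) {
        long a = 0, b = 0;
        switch (ops[i]) {
        case 'n':
            if (!vs_push(st, 1)) return -3;
            break;
        case 'u':
            if (!pop(st, checked, i, &a)) return checked ? -1 : -2;
            if (!vs_push(st, a + 10)) return -3;
            break;
        case 'b':
            if (!pop(st, checked, i, &b) || !pop(st, checked, i, &a)) return checked ? -1 : -2;
            if (!vs_push(st, a + b)) return -3;
            break;
        default:
            return -4;
        }
    }
    return 0;
}

/* Index of the op at which the underflow was noticed, or -1 if the run was clean. */
static int first_bad_op(const char *ops, int checked) {
    vstack st;
    vs_init(&st);
    run_program(ops, checked, &st);
    return st.underflow_at;
}

/* Value left on top after a checked run, or -1 if the run was rejected. */
static long result_of(const char *ops) {
    vstack st;
    vs_init(&st);
    if (run_program(ops, 1, &st) != 0 || st.sp < 1) return -1;
    return st.slots[st.sp];
}

int main(void) {
    printf("nnb -> %ld\n", result_of("nnb"));
    printf("ubub checked:   first bad op %d\n", first_bad_op("ubub", 1));
    printf("ubub unchecked: first bad op %d\n", first_bad_op("ubub", 0));
    return 0;
}
```

For the program "ubub" (a unary op with no argument on the stack, like a bare `stat`, followed by a binary op) checked mode blames op 0, while unchecked mode only trips at op 1, one op later than the real mistake. The DUMMY slot plays the role of the bytes just below the heap block in the Valgrind output: the first bad pop reads it without any fault, and the damage shows up only when something reads one slot further down.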

@p5pRT

p5pRT commented Sep 20, 2015

The RT System itself - Status changed from 'new' to 'open'

@p5pRT p5pRT closed this as completed Sep 20, 2015
@p5pRT

p5pRT commented Sep 20, 2015

@cpansprout - Status changed from 'open' to 'resolved'
