Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SIGSEGV after panic: reg_node overrun, invalid write in S_regatom #14998

Closed
p5pRT opened this issue Oct 20, 2015 · 6 comments
Closed

SIGSEGV after panic: reg_node overrun, invalid write in S_regatom #14998

p5pRT opened this issue Oct 20, 2015 · 6 comments

Comments

@p5pRT
Copy link

p5pRT commented Oct 20, 2015

Migrated from rt.perl.org#126406 (status was 'resolved')

Searchable as RT126406$

@p5pRT
Copy link
Author

p5pRT commented Oct 20, 2015

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segmentation fault in the perl interpreter. The testcase is the file​:

/.0\N{6,0}0\N{6,0}000000000000000000000000000000000/

The output is the following​:

panic​: reg_node overrun trying to emit 0, 1633dec>=1633de8 at -e line 1.
Segmentation fault

**GDB**

(gdb) run
Starting program​: /home/dcollins/perldebug/perl -e /.0\\N\{6,0\}0\\N\{6,0\}000000000000000000000000000000000/
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
panic​: reg_node overrun trying to emit 0, 1211f7c>=1211f78 at -e line 1.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6d38528 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6d38528 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x000000000043a1cc in Perl_opslab_free (slab=0x1211cf0) at op.c​:418
#2 0x000000000043f246 in Perl_opslab_force_free (slab=<optimized out>) at op.c​:461
#3 0x000000000068beea in Perl_cv_undef_flags (cv=0x11f3210, flags=0) at pad.c​:354
#4 0x000000000093c5f0 in Perl_sv_clear (orig_sv=0x11f3210) at sv.c​:6462
#5 0x000000000093f9bc in Perl_sv_free2 (sv=0x11f3210, rc=<optimized out>) at sv.c​:6885
#6 0x000000000052d011 in S_SvREFCNT_dec (sv=<optimized out>) at inline.h​:166
#7 perl_destruct (my_perl=<optimized out>) at perl.c​:785
#8 0x000000000042be70 in main (argc=3, argv=0x7fffffffe318, env=0x7fffffffe338) at perlmain.c​:127
(gdb) info locals
No symbol table info available.
(gdb) f 1
#1 0x000000000043a1cc in Perl_opslab_free (slab=0x1211cf0) at op.c​:418
418 PerlMemShared_free(slab);
(gdb) info locals
slab2 = 0x0
__PRETTY_FUNCTION__ = "Perl_opslab_free"

**VALGRIND**

==44674== Memcheck, a memory error detector
==44674== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==44674== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==44674== Command​: /home/dcollins/perldebug/perl -e /.0\\N{6,0}0\\N{6,0}000000000000000000000000000000000/
==44674==
==44674== Invalid write of size 1
==44674== at 0x72BC0C​: S_regatom (regcomp.c​:12792)
==44674== by 0x73A835​: S_regpiece (regcomp.c​:10880)
==44674== by 0x73A835​: S_regbranch (regcomp.c​:10805)
==44674== by 0x75D006​: S_reg.constprop.46 (regcomp.c​:10550)
==44674== by 0x79B9A8​: Perl_re_op_compile (regcomp.c​:6953)
==44674== by 0x4E7EC1​: Perl_pmruntime (op.c​:5580)
==44674== by 0x66F07C​: Perl_yyparse (perly.y​:1032)
==44674== by 0x53A658​: S_parse_body (perl.c​:2307)
==44674== by 0x5423E2​: perl_parse (perl.c​:1634)
==44674== by 0x42BC87​: main (perlmain.c​:114)
==44674== Address 0x5f7c858 is 0 bytes after a block of size 120 alloc'd
==44674== at 0x4C27C0F​: malloc (vg_replace_malloc.c​:299)
==44674== by 0x7F13BC​: Perl_safesysmalloc (util.c​:153)
==44674== by 0x79AE5D​: Perl_re_op_compile (regcomp.c​:6803)
==44674== by 0x4E7EC1​: Perl_pmruntime (op.c​:5580)
==44674== by 0x66F07C​: Perl_yyparse (perly.y​:1032)
==44674== by 0x53A658​: S_parse_body (perl.c​:2307)
==44674== by 0x5423E2​: perl_parse (perl.c​:1634)
==44674== by 0x42BC87​: main (perlmain.c​:114)
==44674==
panic​: reg_node overrun trying to emit 0, 5f7c85c>=5f7c858 at -e line 1.
==44674==
==44674== HEAP SUMMARY​:
==44674== in use at exit​: 110,368 bytes in 571 blocks
==44674== total heap usage​: 739 allocs, 168 frees, 141,739 bytes allocated
==44674==
==44674== LEAK SUMMARY​:
==44674== definitely lost​: 0 bytes in 0 blocks
==44674== indirectly lost​: 0 bytes in 0 blocks
==44674== possibly lost​: 0 bytes in 0 blocks
==44674== still reachable​: 110,368 bytes in 571 blocks
==44674== suppressed​: 0 bytes in 0 blocks
==44674== Rerun with --leak-check=full to see details of leaked memory
==44674==
==44674== For counts of detected and suppressed errors, rerun with​: -v
==44674== ERROR SUMMARY​: 1 errors from 1 contexts (suppressed​: 0 from 0)

**PERL -V**

Summary of my perl5 (revision 5 version 23 subversion 4) configuration​:
  Commit id​: a7dba6f
  Platform​:
  osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt11-1+deb8u4 (2015-09-19) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DDEBUG_LEAKING_SCALARS -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache afl-gcc', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='4.9.2', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.19'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
  USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
  USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Oct 15 2015 20​:45​:21
  @​INC​:
  /usr/local/perl-afl/lib/site_perl/5.23.4/x86_64-linux-ld
  /usr/local/perl-afl/lib/site_perl/5.23.4
  /usr/local/perl-afl/lib/5.23.4/x86_64-linux-ld
  /usr/local/perl-afl/lib/5.23.4
  .

@p5pRT
Copy link
Author

p5pRT commented Oct 20, 2015

@khwilliamson - Status changed from 'new' to 'open'

@p5pRT
Copy link
Author

p5pRT commented Oct 20, 2015

From @khwilliamson

Thanks for the report.

Fixed by 9457bb3

--
Karl Williamson

@p5pRT
Copy link
Author

p5pRT commented Oct 20, 2015

@khwilliamson - Status changed from 'open' to 'pending release'

@p5pRT
Copy link
Author

p5pRT commented May 13, 2016

From @khwilliamson

Thank you for submitting this report. You have helped make Perl better.
 
With the release of Perl 5.24.0 on May 9, 2016, this and 149 other issues have been resolved.

Perl 5.24.0 may be downloaded via https://metacpan.org/release/RJBS/perl-5.24.0

@p5pRT p5pRT closed this as completed May 13, 2016
@p5pRT
Copy link
Author

p5pRT commented May 13, 2016

@khwilliamson - Status changed from 'pending release' to 'resolved'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant