
$=x~0 segfaults Perl 5.24.0-RC1-2-gde1d2c7 #15279

Closed
p5pRT opened this issue Apr 17, 2016 · 6 comments


p5pRT commented Apr 17, 2016

Migrated from rt.perl.org#127915 (status was 'resolved')

Searchable as RT127915$


p5pRT commented Apr 17, 2016

From @geeknik

While fuzzing Perl v5.24.0-RC1-2-gde1d2c7 with American Fuzzy Lop, I found that perl -e '$=x~0' triggers a segfault. Perl v5.14.2 dies with "panic: memory wrap at test05.pl line 1."

Starting program: /home/geeknik/perl/perl test05.pl
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__memcpy_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:296
296 ../sysdeps/x86_64/multiarch/memcpy-ssse3.S: No such file or directory.
(gdb) bt
#0 __memcpy_ssse3 () at ../sysdeps/x86_64/multiarch/memcpy-ssse3.S:296
#1 0x00000000008208fb in memcpy (__len=131072, __src=0x11fb082, __dest=<optimized out>)
  at /usr/include/x86_64-linux-gnu/bits/string3.h:52
#2 Perl_repeatcpy (
  to=0x11fb082 "60606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060606060"..., from=<optimized out>, len=2, count=9223372036854775806) at util.c:3239
#3 0x0000000000a62cdc in Perl_pp_repeat () at pp.c:1895
#4 0x00000000007ff5d4 in Perl_runops_debug () at dump.c:2239
#5 0x0000000000539034 in S_run_body (oldscope=1) at perl.c:2483
#6 perl_run (my_perl=<optimized out>) at perl.c:2406
#7 0x000000000042eac8 in main (argc=2, argv=0x7fffffffe678, env=0x7fffffffe690) at perlmain.c:116

==13016== Invalid write of size 1
==13016== at 0x4C2A7C8: memcpy (mc_replace_strmem.c:838)
==13016== by 0x8208FA: Perl_repeatcpy (string3.h:52)
==13016== by 0xA62CDB: Perl_pp_repeat (pp.c:1895)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016== Address 0x5eddfb1 is 7 bytes after a block of size 10 alloc'd
==13016== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==13016== by 0x80EDD8: Perl_safesysmalloc (util.c:153)
==13016== by 0x9A3C9F: Perl_sv_grow (sv.c:1603)
==13016== by 0x9BFD9F: Perl_sv_2pv_flags (sv.c:3072)
==13016== by 0x9F0F99: Perl_sv_pvn_force_flags (sv.c:9939)
==13016== by 0xA638D6: Perl_pp_repeat (pp.c:1879)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016==
==13016== Invalid write of size 2
==13016== at 0x4C2A846: memcpy (mc_replace_strmem.c:838)
==13016== by 0x8208FA: Perl_repeatcpy (string3.h:52)
==13016== by 0xA62CDB: Perl_pp_repeat (pp.c:1895)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016== Address 0x5eddfae is 4 bytes after a block of size 10 alloc'd
==13016== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==13016== by 0x80EDD8: Perl_safesysmalloc (util.c:153)
==13016== by 0x9A3C9F: Perl_sv_grow (sv.c:1603)
==13016== by 0x9BFD9F: Perl_sv_2pv_flags (sv.c:3072)
==13016== by 0x9F0F99: Perl_sv_pvn_force_flags (sv.c:9939)
==13016== by 0xA638D6: Perl_pp_repeat (pp.c:1879)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016==
==13016== Invalid read of size 1
==13016== at 0x4C2A7C1: memcpy (mc_replace_strmem.c:838)
==13016== by 0x8208FA: Perl_repeatcpy (string3.h:52)
==13016== by 0xA62CDB: Perl_pp_repeat (pp.c:1895)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016== Address 0x5eddfb1 is 7 bytes after a block of size 10 alloc'd
==13016== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==13016== by 0x80EDD8: Perl_safesysmalloc (util.c:153)
==13016== by 0x9A3C9F: Perl_sv_grow (sv.c:1603)
==13016== by 0x9BFD9F: Perl_sv_2pv_flags (sv.c:3072)
==13016== by 0x9F0F99: Perl_sv_pvn_force_flags (sv.c:9939)
==13016== by 0xA638D6: Perl_pp_repeat (pp.c:1879)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016==
==13016== Invalid read of size 8
==13016== at 0x4C2A7E8: memcpy (mc_replace_strmem.c:838)
==13016== by 0x8208FA: Perl_repeatcpy (string3.h:52)
==13016== by 0xA62CDB: Perl_pp_repeat (pp.c:1895)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016== Address 0x5eddfa8 is 8 bytes inside a block of size 10 alloc'd
==13016== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==13016== by 0x80EDD8: Perl_safesysmalloc (util.c:153)
==13016== by 0x9A3C9F: Perl_sv_grow (sv.c:1603)
==13016== by 0x9BFD9F: Perl_sv_2pv_flags (sv.c:3072)
==13016== by 0x9F0F99: Perl_sv_pvn_force_flags (sv.c:9939)
==13016== by 0xA638D6: Perl_pp_repeat (pp.c:1879)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016==
==13016== Invalid write of size 8
==13016== at 0x4C2A7ED: memcpy (mc_replace_strmem.c:838)
==13016== by 0x8208FA: Perl_repeatcpy (string3.h:52)
==13016== by 0xA62CDB: Perl_pp_repeat (pp.c:1895)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016== Address 0x5eddfb8 is 14 bytes after a block of size 10 alloc'd
==13016== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==13016== by 0x80EDD8: Perl_safesysmalloc (util.c:153)
==13016== by 0x9A3C9F: Perl_sv_grow (sv.c:1603)
==13016== by 0x9BFD9F: Perl_sv_2pv_flags (sv.c:3072)
==13016== by 0x9F0F99: Perl_sv_pvn_force_flags (sv.c:9939)
==13016== by 0xA638D6: Perl_pp_repeat (pp.c:1879)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016==
==13016== Invalid read of size 8
==13016== at 0x4C2A7FA: memcpy (mc_replace_strmem.c:838)
==13016== by 0x8208FA: Perl_repeatcpy (string3.h:52)
==13016== by 0xA62CDB: Perl_pp_repeat (pp.c:1895)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016== Address 0x5eddfa8 is 8 bytes inside a block of size 10 alloc'd
==13016== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==13016== by 0x80EDD8: Perl_safesysmalloc (util.c:153)
==13016== by 0x9A3C9F: Perl_sv_grow (sv.c:1603)
==13016== by 0x9BFD9F: Perl_sv_2pv_flags (sv.c:3072)
==13016== by 0x9F0F99: Perl_sv_pvn_force_flags (sv.c:9939)
==13016== by 0xA638D6: Perl_pp_repeat (pp.c:1879)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016==
==13016==
==13016== Process terminating with default action of signal 11 (SIGSEGV)
==13016== Access not within mapped region at address 0x62DDFA1
==13016== at 0x4C2A7C8: memcpy (mc_replace_strmem.c:838)
==13016== by 0x8208FA: Perl_repeatcpy (string3.h:52)
==13016== by 0xA62CDB: Perl_pp_repeat (pp.c:1895)
==13016== by 0x7FF5D3: Perl_runops_debug (dump.c:2239)
==13016== by 0x539033: perl_run (perl.c:2483)
==13016== by 0x42EAC7: main (perlmain.c:116)
==13016== If you believe this happened as a result of a stack
==13016== overflow in your program's main thread (unlikely but
==13016== possible), you can try to increase the size of the
==13016== main thread stack using the --main-stacksize= flag.
==13016== The main thread stack size used in this run was 8388608.
Segmentation fault


p5pRT commented Apr 18, 2016

From zefram@fysh.org

Brian Carpenter wrote:

While fuzzing Perl v5.24.0-RC1-2-gde1d2c7 with American Fuzzy Lop, I
found that perl -e '$=x~0' triggers a segfault. Perl v5.14.2 dies with
"panic: memory wrap at test05.pl line 1."

This doesn't depend on $=. Any two-character string will do:

$ perl -lwe 'print "ab" x ~0'
panic: memory wrap at -e line 1.

It's specific to length 2:

$ perl -lwe 'print "abc" x ~0'
Out of memory during string extend at -e line 1.
$ perl -lwe 'print "a" x ~0'
Out of memory!
panic: fold_constants JMPENV_PUSH returned 2 at -e line 1.

The panic for length 1 is obviously a different problem. It's specific to
the constant-foldable situation, and didn't happen prior to Perl 5.17.1.
It might also be considered a problem that length 1 yields the "Out of
memory!" pseudo-panic, rather than the catchable exception generated
for length 3 and above.

-zefram
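The failure mode in the traces above is an undersized buffer (valgrind reports a 10-byte block) being filled by repeatcpy with a count of 9223372036854775806 two-byte units. The arithmetic that sizes such a buffer, len * count plus a terminator, then rounding up to an allocation quantum, sits within a few bytes of the top of a 64-bit size_t for these values, which is where unchecked size computations wrap. The following is an added example, not code from perl's pp_repeat or sv_grow, that shows that hazard on the reported values and a checked sizing routine that refuses them. The quantum of 16 and the helper names are assumptions for illustration.

```c
/* Added example (not perl's code): overflow in sizing a string-repeat
 * buffer, and a checked version that rejects it before any allocation.
 * Inputs are modelled on the report above: a 2-byte string ("60", the
 * value of $=) and a repeat count just under 2^63. The exact allocation
 * path inside perl is not reproduced; only the arithmetic hazard is. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Naive sizing: len * count, +1 for the NUL, rounded up to a power-of-two
 * quantum (16 is an assumed value). Every step is unchecked, so the result
 * can wrap to a tiny number or to 0. */
static size_t naive_repeat_alloc(size_t len, size_t count, size_t quantum)
{
    size_t bytes = len * count + 1;
    return (bytes + quantum - 1) & ~(quantum - 1);
}

/* Checked sizing: every intermediate must fit in size_t, including the
 * round-up, which is the step that wraps even when len * count does not. */
static bool checked_repeat_alloc(size_t len, size_t count, size_t quantum,
                                 size_t *out)
{
    size_t bytes;
    if (len != 0 && count > (SIZE_MAX - 1) / len)
        return false;                    /* len * count + 1 would wrap */
    bytes = len * count + 1;
    if (bytes > SIZE_MAX - (quantum - 1))
        return false;                    /* round-up would wrap */
    *out = (bytes + quantum - 1) & ~(quantum - 1);
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the request is refused. */
static size_t checked_or_zero(size_t len, size_t count, size_t quantum)
{
    size_t out;
    return checked_repeat_alloc(len, count, quantum, &out) ? out : 0;
}

/* Repeat src[0..len) count times into a fresh NUL-terminated buffer.
 * Returns NULL if the size cannot be represented or malloc fails. */
static char *safe_repeat(const char *src, size_t len, size_t count,
                         size_t *out_len)
{
    size_t alloc, i;
    char *buf;
    if (!checked_repeat_alloc(len, count, 16, &alloc))
        return NULL;
    buf = malloc(alloc);
    if (buf == NULL)
        return NULL;
    for (i = 0; i < count; i++)
        memcpy(buf + i * len, src, len);
    buf[len * count] = '\0';
    *out_len = len * count;
    return buf;
}

/* Returns 1 if safe_repeat produces exactly `expect`, 0 otherwise
 * (including when it correctly refuses). */
static int repeat_equals(const char *src, size_t len, size_t count,
                         const char *expect)
{
    size_t n;
    char *s = safe_repeat(src, len, count, &n);
    int ok = (s != NULL && n == strlen(expect) && strcmp(s, expect) == 0);
    free(s);
    return ok;
}

int main(void)
{
    /* Constructed case: len 2, count = SIZE_MAX >> 1 (2^63 - 1 on 64-bit).
     * len * count + 1 == SIZE_MAX, so the naive round-up wraps to 0 while
     * the checked version refuses. */
    size_t report_count = SIZE_MAX >> 1;
    (void)naive_repeat_alloc(2, report_count, 16);      /* 0 after wrap */
    (void)checked_or_zero(2, report_count, 16);         /* 0: refused */
    (void)repeat_equals("60", 2, 3, "606060");           /* 1: small case */
    return 0;
}
```

The first check alone would accept the reported values, since 2 * (2^63 - 1) + 1 still fits; it is the round-up that overflows, which is why the second check is not redundant. In a real allocator path the same reasoning applies to every adjustment made after the multiply.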


p5pRT commented Apr 18, 2016

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jun 6, 2016

From @tonycoz

On Sun Apr 17 16:31:11 2016, brian.carpenter@gmail.com wrote:

While fuzzing Perl v5.24.0-RC1-2-gde1d2c7 with American Fuzzy Lop, I
found that perl -e '$=x~0' triggers a segfault. Perl v5.14.2 dies with
"panic: memory wrap at test05.pl line 1."

As with #128001, this appears to have been fixed by 6bbd724.

Can you reproduce it with blead?

Tony


p5pRT commented Jun 6, 2016

From @iabyn

On Sun, Jun 05, 2016 at 09:34:12PM -0700, Tony Cook via RT wrote:

On Sun Apr 17 16:31:11 2016, brian.carpenter@gmail.com wrote:

While fuzzing Perl v5.24.0-RC1-2-gde1d2c7 with American Fuzzy Lop, I
found that perl -e '$=x~0' triggers a segfault. Perl v5.14.2 dies with
"panic: memory wrap at test05.pl line 1."

As with #128001, this appears to have been fixed by 6bbd724.

Yes, that commit was explicitly a fix for [perl #127915], but I only
updated the [perl #127855] ticket. Closing.

--
In economics, the exam questions are the same every year.
They just change the answers.


p5pRT commented Jun 6, 2016

@iabyn - Status changed from 'open' to 'resolved'
