
Quadmath builds segfault on repeat with a very large count #15297

Closed
p5pRT opened this issue Apr 27, 2016 · 6 comments

Comments


p5pRT commented Apr 27, 2016

Migrated from rt.perl.org#128001 (status was 'resolved')

Searchable as RT128001$


p5pRT commented Apr 27, 2016

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segmentation fault in the perl interpreter. The testcase is the 23-character file:

dcollins@nightshade64:/usr/local/perl-afl/out$ cat allcrash/f4i000000
20x20000000000000000000

On quadmath builds, this crashes with a segmentation fault. On non-quadmath (long doubles) builds, this runs without error:

dcollins@nightshade64:/usr/local/perl-afl/out$ ~/perlquad/perl allcrash/f4i000000
Segmentation fault
dcollins@nightshade64:/usr/local/perl-afl/out$ ~/perl/perl allcrash/f4i000000
dcollins@nightshade64:/usr/local/perl-afl/out$

Debugging tool output is below. The crashing call is memcpy(0xec1182, 0xea1182, 131072). These memory locations do not overlap.

Using a slightly smaller argument causes this to crash, rather appropriately, with Out of Memory:

dcollins@nightshade64:/usr/local/perl-afl/out$ ~/perlquad/perl -e "20x20000000000000000000"
Segmentation fault
dcollins@nightshade64:/usr/local/perl-afl/out$ ~/perlquad/perl -e "20x10000000000000000000"
Segmentation fault
dcollins@nightshade64:/usr/local/perl-afl/out$ ~/perlquad/perl -e "20x1000000000000000000"
Out of memory!
panic: fold_constants JMPENV_PUSH returned 2 at -e line 1.
dcollins@nightshade64:/usr/local/perl-afl/out$

I expect that quadmath perl is able to countenance a larger repeat count than regular perl is, and while regular perl would try to shove that number into a type it doesn't fit in (and therefore interpret a smaller repeat count that it is able to execute successfully), quadmath perl sees the full number of repetitions, fails to allocate enough memory, but attempts to copy it the full number of times anyway.

**GDB**

dcollins@nightshade64:/usr/local/perl-afl/out$ gdb --args ~/perlquad/perl allcrash/f4i000000
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/dcollins/perlquad/perl...done.
(gdb) run
Starting program: /home/dcollins/perlquad/perl allcrash/f4i000000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6d4f735 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6d4f735 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00000000006ebe58 in memcpy (__len=131072, __src=0xea1182, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#2 Perl_repeatcpy (
  to=0xea1182 "20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020"...,
  from=0xea1180 "20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020"..., len=2, count=9223372036854775806) at util.c:3239
#3 0x0000000000861d94 in Perl_pp_repeat () at pp.c:1895
#4 0x0000000000790c9b in Perl_runops_standard () at run.c:41
#5 0x0000000000453bb2 in S_fold_constants (o=0xea4610) at op.c:4381
#6 0x0000000000454b2a in Perl_newBINOP (type=<optimized out>, flags=flags@entry=0, first=<optimized out>, last=<optimized out>) at op.c:5020
#7 0x00000000005bb025 in Perl_yyparse (gramtype=gramtype@entry=258) at perly.y:787
#8 0x00000000004e8859 in S_parse_body (xsinit=0x427800 <xs_init>, env=0x0) at perl.c:2331
#9 perl_parse (my_perl=<optimized out>, xsinit=xsinit@entry=0x427800 <xs_init>, argc=<optimized out>, argv=<optimized out>, env=env@entry=0x0) at perl.c:1650
#10 0x0000000000427428 in main (argc=2, argv=0x7fffffffe338, env=0x7fffffffe350) at perlmain.c:114
(gdb) info locals
No symbol table info available.
(gdb) frame 2
#2 Perl_repeatcpy (
  to=0xea1182 "20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020"...,
  from=0xea1180 "20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020"..., len=2, count=9223372036854775806) at util.c:3239
3239 memcpy(p, to, size);
(gdb) info locals
size = 131072
p = <optimized out>
items = <optimized out>
linear = 4
half = 4611686018427387903
(gdb) l
3234 }
3235
3236 half = count / 2;
3237 while (items <= half) {
3238 IV size = items * len;
3239 memcpy(p, to, size);
3240 p += size;
3241 items *= 2;
3242 }
3243
(gdb) break Perl_repeatcpy
Breakpoint 1 at 0x6eab10: file util.c, line 3214.
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/dcollins/perlquad/perl allcrash/f4i000000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, Perl_repeatcpy (to=0xea1182 "", from=0xea1180 "20", len=2, count=9223372036854775806) at util.c:3214
3214 {

...

3239 memcpy(p, to, size);
(gdb) p size
$7 = 131072
(gdb) l
3234 }
3235
3236 half = count / 2;
3237 while (items <= half) {
3238 IV size = items * len;
3239 memcpy(p, to, size);
3240 p += size;
3241 items *= 2;
3242 }
3243
(gdb) p p
$8 = 0xec1182 ""
(gdb) p to
$9 = 0xea1182 "20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020"...
(gdb) p len
$10 = 2
(gdb) p size
$11 = 131072
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6d4f735 in ?? () from /lib/x86_64-linux-gnu/libc.so.6

**VALGRIND**

dcollins@nightshade64:/usr/local/perl-afl/out$ valgrind ~/perlquad/perl allcrash/f4i000000
==16125== Memcheck, a memory error detector
==16125== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==16125== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==16125== Command: /home/dcollins/perlquad/perl allcrash/f4i000000
==16125==
==16125== Invalid write of size 1
==16125== at 0x4C2C337: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==16125== by 0x6EBE57: memcpy (string3.h:51)
==16125== by 0x6EBE57: Perl_repeatcpy (util.c:3239)
==16125== by 0x861D93: Perl_pp_repeat (pp.c:1895)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125== Address 0x61bd05a is 0 bytes after a block of size 10 alloc'd
==16125== at 0x4C27C0F: malloc (vg_replace_malloc.c:299)
==16125== by 0x6D7CAC: Perl_safesysmalloc (util.c:153)
==16125== by 0x8016A7: Perl_sv_grow (sv.c:1603)
==16125== by 0x803507: Perl_sv_2pv_flags (sv.c:3072)
==16125== by 0x818935: Perl_sv_pvn_force_flags (sv.c:9939)
==16125== by 0x861EA6: Perl_pp_repeat (pp.c:1879)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125==
==16125== Invalid write of size 2
==16125== at 0x4C2C3AB: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==16125== by 0x6EBE57: memcpy (string3.h:51)
==16125== by 0x6EBE57: Perl_repeatcpy (util.c:3239)
==16125== by 0x861D93: Perl_pp_repeat (pp.c:1895)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125== Address 0x61bd060 is 6 bytes after a block of size 10 alloc'd
==16125== at 0x4C27C0F: malloc (vg_replace_malloc.c:299)
==16125== by 0x6D7CAC: Perl_safesysmalloc (util.c:153)
==16125== by 0x8016A7: Perl_sv_grow (sv.c:1603)
==16125== by 0x803507: Perl_sv_2pv_flags (sv.c:3072)
==16125== by 0x818935: Perl_sv_pvn_force_flags (sv.c:9939)
==16125== by 0x861EA6: Perl_pp_repeat (pp.c:1879)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125==
==16125== Invalid write of size 8
==16125== at 0x4C2C363: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==16125== by 0x6EBE57: memcpy (string3.h:51)
==16125== by 0x6EBE57: Perl_repeatcpy (util.c:3239)
==16125== by 0x861D93: Perl_pp_repeat (pp.c:1895)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125== Address 0x61bd068 is 14 bytes after a block of size 10 alloc'd
==16125== at 0x4C27C0F: malloc (vg_replace_malloc.c:299)
==16125== by 0x6D7CAC: Perl_safesysmalloc (util.c:153)
==16125== by 0x8016A7: Perl_sv_grow (sv.c:1603)
==16125== by 0x803507: Perl_sv_2pv_flags (sv.c:3072)
==16125== by 0x818935: Perl_sv_pvn_force_flags (sv.c:9939)
==16125== by 0x861EA6: Perl_pp_repeat (pp.c:1879)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125==
==16125== Invalid read of size 2
==16125== at 0x4C2C3A8: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==16125== by 0x6EBE57: memcpy (string3.h:51)
==16125== by 0x6EBE57: Perl_repeatcpy (util.c:3239)
==16125== by 0x861D93: Perl_pp_repeat (pp.c:1895)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125== Address 0x61bd060 is 6 bytes after a block of size 10 alloc'd
==16125== at 0x4C27C0F: malloc (vg_replace_malloc.c:299)
==16125== by 0x6D7CAC: Perl_safesysmalloc (util.c:153)
==16125== by 0x8016A7: Perl_sv_grow (sv.c:1603)
==16125== by 0x803507: Perl_sv_2pv_flags (sv.c:3072)
==16125== by 0x818935: Perl_sv_pvn_force_flags (sv.c:9939)
==16125== by 0x861EA6: Perl_pp_repeat (pp.c:1879)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125==
==16125== Invalid read of size 8
==16125== at 0x4C2C360: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==16125== by 0x6EBE57: memcpy (string3.h:51)
==16125== by 0x6EBE57: Perl_repeatcpy (util.c:3239)
==16125== by 0x861D93: Perl_pp_repeat (pp.c:1895)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125== Address 0x61bd060 is 6 bytes after a block of size 10 alloc'd
==16125== at 0x4C27C0F: malloc (vg_replace_malloc.c:299)
==16125== by 0x6D7CAC: Perl_safesysmalloc (util.c:153)
==16125== by 0x8016A7: Perl_sv_grow (sv.c:1603)
==16125== by 0x803507: Perl_sv_2pv_flags (sv.c:3072)
==16125== by 0x818935: Perl_sv_pvn_force_flags (sv.c:9939)
==16125== by 0x861EA6: Perl_pp_repeat (pp.c:1879)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125==
==16125== Invalid read of size 8
==16125== at 0x4C2C36E: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==16125== by 0x6EBE57: memcpy (string3.h:51)
==16125== by 0x6EBE57: Perl_repeatcpy (util.c:3239)
==16125== by 0x861D93: Perl_pp_repeat (pp.c:1895)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125== Address 0x61bd068 is 14 bytes after a block of size 10 alloc'd
==16125== at 0x4C27C0F: malloc (vg_replace_malloc.c:299)
==16125== by 0x6D7CAC: Perl_safesysmalloc (util.c:153)
==16125== by 0x8016A7: Perl_sv_grow (sv.c:1603)
==16125== by 0x803507: Perl_sv_2pv_flags (sv.c:3072)
==16125== by 0x818935: Perl_sv_pvn_force_flags (sv.c:9939)
==16125== by 0x861EA6: Perl_pp_repeat (pp.c:1879)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125==
==16125==
==16125== Process terminating with default action of signal 11 (SIGSEGV)
==16125== Access not within mapped region at address 0x658D000
==16125== at 0x4C2C363: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==16125== by 0x6EBE57: memcpy (string3.h:51)
==16125== by 0x6EBE57: Perl_repeatcpy (util.c:3239)
==16125== by 0x861D93: Perl_pp_repeat (pp.c:1895)
==16125== by 0x790C9A: Perl_runops_standard (run.c:41)
==16125== by 0x453BB1: S_fold_constants (op.c:4381)
==16125== by 0x5BB024: Perl_yyparse (perly.y:787)
==16125== by 0x4E8858: S_parse_body (perl.c:2331)
==16125== by 0x4E8858: perl_parse (perl.c:1650)
==16125== by 0x427427: main (perlmain.c:114)
==16125== If you believe this happened as a result of a stack
==16125== overflow in your program's main thread (unlikely but
==16125== possible), you can try to increase the size of the
==16125== main thread stack using the --main-stacksize= flag.
==16125== The main thread stack size used in this run was 8388608.
==16125==
==16125== HEAP SUMMARY:
==16125== in use at exit: 122,472 bytes in 638 blocks
==16125== total heap usage: 724 allocs, 86 frees, 147,123 bytes allocated
==16125==
==16125== LEAK SUMMARY:
==16125== definitely lost: 328 bytes in 1 blocks
==16125== indirectly lost: 2,631 bytes in 39 blocks
==16125== possibly lost: 0 bytes in 0 blocks
==16125== still reachable: 119,513 bytes in 598 blocks
==16125== suppressed: 0 bytes in 0 blocks
==16125== Rerun with --leak-check=full to see details of leaked memory
==16125==
==16125== For counts of detected and suppressed errors, rerun with: -v
==16125== ERROR SUMMARY: 999515 errors from 6 contexts (suppressed: 0 from 0)
Segmentation fault

**PERL -V**

dcollins@nightshade64:/usr/local/perl-afl/out$ ~/perlquad/perl -V
Summary of my perl5 (revision 5 version 24 subversion 0) configuration:
  Commit id: 6f30c26
  Platform:
  osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-quadmath
  uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='ccache afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='5.2.0', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='__float128', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
  libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.19'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
  Compile-time options: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
  USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
  USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_PERLIO
  USE_PERL_ATOF USE_QUADMATH
  Locally applied patches:
  RC2
  Built under linux
  Compiled at Apr 24 2016 23:12:20
  @INC:
  /usr/local/perl-afl/lib/site_perl/5.24.0/x86_64-linux-quadmath
  /usr/local/perl-afl/lib/site_perl/5.24.0
  /usr/local/perl-afl/lib/5.24.0/x86_64-linux-quadmath
  /usr/local/perl-afl/lib/5.24.0
  .
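An added example (my own code, not Perl's util.c or pp.c): a C repeat-copy that keeps the doubling loop shown in the gdb listing above but checks `len * count` before allocating and stops when the allocation is refused, which is the step the report describes as missing. With the report's count of 9223372036854775806 and len 2 the product still fits in a 64-bit size_t, so the allocation-failure check, not the overflow check, is what keeps the copy from running past the 10-byte block valgrind shows. The names repeat_size_ok, repeat_into and safe_repeat are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: does len * count fit in size_t? Stores the product
 * in *total when it does. On 32-bit targets this is the check that fires
 * for counts near IV_MAX; on 64-bit it only fires for far larger products. */
int repeat_size_ok(size_t len, size_t count, size_t *total)
{
    if (len != 0 && count > SIZE_MAX / len)
        return 0;
    *total = len * count;
    return 1;
}

/* Fill `to` (which must already hold len * count bytes) with `count` copies
 * of the len-byte string `from`, using the same doubling strategy as the
 * listing: copy once, keep doubling the already-filled prefix while
 * items <= count / 2, then copy the remainder. Every memcpy stays inside
 * the buffer because the caller sized it from the same len and count. */
void repeat_into(char *to, const char *from, size_t len, size_t count)
{
    size_t items, half;
    char *p;

    if (len == 0 || count == 0)
        return;
    memcpy(to, from, len);              /* one item filled */
    p = to + len;
    items = 1;
    half = count / 2;
    while (items <= half) {             /* doubling phase */
        size_t size = items * len;      /* <= total, so cannot overflow */
        memcpy(p, to, size);
        p += size;
        items *= 2;
    }
    if (items < count)                  /* tail: fewer than `items` items left */
        memcpy(p, to, (count - items) * len);
}

/* Allocate and return a NUL-terminated buffer holding `count` copies of
 * `from`, or NULL when the size arithmetic would overflow or the allocation
 * is refused. The copy never runs when the allocation did not succeed.
 * The caller frees the result. */
char *safe_repeat(const char *from, size_t len, size_t count)
{
    size_t total;
    char *buf;

    if (!repeat_size_ok(len, count, &total) || total == SIZE_MAX)
        return NULL;                    /* len * count (+1 for NUL) does not fit */
    buf = malloc(total + 1);
    if (buf == NULL)
        return NULL;                    /* refused: do not fall through to copying */
    repeat_into(buf, from, len, count);
    buf[total] = '\0';
    return buf;
}

int main(void)
{
    /* The count from the report, as the IV the quadmath build ended up with. */
    size_t huge = (size_t)9223372036854775806ULL;
    char *s = safe_repeat("20", 2, 5);
    printf("\"20\" x 5 -> %s\n", s ? s : "(null)");
    free(s);
    s = safe_repeat("20", 2, huge);
    printf("\"20\" x %zu -> %s\n", huge, s ? "allocated" : "refused (NULL)");
    free(s);
    return 0;
}
```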


p5pRT commented Apr 27, 2016

From @dcollinsn

This is perhaps a duplicate of [perl #127915], which I didn't find in my
initial search. I'm not sure because there's no -V on this bug, but I can
confirm that this does /not/ crash on non-quad builds on my system, whereas
perl -e "20x~0" does.

On Tue, Apr 26, 2016 at 8:02 PM, Dan Collins <perlbug-followup@perl.org> wrote:

# New Ticket Created by Dan Collins
# Please include the string: [perl #128001]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=128001 >

==16125== Address 0x61bd060 is 6 bytes after a block of size 10 alloc'd
==16125== at 0x4C27C0F​: malloc (vg_replace_malloc.c​:299)
==16125== by 0x6D7CAC​: Perl_safesysmalloc (util.c​:153)
==16125== by 0x8016A7​: Perl_sv_grow (sv.c​:1603)
==16125== by 0x803507​: Perl_sv_2pv_flags (sv.c​:3072)
==16125== by 0x818935​: Perl_sv_pvn_force_flags (sv.c​:9939)
==16125== by 0x861EA6​: Perl_pp_repeat (pp.c​:1879)
==16125== by 0x790C9A​: Perl_runops_standard (run.c​:41)
==16125== by 0x453BB1​: S_fold_constants (op.c​:4381)
==16125== by 0x5BB024​: Perl_yyparse (perly.y​:787)
==16125== by 0x4E8858​: S_parse_body (perl.c​:2331)
==16125== by 0x4E8858​: perl_parse (perl.c​:1650)
==16125== by 0x427427​: main (perlmain.c​:114)
==16125==
==16125== Invalid read of size 8
==16125== at 0x4C2C36E​: memcpy@​@​GLIBC_2.14 (vg_replace_strmem.c​:1018)
==16125== by 0x6EBE57​: memcpy (string3.h​:51)
==16125== by 0x6EBE57​: Perl_repeatcpy (util.c​:3239)
==16125== by 0x861D93​: Perl_pp_repeat (pp.c​:1895)
==16125== by 0x790C9A​: Perl_runops_standard (run.c​:41)
==16125== by 0x453BB1​: S_fold_constants (op.c​:4381)
==16125== by 0x5BB024​: Perl_yyparse (perly.y​:787)
==16125== by 0x4E8858​: S_parse_body (perl.c​:2331)
==16125== by 0x4E8858​: perl_parse (perl.c​:1650)
==16125== by 0x427427​: main (perlmain.c​:114)
==16125== Address 0x61bd068 is 14 bytes after a block of size 10 alloc'd
==16125== at 0x4C27C0F​: malloc (vg_replace_malloc.c​:299)
==16125== by 0x6D7CAC​: Perl_safesysmalloc (util.c​:153)
==16125== by 0x8016A7​: Perl_sv_grow (sv.c​:1603)
==16125== by 0x803507​: Perl_sv_2pv_flags (sv.c​:3072)
==16125== by 0x818935​: Perl_sv_pvn_force_flags (sv.c​:9939)
==16125== by 0x861EA6​: Perl_pp_repeat (pp.c​:1879)
==16125== by 0x790C9A​: Perl_runops_standard (run.c​:41)
==16125== by 0x453BB1​: S_fold_constants (op.c​:4381)
==16125== by 0x5BB024​: Perl_yyparse (perly.y​:787)
==16125== by 0x4E8858​: S_parse_body (perl.c​:2331)
==16125== by 0x4E8858​: perl_parse (perl.c​:1650)
==16125== by 0x427427​: main (perlmain.c​:114)
==16125==
==16125==
==16125== Process terminating with default action of signal 11 (SIGSEGV)
==16125== Access not within mapped region at address 0x658D000
==16125== at 0x4C2C363​: memcpy@​@​GLIBC_2.14 (vg_replace_strmem.c​:1018)
==16125== by 0x6EBE57​: memcpy (string3.h​:51)
==16125== by 0x6EBE57​: Perl_repeatcpy (util.c​:3239)
==16125== by 0x861D93​: Perl_pp_repeat (pp.c​:1895)
==16125== by 0x790C9A​: Perl_runops_standard (run.c​:41)
==16125== by 0x453BB1​: S_fold_constants (op.c​:4381)
==16125== by 0x5BB024​: Perl_yyparse (perly.y​:787)
==16125== by 0x4E8858​: S_parse_body (perl.c​:2331)
==16125== by 0x4E8858​: perl_parse (perl.c​:1650)
==16125== by 0x427427​: main (perlmain.c​:114)
==16125== If you believe this happened as a result of a stack
==16125== overflow in your program's main thread (unlikely but
==16125== possible), you can try to increase the size of the
==16125== main thread stack using the --main-stacksize= flag.
==16125== The main thread stack size used in this run was 8388608.
==16125==
==16125== HEAP SUMMARY​:
==16125== in use at exit​: 122,472 bytes in 638 blocks
==16125== total heap usage​: 724 allocs, 86 frees, 147,123 bytes allocated
==16125==
==16125== LEAK SUMMARY​:
==16125== definitely lost​: 328 bytes in 1 blocks
==16125== indirectly lost​: 2,631 bytes in 39 blocks
==16125== possibly lost​: 0 bytes in 0 blocks
==16125== still reachable​: 119,513 bytes in 598 blocks
==16125== suppressed​: 0 bytes in 0 blocks
==16125== Rerun with --leak-check=full to see details of leaked memory
==16125==
==16125== For counts of detected and suppressed errors, rerun with​: -v
==16125== ERROR SUMMARY​: 999515 errors from 6 contexts (suppressed​: 0 from
0)
Segmentation fault

**PERL -V**

dcollins@nightshade64:/usr/local/perl-afl/out$ ~/perlquad/perl -V
Summary of my perl5 (revision 5 version 24 subversion 0) configuration:
  Commit id: 6f30c26
  Platform:
    osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-quadmath
    uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian
      3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 gnulinux '
    config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache
      afl-gcc -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir
      -Uman3dir -Dusequadmath -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='ccache afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe
      -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
      -D_FILE_OFFSET_BITS=64',
    optimize='-g',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong
      -I/usr/local/include'
    ccversion='', gccversion='5.2.0', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678,
      doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16,
      longdblkind=3
    ivtype='long', ivsize=8, nvtype='__float128', nvsize=16,
      Off_t='off_t', lseeksize=8
    alignbytes=16, prototype=define
  Linker and Libraries:
    ld='ccache afl-gcc', ldflags =' -fstack-protector-strong
      -L/usr/local/lib'
    libpth=/usr/local/lib
      /usr/local/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/include-fixed
      /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib
      /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
    libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib
      -fstack-protector-strong'

Characteristics of this binary (from libperl):
  Compile-time options: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
                        PERL_DONT_CREATE_GVSV
                        PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
                        PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
                        USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
                        USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                        USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_PERLIO
                        USE_PERL_ATOF USE_QUADMATH
  Locally applied patches:
    RC2
  Built under linux
  Compiled at Apr 24 2016 23:12:20
  @INC:
    /usr/local/perl-afl/lib/site_perl/5.24.0/x86_64-linux-quadmath
    /usr/local/perl-afl/lib/site_perl/5.24.0
    /usr/local/perl-afl/lib/5.24.0/x86_64-linux-quadmath
    /usr/local/perl-afl/lib/5.24.0
    .

@p5pRT

p5pRT commented Jun 6, 2016

From @tonycoz

On Tue Apr 26 17:02:59 2016, dcollinsn@gmail.com wrote:
> Greetings Porters,
>
> I have compiled bleadperl with the afl-gcc compiler using:
>
> ./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache
> afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly
> -Uman1dir -Uman3dir -Dusequadmath -des
> AFL_HARDEN=1 make && make test
>
> And then fuzzed the resulting binary using:
>
> AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
>
> After reducing testcases using `afl-tmin` and performing additional
> minimization by hand, I have located the following testcase that
> triggers a segmentation fault in the perl interpreter. The testcase is
> the 23-character file:
>
> dcollins@nightshade64:/usr/local/perl-afl/out$ cat allcrash/f4i000000
> 20x20000000000000000000

This appears to have been fixed by 6bbd724.

I can't reproduce it in blead.

Tony

@p5pRT

p5pRT commented Jun 6, 2016

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Jun 6, 2016

From @tonycoz

On Sun Jun 05 21:26:24 2016, tonyc wrote:
> On Tue Apr 26 17:02:59 2016, dcollinsn@gmail.com wrote:
> > Greetings Porters,
> >
> > I have compiled bleadperl with the afl-gcc compiler using:
> >
> > ./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache
> > afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly
> > -Uman1dir -Uman3dir -Dusequadmath -des
> > AFL_HARDEN=1 make && make test
> >
> > And then fuzzed the resulting binary using:
> >
> > AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
> >
> > After reducing testcases using `afl-tmin` and performing additional
> > minimization by hand, I have located the following testcase that
> > triggers a segmentation fault in the perl interpreter. The testcase is
> > the 23-character file:
> >
> > dcollins@nightshade64:/usr/local/perl-afl/out$ cat allcrash/f4i000000
> > 20x20000000000000000000
>
> This appears to have been fixed by 6bbd724.
>
> I can't reproduce it in blead.

Fixed for Dan too, per IRC discussion.

Tony

@p5pRT

p5pRT commented Jun 6, 2016

@tonycoz - Status changed from 'open' to 'resolved'
