From @dcollinsn

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -DDEBUGGING -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl -t -W @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a assert fail in debugging builds of the perl interpreter. The testcase is the file below. On most perls, this exits with the correct errors - version v.Inf required. However, on debugging builds, with quadmath enabled, with -W, the following assert failure is emitted. This seems to be harmless?

use B.9E90

DEBUG PERL​:
dcollins@​nightshade64​:~/perlquad$ ./perl -W -e 'use B.9E90'
Use of uninitialized value in subroutine entry at -e line 1.
  main​::BEGIN() called at -e line 1
  eval {...} called at -e line 1
perl​: vutil.c​:666​: Perl_upg_version​: Assertion `PL_numeric_standard == 2' failed.
Aborted

REGULAR PERL​:

dcollins@​nightshade64​:~/perlquad$ ./perl -W -e 'use B.9E90'
Use of uninitialized value in subroutine entry at -e line 1.
  main​::BEGIN() called at -e line 1
  eval {...} called at -e line 1
Integer overflow in version at -e line 1.
  main​::BEGIN() called at -e line 1
  eval {...} called at -e line 1
B version v.Inf required--this is only version 1.62 at /usr/local/perl-afl/lib/5.25.1/Exporter/Heavy.pm line 125.
BEGIN failed--compilation aborted at -e line 1.

Debugging tool output is below. A git bisect was attempted. In very old perls (5.14.0), this emitted a "panic​: snprintf buffer overflow". With that marked as "good" and the assert fail marked as "bad", bisect reports the following commit, which is the commit where the assert was first added, so, not too helpful.

7738054 is the first bad commit
commit 7738054
Author​: Karl Williamson <khw@​cpan.org>
Date​: Sun Jun 1 20​:07​:30 2014 -0600

  Allow dynamic lock of LC_NUMERIC

  When processing version strings, the radix character must be a dot even
  if we otherwise would be using some other character. vutil.c
  upg_version() changes to the dot, but calls sv_catpvf() which may try to
  change the character to something else. This commit introduces a way to
  lock the character to a dot around the call to sv_catpvf()

  vutil.c is cpan-upstream, but already blead and cpan have diverged, so
  this just updates the SHA of the new version

:100644 100644 17b2551773d01d16fd1fbf6f903a0e33ac469a98 3e7d4a36f7eecdd94c3ac1bb afd5e50fdcdea909 M intrpvar.h
:100644 100644 3004dce9c91e33a609fae2a2a175a7629e99b2bf 929a249a81e8539280c570c9 5d7a11a6c894fba7 M locale.c
:100644 100644 970a25ff1ab63f04dfaf5da3185cb24acae684f1 3ee2cd49af29e095b1043863 e13de3eabf75fcda M perl.h
:040000 040000 6e5355877cdc8a2fb233b8b41ca2bc291260666b c189fbc99068c0bbc43c93af 95184858b14c0e95 M t
:100644 100644 200ff73cb6591247cb48a2f76fd89f52711a9af4 6f92d33274f31422a5c76001 2ceb2e430b129e88 M vutil.c
bisect run success

**GDB**

dcollins@​nightshade64​:~/perlquad$ gdb --args ./perl -Ilib -W -e 'use B.9E90'
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://gnu.org/licenses/gpl.html>
This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see​:
<http​://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at​:
<http​://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./perl...done.
(gdb) run
Starting program​: /home/dcollins/perlquad/perl -Ilib -W -e use\ B.9E90
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Use of uninitialized value in subroutine entry at -e line 1.
  main​::BEGIN() called at -e line 1
  eval {...} called at -e line 1
perl​: vutil.c​:666​: Perl_upg_version​: Assertion `PL_numeric_standard == 2' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cfa8fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6cf23a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6cf2452 in __assert_fail ()
  from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000000000566ba2 in Perl_upg_version (ver=0xb18f30, qv=false)
  at vutil.c​:666
#5 0x000000000056618d in Perl_new_version (ver=0xb18f18) at vutil.c​:551
#6 0x00000000007089dd in XS_universal_version (cv=0xaa3450) at vxs.inc​:161
#7 0x00000000005bf883 in Perl_pp_entersub () at pp_hot.c​:3990
#8 0x0000000000559874 in Perl_runops_debug () at dump.c​:2239
#9 0x0000000000463653 in Perl_call_sv (sv=0xab7840, flags=13) at perl.c​:2841
#10 0x000000000046d36f in Perl_call_list (oldscope=2, paramList=0xab79a8)
  at perl.c​:5009
#11 0x0000000000442c33 in S_process_special_blocks (floor=39,
  fullname=0xab1b10 "BEGIN", gv=0xab79c0, cv=0xab7840) at op.c​:8781
#12 0x00000000004424c7 in Perl_newATTRSUB_x (floor=39, o=0xac2218, proto=0x0,
  attrs=0x0, block=0xac21d8, o_is_gv=false) at op.c​:8710
#13 0x00000000004321cc in Perl_utilize (aver=1, floor=39, version=0x0,
  idop=0xac0b08, arg=0xac1df8) at op.c​:6084
#14 0x00000000004d55ed in Perl_yyparse (gramtype=258) at perly.y​:351
#15 0x0000000000461461 in S_parse_body (env=0x0, xsinit=0x41ea19 <xs_init>)
  at perl.c​:2365
---Type <return> to continue, or q <return> to quit---
#16 0x000000000045f8a7 in perl_parse (my_perl=0xaa1010,
  xsinit=0x41ea19 <xs_init>, argc=5, argv=0x7fffffffe608, env=0x0)
  at perl.c​:1681
#17 0x000000000041e978 in main (argc=5, argv=0x7fffffffe608,
  env=0x7fffffffe638) at perlmain.c​:114
(gdb) f 4
#4 0x0000000000566ba2 in Perl_upg_version (ver=0xb18f30, qv=false)
  at vutil.c​:666
666 UNLOCK_NUMERIC_STANDARD();
(gdb) l
661 }
662 else {
663 len = my_snprintf(tbuf, sizeof(tbuf), "%.9"NVff, SvNVX(ver));
664 buf = tbuf;
665 }
666 UNLOCK_NUMERIC_STANDARD();
667 RESTORE_NUMERIC_LOCAL();
668 }
669 while (buf[len-1] == '0' && len > 0) len--;
670 if ( buf[len-1] == '.' ) len--; /* eat the trailing decimal */
(gdb) info locals
_was_local = false
len = 100
tbuf = "\320Q\267\000\000\000\000\000\360I\266\000\000\000\000\000\060\a\261\000\n\000\000\000\220I\266\000\000\000\000\000\360I\266\000\000\000\000\000\000\206\271\351\rvf\275\360\316\377\377\377\177\000\000\216pV\000\000\000\000"
sv = 0xb75a70
buf = 0xb05ec0 "8", '9' <repeats 36 times>, "79916978141823691996788351450347598460165708610273280.000000000"
version = 0x602c48 <Perl_newSVpvn+146> "H\213E\360\311\303UH\211\345H\203\354pH\211}\230dH\213\004%("
s = 0x7fffffffe600 "\005"
mg = 0xb64990
__PRETTY_FUNCTION__ = "Perl_upg_version"
(gdb) q
A debugging session is active.

  Inferior 1 [process 20534] will be killed.

Quit anyway? (y or n) y

**VALGRIND**

==13582==
==13582== Process terminating with default action of signal 6 (SIGABRT)
==13582== at 0x5BD8478​: raise (in /lib/x86_64-linux-gnu/libc-2.22.so)
==13582== by 0x5BD98F9​: abort (in /lib/x86_64-linux-gnu/libc-2.22.so)
==13582== by 0x5BD13A6​: __assert_fail_base (in /lib/x86_64-linux-gnu/libc-2.22.so)
==13582== by 0x5BD1451​: __assert_fail (in /lib/x86_64-linux-gnu/libc-2.22.so)
==13582== by 0x566BA1​: Perl_upg_version (vutil.c​:666)
==13582== by 0x56618C​: Perl_new_version (vutil.c​:551)
==13582== by 0x7089DC​: XS_universal_version (vxs.inc​:161)
==13582== by 0x5BF882​: Perl_pp_entersub (pp_hot.c​:3990)
==13582== by 0x559873​: Perl_runops_debug (dump.c​:2239)
==13582== by 0x463652​: Perl_call_sv (perl.c​:2841)
==13582== by 0x46D36E​: Perl_call_list (perl.c​:5009)
==13582== by 0x442C32​: S_process_special_blocks (op.c​:8781)
==13582==
==13582== HEAP SUMMARY​:
==13582== in use at exit​: 1,301,684 bytes in 4,925 blocks
==13582== total heap usage​: 11,622 allocs, 6,697 frees, 2,283,630 bytes allocated
==13582==
==13582== LEAK SUMMARY​:
==13582== definitely lost​: 192 bytes in 1 blocks
==13582== indirectly lost​: 2,027 bytes in 22 blocks
==13582== possibly lost​: 626,677 bytes in 451 blocks
==13582== still reachable​: 672,788 bytes in 4,451 blocks
==13582== of which reachable via heuristic​:
==13582== newarray : 3,032 bytes in 95 blocks
==13582== suppressed​: 0 bytes in 0 blocks
==13582== Rerun with --leak-check=full to see details of leaked memory
==13582==
==13582== For counts of detected and suppressed errors, rerun with​: -v
==13582== ERROR SUMMARY​: 0 errors from 0 contexts (suppressed​: 0 from 0)
Aborted

**PERL -V**

dcollins@​nightshade64​:~/perlquad$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 1) configuration​:
  Commit id​: 9e17953
  Platform​:
  osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-quadmath
  uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
  config_args='-Dusedevel -Dcc=ccache gcc-6.1 -Uuselongdouble -Duse64bitall -Dusequadmath -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache gcc-6.1', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='6.1.0', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='__float128', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
  libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.22'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_OP_PARENT PERL_PRESERVE_IVUV PERL_USE_DEVEL
  USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
  USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_PERLIO
  USE_PERL_ATOF USE_QUADMATH
  Built under linux
  Compiled at May 21 2016 10​:01​:53
  @​INC​:
  lib
  /usr/local/lib/perl5/site_perl/5.25.1/x86_64-linux-quadmath
  /usr/local/lib/perl5/site_perl/5.25.1
  /usr/local/lib/perl5/5.25.1/x86_64-linux-quadmath
  /usr/local/lib/perl5/5.25.1
  .

From @tonycoz

On Sat, 21 May 2016 07​:56​:26 -0700, dcollinsn@​gmail.com wrote​:

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache
afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly
-Uman1dir -Uman3dir -Dusequadmath -DDEBUGGING -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl -t -W @​@​

After reducing testcases using `afl-tmin` and performing additional
minimization by hand, I have located the following testcase that
triggers a assert fail in debugging builds of the perl interpreter.
The testcase is the file below. On most perls, this exits with the
correct errors - version v.Inf required. However, on debugging builds,
with quadmath enabled, with -W, the following assert failure is
emitted. This seems to be harmless?

use B.9E90

DEBUG PERL​:
dcollins@​nightshade64​:~/perlquad$ ./perl -W -e 'use B.9E90'
Use of uninitialized value in subroutine entry at -e line 1.
main​::BEGIN() called at -e line 1
eval {...} called at -e line 1
perl​: vutil.c​:666​: Perl_upg_version​: Assertion `PL_numeric_standard ==
2' failed.
Aborted

REGULAR PERL​:

dcollins@​nightshade64​:~/perlquad$ ./perl -W -e 'use B.9E90'
Use of uninitialized value in subroutine entry at -e line 1.
main​::BEGIN() called at -e line 1
eval {...} called at -e line 1
Integer overflow in version at -e line 1.
main​::BEGIN() called at -e line 1
eval {...} called at -e line 1
B version v.Inf required--this is only version 1.62 at
/usr/local/perl-afl/lib/5.25.1/Exporter/Heavy.pm line 125.
BEGIN failed--compilation aborted at -e line 1.

This is caused by two different issues​:

a) Perl_upg_version() can be called in a context with warnings enabled, and for large version numbers it attempts to append to an undefined sv. This is trivially fixable (use Perl_sv_setpvf() instead of Perl_sv_catpvf()).

b) the LOCK_NUMERIC_STANDARD() (aka LOCK_LC_NUMERIC_STANDARD() ) and UNLOCK_NUMERIC_STANDARD() (aka UNLOCK_LC_NUMERIC_STANDARD() ) macros don't handle recursion correctly.

The -MB.9e90 is converted to​:

  use B.9e90;

which ends up calling Exporter->import(.9e90). Since that value is
numeric, Exporter ends up calling B->VERSION(.9e90) which results in
a call to Perl_upg_version().

Because of a) a warning is generated while the numeric standard is "locked" and the __WARN__ handler set in Exportor/Heavy.pm is called.

This attempted to load Carp, eventually leading to the nested call to Perl_upg_version(), where the numeric standard is "locked" and "unlocked" again leaving PL_numeric_standard as 1.

When we return back to the original call to Perl_upg_version() the assertion in UNLOCK_NUMERIC_STANDARD() fires since PL_numeric_standard is no longer 2.

So these macros should probably handle this nesting in some way.

Tony

The RT System itself - Status changed from 'new' to 'open'

From @khwilliamson

I believe the attached two patches do the trick When I run the reduced test case with these applied, the output is

Integer overflow in version at 128207.pl line 1.
  main​::BEGIN() called at 128207.pl line 1
  eval {...} called at 128207.pl line 1
B version v.Inf required--this is only version 1.68 at /home/khw/perl/bitwise/lib/Exporter/Heavy.pm line 125.
BEGIN failed--compilation aborted at 128207.pl line 1.
--
Karl Williamson

From @khwilliamson

On Sat, 03 Jun 2017 08​:12​:08 -0700, khw wrote​:

I believe the attached two patches do the trick When I run the
reduced test case with these applied, the output is

Integer overflow in version at 128207.pl line 1.
main​::BEGIN() called at 128207.pl line 1
eval {...} called at 128207.pl line 1
B version v.Inf required--this is only version 1.68 at
/home/khw/perl/bitwise/lib/Exporter/Heavy.pm line 125.
BEGIN failed--compilation aborted at 128207.pl line 1.

Oops. forgot to attach
--
Karl Williamson

From @khwilliamson

From f495555b9a2acc588c709cf5d88390dd049a03bd Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Sat, 3 Jun 2017 09:08:50 -0600
Subject: [PATCH 2/3] Make LOCK_LC_NUMERIC_STANDARD recursive

Same for UNLOCK_LC_NUMERIC_STANDARD.
---
 perl.h | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/perl.h b/perl.h
index ee98d40f07..0ad1ca711c 100644
--- a/perl.h
+++ b/perl.h
@@ -6191,14 +6191,14 @@ expression, but with an empty argument list, like this:
         _restore_LC_NUMERIC_function = &Perl_set_numeric_standard;          \
     }
 
-/* Lock to the C locale until unlock is called */
+/* Lock/unlock to the C locale until unlock is called.  This needs to be
+ * recursively callable.  [perl #128207] */
 #define LOCK_LC_NUMERIC_STANDARD()                          \
         (__ASSERT_(PL_numeric_standard)                     \
-        PL_numeric_standard = 2)
-
+        PL_numeric_standard++)
 #define UNLOCK_LC_NUMERIC_STANDARD()                        \
-        (__ASSERT_(PL_numeric_standard == 2)                \
-        PL_numeric_standard = 1)
+        (__ASSERT_(PL_numeric_standard > 1)                \
+        PL_numeric_standard > 1 && PL_numeric_standard--)
 
 #define RESTORE_LC_NUMERIC_UNDERLYING()                     \
 	if (_was_local) set_numeric_local();
-- 
2.11.0

From @khwilliamson

From aeadda286c2ef5466605047f688b8d37585556bf Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Sat, 3 Jun 2017 09:09:38 -0600
Subject: [PATCH 3/3] vutil.c: Use setpvf to avoid uninit.

---
 vutil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vutil.c b/vutil.c
index c033820fa5..727478e4f9 100644
--- a/vutil.c
+++ b/vutil.c
@@ -655,7 +655,7 @@ VER_NV:
         STORE_NUMERIC_LOCAL_SET_STANDARD();
         LOCK_NUMERIC_STANDARD();
 	if (sv) {
-	    Perl_sv_catpvf(aTHX_ sv, "%.9"NVff, SvNVX(ver));
+	    Perl_sv_setpvf(aTHX_ sv, "%.9"NVff, SvNVX(ver));
 	    len = SvCUR(sv);
 	    buf = SvPVX(sv);
 	}
-- 
2.11.0

From @cpansprout

On Sat, 03 Jun 2017 08​:13​:54 -0700, khw wrote​:

On Sat, 03 Jun 2017 08​:12​:08 -0700, khw wrote​:

I believe the attached two patches do the trick When I run the
reduced test case with these applied, the output is

Integer overflow in version at 128207.pl line 1.
main​::BEGIN() called at 128207.pl line 1
eval {...} called at 128207.pl line 1
B version v.Inf required--this is only version 1.68 at
/home/khw/perl/bitwise/lib/Exporter/Heavy.pm line 125.
BEGIN failed--compilation aborted at 128207.pl line 1.

Oops. forgot to attach

Please make sure that any changes to vutil.c get submitted to the version.pm repository/bugtracker and then they work with older versions of perl. Remember that this file is living a double life.

--

Father Chrysostomos

From @tonycoz

On Sat, 03 Jun 2017 08​:13​:54 -0700, khw wrote​:

On Sat, 03 Jun 2017 08​:12​:08 -0700, khw wrote​:

I believe the attached two patches do the trick When I run the
reduced test case with these applied, the output is

Integer overflow in version at 128207.pl line 1.
main​::BEGIN() called at 128207.pl line 1
eval {...} called at 128207.pl line 1
B version v.Inf required--this is only version 1.68 at
/home/khw/perl/bitwise/lib/Exporter/Heavy.pm line 125.
BEGIN failed--compilation aborted at 128207.pl line 1.

Oops. forgot to attach

They look good to me.

Tony

From @khwilliamson

I have created a PR for version for the appending to an undefined SV,
https://github.com/Perl/version.pm/pulls

The other fixes have been in blead for some time now, and prevent the assertion failure, so I'm closing this ticket
--
Karl Williamson

@khwilliamson - Status changed from 'open' to 'resolved'