heap-use-after-free in Perl_sv_setpv (sv.c:4990) #15684

Open
p5pRT opened this issue Oct 26, 2016 · 4 comments

Comments


p5pRT commented Oct 26, 2016

Migrated from rt.perl.org#129963 (status was 'open')

Searchable as RT129963$


p5pRT commented Oct 26, 2016

From @geeknik

Triggered in Perl v5.25.7 (v5.25.6-71-gac15b3d) with AFL+ASAN.

perl -e '($0+=(*0)=@0=($0)=N)=@0=(($0)=0)=@0=()'

==31223==ERROR: AddressSanitizer: heap-use-after-free on address
0x60200000e630 at pc 0x0000004a9e7c bp 0x7ffc9e04d670 sp 0x7ffc9e04ce28
WRITE of size 2 at 0x60200000e630 thread T0 (N)
  #0 0x4a9e7b in __asan_memmove (/root/perl/perl+0x4a9e7b)
  #1 0x9364ab in Perl_sv_setpv /root/perl/sv.c:4990:5
  #2 0x5d1c69 in Perl_gv_fullname4 /root/perl/gv.c:2411:5
  #3 0x92709d in Perl_sv_setsv_flags /root/perl/sv.c:4776:6
  #4 0x8bc035 in Perl_pp_aassign /root/perl/pp_hot.c:1547:3
  #5 0x7f4273 in Perl_runops_debug /root/perl/dump.c:2246:23
  #6 0x5a12e6 in S_run_body /root/perl/perl.c:2526:2
  #7 0x5a12e6 in perl_run /root/perl/perl.c:2449
  #8 0x4de63d in main /root/perl/perlmain.c:123:9
  #9 0x7f1989433b44 in __libc_start_main
/build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
  #10 0x4de2ac in _start (/root/perl/perl+0x4de2ac)

0x60200000e630 is located 0 bytes inside of 10-byte region
[0x60200000e630,0x60200000e63a)
freed by thread T0 (N) here:
  #0 0x4c09ab in __interceptor_free (/root/perl/perl+0x4c09ab)
  #1 0x7f8f84 in Perl_safesysfree /root/perl/util.c:388:2
  #2 0x9521c2 in Perl_sv_free2 /root/perl/sv.c:6996:9

previously allocated by thread T0 (N) here:
  #0 0x4c0c2b in malloc (/root/perl/perl+0x4c0c2b)
  #1 0x7f80b7 in Perl_safesysmalloc /root/perl/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __asan_memmove
==31223==ABORTING

Perl 5.20.2-3+deb8u6 fails gracefully:
panic: attempt to copy freed scalar 16c3e78 at -e line 1.

Non-ASAN build of Perl v5.25.7 (v5.25.6-76-gc1b1197) + Valgrind:

valgrind -q ./perl -e '($0+=(*0)=@0=($0)=N)=@0=(($0)=0)=@0=()'
==6579== Invalid write of size 1
==6579==    at 0x4C2D6A3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)
==6579==    by 0x533C6E: memmove (string3.h:57)
==6579==    by 0x533C6E: Perl_sv_setpv (sv.c:4990)
==6579==    by 0x453EF9: Perl_gv_fullname4 (gv.c:2411)
==6579==    by 0x5222E4: Perl_sv_setsv_flags (sv.c:4776)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==  Address 0x5f78f50 is 0 bytes inside a block of size 10 free'd
==6579==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==6579==    by 0x515029: Perl_sv_clear (sv.c:6694)
==6579==    by 0x5155E6: Perl_sv_free2 (sv.c:6996)
==6579==    by 0x454567: S_SvREFCNT_dec (inline.h:189)
==6579==    by 0x454567: Perl_gp_free (gv.c:2573)
==6579==    by 0x52257F: Perl_sv_setsv_flags (sv.c:4567)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==
==6579== Invalid write of size 1
==6579==    at 0x4C2D5FC: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)
==6579==    by 0x539754: memmove (string3.h:57)
==6579==    by 0x539754: Perl_sv_catpvn_flags (sv.c:5459)
==6579==    by 0x454009: Perl_gv_fullname4 (gv.c:2416)
==6579==    by 0x5222E4: Perl_sv_setsv_flags (sv.c:4776)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==  Address 0x5f78f51 is 1 bytes inside a block of size 10 free'd
==6579==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==6579==    by 0x515029: Perl_sv_clear (sv.c:6694)
==6579==    by 0x5155E6: Perl_sv_free2 (sv.c:6996)
==6579==    by 0x454567: S_SvREFCNT_dec (inline.h:189)
==6579==    by 0x454567: Perl_gp_free (gv.c:2573)
==6579==    by 0x52257F: Perl_sv_setsv_flags (sv.c:4567)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==
==6579== Invalid write of size 1
==6579==    at 0x5397B7: Perl_sv_catpvn_flags (sv.c:5481)
==6579==    by 0x454009: Perl_gv_fullname4 (gv.c:2416)
==6579==    by 0x5222E4: Perl_sv_setsv_flags (sv.c:4776)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==  Address 0x5f78f55 is 5 bytes inside a block of size 10 free'd
==6579==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==6579==    by 0x515029: Perl_sv_clear (sv.c:6694)
==6579==    by 0x5155E6: Perl_sv_free2 (sv.c:6996)
==6579==    by 0x454567: S_SvREFCNT_dec (inline.h:189)
==6579==    by 0x454567: Perl_gp_free (gv.c:2573)
==6579==    by 0x52257F: Perl_sv_setsv_flags (sv.c:4567)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==
==6579== Invalid write of size 1
==6579==    at 0x4C2D6A3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)
==6579==    by 0x539754: memmove (string3.h:57)
==6579==    by 0x539754: Perl_sv_catpvn_flags (sv.c:5459)
==6579==    by 0x454020: Perl_gv_fullname4 (gv.c:2417)
==6579==    by 0x5222E4: Perl_sv_setsv_flags (sv.c:4776)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==  Address 0x5f78f55 is 5 bytes inside a block of size 10 free'd
==6579==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==6579==    by 0x515029: Perl_sv_clear (sv.c:6694)
==6579==    by 0x5155E6: Perl_sv_free2 (sv.c:6996)
==6579==    by 0x454567: S_SvREFCNT_dec (inline.h:189)
==6579==    by 0x454567: Perl_gp_free (gv.c:2573)
==6579==    by 0x52257F: Perl_sv_setsv_flags (sv.c:4567)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==
==6579== Invalid write of size 1
==6579==    at 0x5397B7: Perl_sv_catpvn_flags (sv.c:5481)
==6579==    by 0x454020: Perl_gv_fullname4 (gv.c:2417)
==6579==    by 0x5222E4: Perl_sv_setsv_flags (sv.c:4776)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==  Address 0x5f78f57 is 7 bytes inside a block of size 10 free'd
==6579==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==6579==    by 0x515029: Perl_sv_clear (sv.c:6694)
==6579==    by 0x5155E6: Perl_sv_free2 (sv.c:6996)
==6579==    by 0x454567: S_SvREFCNT_dec (inline.h:189)
==6579==    by 0x454567: Perl_gp_free (gv.c:2573)
==6579==    by 0x52257F: Perl_sv_setsv_flags (sv.c:4567)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==
==6579== Invalid write of size 1
==6579==    at 0x4C2D6A3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)
==6579==    by 0x539754: memmove (string3.h:57)
==6579==    by 0x539754: Perl_sv_catpvn_flags (sv.c:5459)
==6579==    by 0x53A1A5: Perl_sv_catsv_flags (sv.c:5517)
==6579==    by 0x5222E4: Perl_sv_setsv_flags (sv.c:4776)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==  Address 0x5f78f57 is 7 bytes inside a block of size 10 free'd
==6579==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==6579==    by 0x515029: Perl_sv_clear (sv.c:6694)
==6579==    by 0x5155E6: Perl_sv_free2 (sv.c:6996)
==6579==    by 0x454567: S_SvREFCNT_dec (inline.h:189)
==6579==    by 0x454567: Perl_gp_free (gv.c:2573)
==6579==    by 0x52257F: Perl_sv_setsv_flags (sv.c:4567)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==
==6579== Invalid write of size 1
==6579==    at 0x5397B7: Perl_sv_catpvn_flags (sv.c:5481)
==6579==    by 0x53A1A5: Perl_sv_catsv_flags (sv.c:5517)
==6579==    by 0x5222E4: Perl_sv_setsv_flags (sv.c:4776)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==  Address 0x5f78f58 is 8 bytes inside a block of size 10 free'd
==6579==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==6579==    by 0x515029: Perl_sv_clear (sv.c:6694)
==6579==    by 0x5155E6: Perl_sv_free2 (sv.c:6996)
==6579==    by 0x454567: S_SvREFCNT_dec (inline.h:189)
==6579==    by 0x454567: Perl_gp_free (gv.c:2573)
==6579==    by 0x52257F: Perl_sv_setsv_flags (sv.c:4567)
==6579==    by 0x50428E: Perl_pp_aassign (pp_hot.c:1547)
==6579==    by 0x4D6EE1: Perl_runops_debug (dump.c:2246)
==6579==    by 0x453176: S_run_body (perl.c:2538)
==6579==    by 0x453176: perl_run (perl.c:2461)
==6579==    by 0x4219B4: main (perlmain.c:123)
==6579==


p5pRT commented Nov 7, 2016

From @tonycoz

On Tue, 25 Oct 2016 17:01:07 -0700, brian.carpenter@gmail.com wrote:

Triggered in Perl v5.25.7 (v5.25.6-71-gac15b3d) with AFL+ASAN.

perl -e '($0+=(*0)=@0=($0)=N)=@0=(($0)=0)=@0=()'

Simplifies to:

./perl -e '($0+=(*0)=@0=$0)=@0=$0'

Removing the first =$0 gives:

./perl -e '($0+=(*0)=@0)=@0=$0'
panic: attempt to copy freed scalar 62100001bd68 to 621000010f20 at -e line 1.

This looks like yet another stack-not-refcounted issue.

I don't think it's a security issue.

Tony

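The "stack not refcounted" pattern Tony names above, as an added example that is not part of this thread and not perl's code: a constructed C model in which a glob slot (GP) owns a refcounted scalar, the argument stack holds bare pointers, and a list assignment stores into the glob before it reads the rest of the stack. The type and function names (SV, GP, aassign, run_scenario) are assumptions for the model; freeing only marks the scalar so the bad path is observable, and the mitigation shown is pinning each RHS value with a reference for the duration of the assignment.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not perl's code: a refcounted scalar that is only
 * marked freed (never free()d) so the buggy path stays observable. */
typedef struct { int refcnt; int freed; char pv[16]; } SV;

static SV *sv_new(const char *s) {
    SV *sv = calloc(1, sizeof *sv);
    sv->refcnt = 1;
    strncpy(sv->pv, s, sizeof sv->pv - 1);
    return sv;
}
static void sv_refcnt_dec(SV *sv) { if (--sv->refcnt == 0) sv->freed = 1; }

/* A glob's GP owns one scalar; storing a new one releases the old, the
 * gp_free -> sv_free2 path in the "free'd" traces of the report. */
typedef struct { SV *scalar; } GP;
static void glob_assign(GP *gp, SV *sv) {
    SV *old = gp->scalar;
    sv->refcnt++; gp->scalar = sv;
    if (old) sv_refcnt_dec(old);
}

/* (*glob, $dst) = (rhs[0], rhs[1]), rhs[] standing in for the stack. With
 * hold_refs == 0 the stack holds bare pointers, as in the report; with 1 each
 * RHS value is pinned before any LHS store and released afterwards. */
static int aassign(GP *glob, SV *rhs[2], int hold_refs, char *out, size_t n) {
    int rc = 0;
    if (hold_refs) { rhs[0]->refcnt++; rhs[1]->refcnt++; }
    glob_assign(glob, rhs[0]);               /* (*0) = ...: old $0 released */
    if (rhs[1]->freed) rc = -1;              /* the heap-use-after-free */
    else { strncpy(out, rhs[1]->pv, n - 1); out[n - 1] = '\0'; }  /* $dst = $0 */
    if (hold_refs) { sv_refcnt_dec(rhs[0]); sv_refcnt_dec(rhs[1]); }
    return rc;
}

/* The report's shape: the RHS list contains the scalar the LHS glob owns. */
static int run_scenario(int hold_refs, char *out, size_t n) {
    SV *old = sv_new("old-dollar-0"), *fresh = sv_new("new");
    GP glob = { old };                       /* *0 owns $0 */
    SV *rhs[2] = { fresh, old };             /* stack: (new value, $0) */
    int rc = aassign(&glob, rhs, hold_refs, out, n);
    sv_refcnt_dec(fresh);                    /* drop sv_new's reference */
    sv_refcnt_dec(glob.scalar);              /* glob goes out of scope */
    free(old);
    free(fresh);
    return rc;
}
```

The unpinned run returns -1 at exactly the point where perl's sv_setsv_flags copied from the scalar gp_free had just released; the pinned run completes the copy and frees the old scalar only afterwards.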

p5pRT commented Nov 7, 2016

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jan 30, 2017

From @tonycoz

On Sun, 06 Nov 2016 19:58:17 -0800, tonyc wrote:

This looks like yet another stack-not-refcounted issue.

I don't think it's a security issue.

Now public.

Tony
