
heap-use-after-free in S_unshare_hek_or_pvn (hv.c:2857) #15687

Open
p5pRT opened this issue Oct 27, 2016 · 5 comments

Comments


p5pRT commented Oct 27, 2016

Migrated from rt.perl.org#129975 (status was 'open')

Searchable as RT129975$


p5pRT commented Oct 27, 2016

From @geeknik

Triggered in Perl v5.25.7 (v5.25.6-71-gac15b3d) with AFL+ASAN. Does not fail under valgrind.

==28151==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000dfb8 at pc 0x00000088df26 bp 0x7fffc94d7470 sp 0x7fffc94d7468
READ of size 8 at 0x60200000dfb8 thread T0 (0)
  #0 0x88df25 in S_unshare_hek_or_pvn /root/perl/hv.c:2857:2
  #1 0x94da7b in Perl_sv_clear /root/perl/sv.c:6689:4
  #2 0x9521c2 in Perl_sv_free2 /root/perl/sv.c:6996:9
  #3 0x4e3976 in S_SvREFCNT_dec /root/perl/./inline.h:189:6
  #4 0x4e3976 in Perl_op_clear /root/perl/op.c:971
  #5 0x4e2115 in Perl_op_free /root/perl/op.c:854:9
  #6 0x4e1d65 in Perl_op_free /root/perl/op.c:837:21
  #7 0x586809 in perl_destruct /root/perl/perl.c:831:2
  #8 0x4de7ca in main /root/perl/perlmain.c:134:18
  #9 0x7f7e5e900b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
  #10 0x4de2ac in _start (/root/perl/perl+0x4de2ac)

0x60200000dfba is located 0 bytes to the right of 10-byte region [0x60200000dfb0,0x60200000dfba)
freed by thread T0 (0) here:
  #0 0x4c09ab in __interceptor_free (/root/perl/perl+0x4c09ab)
  #1 0x7f8f84 in Perl_safesysfree /root/perl/util.c:388:2
  #2 0x9521c2 in Perl_sv_free2 /root/perl/sv.c:6996:9

previously allocated by thread T0 (0) here:
  #0 0x4c0c2b in malloc (/root/perl/perl+0x4c0c2b)
  #1 0x7f80b7 in Perl_safesysmalloc /root/perl/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/hv.c:2857 S_unshare_hek_or_pvn
Shadow bytes around the buggy address:
  0x0c047fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
=>0x0c047fff9bf0: fa fa fd fd fa fa fd[fd]fa fa 00 02 fa fa fd fd
  0x0c047fff9c00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9c10: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9c20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9c30: fa fa fd fd fa fa 02 fa fa fa fd fd fa fa fd fd
  0x0c047fff9c40: fa fa fd fd fa fa 00 02 fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  ASan internal: fe
==28151==ABORTING
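When triaging fuzzer crashes like the one above, the first step is usually mechanical: pull the error kind, the faulting access and the three stack traces out of the AddressSanitizer text, build a stable de-duplication key, and see where the freeing path and the dereferencing path meet. The following is an added example written for this page; it is not code from the issue, from the reporter, or from Perl's own tooling. The sample input is a trimmed copy of the report above with the line-wrapped header and region lines rejoined, and the function names, the signature depth and the set of sanitizer frames treated as noise are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: a trimmed copy of the AddressSanitizer report posted above, with the
# line-wrapped header and region lines rejoined (constructed for this example).
SAMPLE_REPORT = """\
==28151==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000dfb8 at pc 0x00000088df26 bp 0x7fffc94d7470 sp 0x7fffc94d7468
READ of size 8 at 0x60200000dfb8 thread T0 (0)
    #0 0x88df25 in S_unshare_hek_or_pvn /root/perl/hv.c:2857:2
    #1 0x94da7b in Perl_sv_clear /root/perl/sv.c:6689:4
    #2 0x9521c2 in Perl_sv_free2 /root/perl/sv.c:6996:9
    #3 0x4e3976 in S_SvREFCNT_dec /root/perl/./inline.h:189:6
    #4 0x4e3976 in Perl_op_clear /root/perl/op.c:971

0x60200000dfba is located 0 bytes to the right of 10-byte region [0x60200000dfb0,0x60200000dfba)
freed by thread T0 (0) here:
    #0 0x4c09ab in __interceptor_free (/root/perl/perl+0x4c09ab)
    #1 0x7f8f84 in Perl_safesysfree /root/perl/util.c:388:2
    #2 0x9521c2 in Perl_sv_free2 /root/perl/sv.c:6996:9

previously allocated by thread T0 (0) here:
    #0 0x4c0c2b in malloc (/root/perl/perl+0x4c0c2b)
    #1 0x7f80b7 in Perl_safesysmalloc /root/perl/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/hv.c:2857 S_unshare_hek_or_pvn
"""

HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+) thread (?P<thread>T\d+)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)(?:\s+(?P<loc>\S+))?")
FREE_RE = re.compile(r"^freed by thread (?P<thread>T\d+)")
ALLOC_RE = re.compile(r"^previously allocated by thread (?P<thread>T\d+)")

# Sanitizer/runtime frames that carry no information about the bug itself (assumption
# made for this example: these prefixes are dropped when building the signature).
NOISE_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_")


@dataclass
class Frame:
    func: str
    loc: Optional[str]  # "file:line:col" or "(binary+offset)" as ASan printed it


@dataclass
class AsanReport:
    kind: str = ""
    address: int = 0
    op: str = ""
    size: int = 0
    access_stack: List[Frame] = field(default_factory=list)  # where the bad access happened
    free_stack: List[Frame] = field(default_factory=list)    # who freed the region
    alloc_stack: List[Frame] = field(default_factory=list)   # who allocated it


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line; section headers select which stack frames go to."""
    report = AsanReport()
    current: Optional[List[Frame]] = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := HEADER_RE.match(line):
            report.kind = m["kind"]
            report.address = int(m["addr"], 16)
            continue
        if m := ACCESS_RE.match(line):
            report.op, report.size = m["op"], int(m["size"])
            current = report.access_stack
            continue
        if FREE_RE.match(line):
            current = report.free_stack
            continue
        if ALLOC_RE.match(line):
            current = report.alloc_stack
            continue
        if (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(m["func"], m["loc"]))
            continue
        if not line:
            current = None  # a blank line ends the stack being collected
    if not report.kind:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """De-duplication key: error kind plus the top `depth` non-noise frames of the
    faulting access, by function name only (addresses differ between builds)."""
    funcs = [f.func for f in report.access_stack if not f.func.startswith(NOISE_PREFIXES)]
    return "|".join([report.kind, *funcs[:depth]])


def shared_frames(report: AsanReport) -> List[str]:
    """Frames present in both the free stack and the faulting access stack: the point
    at which the path that freed the object and the path that still used it coincide."""
    access = {(f.func, f.loc) for f in report.access_stack}
    return [f"{f.func} {f.loc}" for f in report.free_stack if (f.func, f.loc) in access]


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(f"{rep.op} of {rep.size} at {rep.address:#x}: {crash_signature(rep)}")
    print("free and access paths share:", shared_frames(rep))
```

On the sample, the signature comes out as the error kind followed by `S_unshare_hek_or_pvn`, `Perl_sv_clear` and `Perl_sv_free2`, and the only frame common to the free stack and the access stack is `Perl_sv_free2` at `sv.c:6996`, which is what the two traces in the report above show side by side.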


p5pRT commented Oct 27, 2016

From @geeknik

test165.gz


p5pRT commented Nov 8, 2016

From @tonycoz

On Wed, 26 Oct 2016 20:45:10 -0700, brian.carpenter@gmail.com wrote:

Triggered in Perl v5.25.7 (v5.25.6-71-gac15b3d) with AFL+ASAN. Does not fail under valgrind.

Here's a minimized version​:

*p= *$p= $| = *$p = $p |= *$p = *p = $p = \p

Changing the \p to some other reference, like \w, fails differently​:

  Can't coerce GLOB to string in bitwise or (|) at ../129975b.pl line 1.

I suspect another stack refcounting bug.

Tony


p5pRT commented Nov 8, 2016

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jan 31, 2017

From @tonycoz

On Mon, 07 Nov 2016 16:13:18 -0800, tonyc wrote:

I suspect another stack refcounting bug.

I'm surer of it now, so making it public, since we haven't been treating such issues as security issues.

Tony
