PERL-5.26.1 negative-size-param #16342

Closed
p5pRT opened this issue Dec 26, 2017 · 10 comments

p5pRT commented Dec 26, 2017

Migrated from rt.perl.org#132654 (status was 'rejected')

Searchable as RT132654$

p5pRT commented Dec 26, 2017

From sraums2498@gmail.com

=================================================================
==69672==ERROR: AddressSanitizer: negative-size-param: (size=1)
  #0 0x7f152c25805d in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8d05d)
  #1 0x1e8c935 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
  #2 0x1e8c935 in Perl_sv_setpvn /home/asan_perl/Documents/perl-5.26.1/sv.c:5004
  #3 0x1e903d0 in Perl_newSVpvn_flags /home/asan_perl/Documents/perl-5.26.1/sv.c:9285
  #4 0x2eb918e in S_unpack_rec /home/asan_perl/Documents/perl-5.26.1/pp_pack.c:1627
  #5 0x2f6a66a in Perl_unpackstring /home/asan_perl/Documents/perl-5.26.1/pp_pack.c:838
  #6 0x2f6c002 in Perl_pp_unpack /home/asan_perl/Documents/perl-5.26.1/pp_pack.c:1848
  #7 0x1b1bc2e in Perl_runops_standard /home/asan_perl/Documents/perl-5.26.1/run.c:41
  #8 0x9218a5 in S_run_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2519
  #9 0x9218a5 in perl_run /home/asan_perl/Documents/perl-5.26.1/perl.c:2447
  #10 0x46b6a7 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:123
  #11 0x7f152b4bf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #12 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

==69672==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_report.cc:322 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
  #0 0x7f152c26b631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
  #1 0x7f152c2705e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
  #2 0x7f152c267b97 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9cb97)
  #3 0x7f152c268c77 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9dc77)
  #4 0x7f152c269daf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9edaf)
  #5 0x7f152c2580d0 in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8d0d0)
  #6 0x1e8c935 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
  #7 0x1e8c935 in Perl_sv_setpvn /home/asan_perl/Documents/perl-5.26.1/sv.c:5004
  #8 0x1e903d0 in Perl_newSVpvn_flags /home/asan_perl/Documents/perl-5.26.1/sv.c:9285
  #9 0x2eb918e in S_unpack_rec /home/asan_perl/Documents/perl-5.26.1/pp_pack.c:1627
  #10 0x2f6a66a in Perl_unpackstring /home/asan_perl/Documents/perl-5.26.1/pp_pack.c:838
  #11 0x2f6c002 in Perl_pp_unpack /home/asan_perl/Documents/perl-5.26.1/pp_pack.c:1848
  #12 0x1b1bc2e in Perl_runops_standard /home/asan_perl/Documents/perl-5.26.1/run.c:41
  #13 0x9218a5 in S_run_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2519
  #14 0x9218a5 in perl_run /home/asan_perl/Documents/perl-5.26.1/perl.c:2447
  #15 0x46b6a7 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:123
  #16 0x7f152b4bf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #17 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

--
Regards,
SRAUMS

p5pRT commented Jan 2, 2018

From sraums2498@gmail.com

==3861==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000030f2da1 at pc 0x7ffff6ef6df8 bp 0x7fffffffd480 sp 0x7fffffffcc28
READ of size 555 at 0x0000030f2da1 thread T0
  #0 0x7ffff6ef6df7 in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cdf7)
  #1 0x1e8c935 in memmove /usr/include/x86_64-linux-gnu/bits/string3.h:59
  #2 0x1e8c935 in Perl_sv_setpvn /home/asan_perl/Documents/perl-5.26.1/sv.c:5004
  #3 0x1e903d0 in Perl_newSVpvn_flags /home/asan_perl/Documents/perl-5.26.1/sv.c:9285
  #4 0x2eb918e in S_unpack_rec /home/asan_perl/Documents/perl-5.26.1/pp_pack.c:1627
  #5 0x2f6a66a in Perl_unpackstring /home/asan_perl/Documents/perl-5.26.1/pp_pack.c:838
  #6 0x2f6c002 in Perl_pp_unpack /home/asan_perl/Documents/perl-5.26.1/pp_pack.c:1848
  #7 0x1b1bc2e in Perl_runops_standard /home/asan_perl/Documents/perl-5.26.1/run.c:41
  #8 0x9218a5 in S_run_body /home/asan_perl/Documents/perl-5.26.1/perl.c:2519
  #9 0x9218a5 in perl_run /home/asan_perl/Documents/perl-5.26.1/perl.c:2447
  #10 0x46b6a7 in main /home/asan_perl/Documents/perl-5.26.1/perlmain.c:123
  #11 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #12 0x46c888 in _start (/home/asan_perl/Documents/perl-5.26.1/perl+0x46c888)

0x0000030f2da1 is located 63 bytes to the left of global variable 'PL_Yes' defined in 'perl.h:4769:15' (0x30f2de0) of size 2
  'PL_Yes' is ascii string '1'
0x0000030f2da1 is located 0 bytes to the right of global variable 'PL_No' defined in 'perl.h:4771:15' (0x30f2da0) of size 1
  'PL_No' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address:
  0x000080616560: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x000080616570: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000080616580: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x000080616590: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0000806165a0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9
=>0x0000806165b0: f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
  0x0000806165c0: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 00 00
  0x0000806165d0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9
  0x0000806165e0: f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
  0x0000806165f0: 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080616600: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==3861==ABORTING

--
Regards,
SRAUMS

p5pRT commented Jan 2, 2018

From sraums2498@gmail.com

314

p5pRT commented Jan 9, 2018

From @hvds

This reduces to:
  ./miniperl -e 's/(?=)/abcdefgh/; unpack "P"'
with the same stack trace.

With warnings, I note that the unpack is _not_ warning about an undef argument.

I'll look more at this if nobody else gets there first: I suspect the stack is getting out of sync somehow.

Hugo

p5pRT commented Jan 9, 2018

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Jan 9, 2018

From @hvds

This is a minor variant of rt132654, I'll merge them.

Hugo

p5pRT commented Jan 9, 2018

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Jan 17, 2018

From @tonycoz

On Tue, 09 Jan 2018 00:40:48 -0800, hv wrote:

This reduces to:
./miniperl -e 's/(?=)/abcdefgh/; unpack "P"'
with the same stack trace.

With warnings, I note that the unpack is _not_ warning about an undef
argument.

I'll look more at this if nobody else gets there first: I suspect the
stack is getting out of sync somehow.

The s/// turns $_ into "abcdefhg".

The unpack "P", which uses $_ if no EXPR is supplied, then attempts to use those bytes as a pointer, which of course fails horribly.

As the documentation in unpack says:

  The "p" and "P" formats should be used with care. Since Perl has
  no way of checking whether the value passed to "unpack"
  corresponds to a valid memory location, passing a pointer value
  that's not known to be valid is likely to have disastrous
  consequences.

Moving to the public queue (it isn't a security issue) and rejecting.

Tony
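A worked illustration of the point Tony quotes from the documentation, added here and not code from the ticket or from perl itself: since Perl cannot check whether a value handed to unpack "P" is a valid address, the program has to carry that knowledge. The pattern below only dereferences pointers the same process produced with pack "P", keeps the pointed-to buffer alive for as long as the pointer is registered, and rejects anything else, including the 8 bytes the reduction above leaves in $_. The names %known_ptr, make_pointer, read_pointer and free_pointer are hypothetical; the script assumes only core Perl's pack/unpack.

```perl
#!/usr/bin/perl
# Added illustration, not code from the ticket or from perl itself.
# Perl cannot validate a pointer value (see the unpack documentation quoted
# above), so only dereference pointers that this process packed itself.
use strict;
use warnings;

# Packed pointer value => reference to the scalar whose buffer it points at.
# Holding the reference keeps the buffer alive while the entry exists.
my %known_ptr;

sub make_pointer {
    my ($string) = @_;               # private copy; its buffer is the target
    my $ptr = pack("P", $string);    # pointer-sized raw bytes (8 on x86_64)
    $known_ptr{$ptr} = \$string;     # register it and pin the buffer
    return $ptr;
}

sub read_pointer {
    my ($ptr) = @_;
    # The ticket's crash is unpack "P" applied to $_ after a substitution,
    # i.e. to ordinary text that was never a pointer. Refuse anything we
    # did not create ourselves; no other check is possible from Perl.
    die "refusing to dereference an unknown pointer value\n"
        unless defined $ptr && exists $known_ptr{$ptr};
    my $len = length ${ $known_ptr{$ptr} };
    return unpack("P$len", $ptr);    # read exactly $len bytes from the address
}

sub free_pointer {
    my ($ptr) = @_;
    delete $known_ptr{$ptr};         # buffer may be released; pointer is dead
}

my $p = make_pointer("hello, world");
print read_pointer($p), "\n";        # prints: hello, world

# Constructed input: the same 8 bytes the reduction leaves in $_.
$_ = "abcdefgh";
eval { read_pointer($_) };
print "rejected: $@" if $@;

# A pointer we made but have since released is refused as well.
free_pointer($p);
eval { read_pointer($p) };
print "rejected after free: $@" if $@;
```

The registry is the only thing standing between unpack "P" and an arbitrary dereference, so in real code it should live behind a narrow interface that never accepts pointer bytes from outside the process; a length check alone would not have caught the ticket's case, because "abcdefgh" happens to be exactly pointer-sized on x86_64.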

p5pRT commented Jan 17, 2018

@tonycoz - Status changed from 'open' to 'rejected'

@p5pRT p5pRT closed this as completed Jan 17, 2018