New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#2 AddressSanitizer: heap-use-after-free on address 0x606000046d00 at pc 0x000000ef95ec bp 0x7ffe2a7856f0 sp 0x7ffe2a7856e8 READ of size 8 #16610
Comments
From superbsegfault@gmail.com================================================================= 0x606000046d00 is located 0 bytes inside of 64-byte region previously allocated by thread T0 here: SUMMARY: AddressSanitizer: heap-use-after-free |
From @hvdsThis reduces at least to: At the point of failure, we're hitting this code from mro_core.c:935: A hardware watchpoint on the location of isa shows it getting set during Perl_init_stacks () at perl.c:4307: Here's a run with -Do: EXECUTING... (-e:1) gp_free clearing PL_stashcache for 'L' I don't know enough about the mro stuff to guess whether this is simply "don't do that" territory or whether there's something we could or should be fixing. Hugo |
The RT System itself - Status changed from 'new' to 'open' |
From @hvdsOn Fri, 13 Jul 2018 03:39:46 -0700, hv wrote:
I feel I've got a little further with this. I set PERL_HASH_SEED for stability. This still SEGVs in the same place: I suspect that it boils down to something like: both the initial *bad_stash::=*non_stash and the later %{*non_stash}=() leave %bad_stash:: as something not properly initialised as a stash; it does get properly initialised at the point it is needed, but in this case we are reaching it twice in the same operation (as recursive_stash::bad_stash and recursive_stash::recursive_stash::bad_stash) and the first and second attempt are interacting badly. If that's correct, it may well be that the bad interaction relates to the seen_stashes logic in mro_gather_and_rename: Nothing I've seen so far suggests to me there is a credible security issue here, but I'm far from understanding it well enough to call it. Hugo |
From @tonycozOn Tue, 17 Jul 2018 07:02:45 -0700, hv wrote:
I don't think this is a security issue. I can see three cases: a) a perl program always does this type of contortion and crashes. This has nothing to do with attacker inputs, so isn't a security issue. b) a perl program does this type of contortion conditionally on attacher inputs, always using the same names. Since the names are the same, presumably this is by design, so control by an attacker is irrelevant. c) a perl program does this type of contortion using named supplied by an attacker. I'd think such a program is already a security mess, having this code crash can only improve security. As to the cause, I added some sv_dump() to S_mro_gather_and_rename() and stash and oldstash both point to the same hash, which *isn't* a stash (assuming I know what a stash is): stash Just to check I added an assertion to HvAUX(): #define HvAUX(hv) (assert(SvOOK(hv)), (struct xpvhv_aux*)&(HvARRAY(hv)[HvMAX(hv)+1])) which failed in the same place the segmentation fault occurs: stash Tony |
From @tonycozOn Thu, 02 Aug 2018 22:07:02 -0700, tonyc wrote:
No objections heard, so now public. Tony |
Migrated from rt.perl.org#133334 (status was 'open')
Searchable as RT133334$
The text was updated successfully, but these errors were encountered: