Assertion failure in glob3 (bsd_glob.c:759) #16869

Open

p5pRT opened this issue Mar 3, 2019 · 4 comments

Comments

@p5pRT

p5pRT commented Mar 3, 2019

Migrated from rt.perl.org#133888 (status was 'open')

Searchable as RT133888$

@p5pRT

p5pRT commented Mar 3, 2019

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run
under libdislocator, I found the program attached to this message to
cause an assertion failure:

perl: bsd_glob.c:759: int glob3(Char *, Char *, Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *): Assertion `restpattern < restpattern_last' failed.

GDB stack trace follows:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7c25535 in __GI_abort () at abort.c:79
#2  0x00007ffff7c2540f in __assert_fail_base (fmt=0x7ffff7d87ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff7917040 "restpattern < restpattern_last", file=0x7ffff7917003 "bsd_glob.c", line=759, function=<optimized out>) at assert.c:92
#3  0x00007ffff7c330f2 in __GI___assert_fail (assertion=assertion@entry=0x7ffff7917040 "restpattern < restpattern_last", file=file@entry=0x7ffff7917003 "bsd_glob.c", line=line@entry=759, function=function@entry=0x7ffff791705f <__PRETTY_FUNCTION__.17683> "glob3") at assert.c:101
#4  0x00007ffff791323b in glob3 (pathbuf=pathbuf@entry=0x7fffffff9cb0, pathbuf_last=0x7fffffffbcae, pathend=pathend@entry=0x7fffffff9cb0, pathend_last=pathend_last@entry=0x7fffffffbcae, pattern=0x7fffffff7cb0, restpattern=0x7fffffff9cae, restpattern_last=0x7fffffff9cae, pglob=0x7fffffffdd60, limitp=0x7fffffff7ca8) at bsd_glob.c:759
#5  0x00007ffff7912af3 in glob2 (pathbuf=pathbuf@entry=0x7fffffff9cb0, pathbuf_last=pathbuf_last@entry=0x7fffffffbcae, pathend=pathend@entry=0x7fffffff9cb0, pathend_last=pathend_last@entry=0x7fffffffbcae, pattern=<optimized out>, pattern@entry=0x7fffffff7cb0, pattern_last=pattern_last@entry=0x7fffffff9cae, pglob=0x7fffffffdd60, limitp=0x7fffffff7ca8) at bsd_glob.c:732
#6  0x00007ffff79135fb in glob2 (limitp=0x7fffffff7ca8, pglob=0x7fffffffdd60, pattern_last=0x7fffffff9cae, pattern=0x7fffffff7cb0, pathend_last=0x7fffffffbcae, pathend=0x7fffffff9cb0, pathbuf_last=0x7fffffffbcae, pathbuf=0x7fffffff9cb0) at bsd_glob.c:668
#7  glob1 (limitp=0x7fffffff7ca8, pglob=0x7fffffffdd60, pattern_last=0x7fffffff9cae, pattern=0x7fffffff7cb0) at bsd_glob.c:650
#8  glob0 (pattern=pattern@entry=0x7fffffffbd30, pglob=pglob@entry=0x7fffffffdd60) at bsd_glob.c:584
#9  0x00007ffff7913a43 in globexp1 (pattern=0x7fffffffbd30, pglob=pglob@entry=0x7fffffffdd60) at bsd_glob.c:316
#10 0x00007ffff7913b3e in bsd_glob (pattern=pattern@entry=0x5555559b6610 "0<0>", '0' <repeats 45 times>, "'", '0' <repeats 150 times>..., flags=flags@entry=11904, errfunc=errfunc@entry=0x7ffff7913bf0 <errfunc>, pglob=pglob@entry=0x7fffffffdd60) at bsd_glob.c:292
#11 0x00007ffff7913ced in doglob (pattern=pattern@entry=0x5555559b6610 "0<0>", '0' <repeats 45 times>, "'", '0' <repeats 150 times>..., flags=flags@entry=11904) at Glob.xs:49
#12 0x00007ffff7915a66 in csh_glob (entries=entries@entry=0x555555989710, pat=<optimized out>, len=<optimized out>, is_utf8=<optimized out>) at Glob.xs:282
#13 0x00007ffff79143a2 in iterate (globber=0x7ffff7915440 <csh_glob>) at Glob.xs:118
#14 0x000055555571d148 in Perl_pp_glob () at pp_sys.c:364
#15 0x0000555555655792 in Perl_runops_debug () at dump.c:2535
#16 0x00005555555c45f0 in S_run_body (oldscope=1) at perl.c:2694
#17 perl_run (my_perl=<optimized out>) at perl.c:2617
#18 0x000055555558d1d2 in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:122

This is a regression between 5.18 and 5.20, bisect points to

commit 46a847d
Author: David Mitchell <davem@iabyn.com>
Date: Wed Nov 13 12:33:40 2013 +0000

  File::Glob: silence some compiler warnings

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0:
mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64
x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib
/usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined
dynamic_lookup -L/usr/local/lib -fstack-protector'



@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9


Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh

@p5pRT

p5pRT commented Mar 3, 2019

From @dur-randir

0054

@p5pRT

p5pRT commented Mar 27, 2019

From @tonycoz

On Sun, 03 Mar 2019 11:33:07 -0800, randir wrote:

> This is a bug report for perl from sergey.aleynikov@gmail.com,
> generated with the help of perlbug 1.41 running under perl 5.29.9.
>
> -----------------------------------------------------------------
> [Please describe your issue here]
>
> While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run
> under libdislocator, I found the program attached to this message to
> cause an assertion failure:
>
> perl: bsd_glob.c:759: int glob3(Char *, Char *, Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *): Assertion `restpattern < restpattern_last' failed.

I believe this is an error in the assertion.

The pattern in this case is exactly 4095 bytes long, you can reproduce this with​:

my $str = ("0" x 4094) . "?";
glob $str;

At the point of the call to glob3() restpattern points one past the end of the pattern (ie. at the terminating NUL for a simple glob) and restpattern_last points at the last byte in the buffer (*not* one past the end) ie. patbuf + MAXPATHLEN -1 (patbuf in glob0()).

So in this case they're equal and the assertion fails.

Tony
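The analysis above describes a mismatch between two pointer conventions: `restpattern` is an exclusive end pointer (one past the last pattern byte, at the NUL), while `restpattern_last` is an inclusive one (the last element inside the buffer, `patbuf + MAXPATHLEN - 1`). Frame #4 of the trace shows both at `0x7fffffff9cae`, so a strict `<` rejects a pattern that still fits. The C model below is an added example, not code from bsd_glob.c or from the Perl project; it reproduces the boundary arithmetic with a plain `char` buffer, assumes a buffer size of 4096 elements (consistent with the trace, where `restpattern - pattern` spans 4095 elements, but not a value quoted from the source), and contrasts the assertion as written with the inclusive comparison that matches the "last element" convention. Which form the real fix took is not stated on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this model: the pattern buffer holds MODEL_MAXPATHLEN elements,
 * so a 4095-byte pattern is the longest that still fits with its NUL.
 * 4096 is an assumption taken from the trace arithmetic, not from bsd_glob.c. */
#define MODEL_MAXPATHLEN 4096

/* Stand-in for patbuf in glob0(); plain char instead of bsd_glob.c's Char type,
 * because only element counts matter for the comparison under discussion. */
static char patbuf[MODEL_MAXPATHLEN];

/* Fill patbuf with `len` pattern bytes followed by the NUL terminator, in the
 * shape of the report's ("0" x 4094) . "?" input. Returns -1 when the pattern
 * cannot fit together with its terminator (such input never reaches glob3()). */
static int fill_pattern(size_t len)
{
    if (len + 1 > MODEL_MAXPATHLEN)
        return -1;
    memset(patbuf, '0', len);
    if (len > 0)
        patbuf[len - 1] = '?';   /* trailing metacharacter, as in the report */
    patbuf[len] = '\0';
    return 0;
}

/* Evaluate the assertion exactly as written in the failing build:
 *   restpattern      -> one past the last pattern byte (the NUL)
 *   restpattern_last -> last element inside the buffer, patbuf + MAXPATHLEN - 1 */
bool original_assertion_holds(size_t len)
{
    if (fill_pattern(len) != 0)
        return false;
    const char *restpattern = patbuf + len;
    const char *restpattern_last = patbuf + MODEL_MAXPATHLEN - 1;
    return restpattern < restpattern_last;
}

/* Same pointers, compared under the inclusive "last element" convention:
 * the NUL may legitimately sit on the final element of the buffer. */
bool inclusive_assertion_holds(size_t len)
{
    if (fill_pattern(len) != 0)
        return false;
    const char *restpattern = patbuf + len;
    const char *restpattern_last = patbuf + MODEL_MAXPATHLEN - 1;
    return restpattern <= restpattern_last;
}

/* The property the check is meant to guard: the terminator is still in bounds. */
bool terminator_in_bounds(size_t len)
{
    return len + 1 <= MODEL_MAXPATHLEN;
}

int main(void)
{
    /* 4094 passes both forms, 4095 is the reported case, 4096 cannot fit at all. */
    const size_t lens[] = { 4094, 4095, 4096 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%zu  original:%d  inclusive:%d  terminator_in_bounds:%d\n",
               lens[i],
               (int)original_assertion_holds(lens[i]),
               (int)inclusive_assertion_holds(lens[i]),
               (int)terminator_in_bounds(lens[i]));
    }
    return 0;
}
```

The practical point for a reviewer is that the two comparisons disagree only at the single length where the terminator lands on the last element, which is exactly the case a fuzzer finds and a hand-written test rarely covers. On a non-DEBUGGING build the assertion compiles out, so the question of whether the buffer bound is correct has to be answered by the real length checks rather than by the assert; on a DEBUGGING build the mismatch turns a valid 4095-byte pattern into an abort.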

@p5pRT

p5pRT commented Mar 27, 2019

The RT System itself - Status changed from 'new' to 'open'


3 participants