panic: Unexpected op 45 #16873

Closed
p5pRT opened this issue Mar 5, 2019 · 5 comments

Comments


p5pRT commented Mar 5, 2019

Migrated from rt.perl.org#133899 (status was 'resolved')

Searchable as RT133899$


p5pRT commented Mar 5, 2019

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run under
libdislocator, I found the following program (also attached to this
message) to either panic() or trigger ASAN diagnostics
heap-use-after-free:

00000000 73 04 7c 30 3f 68 5c 78 7b 33 30 30 7d 28 3f 7b |s.|0?h\x{300}(?{|
00000010 7d 29 04 04 67 72 69 |})..gri|

To trigger ASAN, surround it with 'eval q!!'. The ASAN trace follows:

==51489==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000009528 at pc 0x000000ca6f2d bp 0x7ffe1cccb540 sp 0x7ffe1cccb538
WRITE of size 8 at 0x604000009528 thread T0
  #0 0xca6f2c in S_cleanup_regmatch_info_aux /home/afl/afl-asan/regexec.c:10074:43
  #1 0xb1c83a in Perl_leave_scope /home/afl/afl-asan/scope.c:1269:6
  #2 0xb580ad in S_pop_eval_context_maybe_croak /home/afl/afl-asan/pp_ctl.c:1632:5
  #3 0xb576cd in Perl_die_unwind /home/afl/afl-asan/pp_ctl.c:1784:13
  #4 0x895c94 in Perl_vcroak /home/afl/afl-asan/util.c:1716:5
  #5 0x895c94 in Perl_croak /home/afl/afl-asan/util.c:1761
  #6 0xcfaef4 in S_setup_EXACTISH_ST_c1_c2 /home/afl/afl-asan/regexec.c:4558:25
  #7 0xcbee68 in S_regmatch /home/afl/afl-asan/regexec.c:8363:31
  #8 0xca76bd in S_regtry /home/afl/afl-asan/regexec.c:3933:14
  #9 0xc6d2b3 in Perl_regexec_flags /home/afl/afl-asan/regexec.c:3790:7
  #10 0x99500c in Perl_pp_subst /home/afl/afl-asan/pp_hot.c:4434:11
  #11 0x88f834 in Perl_runops_debug /home/afl/afl-asan/dump.c:2537:23
  #12 0x5f1015 in S_run_body /home/afl/afl-asan/perl.c:2692:2
  #13 0x5f1015 in perl_run /home/afl/afl-asan/perl.c:2615
  #14 0x50b60a in main /home/afl/afl-asan/perlmain.c:127:9
  #15 0x7f47a0a2709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
  #16 0x43bdc9 in _start (/home/afl/afl-asan/perl+0x43bdc9)

0x604000009528 is located 24 bytes inside of 48-byte region [0x604000009510,0x604000009540)
freed by thread T0 here:
  #0 0x4da200 in __interceptor_cfree.localalias.0 (/home/afl/afl-asan/perl+0x4da200)
  #1 0x89696a in Perl_safesysfree /home/afl/afl-asan/util.c:385:2
  #2 0x8c4396 in S_mg_free_struct /home/afl/afl-asan/mg.c:567:5
  #3 0x8c4396 in Perl_mg_free /home/afl/afl-asan/mg.c:588
  #4 0xa1e210 in Perl_sv_clear /home/afl/afl-asan/sv.c:6598:3
  #5 0xa269f7 in Perl_sv_free2 /home/afl/afl-asan/sv.c:7092:9
  #6 0xb1ef16 in S_SvREFCNT_dec /home/afl/afl-asan/./inline.h:216:6
  #7 0xb1ef16 in Perl_leave_scope /home/afl/afl-asan/scope.c:973
  #8 0xb580ad in S_pop_eval_context_maybe_croak /home/afl/afl-asan/pp_ctl.c:1632:5
  #9 0xb576cd in Perl_die_unwind /home/afl/afl-asan/pp_ctl.c:1784:13
  #10 0x895c94 in Perl_vcroak /home/afl/afl-asan/util.c:1716:5
  #11 0x895c94 in Perl_croak /home/afl/afl-asan/util.c:1761
  #12 0xcfaef4 in S_setup_EXACTISH_ST_c1_c2 /home/afl/afl-asan/regexec.c:4558:25
  #13 0xcbee68 in S_regmatch /home/afl/afl-asan/regexec.c:8363:31
  #14 0xca76bd in S_regtry /home/afl/afl-asan/regexec.c:3933:14
  #15 0xc6d2b3 in Perl_regexec_flags /home/afl/afl-asan/regexec.c:3790:7
  #16 0x99500c in Perl_pp_subst /home/afl/afl-asan/pp_hot.c:4434:11
  #17 0x88f834 in Perl_runops_debug /home/afl/afl-asan/dump.c:2537:23
  #18 0x5f1015 in S_run_body /home/afl/afl-asan/perl.c:2692:2
  #19 0x5f1015 in perl_run /home/afl/afl-asan/perl.c:2615
  #20 0x50b60a in main /home/afl/afl-asan/perlmain.c:127:9
  #21 0x7f47a0a2709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

previously allocated by thread T0 here:
  #0 0x4da570 in calloc (/home/afl/afl-asan/perl+0x4da570)
  #1 0x896bbe in Perl_safesyscalloc /home/afl/afl-asan/util.c:439:18
  #2 0xa115a6 in Perl_sv_magicext /home/afl/afl-asan/sv.c:5684:5
  #3 0xc65cc1 in S_setup_eval_state /home/afl/afl-asan/regexec.c:9993:18
  #4 0xc65cc1 in Perl_regexec_flags /home/afl/afl-asan/regexec.c:3411
  #5 0x992608 in Perl_pp_subst /home/afl/afl-asan/pp_hot.c:4231:10
  #6 0x88f834 in Perl_runops_debug /home/afl/afl-asan/dump.c:2537:23
  #7 0x5f1015 in S_run_body /home/afl/afl-asan/perl.c:2692:2
  #8 0x5f1015 in perl_run /home/afl/afl-asan/perl.c:2615
  #9 0x50b60a in main /home/afl/afl-asan/perlmain.c:127:9
  #10 0x7f47a0a2709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

This is a regression in blead, bisect points to

commit a9f8c7a
Author: Karl Williamson <khw@cpan.org>
Date: Tue Nov 27 09:42:45 2018 -0700

  Add regnode EXACTFU_ONLY8

  This is a regnode that otherwise would be an EXACTFU except that it
  contains a code point that requires UTF-8 to match, including all the
  possible folds involving it. Hence if the target string isn't UTF-8, we
  know it can't possibly match, without needing to try.

  For completeness, there could also be an EXACTFAA_ONLY8 and an
  EXACTFL_ONLY8 created, but I think these are unlikely to actually appear
  in the wild, since using /aa is mainly about ASCII, and /l mostly will
  involve characters that don't require UTF-8.

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0:
mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64
x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib
/usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined
dynamic_lookup -L/usr/local/lib -fstack-protector'


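The ASAN report in the comment above is the kind of output a fuzzing campaign produces by the hundred, so a triager needs to turn each one into a structured record and a dedup key before deciding which reports are the same bug. As an added example (not code from this bug report or from perl), here is a small Python parser that does that for the report above; the sample text is a constructed, abridged copy of that report, and the list of runtime/libc frames to skip and the key format are my own choices.

```python
import re

# Constructed sample: an abridged copy of the report above (at most two frames per stack).
SAMPLE = """\
==51489==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000009528 at pc 0x000000ca6f2d
WRITE of size 8 at 0x604000009528 thread T0
    #0 0xca6f2c in S_cleanup_regmatch_info_aux /home/afl/afl-asan/regexec.c:10074:43
    #1 0xb1c83a in Perl_leave_scope /home/afl/afl-asan/scope.c:1269:6
freed by thread T0 here:
    #0 0x4da200 in __interceptor_cfree.localalias.0 (/home/afl/afl-asan/perl+0x4da200)
    #1 0x89696a in Perl_safesysfree /home/afl/afl-asan/util.c:385:2
previously allocated by thread T0 here:
    #0 0x4da570 in calloc (/home/afl/afl-asan/perl+0x4da570)
    #1 0x896bbe in Perl_safesyscalloc /home/afl/afl-asan/util.c:439:18
"""

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
# Frames from the sanitizer runtime or libc carry no blame for the program under test.
LIBC = {"calloc", "malloc", "free", "realloc", "__libc_start_main", "_start"}

def parse_asan_report(text):
    """Split an ASan report into bug kind, faulting address and its three stacks."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("not an AddressSanitizer report")
    report = {"bug": m.group(1), "address": m.group(2),
              "stacks": {"access": [], "freed": [], "allocated": []}}
    current = "access"  # frames before any "freed by"/"allocated by" line belong to the faulting access
    for line in text.splitlines():
        if line.startswith("freed by"):
            current = "freed"
        elif line.startswith("previously allocated by"):
            current = "allocated"
        f = FRAME.match(line)
        if f:
            report["stacks"][current].append((f.group(1), f.group(2)))
    return report

def first_project_frame(frames):
    """Skip sanitizer/libc glue; the first remaining (function, location) is the one to blame."""
    return next(((f, loc) for f, loc in frames
                 if not f.startswith("__interceptor_") and f not in LIBC), None)

def triage_key(report):
    """Dedup key for a fuzzing corpus: bug kind plus the blamed function of each stack."""
    blamed = [first_project_frame(report["stacks"][n]) for n in ("access", "freed", "allocated")]
    return "|".join([report["bug"]] + [f[0] if f else "?" for f in blamed])
```

Two crashes from different inputs that yield the same key (here the write in S_cleanup_regmatch_info_aux on memory released via Perl_safesysfree and obtained via Perl_safesyscalloc) can be filed as one bug; a different blamed frame in any stack is a separate report.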

p5pRT commented Mar 5, 2019

From @dur-randir

0022_1


p5pRT commented Mar 7, 2019

From @khwilliamson

Fixed by
commit 70ecb4b
Author: Karl Williamson <khw@cpan.org>
Date: Thu Mar 7 11:37:21 2019 -0700

  PATCH: [perl #133899] panic in s///
 
  Thanks for finding this bug, and the others you've been finding.
 
  A new regnode was added, but this function was not updated to account
  for that. I've now checked all the other new regnodes in 5.29 and this
  was the only missing one.

--
Karl Williamson


p5pRT commented Mar 7, 2019

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Mar 7, 2019

@khwilliamson - Status changed from 'open' to 'resolved'
