Failed making perl5 at lib/buildcustomize.pl #17054

Closed
p5pRT opened this issue Jun 20, 2019 · 17 comments

Comments

@p5pRT

p5pRT commented Jun 20, 2019

Migrated from rt.perl.org#134212 (status was 'open')

Searchable as RT134212$

@p5pRT

p5pRT commented Jun 20, 2019

From imdb95@gmail.com

Created by imdb95@gmail.com

I am trying to build Perl with American Fuzzy Lop, but have failed.
I am writing this report with the built-in perlbug.
Clang+llvm: clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04 (http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz)
AFL: afl-2.52b
The version I want to build is: perl 5, version 31, subversion 1
*******************************
./miniperl -v

This is perl 5, version 31, subversion 1 (v5.31.1 (UNKNOWN-miniperl)) built for x86_64-linux
*******************************
Following is the build log:
********************************
[Run]: AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-g
[Output]: => Success

[Run]: AFL_USE_ASAN=1 make
[Output]:
...
afl-clang-fast -fstack-protector-strong -L/usr/local/lib -o miniperl \
  opmini.o perlmini.o gv.o toke.o perly.o pad.o regcomp.o dump.o util.o mg.o reentr.o mro_core.o keywords.o hv.o av.o run.o pp_hot.o sv.o pp.o scope.o pp_ctl.o pp_sys.o doop.o doio.o regexec.o utf8.o taint.o deb.o universal.o globals.o perlio.o perlapi.o numeric.o mathoms.o locale.o pp_pack.o pp_sort.o caretx.o dquote.o time64.o miniperlmain.o -lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
afl-clang-fast 2.52b by <lszekeres@google.com>
./miniperl -w -Ilib -Idist/Exporter/lib -MExporter -e '<?>' || sh -c 'echo >&2 Failed to build miniperl. Please run make minitest; exit 1'
=================================================================
==16743==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000006b0 at pc 0x00000045c609 bp 0x7fff1fe02b50 sp 0x7fff1fe022f8
READ of size 2 at 0x6020000006b0 thread T0
  #0 0x45c608 in __interceptor_setlocale /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2875:5
  #1 0x887905 in Perl_upg_version /root/Fuzz/perl/./vutil.c:717:17
  #2 0x8853ed in Perl_new_version /root/Fuzz/perl/./vutil.c:551:12
  #3 0xb31ee3 in S_require_version /root/Fuzz/perl/pp_ctl.c:3719:10
  #4 0xb31ee3 in Perl_pp_require /root/Fuzz/perl/pp_ctl.c:4345
  #5 0x863dbc in Perl_runops_debug /root/Fuzz/perl/dump.c:2537:23
  #6 0x5d0f4c in Perl_call_sv /root/Fuzz/perl/perl.c:3043:6
  #7 0x5bbc7d in Perl_call_list /root/Fuzz/perl/perl.c:5077:6
  #8 0x56962e in S_process_special_blocks /root/Fuzz/perl/op.c:10469:6
  #9 0x539626 in Perl_newATTRSUB_x /root/Fuzz/perl/op.c:10395:21
  #10 0x541522 in Perl_utilize /root/Fuzz/perl/op.c:7590:5
  #11 0x6dfaa0 in Perl_yyparse /root/Fuzz/perl/perly.y:336:6
  #12 0x5c88c4 in S_parse_body /root/Fuzz/perl/perl.c:2531:9
  #13 0x5bf965 in perl_parse /root/Fuzz/perl/perl.c:1822:2
  #14 0xde129c in main /root/Fuzz/perl/miniperlmain.c:132:10
  #15 0x7f21e137a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #16 0x41c358 in _start (/root/Fuzz/perl/miniperl+0x41c358)

0x6020000006b0 is located 0 bytes inside of 8-byte region [0x6020000006b0,0x6020000006b8)
freed by thread T0 here:
  #0 0x4c2d0b in __interceptor_free /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
  #1 0x7f21e1385049 in setlocale (/lib/x86_64-linux-gnu/libc.so.6+0x2b049)

previously allocated by thread T0 here:
  #0 0x4c305c in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
  #1 0x7f21e13e5489 in __strdup (/lib/x86_64-linux-gnu/libc.so.6+0x8b489)
  #2 0x524f4c4f435f534b (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2875:5 in __interceptor_setlocale
Shadow bytes around the buggy address:
  0x0c047fff8080: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff8090: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff80a0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff80b0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff80c0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
=>0x0c047fff80d0: fa fa 00 fa fa fa[fd]fa fa fa fd fa fa fa fd fa
  0x0c047fff80e0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff80f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8100: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8110: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 06 fa
  0x0c047fff8120: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==16743==ABORTING
Failed to build miniperl. Please run make minitest
makefile:362: recipe for target 'lib/buildcustomize.pl' failed
make: *** [lib/buildcustomize.pl] Error 1
root@instance-2:~/Fuzz/perl# AFL_USE_ASAN=1 make
afl-clang-fast -fstack-protector-strong -L/usr/local/lib -o miniperl \
  opmini.o perlmini.o gv.o toke.o perly.o pad.o regcomp.o dump.o util.o
mg.o reentr.o mro_core.o keywords.o hv.o av.o run.o pp_hot.o sv.o pp.o
scope.o pp_ctl.o pp_sys.o doop.o doio.o regexec.o utf8.o taint.o deb.o
universal.o globals.o perlio.o perlapi.o numeric.o mathoms.o locale.o
pp_pack.o pp_sort.o caretx.o dquote.o time64.o miniperlmain.o -lpthread
-lnsl -ldl -lm -lcrypt -lutil -lc
afl-clang-fast 2.52b by <lszekeres@google.com>
./miniperl -w -Ilib -Idist/Exporter/lib -MExporter -e '<?>' || sh -c 'echo >&2 Failed to build miniperl. Please run make minitest; exit 1'
=================================================================
==16751==ERROR: AddressSanitizer: heap-use-after-free on address
0x6020000006b0 at pc 0x00000045c609 bp 0x7fffe6381650 sp 0x7fffe6380df8
READ of size 2 at 0x6020000006b0 thread T0
  #0 0x45c608 in __interceptor_setlocale
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2875:5
  #1 0x887905 in Perl_upg_version /root/Fuzz/perl/./vutil.c:717:17
  #2 0x8853ed in Perl_new_version /root/Fuzz/perl/./vutil.c:551:12
  #3 0xb31ee3 in S_require_version /root/Fuzz/perl/pp_ctl.c:3719:10
  #4 0xb31ee3 in Perl_pp_require /root/Fuzz/perl/pp_ctl.c:4345
  #5 0x863dbc in Perl_runops_debug /root/Fuzz/perl/dump.c:2537:23
  #6 0x5d0f4c in Perl_call_sv /root/Fuzz/perl/perl.c:3043:6
  #7 0x5bbc7d in Perl_call_list /root/Fuzz/perl/perl.c:5077:6
  #8 0x56962e in S_process_special_blocks /root/Fuzz/perl/op.c:10469:6
  #9 0x539626 in Perl_newATTRSUB_x /root/Fuzz/perl/op.c:10395:21
  #10 0x541522 in Perl_utilize /root/Fuzz/perl/op.c:7590:5
  #11 0x6dfaa0 in Perl_yyparse /root/Fuzz/perl/perly.y:336:6
  #12 0x5c88c4 in S_parse_body /root/Fuzz/perl/perl.c:2531:9
  #13 0x5bf965 in perl_parse /root/Fuzz/perl/perl.c:1822:2
  #14 0xde129c in main /root/Fuzz/perl/miniperlmain.c:132:10
  #15 0x7fb02aac582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #16 0x41c358 in _start (/root/Fuzz/perl/miniperl+0x41c358)

0x6020000006b0 is located 0 bytes inside of 8-byte region
[0x6020000006b0,0x6020000006b8)
freed by thread T0 here:
  #0 0x4c2d0b in __interceptor_free
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
  #1 0x7fb02aad0049 in setlocale (/lib/x86_64-linux-gnu/libc.so.6+0x2b049)

previously allocated by thread T0 here:
  #0 0x4c305c in malloc
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
  #1 0x7fb02ab30489 in __strdup (/lib/x86_64-linux-gnu/libc.so.6+0x8b489)
  #2 0x524f4c4f435f534b (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2875:5
in __interceptor_setlocale
Shadow bytes around the buggy address:
  0x0c047fff8080: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff8090: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff80a0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff80b0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff80c0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
=>0x0c047fff80d0: fa fa 00 fa fa fa[fd]fa fa fa fd fa fa fa fd fa
  0x0c047fff80e0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff80f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8100: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8110: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 06 fa
  0x0c047fff8120: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==16751==ABORTING
Failed to build miniperl. Please run make minitest
makefile:362: recipe for target 'lib/buildcustomize.pl' failed
make: *** [lib/buildcustomize.pl] Error 1

[Run]: AFL_USE_ASAN=1 make minitest
[Output]: the same as above

Please fix the bug.
Thanks,
Manh Nguyen
********************************

Perl Info

Flags:
    category=install
    severity=low

Site configuration information for perl 5.22.1:

Configured by Debian Project at Mon Nov 19 18:29:35 UTC 2018.

Summary of my perl5 (revision 5 version 22 subversion 1) configuration:

  Platform:
    osname=linux, osvers=3.16.0, archname=x86_64-linux-gnu-thread-multi
    uname='linux localhost 3.16.0 #1 smp debian 3.16.0 x86_64 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dcc=x86_64-linux-gnu-gcc
-Dcpp=x86_64-linux-gnu-cpp -Dld=x86_64-linux-gnu-gcc -Dccflags=-DDEBIAN
-Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Dldflags= -Wl,-Bsymbolic-functions -Wl,-z,relro
-Dlddlflags=-shared -Wl,-Bsymbolic-functions -Wl,-z,relro
-Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr
-Dprivlib=/usr/share/perl/5.22
-Darchlib=/usr/lib/x86_64-linux-gnu/perl/5.22 -Dvendorprefix=/usr
-Dvendorlib=/usr/share/perl5
-Dvendorarch=/usr/lib/x86_64-linux-gnu/perl5/5.22 -Dsiteprefix=/usr/local
-Dsitelib=/usr/local/share/perl/5.22.1
-Dsitearch=/usr/local/lib/x86_64-linux-gnu/perl/5.22.1
-Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3
-Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3
-Duse64bitint -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager
-Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -Uversiononly
-DDEBUGGING=-g -Doptimize=-O2 -dEs -Duseshrplib -Dlibperl=libperl.so.5.22.1'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='x86_64-linux-gnu-gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE
-DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv
-fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='5.4.0 20160609', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678,
doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16,
longdblkind=3
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='x86_64-linux-gnu-gcc', ldflags =' -fstack-protector-strong
-L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/5/include-fixed
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=libc-2.23.so, so=so, useshrplib=true, libperl=libperl.so.5.22
    gnulibc_version='2.23'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib
-fstack-protector-strong'

Locally applied patches:
    DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS
default for modules installed from CPAN.
    DEBPKG:debian/db_file_ver - http://bugs.debian.org/340047 Remove overly
restrictive DB_File version check.
    DEBPKG:debian/doc_info - Replace generic man(1) instructions with
Debian-specific information.
    DEBPKG:debian/enc2xs_inc - http://bugs.debian.org/290336 Tweak enc2xs
to follow symlinks and ignore missing @INC directories.
    DEBPKG:debian/errno_ver - http://bugs.debian.org/343351 Remove Errno
version check due to upgrade problems with long-running processes.
    DEBPKG:debian/libperl_embed_doc - http://bugs.debian.org/186778 Note
that libperl-dev package is required for embedded linking
    DEBPKG:fixes/respect_umask - Respect umask during installation
    DEBPKG:debian/writable_site_dirs - Set umask approproately for site
install directories
    DEBPKG:debian/extutils_set_libperl_path - EU:MM: set location of
libperl.a under /usr/lib
    DEBPKG:debian/no_packlist_perllocal - Don't install .packlist or
perllocal.pod for perl or vendor
    DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the
binary targets.
    DEBPKG:debian/instmodsh_doc - Debian policy doesn't install .packlist
files for core or vendor.
    DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH as
per Debian policy.
    DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to
/etc/perl/Net as /usr may not be writable.
    DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
    DEBPKG:debian/prune_libs - http://bugs.debian.org/128355 Prune the list
of libraries wanted to what we actually need.
    DEBPKG:fixes/net_smtp_docs - [rt.cpan.org #36038]
http://bugs.debian.org/100195 Document the Net::SMTP 'Port' option
    DEBPKG:debian/perlivp - http://bugs.debian.org/510895 Make perlivp skip
include directories in /usr/local
    DEBPKG:debian/deprecate-with-apt - http://bugs.debian.org/747628 Point
users to Debian packages of deprecated core modules
    DEBPKG:debian/squelch-locale-warnings - http://bugs.debian.org/508764
Squelch locale warnings in Debian package maintainer scripts
    DEBPKG:debian/skip-upstream-git-tests - Skip tests specific to the
upstream Git repository
    DEBPKG:debian/patchlevel - http://bugs.debian.org/567489 List packaged
patches for 5.22.1-9ubuntu0.6 in patchlevel.h
    DEBPKG:debian/skip-kfreebsd-crash - http://bugs.debian.org/628493 [perl
#96272] Skip a crashing test case in t/op/threads.t on GNU/kFreeBSD
    DEBPKG:fixes/document_makemaker_ccflags - http://bugs.debian.org/628522
[rt.cpan.org #68613] Document that CCFLAGS should include $Config{ccflags}
    DEBPKG:debian/find_html2text - http://bugs.debian.org/640479 Configure
CPAN::Distribution with correct name of html2text
    DEBPKG:debian/perl5db-x-terminal-emulator.patch -
http://bugs.debian.org/668490 Invoke x-terminal-emulator rather than xterm
in perl5db.pl
    DEBPKG:debian/cpan-missing-site-dirs - http://bugs.debian.org/688842
Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent is
writable
    DEBPKG:fixes/memoize_storable_nstore - [rt.cpan.org #77790]
http://bugs.debian.org/587650 Memoize::Storable: respect 'nstore' option
not respected
    DEBPKG:debian/regen-skip - Skip a regeneration check in unrelated git
repositories
    DEBPKG:debian/makemaker-pasthru - http://bugs.debian.org/758471 Pass LD
settings through to subdirectories
    DEBPKG:fixes/pod_man_reproducible_date - http://bugs.debian.org/759405
Support POD_MAN_DATE in Pod::Man for the left-hand footer
    DEBPKG:debian/locale-robustness - http://bugs.debian.org/782068 [perl
#124310] Make t/run/locale.t survive missing locales masked by LC_ALL
    DEBPKG:fixes/podman-utc - http://bugs.debian.org/780259 Make the
embedded date from Pod::Man reproducible
    DEBPKG:fixes/podman-utc-docs - http://bugs.debian.org/780259
Documentation and test suite updates for UTC fix
    DEBPKG:fixes/podman-empty-date - http://bugs.debian.org/780259 Support
an empty POD_MAN_DATE environment variable
    DEBPKG:fixes/podman-pipe - http://bugs.debian.org/777405 Better errors
for man pages from standard input
    DEBPKG:debian/pod2man-customized - Update porting/customized.dat for
pod2man modifications
    DEBPKG:debian/makemaker-manext - http://bugs.debian.org/247370 Make
EU::MakeMaker honour MANnEXT settings in generated manpage headers
    DEBPKG:debian/makemaker_customized - Update t/porting/customized.dat
for files patched in Debian
    DEBPKG:debian/do-not-record-build-date - [6baa8db]
http://bugs.debian.org/774422 [perl #125830] Allow overriding the compile
time in "perl -V" output
    DEBPKG:fixes/podman-source-date-epoch - http://bugs.debian.org/801621
Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable
    DEBPKG:fixes/podman-source-date-epoch-cleanups -
http://bugs.debian.org/801621 Coding style and documentation for
SOURCE_EPOCH_DATE
    DEBPKG:fixes/podman-source-date-epoch-testfix -
http://bugs.debian.org/807086 Guard for building with SOURCE_DATE_EPOCH or
POD_MAN_DATE set
    DEBPKG:debian/devel-ppport-reproducibility -
http://bugs.debian.org/801523 Sort the list of XS code files when
generating RealPPPort.xs
    DEBPKG:fixes/encode-unicode-bom - http://bugs.debian.org/798727 [
rt.cpan.org #107043] Address
https://rt.cpan.org/Public/Bug/Display.html?id=107043
    DEBPKG:debian/encode-unicode-bom-doc - http://bugs.debian.org/798727
Document Debian backport of Encode::Unicode fix
    DEBPKG:debian/kfreebsd-softupdates - http://bugs.debian.org/796798 Work
around Debian Bug#796798
    DEBPKG:fixes/autodie-scope - http://bugs.debian.org/798096 Fix a
scoping issue with "no autodie" and the "system" sub
    DEBPKG:debian/debugperl-compat-fix - [perl #127212]
http://bugs.debian.org/810326 Disable PERL_TRACK_MEMPOOL for debugging
builds
    DEBPKG:fixes/CVE-2015-8607_file_spec_taint_fix -
http://bugs.debian.org/810719 [perl #126862] ensure File::Spec::canonpath()
preserves taint
    DEBPKG:fixes/mkstemp-umask - http://bugs.debian.org/810924 [perl
#127322] [e57270b] Fix umask for mkstemp(3) calls
    DEBPKG:fixes/crosscompile-no-targethost - [perl #127234] Fix the
Configure escape with usecrosscompile but no targethost
    DEBPKG:fixes/podlators-no-encode - [rt.cpan.org #111156] Degrade
gracefully if utf8 is requested but Encode is not available
    DEBPKG:debian/cross-time-hires - [rt.cpan.org #111391] Add an
environment variable to skip running configuration probes
    DEBPKG:fixes/encode-unicode-pod - Unicode.pm: Fix POD error
    DEBPKG:fixes/memoize-pod - [rt.cpan.org #89441] Fix POD errors in
Memoize
    DEBPKG:fixes/ok-pod - Added encoding for pod.
    DEBPKG:fixes/CVE-2016-2381_duplicate_env - remove duplicate environment
variables from environ
    DEBPKG:fixes/CVE-2017-12837.patch - [PATCH] regcomp [perl #131582]
    DEBPKG:fixes/CVE-2017-12883.patch - [PATCH] PATCH: [perl #131598]
    DEBPKG:fixes/CVE-2016-6185.patch - [PATCH]
=?utf8?q?Don=E2=80=99t=20let=20XSLoader=20load=20relative?=
=?utf8?q?=20paths?=
    DEBPKG:fixes/CVE-2017-6512-pre.patch - [PATCH] Correct the order of
tests of chmod(). (#294)
    DEBPKG:fixes/CVE-2017-6512.patch - http://bugs.debian.org/863870 [
rt.cpan.org #121951] Prevent directory chmod race attack.
    DEBPKG:fixes/CVE-2018-6797.patch - (perl #132227) restart a node if we
change to uni rules within the node and encounter a sharp S
    DEBPKG:fixes/CVE-2018-6798-1.patch - [perl #132063]: Heap buffer
overflow
    DEBPKG:fixes/CVE-2018-6798-2.patch - v5.24.3: fix TRIE_READ_CHAR and
DECL_TRIE_TYPE to account for non-utf8 target
    DEBPKG:fixes/CVE-2018-6798-3.patch - (perl #132063) we should no longer
warn for this code
    DEBPKG:fixes/CVE-2018-6913.patch - (perl #131844) fix various space
calculation issues in pp_pack.c
    DEBPKG:fixes/CVE-2018-12015.patch - [PATCH] [PATCH] Remove existing
files before overwriting them
    DEBPKG:fixes/CVE-2018-18311.patch - [PATCH] Perl_my_setenv(); handle
integer wrap
    DEBPKG:fixes/CVE-2018-18312.patch - [PATCH 242/242] PATCH: [perl
#133423] for 5.26 maint
    DEBPKG:fixes/CVE-2018-18313.patch - [PATCH] regcomp.c: Convert some
strchr to memchr
    DEBPKG:fixes/CVE-2018-18314.patch - [PATCH] fix #131649 - extended
charclass can trigger assert


@INC for perl 5.22.1:
    /etc/perl
    /usr/local/lib/x86_64-linux-gnu/perl/5.22.1
    /usr/local/share/perl/5.22.1
    /usr/lib/x86_64-linux-gnu/perl5/5.22
    /usr/share/perl5
    /usr/lib/x86_64-linux-gnu/perl/5.22
    /usr/share/perl/5.22
    /usr/local/lib/site_perl
    /usr/lib/x86_64-linux-gnu/perl-base
    .


Environment for perl 5.22.1:
    HOME=/root
    LANG=C.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)

    PATH=/root/Fuzz/afl-2.52b:/root/Fuzz/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
    PERL_BADLANG (unset)
    SHELL=/bin/bash
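The trace in the report has a recognisable shape: the 8-byte buffer was allocated by __strdup, freed inside libc's setlocale, and read again inside setlocale (frame #0 is the sanitizer's setlocale interceptor, which checks the locale-name argument before calling the real function). That is the shape produced by code that keeps the pointer returned by setlocale(category, NULL), calls setlocale again to switch the category, and then passes the kept pointer back to restore it. The returned string is owned by the C library, setlocale(3) says a later call may invalidate it, and glibc frees a category's previous name string when the category is changed to something else. Whether the switch actually changes the category depends on the locale the process started with, so the same binary can run clean in one environment and abort in another. The C example below is added here and is not code from the Perl tree, from vutil.c, or from the reporter; it shows the unsafe save/switch/restore pattern next to a version that copies the name first. Which category vutil.c was switching is not visible in the trace, so the example's use of LC_NUMERIC is an assumption, as are the function names and the sample input "3.75".

```c
/*
 * Added example, not Perl's code: the setlocale() save/switch/restore
 * pattern that the ASan trace above is consistent with, in an unsafe
 * form and a hardened form. Assumptions: the switched category is
 * LC_NUMERIC; function names and inputs are this example's own.
 *
 * setlocale() returns a pointer into storage owned by the C library. The
 * manual page says a later setlocale() call may invalidate it, and glibc
 * frees a category's old name string when the category is changed, which
 * is exactly the "freed by setlocale, read by setlocale" report above.
 */
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap copy of a C string. Uses malloc/memcpy rather than strdup so the
 * file does not depend on feature-test macros. Returns NULL on failure. */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/*
 * UNSAFE: 'cur' points at the library's own buffer. If switching
 * LC_NUMERIC to "C" changes the category, that buffer is freed, and the
 * restore call hands a dangling pointer to setlocale(), which reads it:
 * a heap-use-after-free. Kept only to show the shape of the bug; never
 * call it.
 */
double parse_with_c_numeric_unsafe(const char *text)
{
    const char *cur = setlocale(LC_NUMERIC, NULL);  /* library-owned */
    double v;
    setlocale(LC_NUMERIC, "C");                     /* may free 'cur' */
    v = strtod(text, NULL);
    setlocale(LC_NUMERIC, cur);                     /* use after free */
    return v;
}

/*
 * SAFE: copy the current name into memory we own before touching the
 * locale, restore from the copy, then release it. *ok becomes 1 on
 * success, 0 if the name could not be saved, text is NULL, or the
 * switch failed; on failure the locale is left untouched and 0.0 returned.
 */
double parse_with_c_numeric(const char *text, int *ok)
{
    double v = 0.0;
    int success = 0;
    const char *cur = setlocale(LC_NUMERIC, NULL);
    char *saved = (cur != NULL) ? copy_string(cur) : NULL;

    if (saved != NULL && text != NULL && setlocale(LC_NUMERIC, "C") != NULL) {
        v = strtod(text, NULL);        /* '.' is the radix point in "C" */
        success = 1;
        setlocale(LC_NUMERIC, saved);  /* 'saved' is ours; libc never frees it */
    }
    free(saved);
    if (ok != NULL)
        *ok = success;
    return v;
}

/* Returns 1 if a safe round trip parsed "3.75" under the C locale and
 * left the LC_NUMERIC name exactly as it was before, else 0. */
int roundtrip_preserves_locale(void)
{
    const char *cur = setlocale(LC_NUMERIC, NULL);
    char *before = (cur != NULL) ? copy_string(cur) : NULL;
    const char *after;
    int ok = 0;
    int same;
    double v;

    if (before == NULL)
        return 0;
    v = parse_with_c_numeric("3.75", &ok);
    after = setlocale(LC_NUMERIC, NULL);
    same = ok && v == 3.75 && after != NULL && strcmp(before, after) == 0;
    free(before);
    return same;
}

int main(void)
{
    int ok = 0;
    double v = parse_with_c_numeric("3.75", &ok);
    printf("parsed %g (ok=%d); LC_NUMERIC preserved: %s\n",
           v, ok, roundtrip_preserves_locale() ? "yes" : "no");
    return roundtrip_preserves_locale() ? 0 : 1;
}
```

Building this with AFL_USE_ASAN=1 afl-clang-fast (or plain clang -fsanitize=address) and calling the unsafe variant from a process whose LC_NUMERIC is not already "C" reproduces the same free-in-setlocale, read-in-setlocale report; the safe variant never hands libc a pointer libc can have freed. On POSIX.1-2008 systems, newlocale(LC_NUMERIC_MASK, "C", 0) with uselocale() and freelocale() avoids touching the global locale at all, which also removes the thread-safety problem; the example stays with setlocale() because that is what the trace shows.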

@p5pRT

p5pRT commented Jun 22, 2019

From @jkeenan

On Thu, 20 Jun 2019 09:44:34 GMT, imdb95@gmail.com wrote:

From: imdb95@gmail.com
Message-Id: <5.22.1_17412_1561023304@instance-2>
Reply-To: imdb95@gmail.com
To: perlbug@perl.org

This is a bug report for perl from imdb95@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.22.1.

Can you supply the full ./Configure command (i.e., all switches) which you used in this attempt to build with AFL?

Thank you very much.

--
James E Keenan (jkeenan@cpan.org)

@p5pRT
p5pRT commented Jun 22, 2019

The RT System itself - Status changed from 'new' to 'open'

@p5pRT
p5pRT commented Jun 22, 2019

From imdb95@gmail.com

The full commands I compiled:
1. AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-g

2. AFL_USE_ASAN=1 make

One important clue: I built it on "Ubuntu 16.04 LTS Minimal" of Google Cloud. When built on "Ubuntu 16.04 LTS", it's ok.
[image: image.png]

On Sat, Jun 22, 2019 at 9:14 PM James E Keenan via RT <perlbug-followup@perl.org> wrote:

On Thu, 20 Jun 2019 09:44:34 GMT, imdb95@gmail.com wrote:

From: imdb95@gmail.com
Message-Id: <5.22.1_17412_1561023304@instance-2>
Reply-To: imdb95@gmail.com
To: perlbug@perl.org

This is a bug report for perl from imdb95@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.22.1.

-----------------------------------------------------------------
[Please describe your issue here]
I am trying to build Perl with American Fuzzing Lop, but have failed.
I write this report with builtin perlbug.
Clang+llvm: clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04 (http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz)
AFL: afl-2.52b
The version I want to build is: perl 5, version 31, subversion 1

Can you supply the full ./Configure command (i.e., all switches) which you used in this attempt to build with AFL?

Thank you very much.

--
James E Keenan (jkeenan@cpan.org)

@p5pRT
p5pRT commented Jun 22, 2019

From imdb95@gmail.com

image.png

@p5pRT
p5pRT commented Jun 23, 2019

From @jkeenan

[We prefer bottom-posting; rearranging comments.]

On Sat, Jun 22, 2019 at 9:14 PM James E Keenan via RT <perlbug-followup@perl.org> wrote:

On Thu, 20 Jun 2019 09:44:34 GMT, imdb95@gmail.com wrote:

From: imdb95@gmail.com
Message-Id: <5.22.1_17412_1561023304@instance-2>
Reply-To: imdb95@gmail.com
To: perlbug@perl.org

This is a bug report for perl from imdb95@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.22.1.

-----------------------------------------------------------------
[Please describe your issue here]
I am trying to build Perl with American Fuzzing Lop, but have failed.
I write this report with builtin perlbug.
Clang+llvm: clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04 (http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz)
AFL: afl-2.52b
The version I want to build is: perl 5, version 31, subversion 1

Can you supply the full ./Configure command (i.e., all switches) which you used in this attempt to build with AFL?

Thank you very much.

--
James E Keenan (jkeenan@cpan.org)

On Sat, 22 Jun 2019 21:12:49 GMT, imdb95@gmail.com wrote:

The full commands I compiled:
1. AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-g

2. AFL_USE_ASAN=1 make

One important clue: I built it on "Ubuntu 16.04 LTS Minimal" of Google Cloud. When built on "Ubuntu 16.04 LTS", it's ok.
[image: image.png]

Aha! You said the magic word​: Google Cloud.

This is probably the first bug report we have heard from some one attempting to build on Google Cloud. So we have no idea how well Perl 5 is supported on that platform.

So, several questions​:

1. Can you build perl-5.31.1 on Google clouds with these more typical configurations?

a. sh ./Configure -des -Dusedevel
b. sh ./Configure -des -Dusedevel -Duseithreads
c. sh ./Configure -des -Dusedevel -DDEBUGGING
d. sh ./Configure -des -Dusedevel -Duseithreads -DDEBUGGING

2. Can you build the latest *production* release of Perl (5.30.0) on Google Cloud with the above configurations?

3. Can you build perl-5.30.0 with the fuzzing switches on Google Cloud?

4. Have you been able to build earlier production releases of Perl (e.g., 5.24, 5.26, 5.28) with the fuzzing switches on Google Cloud?

Thank you very much.

--
James E Keenan (jkeenan@cpan.org)

@p5pRT
p5pRT commented Jun 24, 2019

From @tonycoz

On Thu, 20 Jun 2019 02:44:34 -0700, imdb95@gmail.com wrote:

I am trying to build Perl with American Fuzzing Lop, but have failed.
I write this report with builtin perlbug.
Clang+llvm: clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04 (http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz)
AFL: afl-2.52b
The version I want to build is: perl 5, version 31, subversion 1

Is there any chance you can get valgrind on the VM?

If so, can you run​:

  valgrind ./miniperl -w -Ilib -Idist/Exporter/lib -MExporter -e '<?>'

after the failed build?

valgrind tends to provide better diagnostics on a use after free than ASAN.

Thanks,
Tony

@p5pRT
p5pRT commented Sep 16, 2019

From @tonycoz

On Sun, 23 Jun 2019 18:19:35 -0700, tonyc wrote:

Is there any chance you can get valgrind on the VM?

While this would still be useful, I have a suspicion of the cause.

READ of size 2 at 0x6020000006b0 thread T0
  #0 0x45c608 in __interceptor_setlocale /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2875:5
  #1 0x887905 in Perl_upg_version /root/Fuzz/perl/./vutil.c:717:17
  #2 0x8853ed in Perl_new_version /root/Fuzz/perl/./vutil.c:551:12
  #3 0xb31ee3 in S_require_version /root/Fuzz/perl/pp_ctl.c:3719:10
  #4 0xb31ee3 in Perl_pp_require /root/Fuzz/perl/pp_ctl.c:4345
  #5 0x863dbc in Perl_runops_debug /root/Fuzz/perl/dump.c:2537:23
  #6 0x5d0f4c in Perl_call_sv /root/Fuzz/perl/perl.c:3043:6
  #7 0x5bbc7d in Perl_call_list /root/Fuzz/perl/perl.c:5077:6
  #8 0x56962e in S_process_special_blocks /root/Fuzz/perl/op.c:10469:6
  #9 0x539626 in Perl_newATTRSUB_x /root/Fuzz/perl/op.c:10395:21
  #10 0x541522 in Perl_utilize /root/Fuzz/perl/op.c:7590:5
  #11 0x6dfaa0 in Perl_yyparse /root/Fuzz/perl/perly.y:336:6
  #12 0x5c88c4 in S_parse_body /root/Fuzz/perl/perl.c:2531:9
  #13 0x5bf965 in perl_parse /root/Fuzz/perl/perl.c:1822:2
  #14 0xde129c in main /root/Fuzz/perl/miniperlmain.c:132:10
  #15 0x7f21e137a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #16 0x41c358 in _start (/root/Fuzz/perl/miniperl+0x41c358)

Here's the code in question (minus the irrelevant code):

    const char * locale_name_on_entry;

    LC_NUMERIC_LOCK(0);                                   /* Start critical section */

    locale_name_on_entry = setlocale(LC_NUMERIC, NULL);   <-- get current locale name (possibly malloced())
    if (   strNE(locale_name_on_entry, "C")
        && strNE(locale_name_on_entry, "POSIX"))
    {
        setlocale(LC_NUMERIC, "C");                       <-- change locale, possibly freeing locale_name_on_entry
    }
    else {  /* This value indicates to the restore code that we didn't
               change the locale */
        locale_name_on_entry = NULL;
    }

...

    if (locale_name_on_entry) {
        setlocale(LC_NUMERIC, locale_name_on_entry);      <-- use freed value
    }

The lifetime of the string returned by setlocale() isn't well documented, but it is documented that it *may* return a pointer to static storage, in which case the setlocale(LC_NUMERIC, "C") may overwrite it, making the value useless for restoring the locale.

The attached should fix it.

#134182 (which I found after checking the version.pm PRs) has an incomplete patch for this.

Tony
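
The static-storage case Tony describes above, as an added example that is not part of this thread and not perl's own vutil.c code. It assumes a mock setlocale() (mock_setlocale, a hypothetical stand-in; the real libc is never called) that hands back one static buffer on every call, so a call that changes the locale overwrites the name an earlier query returned. The two functions contrast the pre-patch pattern, which keeps the raw pointer across the switch, with the patched copy-then-free pattern; save_name stands in for perl's savepv(), and switch_and_restore_unsafe, switch_and_restore_safe and set_mock_locale are names chosen for the example.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * mock_setlocale(): assumed stand-in for libc's setlocale() in the
 * "static storage" case. Every call returns the same static buffer, so a
 * locale change clobbers the name a previous query handed out. glibc's
 * heap-allocated variant turns the same mistake into the heap-use-after-free
 * in the ASan report above; the fix is identical either way.
 */
static char current_locale[64] = "C";

static char *mock_setlocale(int category, const char *name)
{
    (void)category;                          /* only LC_NUMERIC is modelled */
    if (name != NULL) {
        char tmp[sizeof current_locale];
        snprintf(tmp, sizeof tmp, "%s", name);   /* name may alias the buffer */
        strcpy(current_locale, tmp);
    }
    return current_locale;
}

/* Equivalent of perl's savepv(): a heap copy that the caller must free. */
static char *save_name(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL)
        memcpy(copy, s, len);
    return copy;
}

static int is_c_locale(const char *name)
{
    return strcmp(name, "C") == 0 || strcmp(name, "POSIX") == 0;
}

/* Pre-patch pattern: holds the raw setlocale() pointer across the switch. */
const char *switch_and_restore_unsafe(void)
{
    const char *on_entry = mock_setlocale(LC_NUMERIC, NULL);
    if (!is_c_locale(on_entry))
        mock_setlocale(LC_NUMERIC, "C");     /* clobbers what on_entry points at */
    else
        on_entry = NULL;                     /* sentinel: nothing to restore */

    /* ... work that needs the C locale (parsing a version string) ... */

    if (on_entry)
        mock_setlocale(LC_NUMERIC, on_entry);   /* on_entry now reads "C" */
    return mock_setlocale(LC_NUMERIC, NULL);    /* locale the caller is left with */
}

/* Patched pattern: copy the name before switching, free it after restoring. */
const char *switch_and_restore_safe(void)
{
    char *on_entry = NULL;
    const char *current = mock_setlocale(LC_NUMERIC, NULL);
    if (!is_c_locale(current)) {
        on_entry = save_name(current);       /* private copy survives the switch */
        if (on_entry == NULL)
            return NULL;                     /* allocation failed; locale untouched */
        mock_setlocale(LC_NUMERIC, "C");
    }

    /* ... work that needs the C locale (parsing a version string) ... */

    if (on_entry) {
        mock_setlocale(LC_NUMERIC, on_entry);   /* restore from the copy */
        free(on_entry);                         /* freed only after its last use */
    }
    return mock_setlocale(LC_NUMERIC, NULL);
}

/* Test hook: put the mock into a constructed starting locale. */
void set_mock_locale(const char *name)
{
    mock_setlocale(LC_NUMERIC, name);
}

int main(void)
{
    set_mock_locale("de_DE.UTF-8");
    printf("unsafe restore leaves LC_NUMERIC = %s\n", switch_and_restore_unsafe());
    set_mock_locale("de_DE.UTF-8");
    printf("safe restore leaves   LC_NUMERIC = %s\n", switch_and_restore_safe());
    return 0;
}
```

Starting from a non-C locale, the unsafe variant leaves LC_NUMERIC at "C" because the restoring call reads the buffer that the switch already overwrote, while the safe variant gets the original name back. Under glibc, where the returned name is heap-allocated (the report shows it coming from __strdup and being freed inside setlocale), the same unsafe sequence is the read of a freed 8-byte region that AddressSanitizer flagged.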

@p5pRT
p5pRT commented Sep 16, 2019

From @tonycoz

0001-perl-134212-ensure-locale_name_on_entry-isn-t-clobbe.patch
From 1fe5ce568b3606d1c33ff4e8cb5cace78c2cbaf4 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 16 Sep 2019 16:38:26 +1000
Subject: (perl #134212) ensure locale_name_on_entry isn't clobbered

If the return value of setlocale() is static storage, the call to
setlocale(LC_NUMERIC, "C"); could overwrite it.

If the return value of setlocale() is malloced, the call to
setlocale(LC_NUMERIC, "C"); could free it.

Either way, we need to copy it
---
 t/porting/customized.dat | 2 +-
 vutil.c                  | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/t/porting/customized.dat b/t/porting/customized.dat
index b386353b7c..d3af0693e7 100644
--- a/t/porting/customized.dat
+++ b/t/porting/customized.dat
@@ -24,4 +24,4 @@ autodie cpan/autodie/t/mkdir.t 9e70d2282a3cc7d76a78bf8144fccba20fb37dac
 autodie cpan/autodie/t/recv.t 63bea2daa330e44b67714527ddf701c1bf3a6954
 experimental cpan/experimental/t/basic.t cb9da8dd05b854375809872a05dd32637508d5da
 version cpan/version/lib/version.pm 7ef9219d1d5f1d71f08a79f3b0577df138b21b12
-version vutil.c 317c25a807f9503282d58917a4a53b667232a6c5
+version vutil.c 601cc57bbc0070ae33eab7fd2d667f20efbe15f8
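Review bot: the digest bump for vutil.c in t/porting/customized.dat records that the core copy now diverges from the CPAN version distribution, so this fix exists only in core until the same savepv()/Safefree() change is submitted upstream; since the thread mentions checking the version.pm PRs, a pointer to the upstream PR (or a note that one was opened) in the commit message would keep the two copies from drifting apart at the next sync.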
diff --git a/vutil.c b/vutil.c
index 4314fb9280..23627bea78 100644
--- a/vutil.c
+++ b/vutil.c
@@ -643,6 +643,8 @@ VER_NV:
             if (   strNE(locale_name_on_entry, "C")
                 && strNE(locale_name_on_entry, "POSIX"))
             {
+                /* the setlocale() call might free or overwrite the name */
+                locale_name_on_entry = savepv(locale_name_on_entry);
                 setlocale(LC_NUMERIC, "C");
             }
             else {  /* This value indicates to the restore code that we didn't
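Review bot: after `locale_name_on_entry = savepv(locale_name_on_entry);` the variable owns heap memory, so any path that leaves the function between this point and the restore code would leak it; a short comment at the declaration of `locale_name_on_entry` saying that a non-NULL value is now owned and must be freed would make that contract visible. Passing a NULL setlocale() result into savepv() is not a new risk here, since the `strNE(locale_name_on_entry, "C")` test two lines earlier would already have dereferenced it.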
@@ -666,6 +668,8 @@ VER_NV:
                 if (   strNE(locale_name_on_entry, "C")
                     && strNE(locale_name_on_entry, "POSIX"))
                 {
+                    /* the setlocale() call might free or overwrite the name */
+                    locale_name_on_entry = savepv(locale_name_on_entry);
                     setlocale(LC_NUMERIC, "C");
                 }
                 else {  /* This value indicates to the restore code that we
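Review bot: this is a verbatim second copy of the save-before-switch block from the @@ -643 hunk, and as Karl notes below, duplicated logic can drift; consider a small static helper that performs the "C"/"POSIX" test, the savepv() and the `setlocale(LC_NUMERIC, "C");` call, so that both call sites and the NULL convention stay in one place.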
@@ -715,6 +719,7 @@ VER_NV:
 
             if (locale_name_on_entry) {
                 setlocale(LC_NUMERIC, locale_name_on_entry);
+                Safefree(locale_name_on_entry);
             }
 
             LC_NUMERIC_UNLOCK;  /* End critical section */
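Review bot: `setlocale(LC_NUMERIC, locale_name_on_entry);` at the top of this hunk is vutil.c line 717, the frame the ASAN report named for the READ of freed memory; with the copy in place it now reads memory this function owns, and `Safefree(locale_name_on_entry);` directly after the restore is the right spot, since the copy is not needed once the locale has been put back.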
@@ -723,6 +728,7 @@ VER_NV:
 
             if (locale_name_on_entry) {
                 setlocale(LC_NUMERIC, locale_name_on_entry);
+                Safefree(locale_name_on_entry);
                 LC_NUMERIC_UNLOCK;
             }
             else if (locale_obj_on_entry == PL_underlying_numeric_obj) {
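Review bot: the `else if (locale_obj_on_entry == PL_underlying_numeric_obj)` branch runs only when `locale_name_on_entry` is NULL, so no free is needed there; a one-line comment noting that the NULL set in the save hunks is what keeps this branch free-less would stop a future reader from adding a second `Safefree`.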
-- 
2.11.0

@p5pRT
Author

p5pRT commented Sep 16, 2019

From @khwilliamson

On Sun, 15 Sep 2019 23:53:04 -0700, tonyc wrote:

Why not just do a save the first time? It would be less code that could get out of sync. When it is unclear what is going to happen in the interim, locale.c makes it a SAVEFREEPV.
--
Karl Williamson

@p5pRT
Author

p5pRT commented Sep 17, 2019

From @tonycoz

On Mon, Sep 16, 2019 at 01:37:00PM -0700, Karl Williamson via RT wrote:

Why not just do a save the first time? It would be less code that could get out of sync. When it is unclear what is going to happen in the interim, locale.c makes it a SAVEFREEPV.

I had a WIP that used SAVEFREEPV(), but in this case we have an
obvious place to do the free(), and while SAVEFREEPV() isn't expensive
(most of the cost is fixed in the LEAVE itself) it isn't free either.

Or did I misunderstand what you're asking here?

Tony

@p5pRT
Author

p5pRT commented Sep 19, 2019

From @khwilliamson

On 9/16/19 7:23 PM, Tony Cook wrote:

I had a WIP that used SAVEFREEPV(), but in this case we have an
obvious place to do the free(), and while SAVEFREEPV() isn't expensive
(most of the cost is fixed in the LEAVE itself) it isn't free either.

Or did I misunderstand what you're asking here?

I hadn't examined it enough in detail to realize there was only one
place to do the free. I was trying to suggest that if it could return
early, you would use that. locale.c does both, depending on the situation.

Tony

@p5pRT
Author

p5pRT commented Oct 17, 2019

From imdb95@gmail.com

I tried valgrind and valgrind seems to detect nothing:


root@manh-ubuntu16:~/fuzz/fuzz_perl/perl_dbg# valgrind ./miniperl -w -Ilib
-Idist/Exporter/lib -MExporter -e '<?>'
==15475== Memcheck, a memory error detector
==15475== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==15475== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==15475== Command: ./miniperl -w -Ilib -Idist/Exporter/lib -MExporter -e
\<?\>
==15475==
==15475==
==15475== HEAP SUMMARY:
==15475== in use at exit: 226,768 bytes in 1,029 blocks
==15475== total heap usage: 1,711 allocs, 682 frees, 437,028 bytes
allocated
==15475==
==15475== LEAK SUMMARY:
==15475== definitely lost: 0 bytes in 0 blocks
==15475== indirectly lost: 0 bytes in 0 blocks
==15475== possibly lost: 47,733 bytes in 53 blocks
==15475== still reachable: 179,035 bytes in 976 blocks
==15475== of which reachable via heuristic:
==15475== newarray : 216 bytes in 7 blocks
==15475== suppressed: 0 bytes in 0 blocks
==15475== Rerun with --leak-check=full to see details of leaked memory
==15475==
==15475== For counts of detected and suppressed errors, rerun with: -v
==15475== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)


Still there's no patch?

On Thu, Sep 19, 2019 at 7:31 AM karl williamson via RT <
perlbug-followup@perl.org> wrote:

I hadn't examined it enough in detail to realize there was only one
place to do the free. I was trying to suggest that if it could return
early, you would use that. locale.c does both, depending on the situation.

Tony

@toddr
Member

toddr commented Oct 22, 2019

From imdb95@gmail.com

Here's the link for reference: https://sourceware.org/bugzilla/show_bug.cgi?id=25123

@toddr
Member

toddr commented Oct 22, 2019

@tonycoz ^^

@toddr
Member

toddr commented Oct 24, 2019

@ManhNDd ^^

tonycoz added a commit to tonycoz/perl5 that referenced this issue Oct 24, 2019
If the return value of setlocale() is static storage, the call to
setlocale(LC_NUMERIC, "C"); could overwrite it.

If the return value of setlocale() is malloced, the call to
setlocale(LC_NUMERIC, "C"); could free it.

Either way, we need to copy it.  Fixes gh Perl#17054 rt134212
khwilliamson pushed a commit that referenced this issue Oct 24, 2019
If the return value of setlocale() is static storage, the call to
setlocale(LC_NUMERIC, "C"); could overwrite it.

If the return value of setlocale() is malloced, the call to
setlocale(LC_NUMERIC, "C"); could free it.

Either way, we need to copy it.  Fixes gh #17054 rt134212
@toddr
Member

toddr commented Oct 24, 2019

Pull request #17217 has been merged providing commit 0927980. Closing case.

@toddr toddr closed this as completed Oct 24, 2019