
SEGV (gv.c:2445:12) in Perl_gv_fetchpvn_flags #17089

Open
p5pRT opened this issue Jul 9, 2019 · 4 comments

Comments


p5pRT commented Jul 9, 2019

Migrated from rt.perl.org#134276 (status was 'open')

Searchable as RT134276$


p5pRT commented Jul 9, 2019

From imdb95@gmail.com

Hello,
I found this bug when fuzzing perl5.

**********Compilation and environment**********
root@instance-2:~/fuzz_perl# ./perl/perl -v

This is perl 5, version 31, subversion 2 (v5.31.2 (v5.31.1-6-g9649a81))
built for x86_64-linux

Copyright 1987-2019, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.


root@instance-2:~/fuzz_perl# uname -a
Linux instance-2 4.15.0-1036-gcp #38~16.04.1-Ubuntu SMP Tue Jun 25 15:30:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


root@instance-2:~/fuzz_perl# lsb_release -r
Release: 16.04


Compilation:
AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-g && AFL_USE_ASAN=1 make

**********Reproduce*********
root@instance-2:~/fuzz_perl# cat test.pl
eval '"" =~ /${%::=0}\i{$k{*k=\&0}/';

root@instance-2:~/fuzz_perl# ./perl/perl test.pl
ASAN:DEADLYSIGNAL

==16882==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x000000618d6b bp 0x7fff600e2950 sp 0x7fff600e27c0 T0)
==16882==The signal is caused by a READ memory access.
==16882==Hint: address points to the zero page.
  #0 0x618d6a in Perl_gv_fetchpvn_flags /root/fuzz_perl/perl/gv.c:2445:12
  #1 0x61b1c7 in Perl_gv_fetchsv /root/fuzz_perl/perl/gv.c:1588:12
  #2 0x9fd20d in S_anonymise_cv_maybe /root/fuzz_perl/perl/sv.c:6520:14
  #3 0x9fd20d in Perl_sv_kill_backrefs /root/fuzz_perl/perl/sv.c:6301
  #4 0x8d1781 in Perl_magic_killbackrefs /root/fuzz_perl/perl/mg.c:2548:5
  #5 0x9f9b4a in S_sv_unmagicext_flags /root/fuzz_perl/perl/sv.c:5863:3
  #6 0xa03991 in Perl_sv_unmagic /root/fuzz_perl/perl/sv.c:5901:12
  #7 0xa03991 in Perl_sv_clear /root/fuzz_perl/perl/sv.c:6598
  #8 0xa0c16e in Perl_sv_free2 /root/fuzz_perl/perl/sv.c:7093:9
  #9 0x511504 in S_SvREFCNT_dec_NN /root/fuzz_perl/perl/./inline.h:227:2
  #10 0x511504 in S_op_clear_gv /root/fuzz_perl/perl/op.c:970
  #11 0x511504 in Perl_op_clear /root/fuzz_perl/perl/op.c:1003
  #12 0x50e165 in Perl_op_free /root/fuzz_perl/perl/op.c:914:9
  #13 0x50ddab in Perl_op_free /root/fuzz_perl/perl/op.c:897:21
  #14 0xaf8fa1 in Perl_leave_scope /root/fuzz_perl/perl/scope.c:1127:6
  #15 0xb31a86 in S_pop_eval_context_maybe_croak /root/fuzz_perl/perl/pp_ctl.c:1633:5
  #16 0xb310b8 in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c:1785:13
  #17 0x88fc1f in Perl_vcroak /root/fuzz_perl/perl/util.c:1711:5
  #18 0x886a2a in Perl_croak /root/fuzz_perl/perl/util.c:1756:5
  #19 0x826976 in S_regatom /root/fuzz_perl/perl/regcomp.c
  #20 0x7f744b in S_regpiece /root/fuzz_perl/perl/regcomp.c:12466:11
  #21 0x7f744b in S_regbranch /root/fuzz_perl/perl/regcomp.c:12386
  #22 0x752f1e in S_reg /root/fuzz_perl/perl/regcomp.c:12097:10
  #23 0x72ecf5 in Perl_re_op_compile /root/fuzz_perl/perl/regcomp.c:7714:9
  #24 0xb09f34 in Perl_pp_regcomp /root/fuzz_perl/perl/pp_ctl.c:108:14
  #25 0x88087c in Perl_runops_debug /root/fuzz_perl/perl/dump.c:2537:23
  #26 0x5e95f2 in S_run_body /root/fuzz_perl/perl/perl.c
  #27 0x5e95f2 in perl_run /root/fuzz_perl/perl/perl.c:2639
  #28 0x50a398 in main /root/fuzz_perl/perl/perlmain.c:127:9
  #29 0x7f5fa777d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #30 0x4368c8 in _start (/root/fuzz_perl/perl/perl+0x4368c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz_perl/perl/gv.c:2445:12 in Perl_gv_fetchpvn_flags
==16882==ABORTING

Please confirm the bug.

Thanks,
Manh Nguyen
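A small triage helper for mailed ASAN reports like the one above, added here as an example and not code from the issue or from perl: it re-joins the frame and SUMMARY lines the mailer wrapped, classifies a SEGV in the first page (ASAN's "zero page" hint) as a null dereference at that field offset, and builds a frame-based dedup key for bucketing fuzzer crashes. The sample report is a constructed, trimmed copy of the trace above; the signature depth and the null-deref labelling are the example's own choices.

```python
import re
# Constructed sample: the mailed ASAN report from this issue, trimmed; the
# mailer wrapped two frame lines and the SUMMARY line.
SAMPLE_REPORT = """\
==16882==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038
  #0 0x618d6a in Perl_gv_fetchpvn_flags /root/fuzz_perl/perl/gv.c:2445:12
  #1 0x61b1c7 in Perl_gv_fetchsv /root/fuzz_perl/perl/gv.c:1588:12
  #15 0xb31a86 in S_pop_eval_context_maybe_croak
/root/fuzz_perl/perl/pp_ctl.c:1633:5
  #29 0x7f5fa777d82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: SEGV /root/fuzz_perl/perl/gv.c:2445:12 in
Perl_gv_fetchpvn_flags
"""
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)(?:\s+(\S+))?$")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+)")

def unwrap(text):
    # Re-join mail-wrapped lines: a frame missing its location followed by a
    # line starting with '/' or '(', and a SUMMARY line cut after " in".
    out = []
    for line in text.splitlines():
        prev = out[-1] if out else ""
        m = FRAME_RE.match(prev)
        cont = (line.startswith(("/", "(")) and m and m.group(3) is None
                or prev.startswith("SUMMARY:") and prev.endswith(" in"))
        if cont:
            out[-1] = prev + " " + line
        else:
            out.append(line)
    return out

def parse_asan_report(text):
    info = {"kind": None, "address": None, "frames": [], "summary": None}
    for line in unwrap(text):
        if m := ERROR_RE.search(line):
            info["kind"], info["address"] = m.group(1), int(m.group(2), 16)
        elif line.startswith("SUMMARY: AddressSanitizer: "):
            info["summary"] = line[len("SUMMARY: AddressSanitizer: "):]
        elif f := FRAME_RE.match(line):
            info["frames"].append((int(f.group(1)), f.group(2), f.group(3)))
    return info

def crash_signature(info, depth=3):
    # Dedup key: fault class plus the top `depth` frames that have a source
    # location (shared-library frames, shown in parentheses, are skipped).
    kind = info["kind"]
    if kind == "SEGV" and info["address"] < 0x1000:  # first page: null deref
        kind = "null-deref+0x%x" % info["address"]
    funcs = [fn for _, fn, loc in info["frames"] if loc and not loc.startswith("(")]
    return kind + ":" + "|".join(funcs[:depth])
```

Two reports with the same signature are almost always the same bug, so the key lets a fuzzing campaign file one ticket per root cause rather than one per crashing input.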


p5pRT commented Jul 9, 2019

From @iabyn

On Tue, Jul 09, 2019 at 02:20:37AM -0700, Nguyen Duc Manh wrote:

eval '"" =~ /${%::=0}\i{$k{*k=\&0}/';

The important part of that code is

  %:: = (0);

i.e. it's deleting the entire contents of the root stash. Bad things tend
to happen after that. Ideally we'd like for perl not to crash even then,
but it's not a security issue, for the same reasons I stated in another
of your tickets today.

--
This is a great day for France!
  -- Nixon at Charles De Gaulle's funeral


p5pRT commented Jul 9, 2019

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Aug 5, 2019

From @tonycoz

On Tue, 09 Jul 2019 03:17:25 -0700, davem wrote:

On Tue, Jul 09, 2019 at 02:20:37AM -0700, Nguyen Duc Manh wrote:

eval '"" =~ /${%::=0}\i{$k{*k=\&0}/';

The important part of that code is

  %:: = (0);

i.e. it's deleting the entire contents of the root stash. Bad things tend
to happen after that. Ideally we'd like for perl not to crash even then,
but it's not a security issue, for the same reasons I stated in another
of your tickets today.

Agreed, now public.

Tony
