Invalid read of size 4 #17120

Open
p5pRT opened this issue Aug 7, 2019 · 6 comments
Comments

@p5pRT

p5pRT commented Aug 7, 2019

Migrated from rt.perl.org#134342 (status was 'open')

Searchable as RT134342$

@p5pRT
Author

p5pRT commented Aug 7, 2019

From nguyenmanhdung1710@gmail.com

Hi All,
I found an invalid read bug of size 4 in the commit *45f8e7b* on branch
*blead*. This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on
Ubuntu 16.04 (64 bit) as follows:
  ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth='
'; make

Thanks,
Manh Dung

======================================
*perl -v*
This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
built for x86_64-linux

- Crafted PoC:
https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_segv_mro_core.c:501
- Command: perl $PoC

Valgrind says:
==10475== Invalid read of size 4
==10475== at 0x4B4EC7: Perl_mro_isa_changed_in (mro_core.c:501)
==10475== by 0x4B5769: Perl_mro_package_moved (mro_core.c:877)
==10475== by 0x4DD485: S_glob_assign_glob (sv.c:3936)
==10475== by 0x4D7917: Perl_sv_setsv_flags (sv.c:4418)
==10475== by 0x4C2328: Perl_pp_sassign (pp_hot.c:226)
==10475== by 0x4C1C72: Perl_runops_standard (run.c:41)
==10475== by 0x446595: S_run_body (perl.c:2701)
==10475== by 0x446595: perl_run (perl.c:2624)
==10475== by 0x421814: main (perlmain.c:127)
==10475== Address 0x4 is not stack'd, malloc'd or (recently) free'd

ASAN says:
==7970==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0000005d02a7 bp 0x7ffea50397e0 sp 0x7ffea50396f0 T0)
  #0 0x5d02a6 in Perl_mro_isa_changed_in /home/dungnguyen/gueb-testing/perl-head/mro_core.c:501
  #1 0x5d1c43 in Perl_mro_package_moved /home/dungnguyen/gueb-testing/perl-head/mro_core.c:877
  #2 0x64a131 in S_glob_assign_glob /home/dungnguyen/gueb-testing/perl-head/sv.c:3936
  #3 0x6375dd in Perl_sv_setsv_flags /home/dungnguyen/gueb-testing/perl-head/sv.c:4418
  #4 0x5fb863 in Perl_pp_sassign /home/dungnguyen/gueb-testing/perl-head/pp_hot.c:226
  #5 0x5fa20a in Perl_runops_standard /home/dungnguyen/gueb-testing/perl-head/run.c:41
  #6 0x48f0b7 in S_run_body /home/dungnguyen/gueb-testing/perl-head/perl.c:2696
  #7 0x48f0b7 in perl_run /home/dungnguyen/gueb-testing/perl-head/perl.c:2624
  #8 0x425674 in main /home/dungnguyen/gueb-testing/perl-head/perlmain.c:127
  #9 0x7fcc2a3cc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #10 0x425be8 in _start (/home/dungnguyen/PoCs/perl_82007f7/perl-asan+0x425be8)

@p5pRT
Author

p5pRT commented Aug 7, 2019

From @iabyn

On Wed, Aug 07, 2019 at 01:38:21AM -0700, Manh-Dung Nguyen (via RT) wrote:

I found an invalid read bug of size 4 in the commit *45f8e7b* on branch
*blead*. This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on
Ubuntu 16.04 (64 bit) as follows:

That PoC code is just one long list of lines which assign things to *::.
While ideally we'd like perl to be robust in the face of such provocation,
I don't think fixing this is a very high priority.

--
"You're so sadly neglected, and often ignored.
A poor second to Belgium, When going abroad."
  -- Monty Python, "Finland"

@p5pRT
Author

p5pRT commented Aug 7, 2019

The RT System itself - Status changed from 'new' to 'open'

@khwilliamson
Contributor

@iabyn, this is now core dumping in blead

@iabyn
Contributor

iabyn commented Apr 17, 2022

@khwilliamson I'm not sure of your point - the demo code has always core-dumped AFAICT. My comment from 2019 was words to the effect that doing lots of messing around assigning to %:: etc is very likely to crash things. In an ideal world it wouldn't, but fixing it is not a very high priority for me. (And fixing the stack-not-refcounted bug is a much higher priority, and might make this problem go away anyway).

@khwilliamson
Contributor

I wasn't thinking straight. Sorry for the noise
