
crash in Perl_yyerror due to missing check for NULL #7954

Closed
p5pRT opened this issue Jun 6, 2005 · 4 comments

Comments

p5pRT commented Jun 6, 2005

Migrated from rt.perl.org#36193 (status was 'resolved')

Searchable as RT36193$


p5pRT commented Jun 6, 2005

From @millert

Created by @millert

We (OpenBSD) had a recent report of a simple perl script with
a syntax error causing perl to dump core:

$ cat > a.pl
#!/usr/bin/perl -w
print "##"';
$ chmod u+x a.pl
$ ./a.pl

This behavior corresponded to a change in the OpenBSD malloc
to use 1) mmap() instead of sbrk() and 2) return randomized
memory addresses. The breakage appears to be triggered by 2).

In this specific case, PL_oldbufptr is NULL and, depending on the
addresses of the other buf pointers, the while() loop that trims
spaces can go off into la la land.

The fix is to simply check that the buf ptr is non-NULL before
dereferencing it. This may fix the Netware case as well.

Index​: toke.c

RCS file​: /home/cvs/openbsd/src/gnu/usr.bin/perl/toke.c,v
retrieving revision 1.9
diff -u -r1.9 toke.c
--- toke.c 15 Jan 2005 21​:30​:22 -0000 1.9
+++ toke.c 6 Jun 2005 23​:15​:03 -0000
@​@​ -7755,8 +7755,9 @​@​

  if (!yychar || (yychar == ';' && !PL_rsfp))
  where = "at EOF";
- else if (PL_bufptr > PL_oldoldbufptr && PL_bufptr - PL_oldoldbufptr < 200 &&
- PL_oldoldbufptr != PL_oldbufptr && PL_oldbufptr != PL_bufptr) {
+ else if (PL_oldoldbufptr && PL_bufptr > PL_oldoldbufptr &&
+ PL_bufptr - PL_oldoldbufptr < 200 && PL_oldoldbufptr != PL_oldbufptr &&
+ PL_oldbufptr != PL_bufptr) {
  /*
  Only for NetWare​:
  The code below is removed for NetWare because it abends/crashes on NetWare
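Review bot: the new `PL_oldoldbufptr &&` test is correctly placed ahead of `PL_bufptr > PL_oldoldbufptr`, so neither the comparison nor the subtraction is ever evaluated with a NULL base; it is worth recording why the existing range test `PL_bufptr - PL_oldoldbufptr < 200` did not already catch this: the difference is a signed ptrdiff_t, and on this ILP32 build (ptrsize=4 in the Perl Info) subtracting NULL from an mmap()-allocated buffer above 2 GiB wraps negative and satisfies `< 200`, which is exactly why the crash surfaced only once malloc moved to randomized mmap addresses. The explicit NULL test is therefore the right fix; relying on the range check would leave the same hole on any platform that hands out high addresses.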
@​@​ -7771,8 +7772,8 @​@​
  context = PL_oldoldbufptr;
  contlen = PL_bufptr - PL_oldoldbufptr;
  }
- else if (PL_bufptr > PL_oldbufptr && PL_bufptr - PL_oldbufptr < 200 &&
- PL_oldbufptr != PL_bufptr) {
+ else if (PL_oldbufptr && PL_bufptr > PL_oldbufptr &&
+ PL_bufptr - PL_oldbufptr < 200 && PL_oldbufptr != PL_bufptr) {
  /*
  Only for NetWare​:
  The code below is removed for NetWare because it abends/crashes on NetWare
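Review bot: this second guard on `PL_oldbufptr` is the one that matters for the reported case (the description says PL_oldbufptr is NULL): with both old pointers NULL the first branch already fails on `PL_oldoldbufptr != PL_oldbufptr`, so control falls through here and, without the guard, the analogous context assignment sets a NULL context with a length of `PL_bufptr - NULL` for the whitespace-trimming loop to walk. Since the description speculates that this also explains the NetWare abend, the `Only for NetWare` exclusion immediately below should be re-examined on that platform once the guard is in, and a regression test that feeds the two-line script from the report (a syntax error right after `print "##"'`) and checks that perl exits with a diagnostic rather than a signal would pin the fix down.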

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl v5.8.6:

Configured by root at Thu Jan  1  0:00:00 UTC 1970.

Summary of my perl5 (revision 5 version 8 subversion 6) configuration:
  Platform:
    osname=openbsd, osvers=3.7, archname=i386-openbsd
    uname='openbsd'
    config_args='-dsE -Dopenbsd_distribution=defined -Dusethreads'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-pthread -fno-strict-aliasing -fno-delete-null-pointer-checks -pipe -I/usr/local/include',
    optimize='-O2',
    cppflags='-pthread -fno-strict-aliasing -fno-delete-null-pointer-checks -pipe -I/usr/local/include'
    ccversion='', gccversion='3.3.5 (propolice)', gccosandvers='openbsd3.7'
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-pthread -Wl,-E '
    libpth=/usr/lib
    libs=-lm -lutil -lc
    perllibs=-lm -lutil -lc
    libc=/usr/lib/libc.a, so=so, useshrplib=true, libperl=libperl.so.10.0
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-R/usr/libdata/perl5/i386-openbsd/5.8.6/CORE'
    cccdlflags='-DPIC -fPIC ', lddlflags='-shared -fPIC '

Locally applied patches:
    SUIDPERLIO1 - fix PERLIO_DEBUG buffer overflow (CAN-2005-0156)


@INC for perl v5.8.6:
    /usr/libdata/perl5/i386-openbsd/5.8.6
    /usr/local/libdata/perl5/i386-openbsd/5.8.6
    /usr/libdata/perl5
    /usr/local/libdata/perl5
    /usr/local/libdata/perl5/site_perl/i386-openbsd
    /usr/libdata/perl5/site_perl/i386-openbsd
    /usr/local/libdata/perl5/site_perl
    /usr/libdata/perl5/site_perl
    /usr/local/lib/perl5/site_perl
    .


Environment for perl v5.8.6:
    HOME=/home/millert
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/millert/bin/OpenBSD.i386:/home/millert/bin:/home/millert/bin/scripts:/usr/local/gnu/bin:/usr/local/bin:/usr/local/sbin:/usr/local/etc:/usr/local/rcs/bin:/usr/local/nmh/bin:/usr/local/news/bin:/usr/local/emacs/bin:/usr/local/netpbm/bin:/usr/local/mtools/bin:/usr/local/netscape/bin:/usr/local/ghostscript/bin:/usr/local/frame-5.5.6/bin:/usr/local/teTeX/bin:/usr/local/cvs-1.10.1/bin:/usr/local/games/bin:/usr/local/archivers/bin:/usr/local/skey/bin:/usr/local/audio/bin:/usr/local/rtty/bin:/bin:/sbin:/usr/games:/usr/bin:/usr/sbin:/usr/etc:/etc:/usr/X11/bin:/usr/X11R6/bin:/usr/local/bin:/usr/obj/bin:/usr/src.STOCK/bin:/usr/src/bin
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/tcsh
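To make the failure mode in the report concrete, here is an added example that is not code from the Perl project or from the bug report: a model of the two `else if` conditions in Perl_yyerror that choose the error-context window, runnable both with and without the NULL guard from the patch. Pointers are modelled as uint32_t (ptrsize=4, as in the Perl Info above) and pointer subtraction as a signed 32-bit ptrdiff_t, so the arithmetic comes out the same on any host. The function and enum names, and the low "sbrk-style" and high "mmap-style" addresses, are constructed for the example.

```c
/* Added example, not Perl's toke.c: a model of the two branch conditions in
 * Perl_yyerror that pick the error-context pointer, before and after the
 * NULL guard. Pointers are uint32_t (ILP32 build from the report) and pointer
 * subtraction is a signed 32-bit ptrdiff_t. All addresses are constructed. */
#include <stdint.h>
#include <stdio.h>

enum ctx_choice { CTX_NONE = 0, CTX_OLDOLD = 1, CTX_OLD = 2 };

/* ptrdiff_t on an ILP32 build: the unsigned difference reinterpreted as a
 * signed 32-bit value. Subtracting NULL from an address above 2 GiB therefore
 * yields a negative number, which satisfies a `< 200` range test. */
static int32_t ptrdiff32(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b);
}

/* Returns which pointer would become `context`. With guarded == 0 this is the
 * pre-patch condition; with guarded == 1 the `ptr &&` test from the patch is
 * applied first, so comparison and subtraction never run on a NULL base. */
enum ctx_choice pick_context(uint32_t bufptr, uint32_t oldbufptr,
                             uint32_t oldoldbufptr, int guarded)
{
    if ((!guarded || oldoldbufptr) &&
        bufptr > oldoldbufptr && ptrdiff32(bufptr, oldoldbufptr) < 200 &&
        oldoldbufptr != oldbufptr && oldbufptr != bufptr)
        return CTX_OLDOLD;
    if ((!guarded || oldbufptr) &&
        bufptr > oldbufptr && ptrdiff32(bufptr, oldbufptr) < 200 &&
        oldbufptr != bufptr)
        return CTX_OLD;
    return CTX_NONE;
}

/* Length the CTX_OLD branch hands to the trailing-whitespace trim
 * (contlen = PL_bufptr - PL_oldbufptr). With a NULL base it is the whole
 * address value, i.e. the window the trim loop would walk backwards over. */
uint32_t contlen_old(uint32_t bufptr, uint32_t oldbufptr)
{
    return bufptr - oldbufptr;
}

int main(void)
{
    /* Constructed addresses: a low sbrk()-style heap and a high mmap()-style
     * one, with PL_oldbufptr and PL_oldoldbufptr both NULL, as when a syntax
     * error fires before the lexer has recorded an earlier token position. */
    const uint32_t low = 0x0003F010u, high = 0x8A00F010u;

    printf("sbrk  unguarded: %d\n", pick_context(low, 0, 0, 0));  /* 0: safe */
    printf("mmap  unguarded: %d\n", pick_context(high, 0, 0, 0)); /* 2: NULL context */
    printf("mmap    guarded: %d\n", pick_context(high, 0, 0, 1)); /* 0: fixed */
    printf("contlen with NULL context: %u bytes\n", contlen_old(high, 0));
    /* A normal error with valid earlier positions picks the oldold window
     * whether or not the guard is present. */
    printf("normal  guarded: %d\n",
           pick_context(high, 0x8A00F000u, 0x8A00EFF0u, 1)); /* 1 */
    return 0;
}
```

The model shows why the bug was address-dependent: with the old pointers NULL and a low heap address, `bufptr - NULL` is a large positive number and the `< 200` test rejects it, so nothing happens; with a high address the same subtraction wraps negative, the test passes, and the pre-patch code would trim whitespace backwards from a NULL context across the whole address range. The guard short-circuits before either the comparison or the subtraction is evaluated.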

p5pRT commented Jun 7, 2005

From @rgs

Todd C. Miller wrote​:

The fix is to simply check that the buf ptr is non-NULL before
dereferencing it. This may fix the Netware case as well.

Thanks, your patch applied as change #24718 to bleadperl.

p5pRT commented Jun 7, 2005

The RT System itself - Status changed from 'new' to 'open'

@p5pRT p5pRT closed this as completed Jun 7, 2005
p5pRT commented Jun 7, 2005

@rgs - Status changed from 'new' to 'resolved'
