
perl panic caused by large integer in precision for POSIX::sprintf #9850

Open
p5pRT opened this issue Aug 24, 2009 · 5 comments

Comments


p5pRT commented Aug 24, 2009

Migrated from rt.perl.org#68764 (status was 'open')

Searchable as RT68764$


p5pRT commented Aug 24, 2009

From mmaslano@redhat.com

Created by mmaslano@redhat.com

Description of problem:
perl panics if a large number is used in the format section for sprintf.

Steps to Reproduce:
$ perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'

Actual results:

panic: malloc at ../../lib/POSIX.pm (autosplit into
../../lib/auto/POSIX/sprintf.al) line 387

Expected results:

exits with a zero

Additional info:

perl also seems to hang for a long time when using the slightly smaller number
214748369

Version of perl: 5.10.0
Version of POSIX: 1.16

Perl Info

Flags:
    category=library
    severity=low


This perlbug was built using Perl 5.10.0 in the Fedora build system.
It is being executed now by Perl 5.10.0 - Tue Jul 28 03:44:43 EDT 2009.



p5pRT commented Aug 24, 2009

From zefram@fysh.org

Marcela Maslanova wrote:

> $ perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'
> panic: malloc at ../../lib/POSIX.pm (autosplit into
> ../../lib/auto/POSIX/sprintf.al) line 387

The defence pleads provocation.

-zefram


p5pRT commented Aug 24, 2009

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jul 22, 2010

From mmaslano@redhat.com

On Mon Aug 24 05:22:18 2009, zefram@fysh.org wrote:

> Marcela Maslanova wrote:
>
> > $ perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'
> > panic: malloc at ../../lib/POSIX.pm (autosplit into
> > ../../lib/auto/POSIX/sprintf.al) line 387
>
> The defence pleads provocation.
>
> -zefram

It looks like it's reproducible only on a computer with more memory. The
reporter of this bug has 4Gb of RAM.


p5pRT commented Oct 5, 2011

From @ppisar

On Thu 22 Jul 2010 02:06:30, mmaslano wrote:

> On Mon Aug 24 05:22:18 2009, zefram@fysh.org wrote:
>
> > Marcela Maslanova wrote:
> >
> > > $ perl -MPOSIX -e 'POSIX::sprintf("%.2147483640f", 1);'
> > > panic: malloc at ../../lib/POSIX.pm (autosplit into
> > > ../../lib/auto/POSIX/sprintf.al) line 387
> >
> > The defence pleads provocation.
> >
> > -zefram
>
> It looks like it's reproducible only on a computer with more memory. The
> reporter of this bug has 4Gb of RAM.

There is a correlation between the precision number in the formatting string and
the memory available to the perl process. I can reproduce it even on a virtual
machine with 2965 MB virtual memory in the operating system. Requesting an
insanely big precision (e.g. by prepending the digit `9') makes `Out of memory!'.

The message "panic: snprintf buffer overflow" comes from perl.h:1666
(Perl 5.14) where the following macro is defined (formatted by me):

    #define my_snprintf(buffer, len, ...) \
        ({ int __len__ = snprintf(buffer, len, __VA_ARGS__); \
           if ((len) > 0 && (Size_t)__len__ >= (len)) \
               Perl_croak_nocontext("panic: snprintf buffer overflow"); \
           __len__; })

Thus it just says the requested string could not fit into the buffer (see
snprintf(3)). And dies.

So the problem is why the buffer has not been preallocated large enough and
`len' set to the length to accommodate the string. I would expect a pass
or an out-of-memory message, but not the buffer overflow.

This can be a sign of a badly calculated memory size to allocate or some
integer wrap of the memory size counter.

I compared the <http://use.perl.org/article.pl?sid=05/12/15/0916221> patch
with 5.14.2 and all relevant parts are applied except the sprintf
op-code value change (0x0004280f → 0x0004280d), the sprintf op-code option
change (mfst@ → mst@), and the missing vecsv = &PL_sv_undef in the
if-(vectorize) block.
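The macro quoted above only detects an oversized result after snprintf has already been asked to produce it, and the precision in this report is large enough that the allocation itself fails first. As an added example (not perl's code), this C sketch shows the ordering a defender wants: validate the precision and compute the buffer size without wrapping before formatting, and have the my_snprintf-style check report instead of croak; MAX_SANE_PRECISION, parse_precision, checked_snprintf and format_fixed are assumptions for the demo.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SANE_PRECISION 4096  /* demo assumption, not a value from perl */

/* Strictly parse a format of the exact shape "%.<N>f"; false if the shape is
 * wrong, N would wrap a long while accumulating, or N > MAX_SANE_PRECISION. */
bool parse_precision(const char *fmt, long *out)
{
    if (fmt[0] != '%' || fmt[1] != '.' || fmt[2] < '0' || fmt[2] > '9')
        return false;
    const char *p = fmt + 2;
    long prec = 0;
    for (; *p >= '0' && *p <= '9'; ++p) {
        int d = *p - '0';
        if (prec > (LONG_MAX - d) / 10)  /* prec * 10 + d would wrap: reject */
            return false;
        prec = prec * 10 + d;
    }
    if (p[0] != 'f' || p[1] != '\0')     /* nothing but "%.<N>f" is accepted */
        return false;
    *out = prec;
    return prec <= MAX_SANE_PRECISION;
}

/* perl's my_snprintf test, but reporting -1 instead of croaking on overflow. */
int checked_snprintf(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Validate N and size the buffer from it before formatting; NULL on rejection. */
char *format_fixed(const char *fmt, double v)
{
    long prec;
    if (!parse_precision(fmt, &prec))
        return NULL;
    size_t need = 1 + 309 + 1 + (size_t)prec + 1;  /* sign, int digits, '.', N, NUL */
    char *buf = malloc(need);
    if (buf && checked_snprintf(buf, need, fmt, v) < 0) { free(buf); buf = NULL; }
    return buf;
}
```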
