Null pointer dereference in Perl_sv_setpvn() #16133
Comments
From fumfi.255@gmail.com

After some fuzz testing I found a crashing test case.

perl -v output: This is perl 5, version 27, subversion 4 (v5.27.4

Faulting test case in attachment.

Command: perl perl_nullptr_Perl_sv_setpvn

ASAN Context:
==19717==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
AddressSanitizer can not provide additional info.

Pozdrawiam / Best Regards
From @atoomic

To save readers some time, the test case from the attachment is the following:

$$_=0;$0=unpack'@'|'0'&~*0

On Thu, 31 Aug 2017 00:32:54 -0700, fumfi.255@gmail.com wrote:
The RT System itself - Status changed from 'new' to 'open'
From @atoomic

need more investigation, seems this is happening in S_unpack_rec when calling SHIFT_VAR

│1624 char *aptr;

backtrace
run
Program received signal SIGBUS, Bus error.

On Thu, 31 Aug 2017 00:32:54 -0700, fumfi.255@gmail.com wrote:
From @tonycoz

On Fri, 01 Sep 2017 12:53:02 -0700, atoomic wrote:

The '@'|'0'&~*0 expression evaluates to 'P' so the program is equivalent to:

$$_=0; $0=unpack"P"

The $$_ = 0 auto-vivifies $_ into a scalar reference, so the unpack behaves like:

$0 = unpack "P", "SCALAR(0x...)";

The P template for pack reads a pointer from the supplied scalar, so treating the bytes "SCAL" or "SCALAR(0" as a pointer, which very reasonably crashes.

This isn't a bug.

Tony
@tonycoz - Status changed from 'open' to 'rejected'
From @demerphq

I agree it's not a bug but the P format is arguably a security concern.

Yves

On 4 Sep 2017 04:30, "Tony Cook via RT" <perlbug-followup@perl.org> wrote:
From @xsawyerx

Before we evaluate such an option, it would be good to have a cursory

On 09/04/2017 12:18 PM, demerphq wrote:
From @khwilliamson

On 09/05/2017 07:01 AM, Sawyer X wrote:

Since grep.cpan.me has been down for some time, such a check is
From @xsawyerx

grep.metacpan.org

On 09/05/2017 05:57 PM, Karl Williamson wrote:
From @ilmari

Karl Williamson <public@khwilliamson.com> writes:

However, https://grep.metacpan.org/ is up and running, and gives 44

https://grep.metacpan.org/search?q=\bunpack\s*\(%3F\s*\S%2BP&qd=&qft=
Migrated from rt.perl.org#132001 (status was 'rejected')
Searchable as RT132001$
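
A guard for the concern raised in the thread, as an added example (not code from the Perl project or from any commenter): a wrapper that rejects templates containing the pointer formats p and P before they reach unpack, which matters when the template is computed at runtime, as in the test case. The names pointer_formats and checked_unpack are hypothetical and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp qw(croak);

# Return the pointer format letters (p, P) used in a pack/unpack template.
# Template comments (# to end of line) are stripped first, because a
# letter inside a comment is not a format.
sub pointer_formats {
    my ($template) = @_;
    (my $code = $template) =~ s/#[^\n]*//g;
    return $code =~ /([pP])/g;
}

# Hypothetical wrapper: unpack() that refuses pointer formats.
# Conservative by design: it also refuses x[P], which only skips bytes.
sub checked_unpack {
    my ($template, $data) = @_;
    if (my @found = pointer_formats($template)) {
        croak "refusing unpack template with pointer format(s): @found";
    }
    return unpack $template, $data;
}

# Constructed inputs. The second template has a P only inside a comment.
# The third is the expression from the test case, which evaluates to 'P',
# paired with a stringified reference ("SCALAR(0x...)") as its data.
my $computed = '@' | '0' & ~*0;
my $target;
my $ref_text = "" . \$target;

for my $case (
    [ 'N n',                  pack('N n', 1, 2) ],
    [ "C # P in a comment\n", "\x07" ],
    [ $computed,              $ref_text ],
) {
    my ($template, $data) = @$case;
    my @fields = eval { checked_unpack($template, $data) };
    (my $shown = $template) =~ s/\n/\\n/g;
    print $@ ? "rejected '$shown': $@" : "ok '$shown' -> @fields\n";
}
```

The first two templates unpack normally; the third is rejected before unpack is called, so the bytes of the stringified reference are never treated as an address.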