Stack overflow during exception unwind in Perl_croak #16031

Open
p5pRT opened this issue Jun 22, 2017 · 3 comments

Comments


p5pRT commented Jun 22, 2017

Migrated from rt.perl.org#131630 (status was 'open')

Searchable as RT131630$


p5pRT commented Jun 22, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.27.1-37-g4c95ee9f29 built with afl and run
under libdislocator, I found the following program

eval q!split*@=\0!

to cause a stack overflow. GDB info about the crash location is:

#0 0x0000563bc3865cf3 in Perl_sv_grow (sv=0x0, newlen=0x0) at sv.c:1546
#1 0x0000563bc388f439 in Perl_sv_catpvn_flags (dsv=0x563bc4147d70,
sstr=0x563bc3ad2020 <PL_no_modify> "Modification of a read-only value
attempted", slen=0x2b, flags=0x0) at sv.c:5529
#2 0x0000563bc3890c17 in Perl_sv_catpv_flags (dstr=0x563bc4147d70,
sstr=0x563bc3ad2020 <PL_no_modify> "Modification of a read-only value
attempted", flags=0x0) at sv.c:5646
#3 0x0000563bc38b2a50 in Perl_sv_vcatpvfn_flags (sv=0x563bc4147d70,
pat=0x563bc3a705cf "%s", patlen=0x2, args=0x7ffce05bb780, svargs=0x0,
sv_count=0x0, maybe_tainted=0x0, flags=0x0) at sv.c:11911
#4 0x0000563bc38b0941 in Perl_sv_vsetpvfn (sv=0x563bc4147d70,
pat=0x563bc3a705cf "%s", patlen=0x2, args=0x7ffce05bb780, svargs=0x0,
sv_count=0x0, maybe_tainted=0x0) at sv.c:10961
#5 0x0000563bc37f7dd0 in Perl_vmess (pat=0x563bc3a705cf "%s",
args=0x7ffce05bb780) at util.c:1487
#6 0x0000563bc37f8e38 in Perl_vcroak (pat=0x563bc3a705cf "%s",
args=0x7ffce05bb780) at util.c:1716
#7 0x0000563bc37f912e in Perl_croak (pat=0x563bc3a705cf "%s") at util.c:1763
#8 0x0000563bc37f914a in Perl_croak_no_modify () at util.c:1781
#9 0x0000563bc388d2c2 in Perl_sv_force_normal_flags
(sv=0x563bc40b8ae8, flags=0x4) at sv.c:5325
#10 0x0000563bc3882216 in Perl_sv_setsv_flags (dstr=0x563bc40b8ae8,
sstr=0x563bc4147d58, flags=0x612) at sv.c:4347
#11 0x0000563bc390d135 in Perl_die_unwind (msv=0x563bc4147d58) at pp_ctl.c:1726
#12 0x0000563bc37f907d in Perl_vcroak (pat=0x563bc3a705cf "%s",
args=0x7ffce05bbe70) at util.c:1718
#13 0x0000563bc37f912e in Perl_croak (pat=0x563bc3a705cf "%s") at util.c:1763
#14 0x0000563bc37f914a in Perl_croak_no_modify () at util.c:1781
#15 0x0000563bc388d2c2 in Perl_sv_force_normal_flags
(sv=0x563bc40b8ae8, flags=0x4) at sv.c:5325
...
#28306 0x0000563bc3882216 in Perl_sv_setsv_flags (dstr=0x563bc40b8ae8,
sstr=0x563bc40b9418, flags=0x612) at sv.c:4347
#28307 0x0000563bc390d135 in Perl_die_unwind (msv=0x563bc40b9418) at
pp_ctl.c:1726
#28308 0x0000563bc37f907d in Perl_vcroak (pat=0x563bc3a676e8 "%s in
regex; marked by <-- HERE in m/%d%lu%4p <-- HERE %d%lu%4p/",
args=0x7ffce0db8bb0) at util.c:1718
#28309 0x0000563bc37f912e in Perl_croak (pat=0x563bc3a676e8 "%s in
regex; marked by <-- HERE in m/%d%lu%4p <-- HERE %d%lu%4p/") at
util.c:1763
#28310 0x0000563bc37ba100 in S_regatom (pRExC_state=0x7ffce0db99a0,
flagp=0x7ffce0db8fd0, depth=0x4) at regcomp.c:12641
#28311 0x0000563bc37b403b in S_regpiece (pRExC_state=0x7ffce0db99a0,
flagp=0x7ffce0db90fc, depth=0x3) at regcomp.c:11668
#28312 0x0000563bc37b3989 in S_regbranch (pRExC_state=0x7ffce0db99a0,
flagp=0x7ffce0db91a8, first=0x1, depth=0x2) at regcomp.c:11593
#28313 0x0000563bc37b126c in S_reg (pRExC_state=0x7ffce0db99a0,
paren=0x0, flagp=0x7ffce0db95e4, depth=0x1) at regcomp.c:11331
#28314 0x0000563bc3799859 in Perl_re_op_compile
(patternp=0x563bc409fb58, pat_count=0x1, expr=0x0, eng=0x563bc3cff540
<PL_core_reg_engine>, old_re=0x0, is_bare_re=0x7ffce0db9d5a,
orig_rx_flags=0x800, pm_flags=0x800) at regcomp.c:7100
#28315 0x0000563bc39019b5 in Perl_pp_regcomp () at pp_ctl.c:108
#28316 0x0000563bc37f2a7d in Perl_runops_debug () at dump.c:2451
#28317 0x0000563bc36e8b3d in S_run_body (oldscope=0x1) at perl.c:2548
#28318 0x0000563bc36e80bb in perl_run (my_perl=0x563bc409b010) at perl.c:2471
#28319 0x0000563bc36a0f3e in main (argc=0x2, argv=0x7ffce0dba128,
env=0x7ffce0dba140) at perlmain.c:123

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.27.1:

Configured by root at Sun May 28 01:44:41 MSK 2017.

Summary of my perl5 (revision 5 version 26 subversion 0) configuration:
  Derived from: 4c95ee9f298c2edfc1382d540ff89288790e78b6
  Platform:
    osname=linux
    osvers=4.9.0-3-amd64
    archname=x86_64-linux
    uname='linux dorothy 4.9.0-3-amd64 #1 smp debian 4.9.25-1
(2017-05-02) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3 -fno-omit-frame-pointer'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3 -fno-omit-frame-pointer'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -fno-omit-frame-pointer
-L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
    uncommitted-changes


@INC for perl 5.27.1:
    lib
    /usr/local/lib/perl5/site_perl/5.26.0/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.26.0
    /usr/local/lib/perl5/5.26.0/x86_64-linux
    /usr/local/lib/perl5/5.26.0


Environment for perl 5.27.1:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LC_CTYPE=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.24.1-dbg/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin
    PERLBREW_PERL=perl-5.24.1-dbg
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh


p5pRT commented Aug 8, 2017

From @iabyn

On Thu, Jun 22, 2017 at 11:55:56AM -0700, Sergey Aleynikov wrote:

eval q!split*@=\0!

*@ = \0 aliases $@ to a read-only value. Subsequent attempts to set $@
will cause a "Modification of a read-only value attempted" croak,
which will also try to set $@, and so on until the stack overflows.

I think this comes under "doctor it hurts if I do this".

--
That he said that that that that is is is debatable, is debatable.
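The cycle described in the comment above, modelled as an added C example that is not perl's own code: a tiny unwinder that must store the error message into $@, run once without and once with a hypothetical re-entrancy guard that stops the second attempt to write $@. The `struct vm` fields, `DEPTH_CAP` and the regex error text are constructed stand-ins for the interpreter state in the trace.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the cycle in this ticket, not perl's source: die_unwind()
 * stores the message into $@; with $@ aliased read-only that store croaks, croak()
 * unwinds again, and so on until the C stack is exhausted (28319 frames above). */
#define DEPTH_CAP 64            /* stand-in for the real C stack limit */

struct vm {
    bool errsv_readonly;        /* true after `*@ = \0` */
    char errsv[96];             /* contents of $@ */
    bool guard_enabled;         /* hypothetical re-entrancy guard on/off */
    bool unwinding;             /* guard state: already inside die_unwind */
    int  depth;                 /* nested die_unwind calls observed */
    bool stack_overflow;        /* the real interpreter would have crashed */
    char last_fatal[96];        /* message reported when the guard stops it */
};

static void vm_croak(struct vm *v, const char *msg);
/* sv_setsv on $@: croak_no_modify() when $@ is read-only. */
static bool vm_set_errsv(struct vm *v, const char *msg)
{
    if (v->errsv_readonly) return false;
    snprintf(v->errsv, sizeof v->errsv, "%s", msg);
    return true;
}

static void vm_die_unwind(struct vm *v, const char *msg)
{
    if (++v->depth > DEPTH_CAP) { v->stack_overflow = true; return; }
    if (v->guard_enabled && v->unwinding) {
        /* Re-entered from our own failed store: leave $@ alone and stop. */
        snprintf(v->last_fatal, sizeof v->last_fatal, "%s", msg);
        return;
    }
    v->unwinding = true;
    if (!vm_set_errsv(v, msg))
        vm_croak(v, "Modification of a read-only value attempted");
    v->unwinding = false;
}

static void vm_croak(struct vm *v, const char *msg) { vm_die_unwind(v, msg); }
/* The ticket's scenario: $@ aliased read-only, then a regex compile error. */
static struct vm run_scenario(bool guard)
{
    struct vm v = { .errsv_readonly = true, .guard_enabled = guard };
    vm_croak(&v, "constructed regex compile error");
    return v;
}
```

Without the guard the depth counter runs past `DEPTH_CAP`, which is where the real interpreter faults; with it the second write to $@ is refused and the original "Modification of a read-only value attempted" message survives to the top level.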


p5pRT commented Aug 8, 2017

The RT System itself - Status changed from 'new' to 'open'
