-
Notifications
You must be signed in to change notification settings - Fork 558
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Segmentation fault in Perl 5.23.2 while fuzzing Perl binary #14843
Comments
From @dcollinsnWhile fuzzing the blead Perl binary (as a learning exercise), I found a testcase that causes a segfault under -Duse64bitint but which works fine (exits with an error but without receiving a fatal signal) without 64bitint. Perl -V, Valgrind, and GDB output are below. The original testcase reads: f$x 1...888888888888888 hexdump: A reduced version of this testcase reads: f$0 1..880000000000000g hexdump: Miniperl simply hangs under this testcase. A git bisect revealed that under old versions of Perl, this resulted in a hang. The hang changed to "Killed" at: op.c:allocmy: Don’t depend on null termination This function has a len argument, but still depends on its argument’s :100644 100644 d54651bacf6748b59d4c76645aa3019191f00158 0f646ed853fdfb519512c85fc3d5839dd6e237b5 M op.c This may just be an out-of-memory condition, I can't actually find the first segfault right now, however it is definitely segfaulting in: optimize & rmv from public API Perl_tmps_grow and related code Previously in PUSH_EXTEND_MORTAL__SV_C, "PL_tmps_ix + 1" would execute Summary of my perl5 (revision 5 version 23 subversion 2) configuration: Characteristics of this binary (from libperl): ***VALGRIND OUTPUT*** valgrind: the 'impossible' happened: sched status: Thread 1: status = VgTs_Runnable ***GDB OUTPUT*** Program received signal SIGSEGV, Segmentation fault. |
From @tonycozOn Mon Aug 10 07:48:19 2015, dcollinsn@gmail.com wrote:
The attached fixes both of these for me. Tony |
From @tonycoz0001-perl-125781-handle-range-overflow-when-Size_t-is-sma.patchFrom ea697ae3ebfc94d365efb0e69a56c9b4f3ac44c0 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 11 Aug 2015 15:49:37 +1000
Subject: [perl #125781] handle range overflow when Size_t is smaller than IV
---
pp_ctl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pp_ctl.c b/pp_ctl.c
index cc6a55f..499e382 100644
--- a/pp_ctl.c
+++ b/pp_ctl.c
@@ -1206,7 +1206,11 @@ PP(pp_flop)
/* The wraparound of signed integers is undefined
* behavior, but here we aim for count >=1, and
* negative count is just wrong. */
- if (n < 1)
+ if (n < 1
+#if IVSIZE > Size_t_size
+ || n > SSize_t_MAX
+#endif
+ )
overflow = TRUE;
}
if (overflow)
--
2.5.0
|
The RT System itself - Status changed from 'new' to 'open' |
From @tonycozOn Mon Aug 10 23:13:43 2015, tonyc wrote:
Applied as a1e2717. Tony |
@tonycoz - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#125781 (status was 'resolved')
Searchable as RT125781$
The text was updated successfully, but these errors were encountered: