Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segmentation fault in Perl_sv_catpvn_flags #14976

Closed
p5pRT opened this issue Oct 10, 2015 · 8 comments
Closed

Segmentation fault in Perl_sv_catpvn_flags #14976

p5pRT opened this issue Oct 10, 2015 · 8 comments
Labels

Comments

@p5pRT
Copy link
Collaborator

@p5pRT p5pRT commented Oct 10, 2015

Migrated from rt.perl.org#126319 (status was 'resolved')

Searchable as RT126319$

@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Oct 10, 2015

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segmentation fault in the perl interpreter. The testcase is the file​:

/\b{sb}\b{wb}//b{}//>s>>>g>>0

The fuzzer seems to have started from the testcase in [perl #126260], but is does not appear to be at all related - that is a regexp related bug, while this bug is occurring in sv.c.

**GDB**

(gdb) run
Starting program​: /usr/local/perl-afl/bin/perl allcrash/f4i000027
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6df5b9c in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6df5b9c in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00000000009f5567 in memmove (__len=18446744073709551615, __src=0x1213001,
  __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h​:57
#2 Perl_sv_catpvn_flags (dsv=0x12056a0, sstr=0x1213001 "",
  slen=18446744073709551615, flags=16384) at sv.c​:5370
#3 0x000000000090410e in Perl_pp_subst () at pp_hot.c​:3055
#4 0x00000000007dec7f in Perl_runops_debug () at dump.c​:2224
#5 0x0000000000544469 in S_run_body (oldscope=1) at perl.c​:2456
#6 perl_run (my_perl=<optimized out>) at perl.c​:2379
#7 0x000000000042c6f8 in main (argc=2, argv=0x7fffffffe348, env=0x7fffffffe360)
  at perlmain.c​:116

**VALGRIND**

==19889== Memcheck, a memory error detector
==19889== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==19889== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==19889== Command​: ../bin/perl allcrash/f4i000027
==19889==
==19889== Invalid write of size 8
==19889== at 0x4C2C04B​: memcpy@​GLIBC_2.2.5 (vg_replace_strmem.c​:1017)
==19889== by 0x9F5566​: memmove (string3.h​:57)
==19889== by 0x9F5566​: Perl_sv_catpvn_flags (sv.c​:5370)
==19889== by 0x90410D​: Perl_pp_subst (pp_hot.c​:3055)
==19889== by 0x7DEC7E​: Perl_runops_debug (dump.c​:2224)
==19889== by 0x544468​: S_run_body (perl.c​:2456)
==19889== by 0x544468​: perl_run (perl.c​:2379)
==19889== by 0x42C6F7​: main (perlmain.c​:116)
==19889== Address 0x5f814c8 is 8 bytes inside a block of size 10 alloc'd
==19889== at 0x4C27C0F​: malloc (vg_replace_malloc.c​:299)
==19889== by 0x7EFD6C​: Perl_safesysmalloc (util.c​:153)
==19889== by 0x98BD5F​: Perl_sv_grow (sv.c​:1624)
==19889== by 0x9BBDBB​: Perl_sv_setpvn (sv.c​:4849)
==19889== by 0x9BD012​: Perl_newSVpvn_flags (sv.c​:9085)
==19889== by 0x901BF4​: Perl_pp_subst (pp_hot.c​:3001)
==19889== by 0x7DEC7E​: Perl_runops_debug (dump.c​:2224)
==19889== by 0x544468​: S_run_body (perl.c​:2456)
==19889== by 0x544468​: perl_run (perl.c​:2379)
==19889== by 0x42C6F7​: main (perlmain.c​:116)
==19889==
==19889== Invalid read of size 8
==19889== at 0x4C2C048​: memcpy@​GLIBC_2.2.5 (vg_replace_strmem.c​:1017)
==19889== by 0x9F5566​: memmove (string3.h​:57)
==19889== by 0x9F5566​: Perl_sv_catpvn_flags (sv.c​:5370)
==19889== by 0x90410D​: Perl_pp_subst (pp_hot.c​:3055)
==19889== by 0x7DEC7E​: Perl_runops_debug (dump.c​:2224)
==19889== by 0x544468​: S_run_body (perl.c​:2456)
==19889== by 0x544468​: perl_run (perl.c​:2379)
==19889== by 0x42C6F7​: main (perlmain.c​:116)
==19889== Address 0x5f81420 is 6 bytes after a block of size 10 alloc'd
==19889== at 0x4C27C0F​: malloc (vg_replace_malloc.c​:299)
==19889== by 0x7EFD6C​: Perl_safesysmalloc (util.c​:153)
==19889== by 0x98BD5F​: Perl_sv_grow (sv.c​:1624)
==19889== by 0x9EA7D7​: Perl_sv_pvn_force_flags (sv.c​:9871)
==19889== by 0x901316​: Perl_pp_subst (pp_hot.c​:2991)
==19889== by 0x7DEC7E​: Perl_runops_debug (dump.c​:2224)
==19889== by 0x544468​: S_run_body (perl.c​:2456)
==19889== by 0x544468​: perl_run (perl.c​:2379)
==19889== by 0x42C6F7​: main (perlmain.c​:116)
==19889==
==19889== Invalid read of size 8
==19889== at 0x4C2C056​: memcpy@​GLIBC_2.2.5 (vg_replace_strmem.c​:1017)
==19889== by 0x9F5566​: memmove (string3.h​:57)
==19889== by 0x9F5566​: Perl_sv_catpvn_flags (sv.c​:5370)
==19889== by 0x90410D​: Perl_pp_subst (pp_hot.c​:3055)
==19889== by 0x7DEC7E​: Perl_runops_debug (dump.c​:2224)
==19889== by 0x544468​: S_run_body (perl.c​:2456)
==19889== by 0x544468​: perl_run (perl.c​:2379)
==19889== by 0x42C6F7​: main (perlmain.c​:116)
==19889== Address 0x5f81428 is 14 bytes after a block of size 10 alloc'd
==19889== at 0x4C27C0F​: malloc (vg_replace_malloc.c​:299)
==19889== by 0x7EFD6C​: Perl_safesysmalloc (util.c​:153)
==19889== by 0x98BD5F​: Perl_sv_grow (sv.c​:1624)
==19889== by 0x9EA7D7​: Perl_sv_pvn_force_flags (sv.c​:9871)
==19889== by 0x901316​: Perl_pp_subst (pp_hot.c​:2991)
==19889== by 0x7DEC7E​: Perl_runops_debug (dump.c​:2224)
==19889== by 0x544468​: S_run_body (perl.c​:2456)
==19889== by 0x544468​: perl_run (perl.c​:2379)
==19889== by 0x42C6F7​: main (perlmain.c​:116)
==19889==
==19889==
==19889== Process terminating with default action of signal 11 (SIGSEGV)
==19889== Access not within mapped region at address 0x6350000
==19889== at 0x4C2C04B​: memcpy@​GLIBC_2.2.5 (vg_replace_strmem.c​:1017)
==19889== by 0x9F5566​: memmove (string3.h​:57)
==19889== by 0x9F5566​: Perl_sv_catpvn_flags (sv.c​:5370)
==19889== by 0x90410D​: Perl_pp_subst (pp_hot.c​:3055)
==19889== by 0x7DEC7E​: Perl_runops_debug (dump.c​:2224)
==19889== by 0x544468​: S_run_body (perl.c​:2456)
==19889== by 0x544468​: perl_run (perl.c​:2379)
==19889== by 0x42C6F7​: main (perlmain.c​:116)
==19889== If you believe this happened as a result of a stack
==19889== overflow in your program's main thread (unlikely but
==19889== possible), you can try to increase the size of the
==19889== main thread stack using the --main-stacksize= flag.
==19889== The main thread stack size used in this run was 8388608.
==19889==
==19889== HEAP SUMMARY​:
==19889== in use at exit​: 122,132 bytes in 648 blocks
==19889== total heap usage​: 783 allocs, 135 frees, 148,398 bytes allocated
==19889==
==19889== LEAK SUMMARY​:
==19889== definitely lost​: 328 bytes in 1 blocks
==19889== indirectly lost​: 2,631 bytes in 39 blocks
==19889== possibly lost​: 0 bytes in 0 blocks
==19889== still reachable​: 119,173 bytes in 608 blocks
==19889== suppressed​: 0 bytes in 0 blocks
==19889== Rerun with --leak-check=full to see details of leaked memory
==19889==
==19889== For counts of detected and suppressed errors, rerun with​: -v
==19889== ERROR SUMMARY​: 998087 errors from 3 contexts (suppressed​: 0 from 0)

**PERL -V**

Summary of my perl5 (revision 5 version 23 subversion 4) configuration​:
  Commit id​: 94757bf
  Platform​:
  osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt11-1+deb8u4 (2015-09-19) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache afl-gcc', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='4.9.2', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.19'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
  USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
  USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Sep 30 2015 16​:39​:59
  @​INC​:
  /usr/local/perl-afl/lib/site_perl/5.23.4/x86_64-linux-ld
  /usr/local/perl-afl/lib/site_perl/5.23.4
  /usr/local/perl-afl/lib/5.23.4/x86_64-linux-ld
  /usr/local/perl-afl/lib/5.23.4
  .

@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Oct 15, 2015

From @tonycoz

On Sat Oct 10 14​:20​:55 2015, dcollinsn@​gmail.com wrote​:

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache
afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly
-Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional
minimization by hand, I have located the following testcase that
triggers a segmentation fault in the perl interpreter. The testcase is
the file​:

/\b{sb}\b{wb}//b{}//>s>>>g>>0

The fuzzer seems to have started from the testcase in [perl #126260],
but is does not appear to be at all related - that is a regexp related
bug, while this bug is occurring in sv.c.

This can be simplified​:

tony@​mars​:.../git/perl$ ./perl -e '/\b{wb}/; s///g'
Segmentation fault
tony@​mars​:.../git/perl$ ./perl -e '/\b{sb}/; s///g'
Segmentation fault
tony@​mars​:.../git/perl$ ./perl -e '/\b{gcb}/; s///g'
Segmentation fault
tony@​mars​:.../git/perl$ ./perl -e '/\b/; s///g'
tony@​mars​:.../git/perl$

Looking at it further.

Tony

@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Oct 15, 2015

The RT System itself - Status changed from 'new' to 'open'

@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Oct 19, 2015

From @khwilliamson

This is now fixed in blead by commit
f0bd363

Thank you for spotting this. It led to me finding several more bugs with this feature.
--
Karl Williamson

@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Oct 19, 2015

@khwilliamson - Status changed from 'open' to 'pending release'

@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Oct 19, 2015

From @khwilliamson

On 10/19/2015 12​:52 PM, Karl Williamson via RT wrote​:

This is now fixed in blead by commit
f0bd363

Thank you for spotting this. It led to me finding several more bugs with this feature.

I meant to include text, but forgot, in the final commit message talking
about how these bugs cancelled each other out except in rare cases, so
that everything passed the extensive test suite furnished by Unicode,
until I started fixing things.

The commit message for 139a998
also was supposed to have said the TODOs were instituted 6 commits earlier.

@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented May 13, 2016

From @khwilliamson

Thank you for submitting this report. You have helped make Perl better.
 
With the release of Perl 5.24.0 on May 9, 2016, this and 149 other issues have been resolved.

Perl 5.24.0 may be downloaded via https://metacpan.org/release/RJBS/perl-5.24.0

@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented May 13, 2016

@khwilliamson - Status changed from 'pending release' to 'resolved'

@p5pRT p5pRT closed this May 13, 2016
@p5pRT p5pRT added the Severity Low label Oct 19, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant
You can’t perform that action at this time.