Segfault in Perl_pv_escape with assert fail, do qr/NUL/

[p5pRT]

Migrated from rt.perl.org#128182 (status was 'resolved')

Searchable as RT128182$

[p5pRT]

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an segfault in the perl interpreter. The testcase is the file below. On normal builds, this segfaults. On debug builds, this returns an assert fail.

dcollins@​nightshade64​:~$ cat f3i0
do
qr//dcollins@​nightshade64​:~$
dcollins@​nightshade64​:~$ od -c f3i0
0000000 d o \n q r / \0 /
0000010
dcollins@​nightshade64​:~$ ls -l f3i0
-rw-r----- 1 dcollins afl 8 May 18 17​:01 f3i0
dcollins@​nightshade64​:~$ ./perl/perl f3i0
Segmentation fault
dcollins@​nightshade64​:~$ ./perldebug/perl f3i0
perl​: pp_ctl.c​:3690​: S_require_file​: Assertion `PL_valid_types_PVX[((svtype)((_svcur)->sv_flags & 0xff)) & 0xf] || ((svtype)((_svcur)->sv_flags & 0xff)) == SVt_REGEXP' failed.
Aborted

Debugging tool output is below. A git bisect was performed and reported the following​:

41188aa is the first bad commit
commit 41188aa
Author​: Tony Cook <tony@​develop-help.com>
Date​: Tue Sep 3 10​:17​:35 2013 +1000

  [perl #117265] correctly handle overloaded strings

:100644 100644 d79bf44da7adb960f017908188b6b2563799066d 3988c788738312cc9dcc15e948114261e0a0ddac M doio.c
:100644 100644 896f709fc96234f8c6fb5ab73ae91432c65b412a 0f686d46d7078057cf210b3ef695fe404756ce08 M embed.fnc
:100644 100644 3662b97d3a21031dcc82bc6d610ac1dbab8fbbfc 7e0f83ea7f8735b6d3bf0e18cefa560cb5d5619f M embed.h
:040000 040000 83b4e1f174ce6d0bf2f6d6a573a74977289d51e5 5e26489a420e08692733eba6e747117749923c75 M ext
:100644 100644 a5742b892abb2a404ee66f5d23240d0a6dc1db3e a2727f41a17e6255a74a7a26652e4ceb0eafdfcb M inline.h
:100644 100644 e4cee6918c567c387e054bd57f097f7fda996bb6 5adc8d495a97bd15f6ecdb4ead223c01007c0c1b M perl.h
:100644 100644 7de7085d6b4f0352a08fa256c4885e891f617d35 c2cc3197ce67a8370b862c8fa28411a942fa1007 M perlio.c
:100644 100644 7fd27f8531f748818442e84176b7d3b52537b13f 243bcac7c303ef8386020730af72a341399ad215 M pp_ctl.c
:100644 100644 88aaa0a6b163ebe25f6c60f6a202f377708fde40 7281242c1c492479a47d8e8420da0b3150a32a25 M proto.h
:040000 040000 282fc858a0d9fe08d94515675db6a7f5326263f7 0d8ba633b8b0694cb278ba783a68566bca51bed7 M t
bisect run success

**GDB**

dcollins@​nightshade64​:~$ gdb --args ./perl/perl ./f3i0
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://gnu.org/licenses/gpl.html>
This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see​:
<http​://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at​:
<http​://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./perl/perl...done.
(gdb) run
Starting program​: /home/dcollins/perl/perl ./f3i0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004d1883 in Perl_pv_escape (dsv=0x86d120,
  str=0x86cfb8 "\b\206\207", count=8753688, max=17507376, escaped=0x0,
  flags=0) at dump.c​:213
213 else if ( (pv+readsize < end) && isDIGIT((U8)*(pv+r eadsize)) )
(gdb) bt
#0 0x00000000004d1883 in Perl_pv_escape (dsv=0x86d120,
  str=0x86cfb8 "\b\206\207", count=8753688, max=17507376, escaped=0x0,
  flags=0) at dump.c​:213
#1 0x0000000000565d27 in S_require_file (sv=0x859228) at pp_ctl.c​:3688
#2 0x00000000005675ff in Perl_pp_require () at pp_ctl.c​:4124
#3 0x0000000000508326 in Perl_runops_standard () at run.c​:41
#4 0x0000000000448e80 in S_run_body (oldscope=1) at perl.c​:2517
#5 0x0000000000448a2f in perl_run (my_perl=0x857010) at perl.c​:2440
#6 0x000000000041e730 in main (argc=2, argv=0x7fffffffe658,
  env=0x7fffffffe670) at perlmain.c​:116
(gdb) info locals
u = 0
c = 0 '\000'
esc = 92 '\\'
dq = 92 '\\'
octbuf = "\\0\000\064\000\065\066\067\070\071ABCDF", '\000' <repeats 16 times>
wrote = 290820
chsize = 2
readsize = 1
isuni = false
pv = 0x898fff ""
end = 0x10c61d0 <error​: Cannot access memory at address 0x10c61d0>
(gdb) l
208 if ( (flags & PERL_PV_ESCAPE_DWIM) && c != '\0' ) {
209 chsize = my_snprintf( octbuf, PV_ESCAPE_OCTBUFSIZE,
210 isuni ? "%cx{%02"UVxf"}" : "%cx%02"UVxf,
211 esc, u);
212 }
213 else if ( (pv+readsize < end) && isDIGIT((U8)*(pv+readsize)) )
214 chsize = my_snprintf( octbuf, PV_ESCAPE_OCTBUFSIZE,
215 "%c%03o", esc, c);
216 else
217 chsize = my_snprintf( octbuf, PV_ESCAPE_OCTBUFSIZE,
(gdb)

**VALGRIND**

dcollins@​nightshade64​:~$ valgrind ./perl/perl ./f3i0
==43712== Memcheck, a memory error detector
==43712== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==43712== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==43712== Command​: ./perl/perl ./f3i0
==43712==
==43712== Use of uninitialised value of size 8
==43712== at 0x4D188B​: Perl_pv_escape (dump.c​:213)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x4D15E3​: Perl_pv_escape (dump.c​:169)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x4D15F9​: Perl_pv_escape (dump.c​:171)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x4D170F​: Perl_pv_escape (dump.c​:185)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x4D171B​: Perl_pv_escape (dump.c​:185)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Use of uninitialised value of size 8
==43712== at 0x4D1723​: Perl_pv_escape (dump.c​:185)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x4D1749​: Perl_pv_escape (dump.c​:187)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x4D174E​: Perl_pv_escape (dump.c​:187)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x4D1753​: Perl_pv_escape (dump.c​:187)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x4D1758​: Perl_pv_escape (dump.c​:187)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x4D175D​: Perl_pv_escape (dump.c​:187)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Use of uninitialised value of size 8
==43712== at 0x5BE9221​: _itoa_word (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5BEC98C​: vfprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5C16248​: vsnprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5BF3D11​: snprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x4D1912​: Perl_pv_escape (dump.c​:217)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x5BE9228​: _itoa_word (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5BEC98C​: vfprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5C16248​: vsnprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5BF3D11​: snprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x4D1912​: Perl_pv_escape (dump.c​:217)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x5BECA0F​: vfprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5C16248​: vsnprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5BF3D11​: snprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x4D1912​: Perl_pv_escape (dump.c​:217)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x5BEC4B9​: vfprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5C16248​: vsnprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5BF3D11​: snprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x4D1912​: Perl_pv_escape (dump.c​:217)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x5BEC542​: vfprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5C16248​: vsnprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5BF3D11​: snprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x4D1912​: Perl_pv_escape (dump.c​:217)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x5BECA0F​: vfprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5C16248​: vsnprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5BF3D11​: snprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x4D18C0​: Perl_pv_escape (dump.c​:214)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x5BEC4B9​: vfprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5C16248​: vsnprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5BF3D11​: snprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x4D18C0​: Perl_pv_escape (dump.c​:214)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Conditional jump or move depends on uninitialised value(s)
==43712== at 0x5BEC542​: vfprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5C16248​: vsnprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x5BF3D11​: snprintf (in /lib/x86_64-linux-gnu/libc-2.22.so)
==43712== by 0x4D18C0​: Perl_pv_escape (dump.c​:214)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712==
==43712== Invalid read of size 1
==43712== at 0x4D1883​: Perl_pv_escape (dump.c​:213)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712== Address 0x5f64dd0 is 0 bytes after a block of size 4,080 alloc'd
==43712== at 0x4C28C0F​: malloc (vg_replace_malloc.c​:299)
==43712== by 0x4DC92B​: Perl_safesysmalloc (util.c​:153)
==43712== by 0x51850E​: S_more_sv (sv.c​:307)
==43712== by 0x52CA51​: Perl_newSV_type (sv.c​:9559)
==43712== by 0x436656​: Perl_newXS_len_flags (op.c​:8997)
==43712== by 0x4363C8​: Perl_newXS_flags (op.c​:8939)
==43712== by 0x5BA3A1​: Perl_boot_core_UNIVERSAL (universal.c​:1090)
==43712== by 0x448343​: S_parse_body (perl.c​:2266)
==43712== by 0x4475CF​: perl_parse (perl.c​:1681)
==43712== by 0x41E717​: main (perlmain.c​:114)
==43712==
==43712== Invalid read of size 1
==43712== at 0x4D15CA​: Perl_pv_escape (dump.c​:166)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712== Address 0x5f64dd0 is 0 bytes after a block of size 4,080 alloc'd
==43712== at 0x4C28C0F​: malloc (vg_replace_malloc.c​:299)
==43712== by 0x4DC92B​: Perl_safesysmalloc (util.c​:153)
==43712== by 0x51850E​: S_more_sv (sv.c​:307)
==43712== by 0x52CA51​: Perl_newSV_type (sv.c​:9559)
==43712== by 0x436656​: Perl_newXS_len_flags (op.c​:8997)
==43712== by 0x4363C8​: Perl_newXS_flags (op.c​:8939)
==43712== by 0x5BA3A1​: Perl_boot_core_UNIVERSAL (universal.c​:1090)
==43712== by 0x448343​: S_parse_body (perl.c​:2266)
==43712== by 0x4475CF​: perl_parse (perl.c​:1681)
==43712== by 0x41E717​: main (perlmain.c​:114)
==43712==
==43712==
==43712== More than 10000000 total errors detected. I'm not reporting any more.
==43712== Final error counts will be inaccurate. Go fix your program!
==43712== Rerun with --error-limit=no to disable this cutoff. Note
==43712== that errors may occur in your program without prior warning from
==43712== Valgrind, because errors are no longer being displayed.
==43712==
==43712==
==43712== Process terminating with default action of signal 11 (SIGSEGV)
==43712== Access not within mapped region at address 0x6B571C8
==43712== at 0x4D15CA​: Perl_pv_escape (dump.c​:166)
==43712== by 0x565D26​: S_require_file (pp_ctl.c​:3688)
==43712== by 0x5675FE​: Perl_pp_require (pp_ctl.c​:4124)
==43712== by 0x508325​: Perl_runops_standard (run.c​:41)
==43712== by 0x448E7F​: S_run_body (perl.c​:2517)
==43712== by 0x448A2E​: perl_run (perl.c​:2440)
==43712== by 0x41E72F​: main (perlmain.c​:116)
==43712== If you believe this happened as a result of a stack
==43712== overflow in your program's main thread (unlikely but
==43712== possible), you can try to increase the size of the
==43712== main thread stack using the --main-stacksize= flag.
==43712== The main thread stack size used in this run was 8388608.
==43712==
==43712== HEAP SUMMARY​:
==43712== in use at exit​: 25,775,750 bytes in 553 blocks
==43712== total heap usage​: 758 allocs, 205 frees, 128,453,238 bytes allocated
==43712==
==43712== LEAK SUMMARY​:
==43712== definitely lost​: 184 bytes in 1 blocks
==43712== indirectly lost​: 1,972 bytes in 21 blocks
==43712== possibly lost​: 0 bytes in 0 blocks
==43712== still reachable​: 25,773,594 bytes in 531 blocks
==43712== suppressed​: 0 bytes in 0 blocks
==43712== Rerun with --leak-check=full to see details of leaked memory
==43712==
==43712== For counts of detected and suppressed errors, rerun with​: -v
==43712== Use --track-origins=yes to see where uninitialised values come from
==43712== ERROR SUMMARY​: 10000000 errors from 21 contexts (suppressed​: 0 from 0)
Segmentation fault

**PERL -V**

dcollins@​nightshade64​:~$ perl/perl -V
Summary of my perl5 (revision 5 version 25 subversion 1) configuration​:
  Commit id​: 9e17953
  Platform​:
  osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DDEBUG_LEAKING_SCALARS -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache afl-gcc', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='6.1.0', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.22'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_OP_PARENT PERL_PRESERVE_IVUV PERL_USE_DEVEL
  USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
  USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at May 17 2016 20​:01​:23
  @​INC​:
  /usr/local/perl-afl/lib/site_perl/5.25.1/x86_64-linux-ld
  /usr/local/perl-afl/lib/site_perl/5.25.1
  /usr/local/perl-afl/lib/5.25.1/x86_64-linux-ld
  /usr/local/perl-afl/lib/5.25.1
  /usr/local/perl-afl/lib/site_perl/5.24.0
  /usr/local/perl-afl/lib/site_perl
  .

[p5pRT]

From @cpansprout

On Wed May 18 15​:26​:10 2016, dcollinsn@​gmail.com wrote​:

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache
afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly
-Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional
minimization by hand, I have located the following testcase that
triggers an segfault in the perl interpreter. The testcase is the file
below. On normal builds, this segfaults. On debug builds, this returns
an assert fail.

dcollins@​nightshade64​:~$ cat f3i0
do
qr//dcollins@​nightshade64​:~$
dcollins@​nightshade64​:~$ od -c f3i0
0000000 d o \n q r / \0 /
0000010
dcollins@​nightshade64​:~$ ls -l f3i0
-rw-r----- 1 dcollins afl 8 May 18 17​:01 f3i0
dcollins@​nightshade64​:~$ ./perl/perl f3i0
Segmentation fault
dcollins@​nightshade64​:~$ ./perldebug/perl f3i0
perl​: pp_ctl.c​:3690​: S_require_file​: Assertion
`PL_valid_types_PVX[((svtype)((_svcur)->sv_flags & 0xff)) & 0xf] ||
((svtype)((_svcur)->sv_flags & 0xff)) == SVt_REGEXP' failed.
Aborted

Some of the code added by v5.19.3-130-gc8028aa to pp_ctl.c​:pp_require (now in S_require_file) uses SvPVX(sv) and SvCUR(sv) without making sure that the SV is a PV.

I believe that is the culprit.

In fact, the code in question could just use the name and len variables it already has, from stringifying the sv a few lines earlier.

(I may be wrong here. I have not even run this through gdb or done a bisect. I simply looked at the code.)

--

Father Chrysostomos

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @cpansprout

On Wed May 18 16​:58​:27 2016, sprout wrote​:

On Wed May 18 15​:26​:10 2016, dcollinsn@​gmail.com wrote​:

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache
afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly
-Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional
minimization by hand, I have located the following testcase that
triggers an segfault in the perl interpreter. The testcase is the
file
below. On normal builds, this segfaults. On debug builds, this
returns
an assert fail.

dcollins@​nightshade64​:~$ cat f3i0
do
qr//dcollins@​nightshade64​:~$
dcollins@​nightshade64​:~$ od -c f3i0
0000000 d o \n q r / \0 /
0000010
dcollins@​nightshade64​:~$ ls -l f3i0
-rw-r----- 1 dcollins afl 8 May 18 17​:01 f3i0
dcollins@​nightshade64​:~$ ./perl/perl f3i0
Segmentation fault
dcollins@​nightshade64​:~$ ./perldebug/perl f3i0
perl​: pp_ctl.c​:3690​: S_require_file​: Assertion
`PL_valid_types_PVX[((svtype)((_svcur)->sv_flags & 0xff)) & 0xf] ||
((svtype)((_svcur)->sv_flags & 0xff)) == SVt_REGEXP' failed.
Aborted

Some of the code added by v5.19.3-130-gc8028aa to pp_ctl.c​:pp_require
(now in S_require_file) uses SvPVX(sv) and SvCUR(sv) without making
sure that the SV is a PV.

I believe that is the culprit.

In fact, the code in question could just use the name and len
variables it already has, from stringifying the sv a few lines
earlier.

(I may be wrong here. I have not even run this through gdb or done a
bisect. I simply looked at the code.)

This is fixed in 08f800f and has a perldelta entry in f8591e0.

I think these should be candidates for backporting to maint-5.24 and maint-5.22 (and maint-5.20 if we are still doing that).

Thank you for the report.

--

Father Chrysostomos

[p5pRT]

@cpansprout - Status changed from 'open' to 'pending release'

[p5pRT]

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

[p5pRT]

@khwilliamson - Status changed from 'pending release' to 'resolved'