Segfault in Perl_grok_number_flags under use feature 'bitwise'

[p5pRT]

Migrated from rt.perl.org#128204 (status was 'resolved')

Searchable as RT128204$

[p5pRT]

From @dcollinsn

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -DDEBUGGING -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl -t -W @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segmentation fault in the perl interpreter. The testcase is the file below. On debug builds, this returns an assert fail.

use feature'​:all';@​0&=0

dcollins@​nightshade64​:~$ od -c f3i000134
0000000 u s e f e a t u r e ' : a l l
0000020 ' ; @​ 0 & = 0
0000027
dcollins@​nightshade64​:~$ cd perl/
dcollins@​nightshade64​:~/perl$ ./perl -Ilib ../f3i000134
The bitwise feature is experimental at ../f3i000134 line 1.
Segmentation fault
dcollins@​nightshade64​:~/perl$ cd ../perldebug/
dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib ../f3i000134
The bitwise feature is experimental at ../f3i000134 line 1.
perl​: sv.c​:2531​: Perl_sv_2uv_flags​: Assertion `(((svtype)((sv)->sv_flags & 0xff)) == SVt_REGEXP || ((sv)->sv_flags & (0xff|0x00004000|0x00008000|0x01000000)) == (SVt_PVLV|0x01000000)) || ((sv)->sv_flags & 0x00004000)' failed.
Aborted

Debugging tool output is below. A git bisect was attempted, but this persists as far back as 5.22, which is when the bitwise feature was first introduced.

**GDB**

(gdb) run
Starting program​: /home/dcollins/perl/perl -Ilib ../f3i000134
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
The bitwise feature is experimental at ../f3i000134 line 1.

Program received signal SIGSEGV, Segmentation fault.
0x00000000005c41f2 in Perl_grok_number_flags (pv=0x0,
  len=18446744073709551615, valuep=0x7fffffffe300, flags=0) at numeric.c​:857
857 while (s < send && isSPACE(*s))
(gdb) bt
#0 0x00000000005c41f2 in Perl_grok_number_flags (pv=0x0,
  len=18446744073709551615, valuep=0x7fffffffe300, flags=0) at numeric.c​:857
#1 0x00000000005c4190 in Perl_grok_number (pv=0x0, len=18446744073709551615,
  valuep=0x7fffffffe300) at numeric.c​:841
#2 0x000000000051b25f in Perl_sv_2uv_flags (sv=0x86d650, flags=0)
  at sv.c​:2536
#3 0x0000000000542238 in Perl_pp_nbit_and () at pp.c​:2444
#4 0x0000000000508326 in Perl_runops_standard () at run.c​:41
#5 0x0000000000448e80 in S_run_body (oldscope=1) at perl.c​:2517
#6 0x0000000000448a2f in perl_run (my_perl=0x857010) at perl.c​:2440
#7 0x000000000041e730 in main (argc=3, argv=0x7fffffffe628,
  env=0x7fffffffe648) at perlmain.c​:116
(gdb) info locals
s = 0x0
send = 0xffffffffffffffff <error​: Cannot access memory at address 0xffffffffffffffff>
d = 0x490000000041e550 <error​: Cannot access memory at address 0x490000000041e550>
numtype = 0
(gdb) l
852 const char *d;
853 int numtype = 0;
854
855 PERL_ARGS_ASSERT_GROK_NUMBER_FLAGS;
856
857 while (s < send && isSPACE(*s))
858 s++;
859 if (s == send) {
860 return 0;
861 } else if (*s == '-') {
(gdb) q

(gdb) run
Starting program​: /home/dcollins/perldebug/perl -Ilib ../f3i000134
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
The bitwise feature is experimental at ../f3i000134 line 1.
perl​: sv.c​:2531​: Perl_sv_2uv_flags​: Assertion `(((svtype)((sv)->sv_flags & 0xff)) == SVt_REGEXP || ((sv)->sv_flags & (0xff|0x00004000|0x00008000|0x01000000)) == (SVt_PVLV|0x01000000)) || ((sv)->sv_flags & 0x00004000)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cfa8fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6cf23a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6cf2452 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00000000005ce153 in Perl_sv_2uv_flags (sv=0xab29e0, flags=0) at sv.c​:2531
#5 0x0000000000630232 in Perl_pp_nbit_and () at pp.c​:2444
#6 0x0000000000559af3 in Perl_runops_debug () at dump.c​:2239
#7 0x0000000000462138 in S_run_body (oldscope=1) at perl.c​:2517
#8 0x0000000000461763 in perl_run (my_perl=0xa9c010) at perl.c​:2440
#9 0x000000000041e8f0 in main (argc=3, argv=0x7fffffffe618, env=0x7fffffffe638) at perlmain.c​:116
(gdb) f 4
#4 0x00000000005ce153 in Perl_sv_2uv_flags (sv=0xab29e0, flags=0) at sv.c​:2531
2531 assert(isREGEXP(sv) || SvPOKp(sv));
(gdb) info locals
__PRETTY_FUNCTION__ = "Perl_sv_2uv_flags"
(gdb) l
2526
2527 if (SvVALID(sv) || isREGEXP(sv)) {
2528 /* FBMs use the space for SvIVX and SvNVX for other purposes, and use
2529 the same flag bit as SVf_IVisUV, so must not let them cache IVs.
2530 Regexps have no SvIVX and SvNVX fields. */
2531 assert(isREGEXP(sv) || SvPOKp(sv));
2532 {
2533 UV value;
2534 const char * const ptr =
2535 isREGEXP(sv) ? RX_WRAPPED((REGEXP*)sv) : SvPVX_const(sv);
(gdb)

**VALGRIND**

dcollins@​nightshade64​:~/perl$ valgrind ./perl -Ilib ../f3i000134
==60697== Memcheck, a memory error detector
==60697== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==60697== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==60697== Command​: ./perl -Ilib ../f3i000134
==60697==
The bitwise feature is experimental at ../f3i000134 line 1.
==60697== Invalid read of size 1
==60697== at 0x5C41F2​: Perl_grok_number_flags (numeric.c​:857)
==60697== by 0x5C418F​: Perl_grok_number (numeric.c​:841)
==60697== by 0x51B25E​: Perl_sv_2uv_flags (sv.c​:2536)
==60697== by 0x542237​: Perl_pp_nbit_and (pp.c​:2444)
==60697== by 0x508325​: Perl_runops_standard (run.c​:41)
==60697== by 0x448E7F​: S_run_body (perl.c​:2517)
==60697== by 0x448A2E​: perl_run (perl.c​:2440)
==60697== by 0x41E72F​: main (perlmain.c​:116)
==60697== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==60697==
==60697==
==60697== Process terminating with default action of signal 11 (SIGSEGV)
==60697== Access not within mapped region at address 0x0
==60697== at 0x5C41F2​: Perl_grok_number_flags (numeric.c​:857)
==60697== by 0x5C418F​: Perl_grok_number (numeric.c​:841)
==60697== by 0x51B25E​: Perl_sv_2uv_flags (sv.c​:2536)
==60697== by 0x542237​: Perl_pp_nbit_and (pp.c​:2444)
==60697== by 0x508325​: Perl_runops_standard (run.c​:41)
==60697== by 0x448E7F​: S_run_body (perl.c​:2517)
==60697== by 0x448A2E​: perl_run (perl.c​:2440)
==60697== by 0x41E72F​: main (perlmain.c​:116)
==60697== If you believe this happened as a result of a stack
==60697== overflow in your program's main thread (unlikely but
==60697== possible), you can try to increase the size of the
==60697== main thread stack using the --main-stacksize= flag.
==60697== The main thread stack size used in this run was 8388608.
==60697==
==60697== HEAP SUMMARY​:
==60697== in use at exit​: 204,449 bytes in 900 blocks
==60697== total heap usage​: 1,617 allocs, 717 frees, 325,916 bytes allocated
==60697==
==60697== LEAK SUMMARY​:
==60697== definitely lost​: 192 bytes in 1 blocks
==60697== indirectly lost​: 2,024 bytes in 22 blocks
==60697== possibly lost​: 44,648 bytes in 32 blocks
==60697== still reachable​: 157,585 bytes in 845 blocks
==60697== of which reachable via heuristic​:
==60697== newarray : 224 bytes in 7 blocks
==60697== suppressed​: 0 bytes in 0 blocks
==60697== Rerun with --leak-check=full to see details of leaked memory
==60697==
==60697== For counts of detected and suppressed errors, rerun with​: -v
==60697== ERROR SUMMARY​: 1 errors from 1 contexts (suppressed​: 0 from 0)
Segmentation fault

**PERL -V**

dcollins@​nightshade64​:~/perl$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 1) configuration​:
  Commit id​: 9e17953
  Platform​:
  osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache gcc-6.1 -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache gcc-6.1', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='6.1.0', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.22'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_OP_PARENT PERL_PRESERVE_IVUV PERL_USE_DEVEL
  USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
  USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at May 17 2016 20​:01​:23
  @​INC​:
  lib
  /usr/local/perl-afl/lib/site_perl/5.25.1/x86_64-linux-ld
  /usr/local/perl-afl/lib/site_perl/5.25.1
  /usr/local/perl-afl/lib/5.25.1/x86_64-linux-ld
  /usr/local/perl-afl/lib/5.25.1
  /usr/local/perl-afl/lib/site_perl/5.24.0
  /usr/local/perl-afl/lib/site_perl
  .

[p5pRT]

From @cpansprout

On Fri May 20 19​:41​:40 2016, dcollinsn@​gmail.com wrote​:

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache
afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly
-Uman1dir -Uman3dir -Dusequadmath -DDEBUGGING -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl -t -W @​@​

After reducing testcases using `afl-tmin` and performing additional
minimization by hand, I have located the following testcase that
triggers a segmentation fault in the perl interpreter. The testcase is
the file below. On debug builds, this returns an assert fail.

use feature'​:all';@​0&=0

Thank you for the report. This is fixed in 76734a3.

--

Father Chrysostomos

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

@cpansprout - Status changed from 'open' to 'pending release'

[p5pRT]

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

[p5pRT]

@khwilliamson - Status changed from 'pending release' to 'resolved'