Perl_pad_fixup_inner_anons Null reference Memory corruption

[p5pRT]

Migrated from rt.perl.org#129090 (status was 'resolved')

Searchable as RT129090$

[p5pRT]

From riusksk@qq.com

valgrind ../../perl poc
==31369== Memcheck, a memory error detector
==31369== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==31369== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==31369== Command​: ../../perl id​:000079,sig​:11,src​:024262,op​:havoc,rep​:4
==31369==
==31369== Invalid read of size 8
==31369== at 0x533C3E​: Perl_pad_fixup_inner_anons (pad.c​:2382)
==31369== by 0x44323C​: Perl_newATTRSUB_x (op.c​:8711)
==31369== by 0x522E8D​: Perl_yyparse (perly.y​:296)
==31369== by 0x48EDC9​: S_parse_body (perl.c​:2373)
==31369== by 0x48897F​: perl_parse (perl.c​:1689)
==31369== by 0x41F1D3​: main (perlmain.c​:121)
==31369== Address 0x5fb9020 is 16 bytes after a block of size 48 in arena "client"
==31369==
==31369== Invalid read of size 1
==31369== at 0x533C42​: Perl_pad_fixup_inner_anons (pad.c​:2378)
==31369== by 0x44323C​: Perl_newATTRSUB_x (op.c​:8711)
==31369== by 0x522E8D​: Perl_yyparse (perly.y​:296)
==31369== by 0x48EDC9​: S_parse_body (perl.c​:2373)
==31369== by 0x48897F​: perl_parse (perl.c​:1689)
==31369== by 0x41F1D3​: main (perlmain.c​:121)
==31369== Address 0x29 is not stack'd, malloc'd or (recently) free'd
==31369==
==31369==
==31369== Process terminating with default action of signal 11 (SIGSEGV)
==31369== Access not within mapped region at address 0x29
==31369== at 0x533C42​: Perl_pad_fixup_inner_anons (pad.c​:2378)
==31369== by 0x44323C​: Perl_newATTRSUB_x (op.c​:8711)
==31369== by 0x522E8D​: Perl_yyparse (perly.y​:296)
==31369== by 0x48EDC9​: S_parse_body (perl.c​:2373)
==31369== by 0x48897F​: perl_parse (perl.c​:1689)
==31369== by 0x41F1D3​: main (perlmain.c​:121)
==31369== If you believe this happened as a result of a stack
==31369== overflow in your program's main thread (unlikely but
==31369== possible), you can try to increase the size of the
==31369== main thread stack using the --main-stacksize= flag.
==31369== The main thread stack size used in this run was 8388608.
==31369==
==31369== HEAP SUMMARY​:
==31369== in use at exit​: 173,452 bytes in 783 blocks
==31369== total heap usage​: 991 allocs, 208 frees, 190,415 bytes allocated
==31369==
==31369== LEAK SUMMARY​:
==31369== definitely lost​: 320 bytes in 1 blocks
==31369== indirectly lost​: 2,601 bytes in 38 blocks
==31369== possibly lost​: 12,552 bytes in 16 blocks
==31369== still reachable​: 157,979 bytes in 728 blocks
==31369== suppressed​: 0 bytes in 0 blocks
==31369== Rerun with --leak-check=full to see details of leaked memory
==31369==
==31369== For counts of detected and suppressed errors, rerun with​: -v
==31369== ERROR SUMMARY​: 2 errors from 2 contexts (suppressed​: 0 from 0)
Segmentation fault

─➤$ ./perl ../poc.pl 2 ↵
ASAN​:SIGSEGV

==14425==ERROR​: AddressSanitizer​: SEGV on unknown address 0x00000000000c (pc 0x000108490338 bp 0x7fff579b32f0 sp 0x7fff579b32a0 T0)
  #0 0x108490337 in Perl_pad_fixup_inner_anons pad.c​:2386
  #1 0x1082a1f05 in Perl_newATTRSUB_x op.c​:8711
  #2 0x10845cf16 in Perl_yyparse perly.y​:296
  #3 0x108355087 in perl_parse perl.c​:2373
  #4 0x10824c7ee in main perlmain.c​:121
  #5 0x7fff985a95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
  #6 0x1 (<unknown module>)

[p5pRT]

From riusksk@qq.com

poc.pl

[p5pRT]

From @dcollinsn

dcollins@​nightshade64​:~/toolchain/perl$ afl-tmin -i poc.pl -o pocmin.pl -- ./perl -Ilib @​@​
afl-tmin 2.32b by <lcamtuf@​google.com>

[+] Read 5780 bytes from 'poc.pl'.
[*] Performing dry run (mem limit = 50 MB, timeout = 1000 ms)...
[+] Program exits with a signal, minimizing in crash mode.
[*] Stage #0​: One-time block normalization...
[+] Block normalization complete, 4564 bytes replaced.
[*] --- Pass #1 ---
[*] Stage #1​: Removing blocks of data...
  Block length = 512, remaining size = 5780
  Block length = 256, remaining size = 1536
  Block length = 128, remaining size = 1280
  Block length = 64, remaining size = 1024
  Block length = 32, remaining size = 832
  Block length = 16, remaining size = 576
  Block length = 8, remaining size = 384
  Block length = 4, remaining size = 232
  Block length = 2, remaining size = 164
  Block length = 1, remaining size = 104
[+] Block removal complete, 5702 bytes deleted.
[*] Stage #2​: Minimizing symbols (24 code points)...
[+] Symbol minimization finished, 5 symbols (15 bytes) replaced.
[*] Stage #3​: Character minimization...
[+] Character minimization done, 3 bytes replaced.
[*] --- Pass #2 ---
[*] Stage #1​: Removing blocks of data...
  Block length = 4, remaining size = 78
  Block length = 2, remaining size = 74
  Block length = 1, remaining size = 70
[+] Block removal complete, 9 bytes deleted.
[*] Stage #2​: Minimizing symbols (19 code points)...
[+] Symbol minimization finished, 0 symbols (0 bytes) replaced.
[*] Stage #3​: Character minimization...
[+] Character minimization done, 0 bytes replaced.
[*] --- Pass #3 ---
[*] Stage #1​: Removing blocks of data...
  Block length = 4, remaining size = 69
  Block length = 2, remaining size = 69
  Block length = 1, remaining size = 69
[+] Block removal complete, 0 bytes deleted.

  File size reduced by : 98.81% (to 69 bytes)
  Characters simplified : 6640.58%
  Number of execs done : 893
  Fruitless execs : path=666 crash=0 hang=15

[*] Writing output to 'pocmin.pl'...
[+] We're done here. Have a nice day!

dcollins@​nightshade64​:~/toolchain/perl$ cat pocmin.pl
$0=s()0&lt;$&gt;;0;my sub i0i0;()=((%fi0s0));sub fi0s0{sub i0i0{}sub fi0s0}

Further minimized by hand to​:

$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
Segmentation fault

--
Respectfully,
Dan Collins

[p5pRT]

From [Unknown Contact. See original ticket]

dcollins@​nightshade64​:~/toolchain/perl$ afl-tmin -i poc.pl -o pocmin.pl -- ./perl -Ilib @​@​
afl-tmin 2.32b by <lcamtuf@​google.com>

[+] Read 5780 bytes from 'poc.pl'.
[*] Performing dry run (mem limit = 50 MB, timeout = 1000 ms)...
[+] Program exits with a signal, minimizing in crash mode.
[*] Stage #0​: One-time block normalization...
[+] Block normalization complete, 4564 bytes replaced.
[*] --- Pass #1 ---
[*] Stage #1​: Removing blocks of data...
  Block length = 512, remaining size = 5780
  Block length = 256, remaining size = 1536
  Block length = 128, remaining size = 1280
  Block length = 64, remaining size = 1024
  Block length = 32, remaining size = 832
  Block length = 16, remaining size = 576
  Block length = 8, remaining size = 384
  Block length = 4, remaining size = 232
  Block length = 2, remaining size = 164
  Block length = 1, remaining size = 104
[+] Block removal complete, 5702 bytes deleted.
[*] Stage #2​: Minimizing symbols (24 code points)...
[+] Symbol minimization finished, 5 symbols (15 bytes) replaced.
[*] Stage #3​: Character minimization...
[+] Character minimization done, 3 bytes replaced.
[*] --- Pass #2 ---
[*] Stage #1​: Removing blocks of data...
  Block length = 4, remaining size = 78
  Block length = 2, remaining size = 74
  Block length = 1, remaining size = 70
[+] Block removal complete, 9 bytes deleted.
[*] Stage #2​: Minimizing symbols (19 code points)...
[+] Symbol minimization finished, 0 symbols (0 bytes) replaced.
[*] Stage #3​: Character minimization...
[+] Character minimization done, 0 bytes replaced.
[*] --- Pass #3 ---
[*] Stage #1​: Removing blocks of data...
  Block length = 4, remaining size = 69
  Block length = 2, remaining size = 69
  Block length = 1, remaining size = 69
[+] Block removal complete, 0 bytes deleted.

  File size reduced by : 98.81% (to 69 bytes)
  Characters simplified : 6640.58%
  Number of execs done : 893
  Fruitless execs : path=666 crash=0 hang=15

[*] Writing output to 'pocmin.pl'...
[+] We're done here. Have a nice day!

dcollins@​nightshade64​:~/toolchain/perl$ cat pocmin.pl
$0=s()0&lt;$&gt;;0;my sub i0i0;()=((%fi0s0));sub fi0s0{sub i0i0{}sub fi0s0}

Further minimized by hand to​:

$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
Segmentation fault

--
Respectfully,
Dan Collins

[p5pRT]

From riusksk@qq.com

在2016-八月-26 06​:01​:53 星期五时，dcollinsn@​gmail.com写到：

dcollins@​nightshade64​:~/toolchain/perl$ afl-tmin -i poc.pl -o
pocmin.pl -- ./perl -Ilib @​@​
afl-tmin 2.32b by <lcamtuf@​google.com>

[+] Read 5780 bytes from 'poc.pl'.
[*] Performing dry run (mem limit = 50 MB, timeout = 1000 ms)...
[+] Program exits with a signal, minimizing in crash mode.
[*] Stage #0​: One-time block normalization...
[+] Block normalization complete, 4564 bytes replaced.
[*] --- Pass #1 ---
[*] Stage #1​: Removing blocks of data...
Block length = 512, remaining size = 5780
Block length = 256, remaining size = 1536
Block length = 128, remaining size = 1280
Block length = 64, remaining size = 1024
Block length = 32, remaining size = 832
Block length = 16, remaining size = 576
Block length = 8, remaining size = 384
Block length = 4, remaining size = 232
Block length = 2, remaining size = 164
Block length = 1, remaining size = 104
[+] Block removal complete, 5702 bytes deleted.
[*] Stage #2​: Minimizing symbols (24 code points)...
[+] Symbol minimization finished, 5 symbols (15 bytes) replaced.
[*] Stage #3​: Character minimization...
[+] Character minimization done, 3 bytes replaced.
[*] --- Pass #2 ---
[*] Stage #1​: Removing blocks of data...
Block length = 4, remaining size = 78
Block length = 2, remaining size = 74
Block length = 1, remaining size = 70
[+] Block removal complete, 9 bytes deleted.
[*] Stage #2​: Minimizing symbols (19 code points)...
[+] Symbol minimization finished, 0 symbols (0 bytes) replaced.
[*] Stage #3​: Character minimization...
[+] Character minimization done, 0 bytes replaced.
[*] --- Pass #3 ---
[*] Stage #1​: Removing blocks of data...
Block length = 4, remaining size = 69
Block length = 2, remaining size = 69
Block length = 1, remaining size = 69
[+] Block removal complete, 0 bytes deleted.

File size reduced by : 98.81% (to 69 bytes)
Characters simplified : 6640.58%
Number of execs done : 893
Fruitless execs : path=666 crash=0 hang=15

[*] Writing output to 'pocmin.pl'...
[+] We're done here. Have a nice day!

dcollins@​nightshade64​:~/toolchain/perl$ cat pocmin.pl
$0=s()0&lt;$&gt;;0;my sub i0i0;()=((%fi0s0));sub fi0s0{sub i0i0{}sub fi0s0}

Further minimized by hand to​:

$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
Segmentation fault

thank dcollinsn for min poc, I run it with asan​:

╭─riusksk@​MacBook ~/Downloads/perl ‹› ‹blead*›
╰─➤$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'

==3513==ERROR​: AddressSanitizer​: heap-buffer-overflow on address 0x60300000d378 at pc 0x0001056791e0 bp 0x7fff5a7cb250 sp 0x7fff5a7cb248
READ of size 8 at 0x60300000d378 thread T0
  #0 0x1056791df in Perl_pad_fixup_inner_anons pad.c​:2382
  #1 0x105489f05 in Perl_newATTRSUB_x op.c​:8711
  #2 0x105644f16 in Perl_yyparse perly.y​:296
  #3 0x10553d087 in perl_parse perl.c​:2373
  #4 0x1054347ee in main perlmain.c​:121
  #5 0x7fff965865ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
  #6 0x3 (<unknown module>)

0x60300000d378 is located 0 bytes to the right of 24-byte region [0x60300000d360,0x60300000d378)
allocated by thread T0 here​:
  #0 0x105f732f7 in wrap_realloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x432f7)
  #1 0x1057d438c in Perl_safesysrealloc util.c​:274
  #2 0x1058ad808 in Perl_av_extend_guts av.c​:163
  #3 0x1056646bb in Perl_pad_add_weakref pad.c​:2665
  #4 0x10548cadc in Perl_newATTRSUB_x op.c​:8846
  #5 0x105644f16 in Perl_yyparse perly.y​:296
  #6 0x10553d087 in perl_parse perl.c​:2373
  #7 0x1054347ee in main perlmain.c​:121
  #8 0x7fff965865ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
  #9 0x3 (<unknown module>)

[p5pRT]

From @cpansprout

On Fri Aug 26 06​:01​:53 2016, dcollinsn@​gmail.com wrote​:

$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
Segmentation fault

Thank you. Fixed in 95c0a76.

--

Father Chrysostomos

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

@cpansprout - Status changed from 'open' to 'pending release'

[p5pRT]

From @mauke

Created by @mauke

The following code loops forever (in the compiler)​:

$ perl -e '\&f2; sub f2 { sub f2; eval "" }'

The loop happens in Perl_pad_tidy because somehow cv == CvOUTSIDE(cv).

Instead of eval "" you can also use the -d switch​:

$ perl -d -e '\&f2; sub f2 { sub f2; }'

This means Devel​::Confess, Devel​::Cover, etc are also affected.

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.24.1:

Configured by mauke at Sun Feb 19 23:06:44 CET 2017.

Summary of my perl5 (revision 5 version 24 subversion 1) configuration:
   
  Platform:
    osname=linux, osvers=4.9.6-1-arch, archname=i686-linux
    uname='linux simplicio 4.9.6-1-arch #1 smp preempt thu jan 26 09:41:20 cet 2017 i686 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -flto',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='6.3.1 20170109', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/i686-pc-linux-gnu/6.3.1/include-fixed /usr/lib /lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -flto -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.24.1:
    /home/mauke/usr/lib/perl5/site_perl/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/site_perl/5.24.1
    /home/mauke/usr/lib/perl5/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/5.24.1


Environment for perl 5.24.1:
    HOME=/home/mauke
    LANG=en_US.UTF-8
    LANGUAGE=en_US
    LC_COLLATE=C
    LC_MONETARY=de_DE.UTF-8
    LC_TIME=de_DE.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/mauke/perl5/perlbrew/bin:/home/mauke/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl
    PERLBREW_BASHRC_VERSION=0.73
    PERLBREW_HOME=/home/mauke/.perlbrew
    PERLBREW_ROOT=/home/mauke/perl5/perlbrew
    PERL_BADLANG (unset)
    PERL_UNICODE=SAL
    SHELL=/bin/bash

[p5pRT]

From @mauke

On Thu, 13 Apr 2017 14​:19​:18 -0700, mauke- wrote​:

The following code loops forever (in the compiler)​:

$ perl -e '\&f2; sub f2 { sub f2; eval "" }'

The loop happens in Perl_pad_tidy because somehow cv == CvOUTSIDE(cv).

This might be fixed in blead​:

<Zefram> only happened from 5.21.7 to 5.25.4

I can reproduce it on 5.22 and 5.24, but not 5.20.

[p5pRT]

From @mauke

On Thu, 13 Apr 2017 14​:28​:53 -0700, mauke- wrote​:

On Thu, 13 Apr 2017 14​:19​:18 -0700, mauke- wrote​:

The following code loops forever (in the compiler)​:

$ perl -e '\&f2; sub f2 { sub f2; eval "" }'

The loop happens in Perl_pad_tidy because somehow cv == CvOUTSIDE(cv).

This might be fixed in blead​:

<Zefram> only happened from 5.21.7 to 5.25.4

I can reproduce it on 5.22 and 5.24, but not 5.20.

I was able to bisect the fix to commit 6da1306, which means this ticket might be a duplicate of bug #129090.

[p5pRT]

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

[p5pRT]

@khwilliamson - Status changed from 'pending release' to 'resolved'