Multiple suspicious Valgrind errors #15585

Closed
p5pRT opened this issue Sep 4, 2016 · 11 comments

Comments


@p5pRT p5pRT commented Sep 4, 2016

Migrated from rt.perl.org#129190 (status was 'resolved')

Searchable as RT129190$

@p5pRT p5pRT commented Sep 4, 2016

From @dcollinsn

The following "script" causes a host of Valgrind warnings, starting with a
use-after-free and followed by a number of uninitialized reads and
out-of-bounds reads. I am unable to find any related tickets at this time.

$ perl -e 'print "exec a00\$"' | valgrind ../bin/perl
==37759== Memcheck, a memory error detector
==37759== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==37759== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==37759== Command: ../bin/perl
==37759==
==37759== Invalid read of size 1
==37759==    at 0x49B97C: Perl_yylex (toke.c:4880)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77888 is 8 bytes inside a block of size 10 free'd
==37759==    at 0x4C2CB5C: realloc (vg_replace_malloc.c:785)
==37759==    by 0x569571: Perl_safesysrealloc (util.c:274)
==37759==    by 0x5D4FA4: Perl_sv_grow (sv.c:1602)
==37759==    by 0x5F59CE: Perl_sv_gets (sv.c:8522)
==37759==    by 0x496574: S_filter_gets (toke.c:4347)
==37759==    by 0x496574: Perl_lex_next_chunk (toke.c:1309)
==37759==    by 0x497853: Perl_lex_read_space (toke.c:1529)
==37759==    by 0x4E5954: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5954: S_intuit_method (toke.c:4085)
==37759==    by 0x4BE331: Perl_yylex (toke.c:7044)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Block was alloc'd at
==37759==    at 0x4C2AC0F: malloc (vg_replace_malloc.c:299)
==37759==    by 0x5692FC: Perl_safesysmalloc (util.c:153)
==37759==    by 0x5D50AF: Perl_sv_grow (sv.c:1605)
==37759==    by 0x5DD0C9: Perl_sv_setpvn (sv.c:4892)
==37759==    by 0x5F8336: Perl_newSVpvn (sv.c:9234)
==37759==    by 0x49406B: Perl_lex_start (toke.c:741)
==37759==    by 0x4777D4: S_parse_body (perl.c:2362)
==37759==    by 0x4777D4: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4ACE11: Perl_yylex (toke.c:6316)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77889 is 9 bytes inside a block of size 10 free'd
==37759==    at 0x4C2CB5C: realloc (vg_replace_malloc.c:785)
==37759==    by 0x569571: Perl_safesysrealloc (util.c:274)
==37759==    by 0x5D4FA4: Perl_sv_grow (sv.c:1602)
==37759==    by 0x5F59CE: Perl_sv_gets (sv.c:8522)
==37759==    by 0x496574: S_filter_gets (toke.c:4347)
==37759==    by 0x496574: Perl_lex_next_chunk (toke.c:1309)
==37759==    by 0x497853: Perl_lex_read_space (toke.c:1529)
==37759==    by 0x4E5954: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5954: S_intuit_method (toke.c:4085)
==37759==    by 0x4BE331: Perl_yylex (toke.c:7044)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Block was alloc'd at
==37759==    at 0x4C2AC0F: malloc (vg_replace_malloc.c:299)
==37759==    by 0x5692FC: Perl_safesysmalloc (util.c:153)
==37759==    by 0x5D50AF: Perl_sv_grow (sv.c:1605)
==37759==    by 0x5DD0C9: Perl_sv_setpvn (sv.c:4892)
==37759==    by 0x5F8336: Perl_newSVpvn (sv.c:9234)
==37759==    by 0x49406B: Perl_lex_start (toke.c:741)
==37759==    by 0x4777D4: S_parse_body (perl.c:2362)
==37759==    by 0x4777D4: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4DD873: S_scan_ident (toke.c:9110)
==37759==    by 0x4C8016: Perl_yylex (toke.c:6336)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77888 is 8 bytes inside a block of size 10 free'd
==37759==    at 0x4C2CB5C: realloc (vg_replace_malloc.c:785)
==37759==    by 0x569571: Perl_safesysrealloc (util.c:274)
==37759==    by 0x5D4FA4: Perl_sv_grow (sv.c:1602)
==37759==    by 0x5F59CE: Perl_sv_gets (sv.c:8522)
==37759==    by 0x496574: S_filter_gets (toke.c:4347)
==37759==    by 0x496574: Perl_lex_next_chunk (toke.c:1309)
==37759==    by 0x497853: Perl_lex_read_space (toke.c:1529)
==37759==    by 0x4E5954: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5954: S_intuit_method (toke.c:4085)
==37759==    by 0x4BE331: Perl_yylex (toke.c:7044)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Block was alloc'd at
==37759==    at 0x4C2AC0F: malloc (vg_replace_malloc.c:299)
==37759==    by 0x5692FC: Perl_safesysmalloc (util.c:153)
==37759==    by 0x5D50AF: Perl_sv_grow (sv.c:1605)
==37759==    by 0x5DD0C9: Perl_sv_setpvn (sv.c:4892)
==37759==    by 0x5F8336: Perl_newSVpvn (sv.c:9234)
==37759==    by 0x49406B: Perl_lex_start (toke.c:741)
==37759==    by 0x4777D4: S_parse_body (perl.c:2362)
==37759==    by 0x4777D4: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4DD94E: S_scan_ident (toke.c:9012)
==37759==    by 0x4C8016: Perl_yylex (toke.c:6336)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77889 is 9 bytes inside a block of size 10 free'd
==37759==    at 0x4C2CB5C: realloc (vg_replace_malloc.c:785)
==37759==    by 0x569571: Perl_safesysrealloc (util.c:274)
==37759==    by 0x5D4FA4: Perl_sv_grow (sv.c:1602)
==37759==    by 0x5F59CE: Perl_sv_gets (sv.c:8522)
==37759==    by 0x496574: S_filter_gets (toke.c:4347)
==37759==    by 0x496574: Perl_lex_next_chunk (toke.c:1309)
==37759==    by 0x497853: Perl_lex_read_space (toke.c:1529)
==37759==    by 0x4E5954: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5954: S_intuit_method (toke.c:4085)
==37759==    by 0x4BE331: Perl_yylex (toke.c:7044)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Block was alloc'd at
==37759==    at 0x4C2AC0F: malloc (vg_replace_malloc.c:299)
==37759==    by 0x5692FC: Perl_safesysmalloc (util.c:153)
==37759==    by 0x5D50AF: Perl_sv_grow (sv.c:1605)
==37759==    by 0x5DD0C9: Perl_sv_setpvn (sv.c:4892)
==37759==    by 0x5F8336: Perl_newSVpvn (sv.c:9234)
==37759==    by 0x49406B: Perl_lex_start (toke.c:741)
==37759==    by 0x4777D4: S_parse_body (perl.c:2362)
==37759==    by 0x4777D4: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 1
==37759==    at 0x49762A: Perl_lex_read_space (toke.c:1519)
==37759==    by 0x4DDA49: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4DDA49: S_scan_ident (toke.c:9013)
==37759==    by 0x4C8016: Perl_yylex (toke.c:6336)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77889 is 9 bytes inside a block of size 10 free'd
==37759==    at 0x4C2CB5C: realloc (vg_replace_malloc.c:785)
==37759==    by 0x569571: Perl_safesysrealloc (util.c:274)
==37759==    by 0x5D4FA4: Perl_sv_grow (sv.c:1602)
==37759==    by 0x5F59CE: Perl_sv_gets (sv.c:8522)
==37759==    by 0x496574: S_filter_gets (toke.c:4347)
==37759==    by 0x496574: Perl_lex_next_chunk (toke.c:1309)
==37759==    by 0x497853: Perl_lex_read_space (toke.c:1529)
==37759==    by 0x4E5954: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5954: S_intuit_method (toke.c:4085)
==37759==    by 0x4BE331: Perl_yylex (toke.c:7044)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Block was alloc'd at
==37759==    at 0x4C2AC0F: malloc (vg_replace_malloc.c:299)
==37759==    by 0x5692FC: Perl_safesysmalloc (util.c:153)
==37759==    by 0x5D50AF: Perl_sv_grow (sv.c:1605)
==37759==    by 0x5DD0C9: Perl_sv_setpvn (sv.c:4892)
==37759==    by 0x5F8336: Perl_newSVpvn (sv.c:9234)
==37759==    by 0x49406B: Perl_lex_start (toke.c:741)
==37759==    by 0x4777D4: S_parse_body (perl.c:2362)
==37759==    by 0x4777D4: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4DDA9D: S_scan_ident (toke.c:9014)
==37759==    by 0x4C8016: Perl_yylex (toke.c:6336)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778a8 is 24 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4DC13F: S_parse_ident (toke.c:8937)
==37759==    by 0x4DDB0A: S_scan_ident (toke.c:9022)
==37759==    by 0x4C8016: Perl_yylex (toke.c:6336)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778a8 is 24 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4DC1A3: S_parse_ident (toke.c:8939)
==37759==    by 0x4DDB0A: S_scan_ident (toke.c:9022)
==37759==    by 0x4C8016: Perl_yylex (toke.c:6336)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778a8 is 24 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4DC1B7: S_parse_ident (toke.c:8940)
==37759==    by 0x4DDB0A: S_scan_ident (toke.c:9022)
==37759==    by 0x4C8016: Perl_yylex (toke.c:6336)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778a9 is 25 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4DC486: S_parse_ident (toke.c:8947)
==37759==    by 0x4DDB0A: S_scan_ident (toke.c:9022)
==37759==    by 0x4C8016: Perl_yylex (toke.c:6336)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778a9 is 25 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4C8111: Perl_yylex (toke.c:6404)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778a9 is 25 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x49762A: Perl_lex_read_space (toke.c:1519)
==37759==    by 0x4C81EE: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4C81EE: Perl_yylex (toke.c:6356)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778a9 is 25 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4DC13F: S_parse_ident (toke.c:8937)
==37759==    by 0x49E10E: S_scan_word (toke.c:8974)
==37759==    by 0x49E10E: Perl_yylex (toke.c:6741)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778b0 is 32 bytes before a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4DC1A3: S_parse_ident (toke.c:8939)
==37759==    by 0x49E10E: S_scan_word (toke.c:8974)
==37759==    by 0x49E10E: Perl_yylex (toke.c:6741)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778b0 is 32 bytes before a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4DC1B7: S_parse_ident (toke.c:8940)
==37759==    by 0x49E10E: S_scan_word (toke.c:8974)
==37759==    by 0x49E10E: Perl_yylex (toke.c:6741)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x49E27F: Perl_yylex (toke.c:6747)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x49E47F: Perl_yylex (toke.c:6753)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x49E4F7: Perl_yylex (toke.c:6757)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4BD0E3: Perl_yylex (toke.c:6933)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778af is 31 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4BD112: Perl_yylex (toke.c:6939)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4EA4BC: Perl_yyerror_pvn (toke.c:11032)
==37759==    by 0x4E1C61: Perl_yyerror_pv (toke.c:11002)
==37759==    by 0x4E1C61: S_yywarn (toke.c:10987)
==37759==    by 0x4E1C61: S_no_op (toke.c:520)
==37759==    by 0x4BD3A2: Perl_yylex (toke.c:6958)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77888 is 8 bytes inside a block of size 10 free'd
==37759==    at 0x4C2CB5C: realloc (vg_replace_malloc.c:785)
==37759==    by 0x569571: Perl_safesysrealloc (util.c:274)
==37759==    by 0x5D4FA4: Perl_sv_grow (sv.c:1602)
==37759==    by 0x5F59CE: Perl_sv_gets (sv.c:8522)
==37759==    by 0x496574: S_filter_gets (toke.c:4347)
==37759==    by 0x496574: Perl_lex_next_chunk (toke.c:1309)
==37759==    by 0x497853: Perl_lex_read_space (toke.c:1529)
==37759==    by 0x4E5954: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5954: S_intuit_method (toke.c:4085)
==37759==    by 0x4BE331: Perl_yylex (toke.c:7044)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Block was alloc'd at
==37759==    at 0x4C2AC0F: malloc (vg_replace_malloc.c:299)
==37759==    by 0x5692FC: Perl_safesysmalloc (util.c:153)
==37759==    by 0x5D50AF: Perl_sv_grow (sv.c:1605)
==37759==    by 0x5DD0C9: Perl_sv_setpvn (sv.c:4892)
==37759==    by 0x5F8336: Perl_newSVpvn (sv.c:9234)
==37759==    by 0x49406B: Perl_lex_start (toke.c:741)
==37759==    by 0x4777D4: S_parse_body (perl.c:2362)
==37759==    by 0x4777D4: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 2
==37759==    at 0x4C2F3A8: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==37759==    by 0x608364: Perl_sv_vcatpvfn_flags (sv.c:12912)
==37759==    by 0x5FD57E: Perl_sv_catpvf (sv.c:10727)
==37759==    by 0x4EA9DF: Perl_yyerror_pvn (toke.c:11084)
==37759==    by 0x4E1C61: Perl_yyerror_pv (toke.c:11002)
==37759==    by 0x4E1C61: S_yywarn (toke.c:10987)
==37759==    by 0x4E1C61: S_no_op (toke.c:520)
==37759==    by 0x4BD3A2: Perl_yylex (toke.c:6958)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77888 is 8 bytes inside a block of size 10 free'd
==37759==    at 0x4C2CB5C: realloc (vg_replace_malloc.c:785)
==37759==    by 0x569571: Perl_safesysrealloc (util.c:274)
==37759==    by 0x5D4FA4: Perl_sv_grow (sv.c:1602)
==37759==    by 0x5F59CE: Perl_sv_gets (sv.c:8522)
==37759==    by 0x496574: S_filter_gets (toke.c:4347)
==37759==    by 0x496574: Perl_lex_next_chunk (toke.c:1309)
==37759==    by 0x497853: Perl_lex_read_space (toke.c:1529)
==37759==    by 0x4E5954: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5954: S_intuit_method (toke.c:4085)
==37759==    by 0x4BE331: Perl_yylex (toke.c:7044)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Block was alloc'd at
==37759==    at 0x4C2AC0F: malloc (vg_replace_malloc.c:299)
==37759==    by 0x5692FC: Perl_safesysmalloc (util.c:153)
==37759==    by 0x5D50AF: Perl_sv_grow (sv.c:1605)
==37759==    by 0x5DD0C9: Perl_sv_setpvn (sv.c:4892)
==37759==    by 0x5F8336: Perl_newSVpvn (sv.c:9234)
==37759==    by 0x49406B: Perl_lex_start (toke.c:741)
==37759==    by 0x4777D4: S_parse_body (perl.c:2362)
==37759==    by 0x4777D4: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 2
==37759==    at 0x4C2F3B6: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==37759==    by 0x608364: Perl_sv_vcatpvfn_flags (sv.c:12912)
==37759==    by 0x5FD57E: Perl_sv_catpvf (sv.c:10727)
==37759==    by 0x4EA9DF: Perl_yyerror_pvn (toke.c:11084)
==37759==    by 0x4E1C61: Perl_yyerror_pv (toke.c:11002)
==37759==    by 0x4E1C61: S_yywarn (toke.c:10987)
==37759==    by 0x4E1C61: S_no_op (toke.c:520)
==37759==    by 0x4BD3A2: Perl_yylex (toke.c:6958)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f7788c is 2 bytes after a block of size 10 free'd
==37759==    at 0x4C2CB5C: realloc (vg_replace_malloc.c:785)
==37759==    by 0x569571: Perl_safesysrealloc (util.c:274)
==37759==    by 0x5D4FA4: Perl_sv_grow (sv.c:1602)
==37759==    by 0x5F59CE: Perl_sv_gets (sv.c:8522)
==37759==    by 0x496574: S_filter_gets (toke.c:4347)
==37759==    by 0x496574: Perl_lex_next_chunk (toke.c:1309)
==37759==    by 0x497853: Perl_lex_read_space (toke.c:1529)
==37759==    by 0x4E5954: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5954: S_intuit_method (toke.c:4085)
==37759==    by 0x4BE331: Perl_yylex (toke.c:7044)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Block was alloc'd at
==37759==    at 0x4C2AC0F: malloc (vg_replace_malloc.c:299)
==37759==    by 0x5692FC: Perl_safesysmalloc (util.c:153)
==37759==    by 0x5D50AF: Perl_sv_grow (sv.c:1605)
==37759==    by 0x5DD0C9: Perl_sv_setpvn (sv.c:4892)
==37759==    by 0x5F8336: Perl_newSVpvn (sv.c:9234)
==37759==    by 0x49406B: Perl_lex_start (toke.c:741)
==37759==    by 0x4777D4: S_parse_body (perl.c:2362)
==37759==    by 0x4777D4: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4C2F3E0: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==37759==    by 0x608364: Perl_sv_vcatpvfn_flags (sv.c:12912)
==37759==    by 0x5FD57E: Perl_sv_catpvf (sv.c:10727)
==37759==    by 0x4EA9DF: Perl_yyerror_pvn (toke.c:11084)
==37759==    by 0x4E1C61: Perl_yyerror_pv (toke.c:11002)
==37759==    by 0x4E1C61: S_yywarn (toke.c:10987)
==37759==    by 0x4E1C61: S_no_op (toke.c:520)
==37759==    by 0x4BD3A2: Perl_yylex (toke.c:6958)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778b0 is 32 bytes before a block of size 16 in arena "client"
==37759==
Bareword found where operator expected at - line 1, near "$PP"
==37759== Invalid read of size 1
==37759==    at 0x4E1DB8: S_no_op (toke.c:525)
==37759==    by 0x4BD3A2: Perl_yylex (toke.c:6958)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77888 is 8 bytes inside a block of size 10 free'd
==37759==    at 0x4C2CB5C: realloc (vg_replace_malloc.c:785)
==37759==    by 0x569571: Perl_safesysrealloc (util.c:274)
==37759==    by 0x5D4FA4: Perl_sv_grow (sv.c:1602)
==37759==    by 0x5F59CE: Perl_sv_gets (sv.c:8522)
==37759==    by 0x496574: S_filter_gets (toke.c:4347)
==37759==    by 0x496574: Perl_lex_next_chunk (toke.c:1309)
==37759==    by 0x497853: Perl_lex_read_space (toke.c:1529)
==37759==    by 0x4E5954: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5954: S_intuit_method (toke.c:4085)
==37759==    by 0x4BE331: Perl_yylex (toke.c:7044)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Block was alloc'd at
==37759==    at 0x4C2AC0F: malloc (vg_replace_malloc.c:299)
==37759==    by 0x5692FC: Perl_safesysmalloc (util.c:153)
==37759==    by 0x5D50AF: Perl_sv_grow (sv.c:1605)
==37759==    by 0x5DD0C9: Perl_sv_setpvn (sv.c:4892)
==37759==    by 0x5F8336: Perl_newSVpvn (sv.c:9234)
==37759==    by 0x49406B: Perl_lex_start (toke.c:741)
==37759==    by 0x4777D4: S_parse_body (perl.c:2362)
==37759==    by 0x4777D4: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4C2F3E0: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==37759==    by 0x608364: Perl_sv_vcatpvfn_flags (sv.c:12912)
==37759==    by 0x5F941B: Perl_sv_vsetpvfn (sv.c:10809)
==37759==    by 0x56C4A2: Perl_vmess (util.c:1560)
==37759==    by 0x56EA2B: Perl_vwarn (util.c:1934)
==37759==    by 0x56EA2B: Perl_vwarner (util.c:2050)
==37759==    by 0x56EFA2: Perl_warner (util.c:2026)
==37759==    by 0x4E2505: S_no_op (toke.c:537)
==37759==    by 0x4BD3A2: Perl_yylex (toke.c:6958)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778b0 is 32 bytes before a block of size 16 in arena "client"
==37759==
  (Missing operator before P?)
==37759== Invalid read of size 1
==37759==    at 0x49762A: Perl_lex_read_space (toke.c:1519)
==37759==    by 0x4BE592: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4BE592: Perl_yylex (toke.c:7069)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client"
==37759==
==37759== Conditional jump or move depends on uninitialised value(s)
==37759==    at 0x497631: Perl_lex_read_space (toke.c:1506)
==37759==    by 0x4E5FE3: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5FE3: S_intuit_method (toke.c:4111)
==37759==    by 0x4C3E5A: Perl_yylex (toke.c:7130)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Conditional jump or move depends on uninitialised value(s)
==37759==    at 0x497639: Perl_lex_read_space (toke.c:1506)
==37759==    by 0x4E5FE3: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5FE3: S_intuit_method (toke.c:4111)
==37759==    by 0x4C3E5A: Perl_yylex (toke.c:7130)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Use of uninitialised value of size 8
==37759==    at 0x49777E: Perl_lex_read_space (toke.c:1519)
==37759==    by 0x4E5FE3: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5FE3: S_intuit_method (toke.c:4111)
==37759==    by 0x4C3E5A: Perl_yylex (toke.c:7130)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Conditional jump or move depends on uninitialised value(s)
==37759==    at 0x497924: Perl_lex_read_space (toke.c:1539)
==37759==    by 0x4E5FE3: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5FE3: S_intuit_method (toke.c:4111)
==37759==    by 0x4C3E5A: Perl_yylex (toke.c:7130)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 1
==37759==    at 0x49762A: Perl_lex_read_space (toke.c:1519)
==37759==    by 0x4E5FE3: S_skipspace_flags (toke.c:1831)
==37759==    by 0x4E5FE3: S_intuit_method (toke.c:4111)
==37759==    by 0x4C3E5A: Perl_yylex (toke.c:7130)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778da is 0 bytes after a block of size 10 alloc'd
==37759==    at 0x4C2AC0F: malloc (vg_replace_malloc.c:299)
==37759==    by 0x5692FC: Perl_safesysmalloc (util.c:153)
==37759==    by 0x5D50AF: Perl_sv_grow (sv.c:1605)
==37759==    by 0x5DD0C9: Perl_sv_setpvn (sv.c:4892)
==37759==    by 0x5F8336: Perl_newSVpvn (sv.c:9234)
==37759==    by 0x477853: S_parse_body (perl.c:2365)
==37759==    by 0x477853: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4E6060: S_intuit_method (toke.c:4112)
==37759==    by 0x4C3E5A: Perl_yylex (toke.c:7130)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778f8 is 24 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4E64DB: S_intuit_method (toke.c:4121)
==37759==    by 0x4C3E5A: Perl_yylex (toke.c:7130)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778f8 is 24 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4BE5E7: Perl_yylex (toke.c:7129)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77901 is 31 bytes before a block of size 4,800 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x49C603: Perl_yylex (toke.c:4894)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77901 is 31 bytes before a block of size 4,800 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4AD0EC: Perl_yylex (toke.c:4903)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f77901 is 31 bytes before a block of size 4,800 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4C2F3E0: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==37759==    by 0x608364: Perl_sv_vcatpvfn_flags (sv.c:12912)
==37759==    by 0x5F941B: Perl_sv_vsetpvfn (sv.c:10809)
==37759==    by 0x56D945: Perl_vmess (util.c:1560)
==37759==    by 0x56D945: Perl_vcroak (util.c:1789)
==37759==    by 0x56DFFC: Perl_croak (util.c:1836)
==37759==    by 0x4B0A93: Perl_yylex (toke.c:4910)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778f7 is 23 bytes after a block of size 16 in arena "client"
==37759==
==37759== Invalid read of size 1
==37759==    at 0x4C2F3EE: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
==37759==    by 0x608364: Perl_sv_vcatpvfn_flags (sv.c:12912)
==37759==    by 0x5F941B: Perl_sv_vsetpvfn (sv.c:10809)
==37759==    by 0x56D945: Perl_vmess (util.c:1560)
==37759==    by 0x56D945: Perl_vcroak (util.c:1789)
==37759==    by 0x56DFFC: Perl_croak (util.c:1836)
==37759==    by 0x4B0A93: Perl_yylex (toke.c:4910)
==37759==    by 0x4EDF1C: Perl_yyparse (perly.c:334)
==37759==    by 0x4778BC: S_parse_body (perl.c:2373)
==37759==    by 0x4778BC: perl_parse (perl.c:1689)
==37759==    by 0x4231E9: main (perlmain.c:121)
==37759==  Address 0x5f778f9 is 25 bytes after a block of size 16 in arena "client"
==37759==
Unrecognized character \x13; marked by <-- HERE after P<-- HERE near column -13806 at - line 1.
==37759==
==37759== HEAP SUMMARY:
==37759==     in use at exit: 104,573 bytes in 522 blocks
==37759==   total heap usage: 693 allocs, 171 frees, 145,202 bytes allocated
==37759==
==37759== LEAK SUMMARY:
==37759==    definitely lost: 0 bytes in 0 blocks
==37759==    indirectly lost: 0 bytes in 0 blocks
==37759==      possibly lost: 0 bytes in 0 blocks
==37759==    still reachable: 104,573 bytes in 522 blocks
==37759==         suppressed: 0 bytes in 0 blocks
==37759== Rerun with --leak-check=full to see details of leaked memory
==37759==
==37759== For counts of detected and suppressed errors, rerun with: -v
==37759== Use --track-origins=yes to see where uninitialised values come from
==37759== ERROR SUMMARY: 202 errors from 39 contexts (suppressed: 0 from 0)

@p5pRT p5pRT commented Sep 4, 2016

From @dcollinsn

AFL crash explorer reports that replacing "exec" with any of the following strings will also reproduce this error:

grep
pipe
getc
read
open
stat
seek
send
tell
bind
recv

Several similar cases involving the following strings were also identified:

flock
write
0stat
fcntl
printf
select
socket

In general, it appears that this is the repro case:

perl -e 'printf "%-7s_\$", "flock"' | valgrind ../bin/perl

In other words, exactly 7 characters consisting of a builtin right-padded by spaces, followed by a literal '_$'. It seems important that the '$' be the 9th character exactly. The characters between the string and the '$' seem irrelevant. For example, we have 'exec(eq0$' as one of the fuzzer-generated testcases, and 'exec(pow$' as another.

This seems to be so tight that it's unlikely to be exploitable. I'll let it keep running, and update this thread if I find any cases that don't fit this pattern.

On Sat, Sep 3, 2016 at 9:45 PM, <perl5-security-report@perl.org> wrote:

Greetings,

This message has been automatically generated in response to the
creation of a perl security report regarding​:
"Multiple suspicious Valgrind errors".

There is no need to reply to this message right now. Your ticket has been
assigned an ID of [perl #129190].

Please include the string​:

[perl #129190]

in the subject line of all future correspondence about this issue. To do so, you may reply to this message (please delete unnecessary quotes and text.)

Thank you,
perl5-security-report@​perl.org

-------------------------------------------------------------------------
Date: Sat, 3 Sep 2016 21:44:57 -0400
From: Dan Collins <dcollinsn@gmail.com>
To: perl5-security-report@perl.org
Subject: Multiple suspicious Valgrind errors

@p5pRT p5pRT commented Sep 8, 2016

From @tonycoz

On Sat Sep 03 21:26:50 2016, dcollinsn@gmail.com wrote:

AFL crash explorer reports that replacing "exec" with any of the following strings will also reproduce this error:

...

Several similar cases involving the following strings were also identified:

flock
write
0stat
fcntl
printf
select
socket

in general, it appears that this is the repro case:

perl -e 'printf "%-7s_\$", "flock"' | valgrind ../bin/perl

In other words, exactly 7 characters consisting of a builtin right-padded by spaces, followed by a literal '_$'. It seems important that the '$' be the 9th character exactly. The characters between the string and the '$' seem irrelevant. For example, we have 'exec(eq0$' as one of the fuzzer-generated testcases, and 'exec(pow$' as another.

Does the attached fix all your test cases for this?

As this involves feeding code to the perl parser, I don't think it's
a security issue.

Tony

@p5pRT p5pRT commented Sep 8, 2016

From @tonycoz

0001-perl-129190-intuit_method-can-move-the-line-buffer.patch
From e36eaa0b2f687d532fe3b2f0b0bbded8e8a1fa17 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 8 Sep 2016 13:21:02 +1000
Subject: (perl #129190) intuit_method() can move the line buffer

and broke PL_bufptr when it did.
---
 t/op/lex.t |  5 ++++-
 toke.c     | 10 +++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/t/op/lex.t b/t/op/lex.t
index a667183..6eac888 100644
--- a/t/op/lex.t
+++ b/t/op/lex.t
@@ -7,7 +7,7 @@ use warnings;
 
 BEGIN { chdir 't' if -d 't'; require './test.pl'; }
 
-plan(tests => 30);
+plan(tests => 31);
 
 {
     no warnings 'deprecated';
@@ -241,3 +241,6 @@ fresh_perl_is(
     {},
     '[perl #129069] - "Missing name" warning and valgrind clean'
 );
+
+fresh_perl_like('flock  _$', qr/Not enough arguments for flock/, {stderr => 1},
+                "[perl #129190] intuit_method() invalidates PL_bufptr");
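
Review bot: the regression test covers only the `flock  _$` shape from the report; the report's first family (`exec a00$`, and the same with grep, pipe, open and the other four-letter builtins listed) is not exercised at all. Because the assertion is on the "Not enough arguments for flock" message rather than on memory safety, a second fresh_perl_like() built from the first family (e.g. `exec a00$`, asserting on whatever it croaks with) is cheap and keeps both input shapes from regressing independently. The test name "intuit_method() invalidates PL_bufptr" also undersells the change: the toke.c patch restores the local `s` in yylex as well, and naming both helps the next person who reads a failure.
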
diff --git a/toke.c b/toke.c
index 3ade32b..3779387 100644
--- a/toke.c
+++ b/toke.c
@@ -4079,11 +4079,12 @@ S_intuit_method(pTHX_ char *start, SV *ioname, CV *cv)
     }
 
     if (*start == '$') {
+        SSize_t start_off = start - SvPVX(PL_linestr);
 	if (cv || PL_last_lop_op == OP_PRINT || PL_last_lop_op == OP_SAY
             || isUPPER(*PL_tokenbuf))
 	    return 0;
 	s = skipspace(s);
-	PL_bufptr = start;
+	PL_bufptr = SvPVX(PL_linestr) + start_off;
 	PL_expect = XREF;
 	return *s == '(' ? FUNCMETH : METHOD;
     }
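
Review bot: `start_off` is computed before the early `return 0`, so the offset is taken on a path that never uses it; declaring it directly above `s = skipspace(s);`, with a one-line comment that skipspace() can call lex_next_chunk() and move PL_linestr, ties the offset to the call that makes it necessary (the yylex hunk below carries such a comment, this one does not). The fix is right for this branch, since `start` is only read by the `*start == '$'` test before the move; any other branch of intuit_method() that calls skipspace() after taking a pointer into PL_linestr needs the same treatment, and the hunk does not show whether one exists.
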
@@ -7034,17 +7035,24 @@ Perl_yylex(pTHX)
                                                                == OA_FILEREF))
 		{
 		    bool immediate_paren = *s == '(';
+                    SSize_t s_off;
 
 		    /* (Now we can afford to cross potential line boundary.) */
 		    s = skipspace(s);
 
 		    /* Two barewords in a row may indicate method call. */
 
+                    /* intuit_method() can indirectly call lex_next_chunk(),
+                     * invalidating s
+                     */
+                    s_off = s - SvPVX(PL_linestr);
 		    if ((isIDFIRST_lazy_if(s,UTF) || *s == '$')
                         && (tmp = intuit_method(s, lex ? NULL : sv, cv)))
                     {
+                        /* the code at method: doesn't use s */
 			goto method;
 		    }
+                    s = SvPVX(PL_linestr) + s_off;
 
 		    /* If not a declared subroutine, it's an indirect object. */
 		    /* (But it's an indir obj regardless for sort.) */
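
Review bot: the `goto method` path leaves `s` dangling and relies on the comment "the code at method: doesn't use s" staying true, which nothing enforces. Splitting the `if` so that intuit_method() is called first, `s = SvPVX(PL_linestr) + s_off;` is restored unconditionally right after it returns, and only then `if (tmp) goto method;` costs one assignment and means a later edit to the `method:` block that reads `s` cannot silently bring the use-after-free back. `immediate_paren` is captured as a bool before the call, so it needs no restore.
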
-- 
2.1.4
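
The bug and the fix in the patch above, as an added example in C that is not perl's code: a caller keeps a `char *` into a growable line buffer, a callee pulls in the next chunk and reallocates the buffer, and the cached pointer goes stale; the fixed variant carries an offset across the call and rebuilds the pointer afterwards, which is what the toke.c hunks do with `start_off` and `s_off`. Everything here is constructed: `linebuf`, `lb_next_chunk()` and `skip_word_grow()` are stand-ins for PL_linestr, lex_next_chunk() and the skipspace()/intuit_method() path, and the report's 9-byte input `flock  _$` is split into the chunks `flock  _` and `$\n` by assumption, so that the buffer moves exactly when the lexer looks past the bareword.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for PL_linestr: a growable, NUL-terminated line buffer.
 * `pending` is the constructed next chunk that lex_next_chunk() would
 * otherwise read from the filehandle (NULL at end of input). */
typedef struct {
    char       *pv;       /* what SvPVX(PL_linestr) returns */
    size_t      len;      /* bytes used, excluding the NUL */
    size_t      cap;      /* bytes allocated */
    const char *pending;
} linebuf;

static void lb_init(linebuf *lb, const char *first, const char *pending)
{
    lb->len = strlen(first);
    lb->cap = lb->len + 1;
    lb->pv = malloc(lb->cap);
    if (!lb->pv) abort();
    memcpy(lb->pv, first, lb->cap);
    lb->pending = pending;
}

/* Stand-in for lex_next_chunk(): append the pending chunk. Allocating a
 * new block and freeing the old one makes the buffer move every time;
 * a real realloc() may or may not move it, which is why a bug like this
 * only shows up for some input lengths. Returns 1 if a chunk was added. */
static int lb_next_chunk(linebuf *lb)
{
    if (!lb->pending) return 0;
    size_t clen = strlen(lb->pending);
    char *np = malloc(lb->len + clen + 1);
    if (!np) abort();
    memcpy(np, lb->pv, lb->len);
    memcpy(np + lb->len, lb->pending, clen + 1);
    free(lb->pv);              /* every char* into the old block is now dangling */
    lb->pv = np;
    lb->len += clen;
    lb->cap = lb->len + 1;
    lb->pending = NULL;
    return 1;
}

static int is_word_char(char c) { return c == '_' || isalnum((unsigned char)c); }

/* Stand-in for the skipspace()/intuit_method() path: from `off`, skip
 * blanks and one bareword; if that reaches the end of the buffer, pull in
 * the next chunk so the caller can see what follows the word. Works in
 * offsets, as skipspace() itself does, so its result survives the move.
 * Sets *grew when the buffer was reallocated. */
static size_t skip_word_grow(linebuf *lb, size_t off, int *grew)
{
    *grew = 0;
    while (lb->pv[off] == ' ') off++;
    while (is_word_char(lb->pv[off])) off++;
    if (lb->pv[off] == '\0' && lb_next_chunk(lb)) {
        *grew = 1;
        while (is_word_char(lb->pv[off])) off++;
    }
    return off;
}

/* Pre-patch pattern: the caller keeps `s`, a char* into the buffer, across
 * a call that may grow the buffer and then goes on using it. This never
 * dereferences the stale pointer (that is the use-after-free Valgrind
 * reported); it only checks whether the cached address still lies inside
 * the live buffer. Returns 1 if the cached pointer went stale. */
static int cached_pointer_goes_stale(const char *first, const char *pending,
                                     size_t start_off)
{
    linebuf lb;
    lb_init(&lb, first, pending);
    char *s = lb.pv + start_off;        /* `s` in yylex, `start` in intuit_method */
    uintptr_t cached = (uintptr_t)s;    /* recorded before the buffer can move */
    int grew;
    (void)skip_word_grow(&lb, start_off, &grew);
    int stale = grew &&
        (cached < (uintptr_t)lb.pv || cached >= (uintptr_t)(lb.pv + lb.cap));
    free(lb.pv);
    return stale;
}

/* Post-patch pattern: carry an offset across the call and rebuild the
 * pointer from the current base afterwards, as the patch does with
 * `s = SvPVX(PL_linestr) + s_off`. Returns the byte after the bareword
 * that follows `start_off`, or '\0' at end of input. */
static char byte_after_word(const char *first, const char *pending,
                            size_t start_off)
{
    linebuf lb;
    lb_init(&lb, first, pending);
    int grew;
    size_t next_off = skip_word_grow(&lb, start_off, &grew);
    char *start = lb.pv + start_off;    /* rebuilt, so valid even if the buffer moved */
    if (*start != first[start_off]) abort();   /* still the same byte as before the call */
    char c = lb.pv[next_off];
    free(lb.pv);
    return c;
}
```

With the input split as above, `cached_pointer_goes_stale("flock  _", "$\n", 5)` returns 1 and `byte_after_word("flock  _", "$\n", 5)` returns `'$'`; with the whole line in one chunk nothing moves and the cached pointer stays valid, which is the same caller bug passing unnoticed. The stand-in moves the buffer on every growth to make that deterministic; a real realloc() sometimes extends the block in place, which is one reason this class of bug survives ordinary testing and tends to be found by a fuzzer under Valgrind or ASan.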

@p5pRT p5pRT commented Sep 8, 2016

The RT System itself - Status changed from 'new' to 'open'

@p5pRT p5pRT commented Sep 11, 2016

From @dcollinsn

Sorry for the delay in responding to this. Yes, Tony, the patch you
attached fixes my testcases.


@p5pRT p5pRT commented Dec 12, 2016

From @iabyn

On Sun, Sep 11, 2016 at 01:02:44AM -0400, Dan Collins wrote:

Sorry for the delay in responding to this. Yes, Tony, the patch you
attached fixes my testcases.

Tony, any particular reason you haven't applied your patch yet?

--
But Pity stayed his hand. "It's a pity I've run out of bullets",
he thought. -- "Bored of the Rings"

@p5pRT p5pRT commented Jan 24, 2017

From @tonycoz

On Mon, 12 Dec 2016 07:54:39 -0800, davem wrote:

On Sun, Sep 11, 2016 at 01​:02​:44AM -0400, Dan Collins wrote​:

Sorry for the delay in responding to this. Yes, Tony, the patch you
attached fixes my testcases.

Tony, any particular reason you haven't applied your patch yet?

I lost track of it.

Applied as 743e3e7 (with some noise.)

Since this isn't a security issue, the ticket is now public, and closed since it's patched.

Tony

@p5pRT p5pRT commented Jan 24, 2017

@tonycoz - Status changed from 'open' to 'pending release'

@p5pRT p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

@p5pRT p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'

@p5pRT p5pRT closed this May 30, 2017