heap-buffer-overflow Perl_sv_setpvn (sv.c:4910) #15648

Closed
p5pRT opened this issue Oct 10, 2016 · 15 comments
Comments

p5pRT commented Oct 10, 2016

Migrated from rt.perl.org#129848 (status was 'resolved')

Searchable as RT129848$

p5pRT commented Oct 10, 2016

From @geeknik

Triggered in Perl v5.25.6 (v5.25.5-72-g2814f4b) with AFL+ASAN. Valgrind +
Perl 5.20.2 follows at the end of this message.

od -tx1 test03
0000000 2f 28 3f 7b 3c 3c 3c 3c 3c 3c 24 30 7d 29 2f 0a
0000020 0a 30 0a
0000023

==21794==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e1fc at pc 0x0000004a9d62 bp 0x7fff1d9fb0a0 sp 0x7fff1d9fa860
READ of size 45 at 0x60200000e1fc thread T0
  #0 0x4a9d61 in __asan_memmove (/root/perl/perl+0x4a9d61)
  #1 0x90e225 in Perl_sv_setpvn /root/perl/sv.c:4910:5
  #2 0x9683d6 in Perl_newSVpvn /root/perl/sv.c:9251:5
  #3 0x615d1b in Perl_yylex /root/perl/toke.c:4745:16
  #4 0x6ade3e in Perl_yyparse /root/perl/perly.c:334:19
  #5 0x59c4e1 in S_parse_body /root/perl/perl.c:2374:9
  #6 0x59287c in perl_parse /root/perl/perl.c:1689:2
  #7 0x4de5a5 in main /root/perl/perlmain.c:121:18
  #8 0x7f6a9d907b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
  #9 0x4de23c in _start (/root/perl/perl+0x4de23c)

0x60200000e1fc is located 0 bytes to the right of 12-byte region [0x60200000e1f0,0x60200000e1fc)
allocated by thread T0 here:
  #0 0x4c0bbb in malloc (/root/perl/perl+0x4c0bbb)
  #1 0x7f8337 in Perl_safesysmalloc /root/perl/util.c:153:21
  #2 0x6ade3e in Perl_yyparse /root/perl/perly.c:334:19
  #3 0x59c4e1 in S_parse_body /root/perl/perl.c:2374:9
  #4 0x59287c in perl_parse /root/perl/perl.c:1689:2
  #5 0x4de5a5 in main /root/perl/perlmain.c:121:18
  #6 0x7f6a9d907b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address​:
==21794==ABORTING

Valgrind + Perl 5.20.2:
Use of bare << to mean <<"" is deprecated at test03 line 1.
Use of bare << to mean <<"" is deprecated at test03 line 1.
Scalar found where operator expected at test03 line 1, near "$0"
==17658== Invalid read of size 1
==17658== at 0x4E9A670: ??? (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==17658== by 0x4EA75C1: Perl_yylex (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==17658== by 0x4EB1A47: Perl_yyparse (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==17658== by 0x4E8A427: perl_parse (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==17658== by 0x400D7A: main (in /usr/bin/perl)
==17658== Address 0x5f391c0 is 0 bytes inside a block of size 16 free'd
==17658== at 0x4C29E90: free (vg_replace_malloc.c:473)
==17658== by 0x4F0CFAB: Perl_sv_clear (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==17658== by 0x4F0D289: Perl_sv_free2 (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==17658== by 0x4EA58CB: Perl_yylex (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==17658== by 0x4EB1A47: Perl_yyparse (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==17658== by 0x4E8A427: perl_parse (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==17658== by 0x400D7A: main (in /usr/bin/perl)
==17658==
  (Missing operator before $0?)
syntax error at test03 line 1, near "$0"
panic: sv_setpvn called with negative strlen -67 at test03 line 1.

p5pRT commented Oct 10, 2016

From @geeknik

test03.gz

p5pRT commented Oct 11, 2016

From @hvds

I can't replicate this with valgrind on blead@2814f4b; with 5.20.2 I get a different report:
  Invalid read of size 1
  at 0x46BD1F: S_no_op (toke.c:555)
  by 0x4880B2: Perl_yylex (toke.c:6603)
[...]
  Address 0x576e890 is 0 bytes inside a block of size 16 free'd
  [...] by 0x49F48E: S_scan_heredoc (toke.c:10288)
[...]

I see one relevant commit in the intervening period, 488bc57, but that doesn't seem to affect this case. I'll have a go at building with ASAN.

Hugo

p5pRT commented Oct 11, 2016

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Oct 11, 2016

From @geeknik

This test case does not crash with Valgrind under blead (v5.25.6 (v5.25.5-76-g91dca83)), but does still crash with ASAN:

AFL_PRELOAD=/root/afl-2.34b/libdislocator/libdislocator.so
ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-3.5 ASAN_OPTIONS=symbolizer=1
./blead -Dtxsv -e '/(?{<<<<<<$0})/

0'
Use of bare << to mean <<"" is deprecated at -e line 1.
Use of bare << to mean <<"" is deprecated at -e line 1.
Scalar found where operator expected at -e line 1, near "<<$0"
  (Missing operator before $0?)

STACK 0: MAIN
  CX 0: EVAL =>
  retop=(null)

(19786:-e:1) null

STACK 0: MAIN
  CX 0: EVAL =>
  retop=(null)

(19786:-e:1) const(PV(""\0))

STACK 0: MAIN
  CX 0: EVAL => PV(""\0)
  retop=(null)

(19786:-e:1) scalar

STACK 0: MAIN
  CX 0: EVAL => PV(""\0)
  retop=(null)

(19786:-e:1) null

STACK 0: MAIN
  CX 0: EVAL => PV(""\0)
  retop=(null)

(19786:-e:1) const(PV("0\n"\0))

STACK 0: MAIN
  CX 0: EVAL => PV(""\0) PV("0\n"\0)
  retop=(null)

(19786:-e:1) scalar

STACK 0: MAIN
  CX 0: EVAL => PV(""\0) PV("0\n"\0)
  retop=(null)

(19786:-e:1) left_shift

==19786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e21c at pc 0x0000004a9d62 bp 0x7ffcc7745980 sp 0x7ffcc7745140
READ of size 45 at 0x60200000e21c thread T0
  #0 0x4a9d61 in __asan_memmove (/root/perl-blead/perl+0x4a9d61)
  #1 0x90e1d5 in Perl_sv_setpvn /root/perl-blead/sv.c:4910:5
  #2 0x968376 in Perl_newSVpvn /root/perl-blead/sv.c:9251:5
  #3 0x615d4b in Perl_yylex /root/perl-blead/toke.c:4745:16
  #4 0x6ade4e in Perl_yyparse /root/perl-blead/perly.c:334:19
  #5 0x59c4f1 in S_parse_body /root/perl-blead/perl.c:2374:9
  #6 0x59288c in perl_parse /root/perl-blead/perl.c:1689:2
  #7 0x4de5a5 in main /root/perl-blead/perlmain.c:121:18
  #8 0x7fd666338b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
  #9 0x4de23c in _start (/root/perl-blead/perl+0x4de23c)

0x60200000e21c is located 0 bytes to the right of 12-byte region [0x60200000e210,0x60200000e21c)
allocated by thread T0 here:
  #0 0x4c0bbb in malloc (/root/perl-blead/perl+0x4c0bbb)
  #1 0x7f82d7 in Perl_safesysmalloc /root/perl-blead/util.c:153:21
  #2 0x6ade4e in Perl_yyparse /root/perl-blead/perly.c:334:19
  #3 0x59c4f1 in S_parse_body /root/perl-blead/perl.c:2374:9
  #4 0x59288c in perl_parse /root/perl-blead/perl.c:1689:2
  #5 0x4de5a5 in main /root/perl-blead/perlmain.c:121:18
  #6 0x7fd666338b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address​:
==19786==ABORTING

On Mon, Oct 10, 2016 at 7:16 PM, Hugo van der Sanden via RT <perl5-security-report@perl.org> wrote:

> I can't replicate this with valgrind on blead@2814f4b; with 5.20.2 I get
> a different report:
> Invalid read of size 1
> at 0x46BD1F: S_no_op (toke.c:555)
> by 0x4880B2: Perl_yylex (toke.c:6603)
> [...]
> Address 0x576e890 is 0 bytes inside a block of size 16 free'd
> [...] by 0x49F48E: S_scan_heredoc (toke.c:10288)
> [...]
>
> I see one relevant commit in the intervening period, 488bc57, but that
> doesn't seem to affect this case. I'll have a go at building with ASAN.
>
> Hugo

p5pRT commented Oct 11, 2016

From @hvds

Ugh, I'm not getting very far with this. I believe the problem occurs if the call to lex_grow_linestr() from the 3rd scan_heredoc() causes the buffer to be reallocated - it appears this eventually gets us to toke.c:4745:

    else sv = newSVpvn(PL_parser->lex_shared->re_eval_start,
                       PL_bufptr - PL_parser->lex_shared->re_eval_start);

.. with PL_bufptr and re_eval_start pointing into different buffers, so we have a bad length for the newSVpvn() call. However neither appears to be pointing into either the old or the new buffer from that lex_grow_linestr realloc, and I haven't been able to understand where things are actually going wrong.

Hugo
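
The failure mode Hugo describes, as an added example that is not part of this thread or of perl's source: a toy lexer keeps a raw pointer to the start of a (?{...}) block, a heredoc scan grows and moves the line buffer, and the saved pointer is left in the old block while the cursor is re-based, so "cursor minus start" is a difference between two buffers. The struct, field and function names are assumptions modelled on PL_linestr, PL_bufptr, re_eval_start and lex_grow_linestr; the offset-based form beside it is the hardened alternative.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the state Hugo describes (not perl's code): a growable
 * line buffer (cf. PL_linestr), a cursor into it (cf. PL_bufptr) and a saved
 * start of the (?{...}) block (cf. re_eval_start). */
typedef struct {
    char  *buf, *old; size_t len, cap;  /* current block; retired block (kept for the demo) */
    char  *bufptr;             /* cursor: re-based on every grow */
    char  *re_eval_start;      /* raw pointer: goes stale on a grow */
    size_t re_eval_start_off;  /* offset: survives a grow */
} lexer_t;

/* Move to a bigger block (cf. lex_grow_linestr). The cursor is re-based;
 * pointers that callers saved into the old block are not. The old block is
 * kept alive rather than freed only so the demo can compare its address. */
static void lex_grow(lexer_t *lx, size_t need) {
    if (lx->len + need < lx->cap) return;
    size_t cur = (size_t)(lx->bufptr - lx->buf), newcap = (lx->cap + need) * 2;
    char *nb = malloc(newcap); assert(nb);
    memcpy(nb, lx->buf, lx->len + 1); free(lx->old);
    lx->old = lx->buf; lx->buf = nb; lx->cap = newcap;
    lx->bufptr = lx->buf + cur;
}

static void lex_append(lexer_t *lx, const char *s) {  /* e.g. a heredoc body */
    size_t n = strlen(s);
    lex_grow(lx, n + 1);
    memcpy(lx->buf + lx->len, s, n + 1);
    lx->len += n;
}

/* Hardened length for the newSVpvn() at toke.c:4745: both ends come from the
 * same block, and an inconsistent state gives -1 instead of a bogus strlen. */
static long safe_re_eval_len(const lexer_t *lx) {
    size_t cur = (size_t)(lx->bufptr - lx->buf);
    return lx->re_eval_start_off > cur ? -1 : (long)(cur - lx->re_eval_start_off);
}

/* Lex "/(?{", save the start both ways, then pull in the rest of test03 (the
 * heredoc body), which grows and moves the buffer; stop just past "<<<<<<$0". */
static void run_scenario(lexer_t *lx) {
    *lx = (lexer_t){0};
    lx->cap = 8; lx->buf = malloc(lx->cap); lx->buf[0] = '\0'; lx->bufptr = lx->buf;
    lex_append(lx, "/(?{");
    lx->bufptr = lx->buf + 4; lx->re_eval_start = lx->bufptr;  /* buggy: raw pointer */
    lx->re_eval_start_off = 4;                                  /* hardened: offset */
    lex_append(lx, "<<<<<<$0})/\n\n0\n");  /* forces lex_grow() to move the block */
    lx->bufptr = lx->buf + 12;
}

/* 1 when the saved pointer no longer lies in the current block, i.e. when
 * PL_bufptr - re_eval_start would be a difference between two buffers. */
int scenario_start_pointer_is_stale(void) {
    lexer_t lx; run_scenario(&lx);
    uintptr_t b = (uintptr_t)lx.buf, q = (uintptr_t)lx.re_eval_start;
    int stale = !(q >= b && q <= b + lx.len);
    free(lx.old); free(lx.buf);
    return stale;
}

long scenario_safe_len(void) {  /* offset-based length: 8 == strlen("<<<<<<$0") */
    lexer_t lx; run_scenario(&lx);
    long n = safe_re_eval_len(&lx);
    free(lx.old); free(lx.buf);
    return n;
}
```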

p5pRT commented Oct 14, 2016

From @geeknik

I have a new test case that triggers this bug, plus some valgrind output
and I have to say, I've never seen `Syscall param write(buf) points to
uninitialised byte(s)` before​:

Passing malformed UTF-8 to "_Perl_IDStart" is deprecated at test009 line 1.
==19611== Invalid read of size 2
==19611== at 0x4C2D670: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)
==19611== by 0x52F80C: memmove (string3.h:57)
==19611== by 0x52F80C: Perl_sv_setpvn (sv.c:4910)
==19611== by 0x5300E4: Perl_newSVpvn_flags (sv.c:9165)
==19611== by 0x476A72: Perl_yylex (toke.c:4899)
==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
==19611== by 0x450F87: S_parse_body (perl.c:2374)
==19611== by 0x452B1C: perl_parse (perl.c:1689)
==19611== by 0x4218FF: main (perlmain.c:121)
==19611== Address 0x5f7f6f0 is 0 bytes after a block of size 32 alloc'd
==19611== at 0x4C2AF2E: realloc (vg_replace_malloc.c:692)
==19611== by 0x4D9DDF: Perl_safesysrealloc (util.c:274)
==19611== by 0x5258B2: Perl_sv_grow (sv.c:1602)
==19611== by 0x53D9DF: Perl_sv_gets (sv.c:8641)
==19611== by 0x467662: S_filter_gets (toke.c:4347)
==19611== by 0x467662: Perl_lex_next_chunk (toke.c:1309)
==19611== by 0x47275C: Perl_yylex (toke.c:5020)
==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
==19611== by 0x450F87: S_parse_body (perl.c:2374)
==19611== by 0x452B1C: perl_parse (perl.c:1689)
==19611== by 0x4218FF: main (perlmain.c:121)
==19611==
==19611== Invalid read of size 1
==19611== at 0x4C2D6A0: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)
==19611== by 0x52F80C: memmove (string3.h:57)
==19611== by 0x52F80C: Perl_sv_setpvn (sv.c:4910)
==19611== by 0x5300E4: Perl_newSVpvn_flags (sv.c:9165)
==19611== by 0x476A72: Perl_yylex (toke.c:4899)
==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
==19611== by 0x450F87: S_parse_body (perl.c:2374)
==19611== by 0x452B1C: perl_parse (perl.c:1689)
==19611== by 0x4218FF: main (perlmain.c:121)
==19611== Address 0x5f7f6f4 is 4 bytes after a block of size 32 alloc'd
==19611== at 0x4C2AF2E: realloc (vg_replace_malloc.c:692)
==19611== by 0x4D9DDF: Perl_safesysrealloc (util.c:274)
==19611== by 0x5258B2: Perl_sv_grow (sv.c:1602)
==19611== by 0x53D9DF: Perl_sv_gets (sv.c:8641)
==19611== by 0x467662: S_filter_gets (toke.c:4347)
==19611== by 0x467662: Perl_lex_next_chunk (toke.c:1309)
==19611== by 0x47275C: Perl_yylex (toke.c:5020)
==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
==19611== by 0x450F87: S_parse_body (perl.c:2374)
==19611== by 0x452B1C: perl_parse (perl.c:1689)
==19611== by 0x4218FF: main (perlmain.c:121)
==19611==
==19611== Conditional jump or move depends on uninitialised value(s)
==19611== at 0x5CA28D: S__byte_dump_string (utf8.c:715)
==19611== by 0x5CB052: S_unexpected_non_continuation_text (utf8.c:760)
==19611== by 0x5CB052: Perl_utf8n_to_uvchr_error (utf8.c:1344)
==19611== by 0x5D3B44: Perl_pv_uni_display (utf8.c:4707)
==19611== by 0x476A87: Perl_yylex (toke.c:4899)
==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
==19611== by 0x450F87: S_parse_body (perl.c:2374)
==19611== by 0x452B1C: perl_parse (perl.c:1689)
==19611== by 0x4218FF: main (perlmain.c:121)
==19611==
==19611== Conditional jump or move depends on uninitialised value(s)
==19611== at 0x5CA25B: S__byte_dump_string (utf8.c:722)
==19611== by 0x5CB052: S_unexpected_non_continuation_text (utf8.c:760)
==19611== by 0x5CB052: Perl_utf8n_to_uvchr_error (utf8.c:1344)
==19611== by 0x5D3B44: Perl_pv_uni_display (utf8.c:4707)
==19611== by 0x476A87: Perl_yylex (toke.c:4899)
==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
==19611== by 0x450F87: S_parse_body (perl.c:2374)
==19611== by 0x452B1C: perl_parse (perl.c:1689)
==19611== by 0x4218FF: main (perlmain.c:121)
==19611==
==19611== Conditional jump or move depends on uninitialised value(s)
==19611== at 0x4C2C1B8: strlen (vg_replace_strmem.c:412)
==19611== by 0x51BA54: Perl_sv_vcatpvfn_flags (sv.c:11916)
==19611== by 0x51EDD5: Perl_sv_vsetpvfn (sv.c:10826)
==19611== by 0x4DA11F: Perl_vform (util.c:1376)
==19611== by 0x4DA27D: Perl_form (util.c:1366)
==19611== by 0x5CB082: S_unexpected_non_continuation_text (utf8.c:760)
==19611== by 0x5CB082: Perl_utf8n_to_uvchr_error (utf8.c:1344)
==19611== by 0x5D3B44: Perl_pv_uni_display (utf8.c:4707)
==19611== by 0x476A87: Perl_yylex (toke.c:4899)
==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
==19611== by 0x450F87: S_parse_body (perl.c:2374)
==19611== by 0x452B1C: perl_parse (perl.c:1689)
==19611== by 0x4218FF: main (perlmain.c:121)
==19611==
==19611== Conditional jump or move depends on uninitialised value(s)
==19611== at 0x4C2C1B8: strlen (vg_replace_strmem.c:412)
==19611== by 0x53A2BE: Perl_sv_catpv_flags (sv.c:5544)
==19611== by 0x51C0AB: Perl_sv_vcatpvfn_flags (sv.c:11356)
==19611== by 0x51EDD5: Perl_sv_vsetpvfn (sv.c:10826)
==19611== by 0x4DA11F: Perl_vform (util.c:1376)
==19611== by 0x4DA27D: Perl_form (util.c:1366)
==19611== by 0x5CB091: Perl_utf8n_to_uvchr_error (utf8.c:1344)
==19611== by 0x5D3B44: Perl_pv_uni_display (utf8.c:4707)
==19611== by 0x476A87: Perl_yylex (toke.c:4899)
==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
==19611== by 0x450F87: S_parse_body (perl.c:2374)
==19611== by 0x452B1C: perl_parse (perl.c:1689)
==19611==
==19611== Syscall param write(buf) points to uninitialised byte(s)
==19611== at 0x4E43A60: __write_nocancel (syscall-template.S:81)
==19611== by 0x5E2663: PerlIOUnix_write (perlio.c:2791)
==19611== by 0x5E2706: PerlIOBuf_flush (perlio.c:3966)
==19611== by 0x5DE9AD: Perl_PerlIO_flush (perlio.c:1618)
==19611== by 0x5DF6DF: PerlIOBuf_write (perlio.c:4193)
==19611== by 0x5A66AE: Perl_do_print (doio.c:1415)
==19611== by 0x4D89D4: Perl_write_to_stderr (util.c:1606)
==19611== by 0x4DAE58: Perl_warner (util.c:2052)
==19611== by 0x5CB1DE: Perl_utf8n_to_uvchr_error (utf8.c:1573)
==19611== by 0x5D3B44: Perl_pv_uni_display (utf8.c:4707)
==19611== by 0x476A87: Perl_yylex (toke.c:4899)
==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
==19611== Address 0x5f82095 is 37 bytes inside a block of size 8,192 alloc'd
==19611== at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==19611== by 0x4D9F9C: Perl_safesyscalloc (util.c:440)
==19611== by 0x5DCCFE: PerlIOBuf_get_base (perlio.c:4304)
==19611== by 0x5DF6ED: PerlIOBuf_write (perlio.c:4166)
==19611== by 0x5A66AE: Perl_do_print (doio.c:1415)
==19611== by 0x4D89D4: Perl_write_to_stderr (util.c:1606)
==19611== by 0x4DAE58: Perl_warner (util.c:2052)
==19611== by 0x5D2BAD: S_is_utf8_common (utf8.c:2338)
==19611== by 0x5D2BAD: Perl__is_utf8_perl_idstart (utf8.c:2384)
==19611== by 0x477B98: Perl_yylex (toke.c:4890)
==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
==19611== by 0x450F87: S_parse_body (perl.c:2374)
==19611== by 0x452B1C: perl_parse (perl.c:1689)
==19611==
Malformed UTF-8 character: \xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 (unexpected non-continuation byte 0x00, immediately after start byte 0xff; need 13 bytes, got 1) at test009 line 1.
Constant(0): $^H{integer} is not defined at test009 line 1, at end of line
Malformed UTF-8 character: \xff (too short; got 1 byte, need 13) at test009 line 1.
Unrecognized character \x{0}; marked by <-- HERE after H=2**400}0<-- HERE near column 25 at test009 line 1.

p5pRT commented Oct 14, 2016

From @geeknik

test009.gz

p5pRT commented Jan 30, 2017

From @tonycoz

On Fri, 14 Oct 2016 13:42:55 -0700, brian.carpenter@gmail.com wrote:

> I have a new test case that triggers this bug, plus some valgrind output
> and I have to say, I've never seen `Syscall param write(buf) points to
> uninitialised byte(s)` before:
>
> Passing malformed UTF-8 to "_Perl_IDStart" is deprecated at test009 line 1.
> ==19611== Invalid read of size 2
> ==19611== at 0x4C2D670: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)
> ==19611== by 0x52F80C: memmove (string3.h:57)
> ==19611== by 0x52F80C: Perl_sv_setpvn (sv.c:4910)
> ==19611== by 0x5300E4: Perl_newSVpvn_flags (sv.c:9165)
> ==19611== by 0x476A72: Perl_yylex (toke.c:4899)
> ==19611== by 0x48AA3A: Perl_yyparse (perly.c:334)
> ==19611== by 0x450F87: S_parse_body (perl.c:2374)
> ==19611== by 0x452B1C: perl_parse (perl.c:1689)
> ==19611== by 0x4218FF: main (perlmain.c:121)

This bug requires feeding code to the interpreter, so it isn't a security issue.

It's now public.

Tony

p5pRT commented Jan 30, 2017

From @khwilliamson

On Fri, 14 Oct 2016 13:42:55 -0700, brian.carpenter@gmail.com wrote:

> I have a new test case that triggers this bug, plus some valgrind output
> and I have to say, I've never seen `Syscall param write(buf) points to
> uninitialised byte(s)` before:

There have been significant changes since this ticket was filed. I just tried this case in blead with valgrind and got no problems. This is the output:

Useless use of anonymous hash ({}) in void context at -e line 1.
Bareword found where operator expected at -e line 1, near "0ÿ"
  (Missing operator before ÿ?)
Constant(0): $^H{integer} is not defined at -e line 1, at end of line
syntax error at -e line 1, near "0ÿ

--
Karl Williamson

p5pRT commented Feb 1, 2017

From @iabyn

On Sun, Jan 29, 2017 at 08:15:22PM -0800, Karl Williamson via RT wrote:

> On Fri, 14 Oct 2016 13:42:55 -0700, brian.carpenter@gmail.com wrote:
>
> > I have a new test case that triggers this bug, plus some valgrind output
> > and I have to say, I've never seen `Syscall param write(buf) points to
> > uninitialised byte(s)` before:
>
> There have been significant changes since this ticket was filed. I just tried this case in blead with valgrind and got no problems. This is the output
>
> Useless use of anonymous hash ({}) in void context at -e line 1.
> Bareword found where operator expected at -e line 1, near "0ÿ"
> (Missing operator before ÿ?)
> Constant(0): $^H{integer} is not defined at -e line 1, at end of line
> syntax error at -e line 1, near "0ÿ

With the original test03 script, I can bisect it not panicking under
valgrind to

  commit 98d5e3e
  Author: David Mitchell <davem@iabyn.com>
  Date:   Sat Dec 10 15:06:30 2016 +0000

      misaligned buffer with heredoc and /(?{...})/

      RT #129199

but I can't bisect the test0009 script.

--
Modern art​:
  "That's easy, I could have done that!"
  "Ah, but you didn't!"

p5pRT commented Feb 20, 2017

From @tonycoz

On Wed, 01 Feb 2017 03:16:56 -0800, davem wrote:

> On Sun, Jan 29, 2017 at 08:15:22PM -0800, Karl Williamson via RT
> wrote:
>
> > On Fri, 14 Oct 2016 13:42:55 -0700, brian.carpenter@gmail.com wrote:
> >
> > > I have a new test case that triggers this bug, plus some valgrind output
> > > and I have to say, I've never seen `Syscall param write(buf) points to
> > > uninitialised byte(s)` before:
> >
> > There have been significant changes since this ticket was filed. I
> > just tried this case in blead with valgrind and got no problems.
> > This is the output
> >
> > Useless use of anonymous hash ({}) in void context at -e line 1.
> > Bareword found where operator expected at -e line 1, near "0ÿ"
> > (Missing operator before ÿ?)
> > Constant(0): $^H{integer} is not defined at -e line 1, at end of line
> > syntax error at -e line 1, near "0ÿ
>
> with the original test03 script, I can bisect it not panicing under
> valgrind to
>
> commit 98d5e3e
> Author: David Mitchell <davem@iabyn.com>
> Date: Sat Dec 10 15:06:30 2016 +0000
>
> misaligned buffer with heredoc and /(?{...})/
>
> RT #129199
>
> but I can't bisect the test0009 script.

test009 was fixed by:

  Author: Tony Cook <tony@develop-help.com>
  Date:   Tue Oct 18 15:46:48 2016 +1100

      (perl #128997) avoid reading beyond the end of the line buffer

      when there's a short UTF-8 character at the end.

Closing.

Tony
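
The check behind the fix Tony cites, as an added example that is not perl's code and not part of this thread: before decoding a multibyte character, the scanner verifies that every byte the start byte promises still lies inside the line buffer, so a lone 0xFF as the last byte is reported as short (need 13, got 1) instead of being read past the end. Sequence lengths follow perl's extended UTF-8 (0xFE taken as a 7-byte start, 0xFF as 13 bytes, matching the "need 13 bytes" warning quoted above); the sample line is constructed to resemble the tail of test009.

```c
#include <stddef.h>

/* Expected total length of the character introduced by start byte b, following
 * perl's extended UTF-8 (0xFE starts a 7-byte and 0xFF a 13-byte sequence, as
 * in the "need 13 bytes" warning quoted earlier in this thread). Not perl's
 * code: a constructed illustration of the bounds check in the fix above. */
static size_t utf8_seq_len(unsigned char b) {
    if (b < 0xC0) return 1;   /* ASCII (a stray continuation byte is consumed as one byte) */
    if (b < 0xE0) return 2;
    if (b < 0xF0) return 3;
    if (b < 0xF8) return 4;
    if (b < 0xFC) return 5;
    if (b < 0xFE) return 6;
    return b == 0xFE ? 7 : 13;
}

typedef struct {
    size_t chars;     /* well-formed characters before the scan stopped */
    size_t bad_off;   /* offset of the malformed character, or len if none */
    size_t need;      /* bytes the start byte promised (0 if nothing malformed) */
    size_t got;       /* bytes of it that were present and valid */
    int    truncated; /* 1: the buffer ended first; 0: a non-continuation byte */
} scan_result;

/* Walk [buf, buf+len) character by character. A naive loop reads
 * buf[i+1..i+n-1] as soon as the start byte says n; this one stops at the
 * buffer end, so a short character at the end of the line buffer is reported
 * rather than read past. */
static scan_result scan_line(const unsigned char *buf, size_t len) {
    scan_result r = {0, len, 0, 0, 0};
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(buf[i]), k = 1;
        while (k < n && i + k < len && (buf[i + k] & 0xC0) == 0x80)
            k++;                                   /* continuation bytes present */
        if (k < n) {                               /* malformed: stop here */
            r.bad_off = i; r.need = n; r.got = k;
            r.truncated = (i + k >= len);
            return r;
        }
        r.chars++;
        i += n;
    }
    return r;
}

/* Constructed line modelled on the tail of test009: ASCII, then a lone 0xFF
 * as the very last byte of the buffer. */
static scan_result scan_demo(void) {
    static const unsigned char line[] = "H=2**400}0\xff";
    return scan_line(line, sizeof line - 1);
}
```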

p5pRT commented Feb 20, 2017

@tonycoz - Status changed from 'open' to 'pending release'

p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'

@p5pRT p5pRT closed this as completed May 30, 2017