
Re: Null pointer dereference in Perl_pp_multiconcat #16470

Open
p5pRT opened this issue Mar 18, 2018 · 4 comments

@p5pRT p5pRT commented Mar 18, 2018

Migrated from rt.perl.org#132996 (status was 'open')

Searchable as RT132996$


@p5pRT p5pRT commented Mar 18, 2018

From jeremy@feusi.co

I just realized that I used the wrong perlbug. But as I can't seem to
get the correct perlbug to run I'll just have to give you the most
important facts manually:
Configure command:
./Configure -des -Dusedevel -Dcc=clang -Dcxx=clang++ -Dld=clang++
-Aldflags=-fsanitize=address -Accflags=-g3\ -fsanitize=address
-Acxxflags=-g3\ -fsanitize=address

Perl version:
perl 5, version 27, subversion 10 built for x86_64-linux

Platform:
Linux Debian 4.9.65-3 x86_64 GNU/Linux

Tell me if you need anything else.

In-Reply-To: <5.26.1_42062_1521280686@debian-vm.localdomain>

On Sat, Mar 17, 2018 at 11:32:37AM +0100, jeremy@feusi.co wrote:

Reply-To: jeremy@feusi.co

This is a bug report for perl from jeremy@feusi.co,
generated with the help of perlbug 1.40 running under perl 5.26.1.

-----------------------------------------------------------------
Perl segfaults when executing the attached program (perl <progname>) due to a null pointer dereference in Perl_pp_multiconcat.
This bug can also be reproduced on archlinux and debian with standard installation configuration and version 5.26.1.

Detailed backtrace:

ASAN:DEADLYSIGNAL

==9327==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x00000084e5f2 bp 0x7ffeed336030 sp 0x7ffeed335a40 T0)
==9327==The signal is caused by a READ memory access.
==9327==Hint: address points to the zero page.
#0 0x84e5f1 in Perl_pp_multiconcat /home/jfe/perl52/pp_hot.c
#1 0x8488be in Perl_runops_standard /home/jfe/perl52/run.c:41:26
#2 0xa95bf6 in S_regmatch /home/jfe/perl52/regexec.c:7424:3
#3 0xa74ea0 in S_regtry /home/jfe/perl52/regexec.c:4086:14
#4 0xa57204 in Perl_regexec_flags /home/jfe/perl52/regexec.c:3943:7
#5 0x877ab1 in Perl_pp_subst /home/jfe/perl52/pp_hot.c:4212:10
#6 0x8488be in Perl_runops_standard /home/jfe/perl52/run.c:41:26
#7 0x5dbc91 in S_run_body /home/jfe/perl52/perl.c
#8 0x5dabb4 in perl_run /home/jfe/perl52/perl.c:2646:2
#9 0x52f0b8 in main /home/jfe/perl52/perlmain.c:122:9
#10 0x7fe328886f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
#11 0x43f999 in _start (/home/jfe/perl52/perl+0x43f999)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jfe/perl52/pp_hot.c in Perl_pp_multiconcat
==9327==ABORTING

This bug was found with honggfuzz and asan.

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
category=core
severity=high
---
Site configuration information for perl 5.26.1:

Configured by Debian at Fri Jan 12 19:31:09 UTC 2018.

Summary of my perl5 (revision 5 version 26 subversion 1) configuration:

Platform:
osname=linux
osvers=4.9.0
archname=x86_64-linux-gnu-thread-multi
uname='linux localhost 4.9.0 #1 smp debian 4.9.0 x86_64 gnulinux '
config_args='-Dusethreads -Duselargefiles -Dcc=x86_64-linux-gnu-gcc -Dcpp=x86_64-linux-gnu-cpp -Dld=x86_64-linux-gnu-gcc -Dccflags=-DDEBIAN -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/perl-awpeXx/perl-5.26.1=. -fstack-protector-strong -Wformat -Werror=format-security -Dldflags= -Wl,-z,relro -Dlddlflags=-shared -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.26 -Darchlib=/usr/lib/x86_64-linux-gnu/perl/5.26 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/x86_64-linux-gnu/perl5/5.26 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.26.1 -Dsitearch=/usr/local/lib/x86_64-linux-gnu/perl/5.26.1 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl
-Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -Ui_xlocale -Uversiononly -DDEBUGGING=-g -Doptimize=-O2 -dEs -Duseshrplib -Dlibperl=libperl.so.5.26.1'
hint=recommended
useposix=true
d_sigaction=define
useithreads=define
usemultiplicity=define
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='x86_64-linux-gnu-gcc'
ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
optimize='-O2 -g'
cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include'
ccversion=''
gccversion='7.2.0'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='x86_64-linux-gnu-gcc'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/7/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
perllibs=-ldl -lm -lpthread -lc -lcrypt
libc=libc-2.26.so
so=so
useshrplib=true
libperl=libperl.so.5.26
gnulibc_version='2.26'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN.
DEBPKG:debian/db_file_ver - https://bugs.debian.org/340047 Remove overly restrictive DB_File version check.
DEBPKG:debian/doc_info - Replace generic man(1) instructions with Debian-specific information.
DEBPKG:debian/enc2xs_inc - https://bugs.debian.org/290336 Tweak enc2xs to follow symlinks and ignore missing @INC directories.
DEBPKG:debian/errno_ver - https://bugs.debian.org/343351 Remove Errno version check due to upgrade problems with long-running processes.
DEBPKG:debian/libperl_embed_doc - https://bugs.debian.org/186778 Note that libperl-dev package is required for embedded linking
DEBPKG:fixes/respect_umask - Respect umask during installation
DEBPKG:debian/writable_site_dirs - Set umask appropriately for site install directories
DEBPKG:debian/extutils_set_libperl_path - EU:MM: set location of libperl.a under /usr/lib
DEBPKG:debian/no_packlist_perllocal - Don't install .packlist or perllocal.pod for perl or vendor
DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the binary targets.
DEBPKG:debian/instmodsh_doc - Debian policy doesn't install .packlist files for core or vendor.
DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH as per Debian policy.
DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to /etc/perl/Net as /usr may not be writable.
DEBPKG:debian/perlivp - https://bugs.debian.org/510895 Make perlivp skip include directories in /usr/local
DEBPKG:debian/deprecate-with-apt - https://bugs.debian.org/747628 Point users to Debian packages of deprecated core modules
DEBPKG:debian/squelch-locale-warnings - https://bugs.debian.org/508764 Squelch locale warnings in Debian package maintainer scripts
DEBPKG:debian/patchlevel - https://bugs.debian.org/567489 List packaged patches for 5.26.1-4 in patchlevel.h
DEBPKG:fixes/document_makemaker_ccflags - https://bugs.debian.org/628522 [rt.cpan.org #68613] Document that CCFLAGS should include $Config{ccflags}
DEBPKG:debian/find_html2text - https://bugs.debian.org/640479 Configure CPAN::Distribution with correct name of html2text
DEBPKG:debian/perl5db-x-terminal-emulator.patch - https://bugs.debian.org/668490 Invoke x-terminal-emulator rather than xterm in perl5db.pl
DEBPKG:debian/cpan-missing-site-dirs - https://bugs.debian.org/688842 Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent is writable
DEBPKG:fixes/memoize_storable_nstore - [rt.cpan.org #77790] https://bugs.debian.org/587650 Memoize::Storable: respect 'nstore' option not respected
DEBPKG:debian/makemaker-pasthru - https://bugs.debian.org/758471 Pass LD settings through to subdirectories
DEBPKG:debian/makemaker-manext - https://bugs.debian.org/247370 Make EU::MakeMaker honour MANnEXT settings in generated manpage headers
DEBPKG:debian/kfreebsd-softupdates - https://bugs.debian.org/796798 Work around Debian Bug#796798
DEBPKG:fixes/autodie-scope - https://bugs.debian.org/798096 Fix a scoping issue with "no autodie" and the "system" sub
DEBPKG:fixes/memoize-pod - [rt.cpan.org #89441] Fix POD errors in Memoize
DEBPKG:debian/hurd-softupdates - https://bugs.debian.org/822735 Fix t/op/stat.t failures on hurd
DEBPKG:fixes/math_complex_doc_great_circle - https://bugs.debian.org/697567 [rt.cpan.org #114104] Math::Trig: clarify definition of great_circle_midpoint
DEBPKG:fixes/math_complex_doc_see_also - https://bugs.debian.org/697568 [rt.cpan.org #114105] Math::Trig: add missing SEE ALSO
DEBPKG:fixes/math_complex_doc_angle_units - https://bugs.debian.org/731505 [rt.cpan.org #114106] Math::Trig: document angle units
DEBPKG:fixes/cpan_web_link - https://bugs.debian.org/367291 CPAN: Add link to main CPAN web site
DEBPKG:fixes/time_piece_doc - https://bugs.debian.org/817925 Time::Piece: Improve documentation for add_months and add_years
DEBPKG:fixes/extutils_makemaker_reproducible - https://bugs.debian.org/835815 https://bugs.debian.org/834190 Make perllocal.pod files reproducible
DEBPKG:fixes/file_path_hurd_errno - File-Path: Fix test failure in Hurd due to hard-coded ENOENT
DEBPKG:debian/hppa_op_optimize_workaround - https://bugs.debian.org/838613 Temporarily lower the optimization of op.c on hppa due to gcc-6 problems
DEBPKG:debian/installman-utf8 - https://bugs.debian.org/840211 Generate man pages with UTF-8 characters
DEBPKG:fixes/file_path_chmod_race - https://bugs.debian.org/863870 [rt.cpan.org #121951] Prevent directory chmod race attack.
DEBPKG:fixes/extutils_file_path_compat - Correct the order of tests of chmod(). (#294)
DEBPKG:fixes/getopt-long-2 - [rt.cpan.org #120300] Withdraw part of commit 5d9947fb445327c7299d8beb009d609bc70066c0, which tries to implement more GNU getopt_long compatibility. GNU
DEBPKG:fixes/getopt-long-3 - provide a default value for optional arguments
DEBPKG:fixes/getopt-long-4 - https://bugs.debian.org/864544 [rt.cpan.org #122068] Fix issue #122068.
DEBPKG:fixes/test-builder-reset - https://bugs.debian.org/865894 Reset inside subtest maintains parent
DEBPKG:debian/hppa_opmini_optimize_workaround - https://bugs.debian.org/869122 Lower the optimization level of opmini.c on hppa
DEBPKG:debian/sh4_op_optimize_workaround - https://bugs.debian.org/869373 Also lower the optimization level of op.c and opmini.c on sh4
DEBPKG:fixes/json-pp-example - [rt.cpan.org #92793] https://bugs.debian.org/871837 fix RT-92793: bug in SYNOPSIS
DEBPKG:debian/perldoc-pager - https://bugs.debian.org/870340 [rt.cpan.org #120229] Fix perldoc terminal escapes when sensible-pager is less
DEBPKG:debian/prune_libs - https://bugs.debian.org/128355 Prune the list of libraries wanted to what we actually need.
DEBPKG:debian/configure-regen - https://bugs.debian.org/762638 Regenerate Configure et al. after probe unit changes
DEBPKG:fixes/rename-filexp.U-phase1 - regen-configure: rename filexp.U to filexp_path.U, phase 1
DEBPKG:fixes/rename-filexp.U-phase2 - regen-configure: rename filexp.U to filexp_path.U, phase 2
DEBPKG:fixes/packaging_test_skips - Skip various tests if PERL_BUILD_PACKAGING is set
DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
DEBPKG:fixes/encode-alias-regexp - https://bugs.debian.org/880085 fix dankogai/p5-encode#127

---
@INC for perl 5.26.1:
/etc/perl
/usr/local/lib/x86_64-linux-gnu/perl/5.26.1
/usr/local/share/perl/5.26.1
/usr/lib/x86_64-linux-gnu/perl5/5.26
/usr/share/perl5
/usr/lib/x86_64-linux-gnu/perl/5.26
/usr/share/perl/5.26
/usr/local/lib/site_perl
/usr/lib/x86_64-linux-gnu/perl-base

---
Environment for perl 5.26.1:
HOME=/home/jfe
LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8
LC_ADDRESS=de_CH.UTF-8
LC_ALL=en_US.UTF-8
LC_COLLATE=de_CH.UTF-8
LC_IDENTIFICATION=de_CH.UTF-8
LC_MEASUREMENT=de_CH.UTF-8
LC_MESSAGES=en_US.UTF-8
LC_MONETARY=de_CH.UTF-8
LC_NAME=de_CH.UTF-8
LC_NUMERIC=de_CH.UTF-8
LC_PAPER=de_CH.UTF-8
LC_TELEPHONE=de_CH.UTF-8
LC_TIME=en_DK.UTF-8
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/jfe/.cargo/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
PERL_BADLANG (unset)
SHELL=/bin/bash

#!./perl
m/(?{print <<EOF
A$A
EOF
})/g;
eval 's/${\%A}{3}//e';


@p5pRT p5pRT commented Mar 23, 2018

From @shlomif

Hi all!

Here is the program:

<<<<<

#!./perl
m/(?{print <<EOF
A$A
EOF
})/g;
eval 's/${\%A}{3}//e';

It segfaults both /usr/bin/perl and bleadperl on my mageia v7 x64 system.

Regards,

  Shlomi Fish


@p5pRT p5pRT commented Mar 23, 2018

The RT System itself - Status changed from 'new' to 'open'


@p5pRT p5pRT commented Mar 23, 2018

From @shlomif

Begin forwarded message:

Date: Fri, 23 Mar 2018 09:20:54 +0000
From: Dave Mitchell <davem@iabyn.com>
To: Shlomi Fish <shlomif@shlomifish.org>
Subject: Re: [perl #132996] Re: Null pointer dereference in Perl_pp_multiconcat

On Fri, Mar 23, 2018 at 10:46:52AM +0300, Shlomi Fish wrote:

Hi all!

Here is the program:

<<<<<

#!./perl
m/(?{print <<EOF
A$A
EOF
})/g;
eval 's/${\%A}{3}//e';

It segfaults both /usr/bin/perl and bleadperl on my mageia v7 x64 system.

It can be reduced further to

  my $a="";
  m/(?{"A$a"})/;
  eval 'm//';

It's something to do with the 'use last successful match' behaviour of
m//; when the code block in the regex is executed for a second time,
it looks like the wrong pad is in use and padsv($a) returns a null
pointer or other garbage.

The bug is present back to at least 5.8.9, so it's (fortunately) not a
regression introduced by pp_multiconcat.

--
The optimist believes that he lives in the best of all possible worlds.
As does the pessimist.

--


Shlomi Fish http://www.shlomifish.org/
Stop Using MSIE - http://www.shlomifish.org/no-ie/

Buffy Summers does not really need stakes to slay vampires, because her kisses
are deadly for them. And that includes those that she blows in the air.
  — http://www.shlomifish.org/humour/bits/facts/Buffy/

Please reply to list if it's a mailing list post - http://shlom.in/reply .
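Added illustration (editor's example, not code from the bug report, from the reporters, or from the perl source) of the behaviour Dave's reply points at: an empty pattern in m// or s/// makes perl reuse the last successfully matched regex, and that reused regex carries its (?{ ... }) code block with it, so the block is executed again on every such match. The script keeps everything in one lexical scope and a package variable ($hits, an assumed name, as are $copy and the test strings); it deliberately does not go through the string eval that the reduced test case uses, and it checks its own expectations with die rather than printing them.

```perl
#!/usr/bin/perl
# Added illustration, not code from the bug report or from perl itself.
use strict;
use warnings;

# Package variable (assumed name) that the code block below counts up.
our $hits = 0;

# 1. A literal pattern carrying a (?{ ... }) code block. The ^ anchor means
#    the engine attempts the match at offset 0 only, so the block runs once.
"abc" =~ m/^(?{ $hits++ })abc/
    or die "literal pattern did not match";
$hits == 1 or die "expected the code block to run once, got $hits";

# 2. A match that fails does not replace "the last successful match".
"abc" =~ m/q/
    and die "pattern /q/ was not expected to match";

# 3. Empty pattern: perl substitutes the last successfully matched regex,
#    which is still /^(?{ $hits++ })abc/, code block included, so the same
#    compiled block is executed a second time.
"abc" =~ m//
    or die "empty pattern did not reuse the last successful match";
$hits == 2 or die "expected the reused code block to run again, got $hits";

# 4. s/// follows the same empty-pattern rule (the reporter's original
#    trigger was a substitution; see pp_subst in the backtrace above), so
#    the block runs a third time and the anchored "abc" is replaced.
(my $copy = "abc") =~ s//X/
    or die "empty pattern in s/// did not reuse the last successful match";
$copy eq "X" or die "unexpected result of substitution: $copy";
$hits == 3 or die "expected three runs of the code block, got $hits";

print "ok: code block ran $hits times, twice through an empty pattern\n";
```

Run it as a plain script; every die line is a check that perlop's documented rule holds. The point for triage is that the reused regex and its code block were compiled in one scope but can be executed from another: in the reduced case above the second execution happens inside eval 'm//', where Dave suspects the wrong pad is current when the block's ops run.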
