Skip to content

/ perl5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

stack-overflow (can't grow stack) in Perl_sv_vcatpvfn_flags #17083

Closed
p5pRT opened this issue Jul 6, 2019 · 17 comments
Closed

stack-overflow (can't grow stack) in Perl_sv_vcatpvfn_flags #17083

p5pRT opened this issue Jul 6, 2019 · 17 comments

Comments

@p5pRT
Copy link
Collaborator

@p5pRT p5pRT commented Jul 6, 2019

Migrated from rt.perl.org#134266 (status was 'pending release')

Searchable as RT134266$
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Jun 22, 2019

From imdb95@gmail.com

Hi,
I found this bug when fuzzing perlembed with afl-fuzz.

**********Compilation**********
Version of perl​: the dev version (https://perl5.git.perl.org/perl.git)

root@​instance-2​:~/fuzz_perl# ./perl/perl -v

This is perl 5, version 31, subversion 2 (v5.31.2
(v5.31.1-6-g9649a81)) built for x86_64-linux

OS​: Ubuntu 16.04 LTS 64bit
Compilation of perl, with pre-built clang+llvm (
http​://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz)
and afl-2.52b​:
AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-g
Compilation of file perl_crash.cpp​:

AFL_USE_ASAN=1 afl-clang-fast++ perl_crash.cpp -o perl_crash `./perl/perl
-MExtUtils​::Embed -e ccopts -e ldopts` -std=c++11

**********Reproduce**********

root@​instance-2​:~/fuzz_perl# ./perl_crash a '${*@​=\_})'
'a' =~ /${*@​=\_})/
ASAN​:DEADLYSIGNAL

==5786==ERROR​: AddressSanitizer​: stack-overflow on address
0x7ffc91cf0f10 (pc 0x0000004de581 bp 0x7ffc91cf1760 sp 0x7ffc91cf0f00
T0)
  #0 0x4de580 in BufferedStackTrace
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h​:94​:37
  #1 0x4de580 in realloc
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc​:79
  #2 0x7cb292 in Perl_safesysrealloc /root/fuzz_perl/perl/util.c​:279​:18
  #3 0x8e8ab6 in Perl_sv_grow /root/fuzz_perl/perl/sv.c​:1596​:17
  #4 0x9374b9 in Perl_sv_catpvn_flags /root/fuzz_perl/perl/sv.c​:5492​:12
  #5 0x98c85e in Perl_sv_catpv_flags /root/fuzz_perl/perl/sv.c​:5609​:5
  #6 0x98c85e in Perl_sv_vcatpvfn_flags /root/fuzz_perl/perl/sv.c​:11931
  #7 0x96f28c in Perl_sv_vsetpvfn /root/fuzz_perl/perl/sv.c​:10987​:5
  #8 0x7d40a2 in Perl_vmess /root/fuzz_perl/perl/util.c​:1498​:5
  #9 0x7d40a2 in Perl_vcroak /root/fuzz_perl/perl/util.c​:1709
  #10 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #11 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #12 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #13 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #14 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #15 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #16 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #17 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #18 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #19 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #20 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #21 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #22 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #23 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #24 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #25 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #26 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #27 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #28 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #29 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #30 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #31 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #32 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #33 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #34 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5

  #35 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #36 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #37 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #38 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #39 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #40 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #41 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #42 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #43 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #44 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #45 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #46 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #47 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #48 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #49 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #50 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #51 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #52 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #53 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #54 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #55 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #56 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #57 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #58 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #59 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #60 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #61 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #62 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #63 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #64 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #65 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #66 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #67 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #68 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #69 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #70 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #71 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #72 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #73 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #74 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #75 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5

  #76 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #77 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #78 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #79 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #80 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #81 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #82 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #83 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #84 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #85 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #86 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #87 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #88 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #89 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #90 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #91 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #92 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #93 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #94 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #95 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #96 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #97 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #98 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #99 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #100 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #101 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #102 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #103 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #104 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #105 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #106 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #107 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #108 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #109 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #110 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #111 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #112 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #113 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #114 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #115 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #116 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6

  #117 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #118 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #119 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #120 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #121 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #122 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #123 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #124 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #125 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #126 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #127 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #128 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #129 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #130 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #131 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #132 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #133 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #134 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #135 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #136 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #137 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #138 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #139 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #140 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #141 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #142 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #143 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #144 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #145 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #146 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #147 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #148 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #149 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #150 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #151 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #152 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #153 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #154 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #155 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #156 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #157 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5

  #158 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #159 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #160 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #161 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #162 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #163 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #164 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #165 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #166 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #167 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #168 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #169 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #170 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #171 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #172 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #173 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #174 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #175 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #176 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #177 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #178 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #179 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #180 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #181 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #182 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #183 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #184 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #185 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #186 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #187 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #188 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #189 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #190 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #191 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #192 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #193 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #194 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #195 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #196 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #197 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #198 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2

  #199 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #200 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #201 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #202 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #203 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #204 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #205 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #206 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #207 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #208 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #209 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #210 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #211 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #212 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #213 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #214 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #215 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #216 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #217 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #218 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #219 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #220 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #221 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #222 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #223 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #224 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #225 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #226 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #227 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #228 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #229 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #230 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #231 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5

  #232 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #233 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #234 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #235 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #236 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #237 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #238 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #239 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #240 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #241 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #242 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #243 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #244 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #245 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #246 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #247 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #248 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #249 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #250 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #251 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #252 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2

SUMMARY​: AddressSanitizer​: stack-overflow
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h​:94​:37
in BufferedStackTrace
==5786==ABORTING

**************************

Please confirm this.

Thanks,

Manh Nguyen
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Jun 22, 2019

From imdb95@gmail.com

Sorry for not attaching source code of perl_crash.cpp.

On Sun, Jun 23, 2019 at 12​:05 AM Peter Nguyen <imdb95@​gmail.com> wrote​:

Hi,
I found this bug when fuzzing perlembed with afl-fuzz.

**********Compilation**********
Version of perl​: the dev version (https://perl5.git.perl.org/perl.git)

root@​instance-2​:~/fuzz_perl# ./perl/perl -v

This is perl 5, version 31, subversion 2 (v5.31.2 (v5.31.1-6-g9649a81)) built for x86_64-linux

OS​: Ubuntu 16.04 LTS 64bit
Compilation of perl, with pre-built clang+llvm (
http​://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz)
and afl-2.52b​:
AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-g
Compilation of file perl_crash.cpp​:

AFL_USE_ASAN=1 afl-clang-fast++ perl_crash.cpp -o perl_crash `./perl/perl
-MExtUtils​::Embed -e ccopts -e ldopts` -std=c++11

**********Reproduce**********

root@​instance-2​:~/fuzz_perl# ./perl_crash a '${*@​=\_})'
'a' =~ /${*@​=\_})/
ASAN​:DEADLYSIGNAL

==5786==ERROR​: AddressSanitizer​: stack-overflow on address 0x7ffc91cf0f10 (pc 0x0000004de581 bp 0x7ffc91cf1760 sp 0x7ffc91cf0f00 T0)
#0 0x4de580 in BufferedStackTrace /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h​:94​:37
#1 0x4de580 in realloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc​:79
#2 0x7cb292 in Perl_safesysrealloc /root/fuzz_perl/perl/util.c​:279​:18
#3 0x8e8ab6 in Perl_sv_grow /root/fuzz_perl/perl/sv.c​:1596​:17
#4 0x9374b9 in Perl_sv_catpvn_flags /root/fuzz_perl/perl/sv.c​:5492​:12
#5 0x98c85e in Perl_sv_catpv_flags /root/fuzz_perl/perl/sv.c​:5609​:5
#6 0x98c85e in Perl_sv_vcatpvfn_flags /root/fuzz_perl/perl/sv.c​:11931
#7 0x96f28c in Perl_sv_vsetpvfn /root/fuzz_perl/perl/sv.c​:10987​:5
#8 0x7d40a2 in Perl_vmess /root/fuzz_perl/perl/util.c​:1498​:5
#9 0x7d40a2 in Perl_vcroak /root/fuzz_perl/perl/util.c​:1709
#10 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
#11 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
#12 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
#13 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
#14 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
#15 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
#16 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
#17 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
#18 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
#19 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
#20 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
#21 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
#22 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
#23 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
#24 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
#25 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
#26 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
#27 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
#28 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
#29 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
#30 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
#31 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
#32 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
#33 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
#34 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5

\#35 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#36 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#37 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#38 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#39 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#40 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#41 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#42 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#43 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#44 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#45 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#46 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#47 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#48 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#49 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#50 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#51 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#52 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#53 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#54 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#55 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#56 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#57 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#58 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#59 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#60 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#61 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#62 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#63 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#64 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#65 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#66 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#67 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#68 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#69 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#70 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#71 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#72 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#73 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#74 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#75 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5

\#76 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#77 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#78 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#79 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#80 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#81 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#82 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#83 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#84 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#85 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#86 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#87 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#88 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#89 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#90 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#91 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#92 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#93 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#94 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#95 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#96 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#97 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#98 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#99 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#100 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#101 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#102 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#103 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#104 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#105 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#106 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#107 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#108 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#109 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#110 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#111 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#112 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#113 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#114 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#115 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#116 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6

\#117 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#118 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#119 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#120 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#121 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#122 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#123 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#124 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#125 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#126 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#127 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#128 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#129 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#130 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#131 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#132 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#133 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#134 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#135 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#136 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#137 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#138 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#139 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#140 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#141 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#142 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#143 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#144 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#145 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#146 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#147 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#148 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#149 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#150 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#151 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#152 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#153 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#154 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#155 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#156 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#157 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5

\#158 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#159 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#160 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#161 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#162 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#163 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#164 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#165 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#166 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#167 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#168 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#169 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#170 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#171 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#172 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#173 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#174 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#175 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#176 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#177 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#178 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#179 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#180 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#181 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#182 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#183 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#184 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#185 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#186 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#187 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#188 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#189 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#190 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#191 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#192 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#193 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#194 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#195 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#196 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#197 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#198 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2

\#199 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#200 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#201 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#202 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#203 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#204 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#205 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#206 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#207 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#208 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#209 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#210 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#211 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#212 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#213 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#214 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#215 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#216 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#217 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#218 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#219 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#220 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#221 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#222 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#223 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#224 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#225 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#226 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#227 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#228 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#229 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#230 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#231 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5

\#232 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#233 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#234 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#235 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#236 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#237 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#238 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#239 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#240 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#241 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#242 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#243 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#244 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#245 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#246 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2
\#247 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:4300&#8203;:5
\#248 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c&#8203;:1724&#8203;:6
\#249 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c&#8203;:1711&#8203;:5
\#250 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c&#8203;:1756&#8203;:5
\#251 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c&#8203;:1774&#8203;:5
\#252 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c&#8203;:5278&#8203;:2

SUMMARY​: AddressSanitizer​: stack-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h​:94​:37 in BufferedStackTrace
==5786==ABORTING

**************************

Please confirm this.

Thanks,

Manh Nguyen
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Jun 22, 2019

From imdb95@gmail.com

#include <fstream>
#include <string>
#include <iostream>
#include <ctime>
#include <cstdlib>
#include <EXTERN.h>
#include <perl.h>

typedef const char* CONSTCSTR;

int main(int argc, char** argv)
{
  CONSTCSTR* embedding = new CONSTCSTR [4];
  embedding[0] = "";
  embedding[1] = "-e";
  embedding[2] = "0";
  embedding[3] = 0;

  PerlInterpreter *my_perl = perl_alloc();
  perl_construct(my_perl);

  perl_parse(my_perl, NULL, 3, (char**)embedding, NULL);
  PL_exit_flags |= PERL_EXIT_DESTRUCT_END;
  perl_run(my_perl);
  std​::string cmd = "\'";
  cmd += argv[1];
  cmd += "\' =~ /";
  cmd += argv[2];
  cmd += "/";
  std​::cout << cmd << std​::endl;
  std​::cout.flush();
  eval_pv(cmd.c_str(), false);
  perl_destruct(my_perl);
  perl_free(my_perl);

  return 0;
}
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 6, 2019

From imdb95@gmail.com

Hi,
I found this bug when fuzzing perl.

**********Compilation**********
Version of perl​: the dev version (https://perl5.git.perl.org/perl.git)

root@​instance-2​:~# ./perl/perl -v

This is perl 5, version 31, subversion 2 (v5.31.2) built for x86_64-linux
(with 1 registered patch, see perl -V for more detail)

OS​: Ubuntu 16.04 LTS 64bit
Compilation of perl​:
./Configure -des -Dusedevel && make && make install

**********Reproduce**********

root@​instance-2​:~# cat test.pl
eval '"a" =~ /${*@​=\_})/';
root@​instance-2​:~# ./perl/perl test.pl
Segmentation fault
root@​instance-2​:~# valgrind ./perl/perl test.pl
==31123== Memcheck, a memory error detector
==31123== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==31123== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==31123== Command​: ./perl/perl test.pl
==31123==
==31123== Stack overflow in thread #1​: can't grow stack to 0xffe801000
==31123==
==31123== Process terminating with default action of signal 11 (SIGSEGV)
==31123== Access not within mapped region at address 0xFFE801FC8
==31123== Stack overflow in thread #1​: can't grow stack to 0xffe801000
==31123== at 0x4D3EE0​: Perl_sv_vcatpvfn_flags (in /root/perl/perl)
==31123== If you believe this happened as a result of a stack
==31123== overflow in your program's main thread (unlikely but
==31123== possible), you can try to increase the size of the
==31123== main thread stack using the --main-stacksize= flag.
==31123== The main thread stack size used in this run was 8388608.
==31123== Stack overflow in thread #1​: can't grow stack to 0xffe801000
==31123==
==31123== Process terminating with default action of signal 11 (SIGSEGV)
==31123== Access not within mapped region at address 0xFFE801FC0
==31123== Stack overflow in thread #1​: can't grow stack to 0xffe801000
==31123== at 0x4A28680​: _vgnU_freeres (in
/usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==31123== If you believe this happened as a result of a stack
==31123== overflow in your program's main thread (unlikely but
==31123== possible), you can try to increase the size of the
==31123== main thread stack using the --main-stacksize= flag.
==31123== The main thread stack size used in this run was 8388608.

==31123==

==31123== HEAP SUMMARY​:
==31123== in use at exit​: 2,464,711 bytes in 18,860 blocks
==31123== total heap usage​: 55,154 allocs, 36,294 frees, 13,751,059 bytes
allocated
==31123==
==31123== LEAK SUMMARY​:
==31123== definitely lost​: 0 bytes in 0 blocks
==31123== indirectly lost​: 0 bytes in 0 blocks
==31123== possibly lost​: 0 bytes in 0 blocks
==31123== still reachable​: 2,464,711 bytes in 18,860 blocks
==31123== suppressed​: 0 bytes in 0 blocks
==31123== Rerun with --leak-check=full to see details of leaked memory
==31123==
==31123== For counts of detected and suppressed errors, rerun with​: -v
==31123== ERROR SUMMARY​: 0 errors from 0 contexts (suppressed​: 0 from 0)
Segmentation fault

**************************

Also crashes happen with perl v5.22.1 (default on Ubuntu) or perlembed
eval_pv("'a' =~ /${*@​=\_})/", false)

Please confirm this.

Thanks,

Manh Nguyen
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 7, 2019

From imdb95@gmail.com

I have another payload producing the same output​:
eval '"" =~ /${*@​=\_}_[/';
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 8, 2019

From @iabyn

On Fri, Jul 05, 2019 at 09​:45​:28PM -0700, Nguyen Duc Manh wrote​:

root@​instance-2​:~# cat test.pl
eval '"a" =~ /${*@​=\_})/';
root@​instance-2​:~# ./perl/perl test.pl
Segmentation fault

This code is making $@​ an alias of the read-only constant string "_".
Then corak during regexp compilation. The croaking tries to update $@​,
which croaks because it is read-only, and so infinitely recurses.

I can't see that its a security issue.

--
Lear​: Dost thou call me fool, boy?
Fool​: All thy other titles thou hast given away; that thou wast born with.
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Jul 8, 2019

The RT System itself - Status changed from 'new' to 'open'
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 5, 2019

From @tonycoz

On Sat, 22 Jun 2019 10​:05​:42 -0700, imdb95@​gmail.com wrote​:

Hi,
I found this bug when fuzzing perlembed with afl-fuzz.

**********Compilation**********
Version of perl​: the dev version (https://perl5.git.perl.org/perl.git)

root@​instance-2​:~/fuzz_perl# ./perl/perl -v

This is perl 5, version 31, subversion 2 (v5.31.2
(v5.31.1-6-g9649a81)) built for x86_64-linux

OS​: Ubuntu 16.04 LTS 64bit
Compilation of perl, with pre-built clang+llvm (
http​://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-
ubuntu-16.04.tar.xz)
and afl-2.52b​:
AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-
fast
-Doptimize=-g
Compilation of file perl_crash.cpp​:

AFL_USE_ASAN=1 afl-clang-fast++ perl_crash.cpp -o perl_crash
`./perl/perl
-MExtUtils​::Embed -e ccopts -e ldopts` -std=c++11

What's the contents of perl_crash.cpp ?

Tony
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 5, 2019

The RT System itself - Status changed from 'new' to 'open'
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 5, 2019

From @tonycoz

On Mon, 08 Jul 2019 02​:03​:17 -0700, davem wrote​:

On Fri, Jul 05, 2019 at 09​:45​:28PM -0700, Nguyen Duc Manh wrote​:

root@​instance-2​:~# cat test.pl
eval '"a" =~ /${*@​=\_})/';
root@​instance-2​:~# ./perl/perl test.pl
Segmentation fault

This code is making $@​ an alias of the read-only constant string "_".
Then corak during regexp compilation. The croaking tries to update $@​,
which croaks because it is read-only, and so infinitely recurses.

I can't see that its a security issue.

Agreed, now public.

Tony
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 5, 2019

From imdb95@gmail.com

Sorry,
Here is the content of perl_crash.cpp (attachment)
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 5, 2019

From imdb95@gmail.com

#include <fstream>
#include <string>
#include <iostream>
#include <ctime>
#include <cstdlib>
#include <EXTERN.h>
#include <perl.h>

typedef const char* CONSTCSTR;

int main(int argc, char** argv)
{
  CONSTCSTR* embedding = new CONSTCSTR [4];
  embedding[0] = "";
  embedding[1] = "-e";
  embedding[2] = "0";
  embedding[3] = 0;

  PerlInterpreter *my_perl = perl_alloc();
  perl_construct(my_perl);

  perl_parse(my_perl, NULL, 3, (char**)embedding, NULL);
  PL_exit_flags |= PERL_EXIT_DESTRUCT_END;
  perl_run(my_perl);
  std​::string cmd = "\'";
  cmd += argv[1];
  cmd += "\' =~ /";
  cmd += argv[2];
  cmd += "/";
  std​::cout << cmd << std​::endl;
  std​::cout.flush();
  eval_pv(cmd.c_str(), false);
  perl_destruct(my_perl);
  perl_free(my_perl);

  return 0;
}
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 5, 2019

From @tonycoz

On Mon, 08 Jul 2019 02​:03​:17 -0700, davem wrote​:

On Fri, Jul 05, 2019 at 09​:45​:28PM -0700, Nguyen Duc Manh wrote​:

root@​instance-2​:~# cat test.pl
eval '"a" =~ /${*@​=\_})/';
root@​instance-2​:~# ./perl/perl test.pl
Segmentation fault

This code is making $@​ an alias of the read-only constant string "_".
Then corak during regexp compilation. The croaking tries to update $@​,
which croaks because it is read-only, and so infinitely recurses.

Something like this should fix at least this case.

Tony
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 5, 2019

From @tonycoz

0001-perl-134266-make-sure-is-writable-when-we-write-to-i.patch 
From f8856ec9d9337c7414d9ba885bb04497c22febc3 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 5 Aug 2019 15:23:45 +1000
Subject: (perl #134266) make sure $@ is writable when we write to it

when unwinding.

Since except_sv might be ERRSV we try to preserve it's value,
if not the actual SV (which we have an extra refcount on if it is
except_sv).
---
 perl.h             | 24 ++++++++++++++++++++++++
 pp_ctl.c           | 10 ++++++++--
 t/lib/croak/pp_ctl |  8 ++++++++
 3 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/perl.h b/perl.h
index b47587cf2a..443534a95a 100644
--- a/perl.h
+++ b/perl.h
@@ -1380,6 +1380,13 @@ Clear the contents of C<$@>, setting it to the empty string.
 
 This replaces any read-only SV with a fresh SV and removes any magic.
 
+=for apidoc Am|void|SANE_ERRSV
+
+Clean up ERRSV so we can safely set it.
+
+This replaces any read-only SV with a fresh writable copy and removes
+any magic.
+
 =cut
 */
 
@@ -1403,6 +1410,23 @@ This replaces any read-only SV with a fresh SV and removes any magic.
     }									\
     } STMT_END
 
+/* contains inlined gv_add_by_type */
+#define SANE_ERRSV() STMT_START {					\
+    SV ** const svp = &GvSV(PL_errgv);					\
+    if (!*svp) {							\
+        *svp = newSVpvs("");                                            \
+    } else if (SvREADONLY(*svp)) {					\
+        SV *dupsv = newSVsv(*svp);					\
+	SvREFCNT_dec_NN(*svp);						\
+	*svp = dupsv;							\
+    } else {								\
+	SV *const errsv = *svp;						\
+	if (SvMAGICAL(errsv)) {						\
+	    mg_free(errsv);						\
+	}								\
+    }									\
+    } STMT_END
+
 
 #ifdef PERL_CORE
 # define DEFSV (0 + GvSVn(PL_defgv))
diff --git a/pp_ctl.c b/pp_ctl.c
index a38b9c19b2..1f2d81296c 100644
--- a/pp_ctl.c
+++ b/pp_ctl.c
@@ -1720,9 +1720,13 @@ Perl_die_unwind(pTHX_ SV *msv)
 	 * perls 5.13.{1..7} which had late setting of $@ without this
 	 * early-setting hack.
 	 */
-	if (!(in_eval & EVAL_KEEPERR))
+	if (!(in_eval & EVAL_KEEPERR)) {
+            /* remove any read-only/magic from the SV, so we don't
+               get infinite recursion when setting ERRSV */
+            SANE_ERRSV();
 	    sv_setsv_flags(ERRSV, exceptsv,
                         (SV_GMAGIC|SV_DO_COW_SVSETSV|SV_NOSTEAL));
+        }
 
 	if (in_eval & EVAL_KEEPERR) {
 	    Perl_ck_warner(aTHX_ packWARN(WARN_MISC), "\t(in cleanup) %" SVf,
@@ -1784,8 +1788,10 @@ Perl_die_unwind(pTHX_ SV *msv)
              */
             S_pop_eval_context_maybe_croak(aTHX_ cx, exceptsv, 2);
 
-	    if (!(in_eval & EVAL_KEEPERR))
+	    if (!(in_eval & EVAL_KEEPERR)) {
+                SANE_ERRSV();
 		sv_setsv(ERRSV, exceptsv);
+            }
 	    PL_restartjmpenv = restartjmpenv;
 	    PL_restartop = restartop;
 	    JMPENV_JUMP(3);
diff --git a/t/lib/croak/pp_ctl b/t/lib/croak/pp_ctl
index b1e754c356..de0221b57d 100644
--- a/t/lib/croak/pp_ctl
+++ b/t/lib/croak/pp_ctl
@@ -51,3 +51,11 @@ use 5.01;
 default{}
 EXPECT
 Can't "default" outside a topicalizer at - line 2.
+########
+# NAME croak with read only $@
+eval '"a" =~ /${*@=\_})/';
+die;
+# this would previously recurse infinitely in the eval
+EXPECT
+Unmatched ) in regex; marked by <-- HERE in m/_) <-- HERE / at (eval 1) line 1.
+	...propagated at - line 2.
-- 
2.11.0
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 5, 2019

From @tonycoz

On Sun, 04 Aug 2019 20​:55​:19 -0700, imdb95@​gmail.com wrote​:

Sorry,
Here is the content of perl_crash.cpp (attachment)

This is the same issue as #134266, merging it.

Tony
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 8, 2019

From @tonycoz

On Sun, 04 Aug 2019 22​:31​:58 -0700, tonyc wrote​:

On Mon, 08 Jul 2019 02​:03​:17 -0700, davem wrote​:

On Fri, Jul 05, 2019 at 09​:45​:28PM -0700, Nguyen Duc Manh wrote​:

root@​instance-2​:~# cat test.pl
eval '"a" =~ /${*@​=\_})/';
root@​instance-2​:~# ./perl/perl test.pl
Segmentation fault

This code is making $@​ an alias of the read-only constant string "_".
Then corak during regexp compilation. The croaking tries to update $@​,
which croaks because it is read-only, and so infinitely recurses.

Something like this should fix at least this case.

Applied as 933e3e6.

Tony
@p5pRT
Copy link
Collaborator Author

@p5pRT p5pRT commented Aug 8, 2019

@tonycoz - Status changed from 'open' to 'pending release'
@p5pRT p5pRT closed this Aug 8, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant
@p5pRT
You can’t perform that action at this time.