stack-overflow (can't grow stack) in Perl_sv_vcatpvfn_flags

[p5pRT]

Migrated from rt.perl.org#134266 (status was 'pending release')

Searchable as RT134266$

[p5pRT]

From imdb95@gmail.com

Hi,
I found this bug when fuzzing perlembed with afl-fuzz.

**********Compilation**********
Version of perl​: the dev version (https://perl5.git.perl.org/perl.git)

root@​instance-2​:~/fuzz_perl# ./perl/perl -v

This is perl 5, version 31, subversion 2 (v5.31.2
(v5.31.1-6-g9649a81)) built for x86_64-linux

OS​: Ubuntu 16.04 LTS 64bit
Compilation of perl, with pre-built clang+llvm (
http​://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz)
and afl-2.52b​:
AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-g
Compilation of file perl_crash.cpp​:

AFL_USE_ASAN=1 afl-clang-fast++ perl_crash.cpp -o perl_crash `./perl/perl
-MExtUtils​::Embed -e ccopts -e ldopts` -std=c++11

**********Reproduce**********

root@​instance-2​:~/fuzz_perl# ./perl_crash a '${*@​=\_})'
'a' =~ /${*@​=\_})/
ASAN​:DEADLYSIGNAL

==5786==ERROR​: AddressSanitizer​: stack-overflow on address
0x7ffc91cf0f10 (pc 0x0000004de581 bp 0x7ffc91cf1760 sp 0x7ffc91cf0f00
T0)
  #0 0x4de580 in BufferedStackTrace
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h​:94​:37
  #1 0x4de580 in realloc
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc​:79
  #2 0x7cb292 in Perl_safesysrealloc /root/fuzz_perl/perl/util.c​:279​:18
  #3 0x8e8ab6 in Perl_sv_grow /root/fuzz_perl/perl/sv.c​:1596​:17
  #4 0x9374b9 in Perl_sv_catpvn_flags /root/fuzz_perl/perl/sv.c​:5492​:12
  #5 0x98c85e in Perl_sv_catpv_flags /root/fuzz_perl/perl/sv.c​:5609​:5
  #6 0x98c85e in Perl_sv_vcatpvfn_flags /root/fuzz_perl/perl/sv.c​:11931
  #7 0x96f28c in Perl_sv_vsetpvfn /root/fuzz_perl/perl/sv.c​:10987​:5
  #8 0x7d40a2 in Perl_vmess /root/fuzz_perl/perl/util.c​:1498​:5
  #9 0x7d40a2 in Perl_vcroak /root/fuzz_perl/perl/util.c​:1709
  #10 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #11 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #12 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #13 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #14 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #15 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #16 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #17 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #18 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #19 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #20 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #21 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #22 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #23 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #24 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #25 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #26 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #27 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #28 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #29 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #30 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #31 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #32 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #33 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #34 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5

  #35 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #36 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #37 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #38 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #39 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #40 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #41 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #42 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #43 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #44 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #45 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #46 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #47 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #48 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #49 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #50 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #51 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #52 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #53 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #54 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #55 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #56 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #57 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #58 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #59 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #60 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #61 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #62 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #63 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #64 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #65 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #66 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #67 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #68 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #69 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #70 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #71 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #72 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #73 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #74 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #75 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5

  #76 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #77 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #78 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #79 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #80 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #81 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #82 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #83 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #84 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #85 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #86 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #87 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #88 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #89 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #90 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #91 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #92 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #93 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #94 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #95 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #96 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #97 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #98 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #99 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #100 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #101 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #102 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #103 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #104 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #105 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #106 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #107 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #108 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #109 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #110 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #111 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #112 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #113 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #114 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #115 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #116 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6

  #117 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #118 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #119 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #120 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #121 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #122 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #123 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #124 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #125 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #126 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #127 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #128 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #129 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #130 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #131 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #132 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #133 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #134 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #135 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #136 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #137 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #138 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #139 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #140 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #141 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #142 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #143 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #144 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #145 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #146 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #147 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #148 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #149 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #150 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #151 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #152 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #153 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #154 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #155 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #156 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #157 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5

  #158 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #159 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #160 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #161 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #162 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #163 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #164 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #165 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #166 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #167 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #168 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #169 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #170 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #171 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #172 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #173 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #174 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #175 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #176 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #177 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #178 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #179 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #180 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #181 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #182 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #183 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #184 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #185 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #186 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #187 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #188 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #189 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #190 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #191 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #192 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #193 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #194 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #195 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #196 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #197 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #198 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2

  #199 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #200 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #201 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #202 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #203 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #204 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #205 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #206 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #207 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #208 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #209 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #210 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #211 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #212 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #213 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #214 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #215 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #216 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #217 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #218 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #219 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #220 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #221 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #222 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #223 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #224 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #225 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #226 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #227 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #228 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #229 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #230 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #231 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5

  #232 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #233 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #234 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #235 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #236 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #237 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #238 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #239 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #240 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #241 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #242 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #243 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #244 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #245 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #246 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
  #247 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
  #248 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
  #249 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
  #250 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
  #251 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
  #252 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2

SUMMARY​: AddressSanitizer​: stack-overflow
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h​:94​:37
in BufferedStackTrace
==5786==ABORTING

**************************

Please confirm this.

Thanks,

Manh Nguyen

[p5pRT]

From imdb95@gmail.com

Sorry for not attaching source code of perl_crash.cpp.

On Sun, Jun 23, 2019 at 12​:05 AM Peter Nguyen <imdb95@​gmail.com> wrote​:

Hi,
I found this bug when fuzzing perlembed with afl-fuzz.

**********Compilation**********
Version of perl​: the dev version (https://perl5.git.perl.org/perl.git)

root@​instance-2​:~/fuzz_perl# ./perl/perl -v

This is perl 5, version 31, subversion 2 (v5.31.2 (v5.31.1-6-g9649a81)) built for x86_64-linux

OS​: Ubuntu 16.04 LTS 64bit
Compilation of perl, with pre-built clang+llvm (
http​://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz)
and afl-2.52b​:
AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-g
Compilation of file perl_crash.cpp​:

AFL_USE_ASAN=1 afl-clang-fast++ perl_crash.cpp -o perl_crash `./perl/perl
-MExtUtils​::Embed -e ccopts -e ldopts` -std=c++11

**********Reproduce**********

root@​instance-2​:~/fuzz_perl# ./perl_crash a '${*@​=\_})'
'a' =~ /${*@​=\_})/
ASAN​:DEADLYSIGNAL

==5786==ERROR​: AddressSanitizer​: stack-overflow on address 0x7ffc91cf0f10 (pc 0x0000004de581 bp 0x7ffc91cf1760 sp 0x7ffc91cf0f00 T0)
#0 0x4de580 in BufferedStackTrace /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h​:94​:37
#1 0x4de580 in realloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc​:79
#2 0x7cb292 in Perl_safesysrealloc /root/fuzz_perl/perl/util.c​:279​:18
#3 0x8e8ab6 in Perl_sv_grow /root/fuzz_perl/perl/sv.c​:1596​:17
#4 0x9374b9 in Perl_sv_catpvn_flags /root/fuzz_perl/perl/sv.c​:5492​:12
#5 0x98c85e in Perl_sv_catpv_flags /root/fuzz_perl/perl/sv.c​:5609​:5
#6 0x98c85e in Perl_sv_vcatpvfn_flags /root/fuzz_perl/perl/sv.c​:11931
#7 0x96f28c in Perl_sv_vsetpvfn /root/fuzz_perl/perl/sv.c​:10987​:5
#8 0x7d40a2 in Perl_vmess /root/fuzz_perl/perl/util.c​:1498​:5
#9 0x7d40a2 in Perl_vcroak /root/fuzz_perl/perl/util.c​:1709
#10 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
#11 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
#12 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
#13 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
#14 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
#15 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
#16 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
#17 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
#18 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
#19 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
#20 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
#21 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
#22 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
#23 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
#24 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
#25 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
#26 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
#27 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
#28 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5
#29 0x7d62a9 in Perl_croak_no_modify /root/fuzz_perl/perl/util.c​:1774​:5
#30 0x8e5f8b in Perl_sv_force_normal_flags /root/fuzz_perl/perl/sv.c​:5278​:2
#31 0x91a029 in Perl_sv_setsv_flags /root/fuzz_perl/perl/sv.c​:4300​:5
#32 0xa74c2e in Perl_die_unwind /root/fuzz_perl/perl/pp_ctl.c​:1724​:6
#33 0x7d40ef in Perl_vcroak /root/fuzz_perl/perl/util.c​:1711​:5
#34 0x7caefa in Perl_croak /root/fuzz_perl/perl/util.c​:1756​:5

\#35 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#36 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#37 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#38 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#39 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#40 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#41 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#42 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#43 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#44 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#45 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#46 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#47 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#48 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#49 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#50 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#51 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#52 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#53 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#54 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#55 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#56 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#57 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#58 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#59 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#60 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#61 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#62 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#63 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#64 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#65 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#66 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#67 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#68 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#69 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#70 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#71 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#72 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#73 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#74 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#75 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5

\#76 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#77 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#78 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#79 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#80 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#81 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#82 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#83 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#84 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#85 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#86 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#87 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#88 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#89 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#90 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#91 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#92 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#93 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#94 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#95 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#96 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#97 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#98 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#99 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#100 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#101 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#102 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#103 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#104 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#105 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#106 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#107 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#108 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#109 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#110 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#111 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#112 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#113 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#114 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#115 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#116 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6

\#117 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#118 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#119 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#120 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#121 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#122 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#123 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#124 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#125 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#126 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#127 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#128 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#129 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#130 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#131 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#132 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#133 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#134 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#135 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#136 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#137 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#138 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#139 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#140 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#141 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#142 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#143 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#144 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#145 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#146 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#147 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#148 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#149 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#150 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#151 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#152 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#153 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#154 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#155 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#156 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#157 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5

\#158 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#159 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#160 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#161 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#162 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#163 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#164 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#165 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#166 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#167 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#168 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#169 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#170 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#171 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#172 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#173 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#174 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#175 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#176 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#177 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#178 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#179 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#180 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#181 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#182 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#183 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#184 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#185 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#186 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#187 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#188 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#189 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#190 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#191 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#192 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#193 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#194 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#195 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#196 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#197 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#198 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2

\#199 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#200 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#201 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#202 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#203 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#204 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#205 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#206 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#207 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#208 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#209 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#210 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#211 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#212 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#213 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#214 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#215 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#216 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#217 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#218 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#219 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#220 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#221 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#222 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#223 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#224 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#225 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#226 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#227 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#228 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#229 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#230 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#231 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5

\#232 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#233 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#234 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#235 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#236 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#237 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#238 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#239 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#240 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#241 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#242 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#243 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#244 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#245 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#246 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2
\#247 0x91a029 in Perl\_sv\_setsv\_flags /root/fuzz\_perl/perl/sv\.c​:4300​:5
\#248 0xa74c2e in Perl\_die\_unwind /root/fuzz\_perl/perl/pp\_ctl\.c​:1724​:6
\#249 0x7d40ef in Perl\_vcroak /root/fuzz\_perl/perl/util\.c​:1711​:5
\#250 0x7caefa in Perl\_croak /root/fuzz\_perl/perl/util\.c​:1756​:5
\#251 0x7d62a9 in Perl\_croak\_no\_modify /root/fuzz\_perl/perl/util\.c​:1774​:5
\#252 0x8e5f8b in Perl\_sv\_force\_normal\_flags /root/fuzz\_perl/perl/sv\.c​:5278​:2

SUMMARY​: AddressSanitizer​: stack-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h​:94​:37 in BufferedStackTrace
==5786==ABORTING

**************************

Please confirm this.

Thanks,

Manh Nguyen

[p5pRT]

From imdb95@gmail.com

#include <fstream>
#include <string>
#include <iostream>
#include <ctime>
#include <cstdlib>
#include <EXTERN.h>
#include <perl.h>

typedef const char* CONSTCSTR;

int main(int argc, char** argv)
{
  CONSTCSTR* embedding = new CONSTCSTR [4];
  embedding[0] = "";
  embedding[1] = "-e";
  embedding[2] = "0";
  embedding[3] = 0;

  PerlInterpreter *my_perl = perl_alloc();
  perl_construct(my_perl);

  perl_parse(my_perl, NULL, 3, (char**)embedding, NULL);
  PL_exit_flags |= PERL_EXIT_DESTRUCT_END;
  perl_run(my_perl);
  std​::string cmd = "\'";
  cmd += argv[1];
  cmd += "\' =~ /";
  cmd += argv[2];
  cmd += "/";
  std​::cout << cmd << std​::endl;
  std​::cout.flush();
  eval_pv(cmd.c_str(), false);
  perl_destruct(my_perl);
  perl_free(my_perl);

  return 0;
}

[p5pRT]

From imdb95@gmail.com

Hi,
I found this bug when fuzzing perl.

**********Compilation**********
Version of perl​: the dev version (https://perl5.git.perl.org/perl.git)

root@​instance-2​:~# ./perl/perl -v

This is perl 5, version 31, subversion 2 (v5.31.2) built for x86_64-linux
(with 1 registered patch, see perl -V for more detail)

OS​: Ubuntu 16.04 LTS 64bit
Compilation of perl​:
./Configure -des -Dusedevel && make && make install

**********Reproduce**********

root@​instance-2​:~# cat test.pl
eval '"a" =~ /${*@​=\_})/';
root@​instance-2​:~# ./perl/perl test.pl
Segmentation fault
root@​instance-2​:~# valgrind ./perl/perl test.pl
==31123== Memcheck, a memory error detector
==31123== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==31123== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==31123== Command​: ./perl/perl test.pl
==31123==
==31123== Stack overflow in thread #1​: can't grow stack to 0xffe801000
==31123==
==31123== Process terminating with default action of signal 11 (SIGSEGV)
==31123== Access not within mapped region at address 0xFFE801FC8
==31123== Stack overflow in thread #1​: can't grow stack to 0xffe801000
==31123== at 0x4D3EE0​: Perl_sv_vcatpvfn_flags (in /root/perl/perl)
==31123== If you believe this happened as a result of a stack
==31123== overflow in your program's main thread (unlikely but
==31123== possible), you can try to increase the size of the
==31123== main thread stack using the --main-stacksize= flag.
==31123== The main thread stack size used in this run was 8388608.
==31123== Stack overflow in thread #1​: can't grow stack to 0xffe801000
==31123==
==31123== Process terminating with default action of signal 11 (SIGSEGV)
==31123== Access not within mapped region at address 0xFFE801FC0
==31123== Stack overflow in thread #1​: can't grow stack to 0xffe801000
==31123== at 0x4A28680​: _vgnU_freeres (in
/usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==31123== If you believe this happened as a result of a stack
==31123== overflow in your program's main thread (unlikely but
==31123== possible), you can try to increase the size of the
==31123== main thread stack using the --main-stacksize= flag.
==31123== The main thread stack size used in this run was 8388608.

==31123==

==31123== HEAP SUMMARY​:
==31123== in use at exit​: 2,464,711 bytes in 18,860 blocks
==31123== total heap usage​: 55,154 allocs, 36,294 frees, 13,751,059 bytes
allocated
==31123==
==31123== LEAK SUMMARY​:
==31123== definitely lost​: 0 bytes in 0 blocks
==31123== indirectly lost​: 0 bytes in 0 blocks
==31123== possibly lost​: 0 bytes in 0 blocks
==31123== still reachable​: 2,464,711 bytes in 18,860 blocks
==31123== suppressed​: 0 bytes in 0 blocks
==31123== Rerun with --leak-check=full to see details of leaked memory
==31123==
==31123== For counts of detected and suppressed errors, rerun with​: -v
==31123== ERROR SUMMARY​: 0 errors from 0 contexts (suppressed​: 0 from 0)
Segmentation fault

**************************

Also crashes happen with perl v5.22.1 (default on Ubuntu) or perlembed
eval_pv("'a' =~ /${*@​=\_})/", false)

Please confirm this.

Thanks,

Manh Nguyen

[p5pRT]

From imdb95@gmail.com

I have another payload producing the same output​:
eval '"" =~ /${*@​=\_}_[/';

[p5pRT]

From @iabyn

On Fri, Jul 05, 2019 at 09​:45​:28PM -0700, Nguyen Duc Manh wrote​:

root@​instance-2​:~# cat test.pl
eval '"a" =~ /${*@​=\_})/';
root@​instance-2​:~# ./perl/perl test.pl
Segmentation fault

This code is making $@​ an alias of the read-only constant string "_".
Then corak during regexp compilation. The croaking tries to update $@​,
which croaks because it is read-only, and so infinitely recurses.

I can't see that its a security issue.

--
Lear​: Dost thou call me fool, boy?
Fool​: All thy other titles thou hast given away; that thou wast born with.

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @tonycoz

On Sat, 22 Jun 2019 10​:05​:42 -0700, imdb95@​gmail.com wrote​:

Hi,
I found this bug when fuzzing perlembed with afl-fuzz.

**********Compilation**********
Version of perl​: the dev version (https://perl5.git.perl.org/perl.git)

root@​instance-2​:~/fuzz_perl# ./perl/perl -v

This is perl 5, version 31, subversion 2 (v5.31.2
(v5.31.1-6-g9649a81)) built for x86_64-linux

OS​: Ubuntu 16.04 LTS 64bit
Compilation of perl, with pre-built clang+llvm (
http​://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-
ubuntu-16.04.tar.xz)
and afl-2.52b​:
AFL_USE_ASAN=1 ./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-
fast
-Doptimize=-g
Compilation of file perl_crash.cpp​:

AFL_USE_ASAN=1 afl-clang-fast++ perl_crash.cpp -o perl_crash
`./perl/perl
-MExtUtils​::Embed -e ccopts -e ldopts` -std=c++11

What's the contents of perl_crash.cpp ?

Tony

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @tonycoz

On Mon, 08 Jul 2019 02​:03​:17 -0700, davem wrote​:

On Fri, Jul 05, 2019 at 09​:45​:28PM -0700, Nguyen Duc Manh wrote​:

root@​instance-2​:~# cat test.pl
eval '"a" =~ /${*@​=\_})/';
root@​instance-2​:~# ./perl/perl test.pl
Segmentation fault

This code is making $@​ an alias of the read-only constant string "_".
Then corak during regexp compilation. The croaking tries to update $@​,
which croaks because it is read-only, and so infinitely recurses.

I can't see that its a security issue.

Agreed, now public.

Tony

[p5pRT]

From imdb95@gmail.com

Sorry,
Here is the content of perl_crash.cpp (attachment)

[p5pRT]

From imdb95@gmail.com

#include <fstream>
#include <string>
#include <iostream>
#include <ctime>
#include <cstdlib>
#include <EXTERN.h>
#include <perl.h>

typedef const char* CONSTCSTR;

int main(int argc, char** argv)
{
  CONSTCSTR* embedding = new CONSTCSTR [4];
  embedding[0] = "";
  embedding[1] = "-e";
  embedding[2] = "0";
  embedding[3] = 0;

  PerlInterpreter *my_perl = perl_alloc();
  perl_construct(my_perl);

  perl_parse(my_perl, NULL, 3, (char**)embedding, NULL);
  PL_exit_flags |= PERL_EXIT_DESTRUCT_END;
  perl_run(my_perl);
  std​::string cmd = "\'";
  cmd += argv[1];
  cmd += "\' =~ /";
  cmd += argv[2];
  cmd += "/";
  std​::cout << cmd << std​::endl;
  std​::cout.flush();
  eval_pv(cmd.c_str(), false);
  perl_destruct(my_perl);
  perl_free(my_perl);

  return 0;
}

[p5pRT]

From @tonycoz

On Mon, 08 Jul 2019 02​:03​:17 -0700, davem wrote​:

On Fri, Jul 05, 2019 at 09​:45​:28PM -0700, Nguyen Duc Manh wrote​:

root@​instance-2​:~# cat test.pl
eval '"a" =~ /${*@​=\_})/';
root@​instance-2​:~# ./perl/perl test.pl
Segmentation fault

This code is making $@​ an alias of the read-only constant string "_".
Then corak during regexp compilation. The croaking tries to update $@​,
which croaks because it is read-only, and so infinitely recurses.

Something like this should fix at least this case.

Tony

[p5pRT]

From @tonycoz

0001-perl-134266-make-sure-is-writable-when-we-write-to-i.patch

From f8856ec9d9337c7414d9ba885bb04497c22febc3 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 5 Aug 2019 15:23:45 +1000
Subject: (perl #134266) make sure $@ is writable when we write to it

when unwinding.

Since except_sv might be ERRSV we try to preserve it's value,
if not the actual SV (which we have an extra refcount on if it is
except_sv).
---
 perl.h             | 24 ++++++++++++++++++++++++
 pp_ctl.c           | 10 ++++++++--
 t/lib/croak/pp_ctl |  8 ++++++++
 3 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/perl.h b/perl.h
index b47587cf2a..443534a95a 100644
--- a/perl.h
+++ b/perl.h
@@ -1380,6 +1380,13 @@ Clear the contents of C<$@>, setting it to the empty string.
 
 This replaces any read-only SV with a fresh SV and removes any magic.
 
+=for apidoc Am|void|SANE_ERRSV
+
+Clean up ERRSV so we can safely set it.
+
+This replaces any read-only SV with a fresh writable copy and removes
+any magic.
+
 =cut
 */
 
@@ -1403,6 +1410,23 @@ This replaces any read-only SV with a fresh SV and removes any magic.
     }									\
     } STMT_END
 
+/* contains inlined gv_add_by_type */
+#define SANE_ERRSV() STMT_START {					\
+    SV ** const svp = &GvSV(PL_errgv);					\
+    if (!*svp) {							\
+        *svp = newSVpvs("");                                            \
+    } else if (SvREADONLY(*svp)) {					\
+        SV *dupsv = newSVsv(*svp);					\
+	SvREFCNT_dec_NN(*svp);						\
+	*svp = dupsv;							\
+    } else {								\
+	SV *const errsv = *svp;						\
+	if (SvMAGICAL(errsv)) {						\
+	    mg_free(errsv);						\
+	}								\
+    }									\
+    } STMT_END
+
 
 #ifdef PERL_CORE
 # define DEFSV (0 + GvSVn(PL_defgv))
diff --git a/pp_ctl.c b/pp_ctl.c
index a38b9c19b2..1f2d81296c 100644
--- a/pp_ctl.c
+++ b/pp_ctl.c
@@ -1720,9 +1720,13 @@ Perl_die_unwind(pTHX_ SV *msv)
 	 * perls 5.13.{1..7} which had late setting of $@ without this
 	 * early-setting hack.
 	 */
-	if (!(in_eval & EVAL_KEEPERR))
+	if (!(in_eval & EVAL_KEEPERR)) {
+            /* remove any read-only/magic from the SV, so we don't
+               get infinite recursion when setting ERRSV */
+            SANE_ERRSV();
 	    sv_setsv_flags(ERRSV, exceptsv,
                         (SV_GMAGIC|SV_DO_COW_SVSETSV|SV_NOSTEAL));
+        }
 
 	if (in_eval & EVAL_KEEPERR) {
 	    Perl_ck_warner(aTHX_ packWARN(WARN_MISC), "\t(in cleanup) %" SVf,
@@ -1784,8 +1788,10 @@ Perl_die_unwind(pTHX_ SV *msv)
              */
             S_pop_eval_context_maybe_croak(aTHX_ cx, exceptsv, 2);
 
-	    if (!(in_eval & EVAL_KEEPERR))
+	    if (!(in_eval & EVAL_KEEPERR)) {
+                SANE_ERRSV();
 		sv_setsv(ERRSV, exceptsv);
+            }
 	    PL_restartjmpenv = restartjmpenv;
 	    PL_restartop = restartop;
 	    JMPENV_JUMP(3);
diff --git a/t/lib/croak/pp_ctl b/t/lib/croak/pp_ctl
index b1e754c356..de0221b57d 100644
--- a/t/lib/croak/pp_ctl
+++ b/t/lib/croak/pp_ctl
@@ -51,3 +51,11 @@ use 5.01;
 default{}
 EXPECT
 Can't "default" outside a topicalizer at - line 2.
+########
+# NAME croak with read only $@
+eval '"a" =~ /${*@=\_})/';
+die;
+# this would previously recurse infinitely in the eval
+EXPECT
+Unmatched ) in regex; marked by <-- HERE in m/_) <-- HERE / at (eval 1) line 1.
+	...propagated at - line 2.
-- 
2.11.0

[p5pRT]

From @tonycoz

On Sun, 04 Aug 2019 20​:55​:19 -0700, imdb95@​gmail.com wrote​:

Sorry,
Here is the content of perl_crash.cpp (attachment)

This is the same issue as #134266, merging it.

Tony

[p5pRT]

From @tonycoz

On Sun, 04 Aug 2019 22​:31​:58 -0700, tonyc wrote​:

On Mon, 08 Jul 2019 02​:03​:17 -0700, davem wrote​:

On Fri, Jul 05, 2019 at 09​:45​:28PM -0700, Nguyen Duc Manh wrote​:

root@​instance-2​:~# cat test.pl
eval '"a" =~ /${*@​=\_})/';
root@​instance-2​:~# ./perl/perl test.pl
Segmentation fault

This code is making $@​ an alias of the read-only constant string "_".
Then corak during regexp compilation. The croaking tries to update $@​,
which croaks because it is read-only, and so infinitely recurses.

Something like this should fix at least this case.

Applied as 933e3e6.

Tony

[p5pRT]

@tonycoz - Status changed from 'open' to 'pending release'