-
Notifications
You must be signed in to change notification settings - Fork 534
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NULL pointer dereference in S_pending_ident() #17397
Comments
What happens if you rewrite the test program to include:
... and then re-fuzz it? Thank you very much. |
FWIW, from at least perl-5.6.2 to perl-5.8.9, the test program fails to compile.
As of (at least) perl-5.10.1, it fails to compile and segfaults at the point where the program dies.
As yet I see no evidence that the program ever ran to completion. Thank you very much. |
The test file appears to be a fork from an older version of
... the segfault goes away (although the file still does not compile). Thank you very much. |
It's probably not profitable to critique perl code generated by fuzzing. If we can reproduce it, the next step is to attempt to reduce it to a minimal test case and concentrate on why it triggers a coredump. miniperl@blead happily reproduces it; it reduces at least to:
I hope someone with fresher knowledge of the lexer will look at this, so I don't have to. Hugo |
In 5.35.10, if I run either the fuzzed program or the reduction above, the dereference is gone. In the reduction, we get
In the unreduced version, we get lots of syntax errors. But I believe this is now closable |
Let me see if I can bisect to find what fixed it: it would be useful to know at least if it was intentional. |
Huh, with blead@f5469426bb I get:
So I don't think this is closable. @khwilliamson how did you build and test? I'm pretty sure this is yet another case of foolishly attempting to continue after errors, which @iabyn may one day save us from. |
On Sun, 17 Apr 2022, 10:36 Hugo van der Sanden, ***@***.***> wrote:
In 5.35.10, if I run either the fuzzed program or the reduction above, the
dereference is gone. In the reduction, we get
syntax error at 17397.pl line 2, near "{]"
syntax error at 17397.pl line 1, near "<<E1"
panic: pad_swipe po=3, fill=1 at 17397.pl line 1.
panic: pad_swipe po=3, fill=1 at 17397.pl line 1.
In the unreduced version, we get lots of syntax errors.
But I believe this is now closable
Huh, with ***@***.*** I get:
% ./Configure -des -Dcc=gcc -Dprefix=/opt/scratch -Doptimize='-g -O6' -Dusedevel -Uversiononly \
&& make miniperl
[...]
% ./miniperl
<<E1;
${sub{b{]]]{} @{[ <<E2 ]}
E2
E1
Segmentation fault (core dumped)
%
So I don't think this is closable. @khwilliamson
<https://github.com/khwilliamson> how did you build and test?
I'm pretty sure this is yet another case of foolishly attempting to
continue after errors, which @iabyn <https://github.com/iabyn> may one
day save us from.
That will be a good day indeed.
Yves
… |
It turns out that the crucial distinction between my Configure call and yours was -DDEBUGGING in mine I fell prey to confirmation bias. I had made some changes in toke.c some releases ago that fixed a number of segfaults from malformed input, and I thought that that could very well have fixed this. Bisecting should be done in order to close tickets like this. Is there some place to say that in the docs? |
[snip]
I don't think that's necessary. Quite a few committers have gotten fluent in the use of |
Closed by mistake; re-opened. |
This is fixed by eeaa145 (unmerged as yet). |
We try to keep parsing after many types of errors, up to a (current) maximum of 10 errors. Continuing after a semantic error (like undeclared variables) can be helpful, for instance showing a set of common errors, but continuing after a syntax error isn't helpful most of the time as the internal state of the parser can get confused and is not reliably restored in between attempts. This can produce sometimes completely bizarre errors which just obscure the true error, and has resulted in security tickets being filed in the past. This patch makes the parser stop after the first syntax error, while preserving the current behavior for other errors. An error is considered a syntax error if the error message from our internals is the literal text "syntax error". This may not be a complete list of true syntax errors, we can iterate on that in the future. This fixes the segfault in Issue #17397 and likely fixes other "segfault due to compiler continuation after syntax error" bugs that we have on record which has been a recurring issue over the years.
Currently in #20168 |
We try to keep parsing after many types of errors, up to a (current) maximum of 10 errors. Continuing after a semantic error (like undeclared variables) can be helpful, for instance showing a set of common errors, but continuing after a syntax error isn't helpful most of the time as the internal state of the parser can get confused and is not reliably restored in between attempts. This can produce sometimes completely bizarre errors which just obscure the true error, and has resulted in security tickets being filed in the past. This patch makes the parser stop after the first syntax error, while preserving the current behavior for other errors. An error is considered a syntax error if the error message from our internals is the literal text "syntax error". This may not be a complete list of true syntax errors, we can iterate on that in the future. This fixes the segfaults reported in Issue #17397, and #16944 and likely fixes other "segfault due to compiler continuation after syntax error" bugs that we have on record, which has been a recurring issue over the years.
We try to keep parsing after many types of errors, up to a (current) maximum of 10 errors. Continuing after a semantic error (like undeclared variables) can be helpful, for instance showing a set of common errors, but continuing after a syntax error isn't helpful most of the time as the internal state of the parser can get confused and is not reliably restored in between attempts. This can produce sometimes completely bizarre errors which just obscure the true error, and has resulted in security tickets being filed in the past. This patch makes the parser stop after the first syntax error, while preserving the current behavior for other errors. An error is considered a syntax error if the error message from our internals is the literal text "syntax error". This may not be a complete list of true syntax errors, we can iterate on that in the future. This fixes the segfaults reported in Issue #17397, and #16944 and likely fixes other "segfault due to compiler continuation after syntax error" bugs that we have on record, which has been a recurring issue over the years.
We try to keep parsing after many types of errors, up to a (current) maximum of 10 errors. Continuing after a semantic error (like undeclared variables) can be helpful, for instance showing a set of common errors, but continuing after a syntax error isn't helpful most of the time as the internal state of the parser can get confused and is not reliably restored in between attempts. This can produce sometimes completely bizarre errors which just obscure the true error, and has resulted in security tickets being filed in the past. This patch makes the parser stop after the first syntax error, while preserving the current behavior for other errors. An error is considered a syntax error if the error message from our internals is the literal text "syntax error". This may not be a complete list of true syntax errors, we can iterate on that in the future. This fixes the segfaults reported in Issue Perl#17397, and Perl#16944 and likely fixes other "segfault due to compiler continuation after syntax error" bugs that we have on record, which has been a recurring issue over the years.
Hi,
While fuzzing Perl 5.30.1 with Honggfuzz, I found a NULL pointer dereference in the S_pending_ident() function, in toke.c.
Attaching a reproducer (gzipped so GitHub accepts it): test01.pl.gz
Issue can be reproduced by running:
The text was updated successfully, but these errors were encountered: