Fwd: [rt.cpan.org #124722] NULL pointer dereference in Perl_runops_standard

[p5pRT]

Migrated from rt.perl.org#132953 (status was 'open')

Searchable as RT132953$

[p5pRT]

From bug-Perl-Core@rt.cpan.org

This is forward of transaction #1775448 of a ticket #124722

[p5pRT]

From bug-Perl-Core@rt.cpan.org

Message RFC822:
X-Mailer: MIME-tools 5.504 (Entity 5.504)
Content-Disposition: inline
Message-ID: rt-4.0.18-25284-1520499031-1810.0-0-0@rt.cpan.org
X-RT-Interface: Web
X-RT-Encrypt: 0
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-RT-Sign: 0
From: hackyzh002@gmail.com
Subject: NULL pointer dereference in Perl_runops_standard
Content-Length: 907
Content-Type: text/plain; charset="utf-8"
X-RT-Original-Encoding: utf-8

/perl-5.27.9/perl -le 'BEGIN{$SIG{DIE} =sub{exit(0)}}unshift'

==95151==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000abccbd bp 0x00000119cb28 sp 0x7ffdbda5a550 T0)
#0 0xabccbc in Perl_pp_unshift /home/hackyzh/Desktop/perl-5.27.9/pp.c:5524
#1 0x92c74a in Perl_runops_standard /home/hackyzh/Desktop/perl-5.27.9/run.c:41
#2 0x555b39 in S_run_body /home/hackyzh/Desktop/perl-5.27.9/perl.c:2750
#3 0x555b39 in perl_run /home/hackyzh/Desktop/perl-5.27.9/perl.c:2671
#4 0x42b6e5 in main /home/hackyzh/Desktop/perl-5.27.9/perlmain.c:122
#5 0x7f29c157682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x42c6c8 in _start (/home/hackyzh/Desktop/perl-5.27.9/perl+0x42c6c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hackyzh/Desktop/perl-5.27.9/pp.c:5524 Perl_pp_unshift
==95151==ABORTING

[p5pRT]

From bug-Perl-Core@rt.cpan.org

/perl-5.27.9/perl -le 'BEGIN{$SIG{__DIE__} =sub{exit(0)}}unshift'

==95151==ERROR​: AddressSanitizer​: SEGV on unknown address 0x000000000000 (pc 0x000000abccbd bp 0x00000119cb28 sp 0x7ffdbda5a550 T0)
  #0 0xabccbc in Perl_pp_unshift /home/hackyzh/Desktop/perl-5.27.9/pp.c​:5524
  #1 0x92c74a in Perl_runops_standard /home/hackyzh/Desktop/perl-5.27.9/run.c​:41
  #2 0x555b39 in S_run_body /home/hackyzh/Desktop/perl-5.27.9/perl.c​:2750
  #3 0x555b39 in perl_run /home/hackyzh/Desktop/perl-5.27.9/perl.c​:2671
  #4 0x42b6e5 in main /home/hackyzh/Desktop/perl-5.27.9/perlmain.c​:122
  #5 0x7f29c157682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #6 0x42c6c8 in _start (/home/hackyzh/Desktop/perl-5.27.9/perl+0x42c6c8)

AddressSanitizer can not provide additional info.
SUMMARY​: AddressSanitizer​: SEGV /home/hackyzh/Desktop/perl-5.27.9/pp.c​:5524 Perl_pp_unshift
==95151==ABORTING

[p5pRT]

From @iabyn

On Thu, Mar 08, 2018 at 12​:51​:53AM -0800, via RT wrote​:

# New Ticket Created by
# Please include the string​: [perl #132953]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=132953 >

This is forward of transaction #1775448 of a ticket #124722

/perl-5.27.9/perl -le 'BEGIN{$SIG{__DIE__} =sub{exit(0)}}unshift'

The unshift is a syntax error, so compilation triggers the __DIE__
handler, which does an exit(0). This causes a longjmp back to
perl_parse(), which sees a zero STATUS_EXIT and returns 0 (success).
main() sees a successful return from perl_parse() and so continues
with perl_run(), which then crashes on the badly-formed optree.

I don't think its a security issue, as it involves feeding code with
syntax errors into the parser.

I'm not very confident about how to fix it though​: the whole exit
semantics is beyond my ken.

In particular, in perl_parse() there is this​:

  case 2​:
  /* my_exit() was called */
  ... pop stacks ...
  ret = STATUS_EXIT;
  if (ret == 0) {
  /*
  * At this point we should do
  * ret = 0x100;
  * to avoid [perl #2754], but that bugfix has been postponed
  * because of the Module​::Install breakage it causes
  * [perl #132577].
  */
  }

#2754 is​: From a CHECK{}, you cannot exit(0)

which had a fix from Zefram in Dec 2017, which was reverted because
it broke Module​::Install (and you can't get people to upgrade
Module​::Install)

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @tonycoz

On Thu, 08 Mar 2018 03​:39​:36 -0800, davem wrote​:

On Thu, Mar 08, 2018 at 12​:51​:53AM -0800, via RT wrote​:

# New Ticket Created by
# Please include the string​: [perl #132953]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=132953 >

This is forward of transaction #1775448 of a ticket #124722

/perl-5.27.9/perl -le 'BEGIN{$SIG{__DIE__} =sub{exit(0)}}unshift'

The unshift is a syntax error, so compilation triggers the __DIE__
handler, which does an exit(0). This causes a longjmp back to
perl_parse(), which sees a zero STATUS_EXIT and returns 0 (success).
main() sees a successful return from perl_parse() and so continues
with perl_run(), which then crashes on the badly-formed optree.

I don't think its a security issue, as it involves feeding code with
syntax errors into the parser.

I agree, now public.

Tony

[p5pRT]

From zefram@fysh.org

Dave Mitchell wrote​:

I'm not very confident about how to fix it though​:

It *was* fixed in 5.27.7, as part of [perl #2754]. 5.27.7 doesn't crash
on the test case for this ticket, but cleanly exits as requested. It was
de-fixed in 5.27.8 due to CPAN breakage [perl #132577]. The current
intent is to re-fix all of that in 5.29.

-zefram

[demerphq]

I believe this is fixed as of Perl 5.37.4. Likely by 375d68c

[demerphq]

Bisect said it was 197bb3f