Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

SEGV with eval "use ..." and method call #1336

Closed p5pRT closed 20 years ago

p5pRT commented 24 years ago

Migrated from rt.perl.org#2364 (status was 'resolved')

Searchable as RT2364$

p5pRT commented 24 years ago

From @andk

Sorry if this is a duplicate, I sent a similar report with perlbug yesterday but didn't receive it back nor can I find it in the archive. Maybe mail on that machine was misconfigured.

It's a long standing bug, the following code core dumps with yesterday's repository perl.

```sh
perl -le '
require "MD5.pm";
sub new { bless {}, shift;}   # OK if commented
open FH, "/etc/hosts" or die;
my $md5 = new MD5;            # OK if MD5->new
print "md5[$md5]\n";          # prints e.g. md5[MD5=HASH(0x80ee280)]
$md5->addfile(*FH);           # SEGV
'
md5[MD5=HASH(0x80ed200)]
zsh: segmentation fault (core dumped)
```

I have reported this long time ago (no bug ID), you can find the old postings with this query:

  http://www.xray.mpe.mpg.de/cgi-bin/w3glimpse/perl5-porters?query=md5+addfile+hash&errors=0&case=on&maxfiles=100&maxlines=30

-- andreas

p5pRT commented 24 years ago

From @gsar

On 14 Mar 2000 10:08:54 +0100, Andreas J. Koenig wrote:

> Sorry if this is a duplicate, I sent a similar report with perlbug yesterday but didn't receive it back nor can I find it in the archive. Maybe mail on that machine was misconfigured.
>
> It's a long standing bug, the following code core dumps with yesterday's repository perl.
>
> ```sh
> perl -le '
> require "MD5.pm";
> sub new { bless {}, shift;}   # OK if commented
> open FH, "/etc/hosts" or die;
> my $md5 = new MD5;            # OK if MD5->new
> print "md5[$md5]\n";          # prints e.g. md5[MD5=HASH(0x80ee280)]
> $md5->addfile(*FH);           # SEGV
> '
> md5[MD5=HASH(0x80ed200)]
> zsh: segmentation fault (core dumped)
> ```

The `new MD5` there is being parsed as a subroutine call new('MD5'). So you're effectively doing:

    bless({},'MD5')->addfile(*FOO);

MD5::addfile apparently doesn't like that uninitialized fake MD5 object very much. (You might want to talk to the author of MD5 about that.)

Just never ever use the indirect object form with a bareword name. This is precisely why we support `new MD5::`, which ought to work fine.

Sarathy <gsar@ActiveState.com>
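As an added illustration of the parse Sarathy describes (editor's example; not code from the ticket or from Digest::MD5): a stray `new` in the caller's package, a class whose `package` statement is compiled only later in the file (so its stash is unknown when the call is parsed, just as with a run-time `require`), and the three spellings of the constructor call. The `Widget` class, its `ready` flag and its `digest_of` method are invented for the illustration; the method verifies the invariant its constructor establishes, which is the Perl-level counterpart of the signature check discussed further down the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same shape as the report's "sub new { bless {}, shift }": a constructor in
# the *calling* package.  Its mere existence changes how "new Widget" below
# is parsed, because Perl resolves indirect-object syntax at compile time.
sub new { return bless {}, shift }

# "package Widget" is compiled at the bottom of this file, so when the block
# below is parsed the Widget stash does not exist yet.  That mirrors the
# report's run-time 'require "MD5.pm"'; with 'use MD5' at the top, perl
# would already know MD5 is a package and would choose the method call.
my ($indirect, $arrow, $colons);
{
    no strict 'subs';            # the bareword class name is the hazard
    $indirect = new Widget;      # ambiguous: resolves to main::new('Widget')
    $arrow    = Widget->new;     # unambiguous method call
    $colons   = new Widget::;    # trailing :: forces Widget to be read as a package name
}

# All three end up blessed into Widget, so ref() and isa() cannot tell them
# apart; only the first one lacks the state that Widget::new sets up.
for my $pair ([indirect => $indirect], [arrow => $arrow], [colons => $colons]) {
    my ($label, $obj) = @$pair;
    my $out = eval { $obj->digest_of("abc") };
    my $err = $@;
    chomp $err;
    printf "%-9s ref=%-7s %s\n", $label, ref($obj),
        (defined $out ? "ok: $out" : "rejected: $err");
}

# Hypothetical class standing in for MD5.  "ready" is the invariant the
# constructor establishes and every other method verifies.
package Widget;
use Carp qw(croak);

sub new {
    my $class = shift;
    return bless { ready => 1, count => 0 }, $class;
}

sub digest_of {
    my ($self, $data) = @_;
    # Perl-level counterpart of a signature check in XS: refuse objects that
    # carry the right class name but never went through this constructor.
    croak "Widget object was not built by Widget::new" unless $self->{ready};
    return sprintf "%s#%d", $data, ++$self->{count};
}
```

Run with `perl indirect.pl`: the `indirect` line is rejected because `main::new` built the object, while `arrow` and `colons` both report `ok: abc#1`. The object built by `main::new` is indistinguishable by class name, which is why Digest::MD5 cannot rely on `ref` or `isa` alone and has to validate what the reference points at. Perl 5.32 and later also let a file opt out of the syntax entirely with `no feature 'indirect'`, which turns `new Widget` into a compile-time error rather than a guess.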

p5pRT commented 24 years ago

From @gisle

Gurusamy Sarathy <gsar@ActiveState.com> writes:

> On 14 Mar 2000 10:08:54 +0100, Andreas J. Koenig wrote:
>
> > Sorry if this is a duplicate, I sent a similar report with perlbug yesterday but didn't receive it back nor can I find it in the archive. Maybe mail on that machine was misconfigured.
> >
> > It's a long standing bug, the following code core dumps with yesterday's repository perl.
> >
> > ```sh
> > perl -le '
> > require "MD5.pm";
> > sub new { bless {}, shift;}   # OK if commented
> > open FH, "/etc/hosts" or die;
> > my $md5 = new MD5;            # OK if MD5->new
> > print "md5[$md5]\n";          # prints e.g. md5[MD5=HASH(0x80ee280)]
> > $md5->addfile(*FH);           # SEGV
> > '
> > md5[MD5=HASH(0x80ed200)]
> > zsh: segmentation fault (core dumped)
> > ```
>
> The `new MD5` there is being parsed as a subroutine call new('MD5'). So you're effectively doing:
>
>     bless({},'MD5')->addfile(*FOO);
>
> MD5::addfile apparently doesn't like that uninitialized fake MD5 object very much. (You might want to talk to the author of MD5 about that.)

This patch for Digest::MD5 should help, but it can still be made to core dump with code like:

    perl -MMD5 -e '$a = 3333; $m = bless \$a, "MD5"; $m->add(*foo); print $m'

since we will here try to access memory at address 3333 in order to verify the signature.

To be real safe I think I would have to hide the pointer in magic. I'll try to improve it a bit more before uploading a Digest-MD5-2.10.

Perhaps the recommendations in perlxs for how to hide pointers to C structures should be updated likewise and there be some standard safe typemap for this kind of thing. Is magic the best way to go?

Regards, Gisle

Index​: MD5.xs

RCS file​: /home/cvs/aas/perl/mods/md5/MD5.xs\,v retrieving revision 1.24 diff -u -p -u -r1.24 MD5.xs --- MD5.xs 1999/07/28 10​:38​:50 1.24 +++ MD5.xs 2000/03/16 22​:24​:21 @​@​ -92\,10 +92\,12 @​@​ static void u2s(U32 u\, U8* s)   ((U32)(*(s+3)) \<\< 24)) #endif

+#define MD5_CTX_SIGNATURE 200003165

/* This stucture keeps the current state of algorithm.   */ typedef struct { + U32 signature; /* safer cast in get_md5_ctx() */   U32 A\, B\, C\, D; /* current digest */   U32 bytes_low; /* counts bytes in message */   U32 bytes_high; /* turn it into a 64-bit counter */ @​@​ -418\,8 +420\,15 @​@​ MD5Final(U8* digest\, MD5_CTX *ctx)

static MD5_CTX* get_md5_ctx(SV* sv) { - if (sv_derived_from(sv\, "Digest​::MD5")) - return (MD5_CTX*)SvIV(SvRV(sv)); + if (SvROK(sv)) { + sv = SvRV(sv); + if (SvIOK(sv)) { + MD5_CTX* ctx = (MD5_CTX*)SvIV(sv); + if (ctx && ctx->signature == MD5_CTX_SIGNATURE) { + return ctx; + } + } + }   croak("Not a reference to a Digest​::MD5 object");   return (MD5_CTX*)0; /* some compilers insist on a return value */ } @​@​ -515\,6 +524\,7 @​@​ new(xclass)   STRLEN my_na;   char *sclass = SvPV(xclass\, my_na);   New(55\, context\, 1\, MD5_CTX); + context->signature = MD5_CTX_SIGNATURE;   ST(0) = sv_newmortal();   sv_setref_pv(ST(0)\, sclass\, (void*)context);   SvREADONLY_on(SvRV(ST(0)));
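Review bot: `#define MD5_CTX_SIGNATURE 200003165` is an unexplained decimal literal; a one-line comment on where the value comes from would help the next reader, and since it is compared against a `U32` field an unsigned literal (`200003165U`) states the intent.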
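Review bot: in the get_md5_ctx() hunk, `ctx->signature == MD5_CTX_SIGNATURE` dereferences the integer pulled out of the IV before anything has shown it to be a live pointer, so a blessed reference to an arbitrary integer (the `bless \$a, "MD5"` case from the cover note) still reads from an unmapped address, and the signature only helps when the bogus value happens to point at readable memory. The hunk also removes the `sv_derived_from(sv, "Digest::MD5")` test entirely, so an object of an unrelated class is no longer rejected by name; keep that test ahead of the SvROK/SvIOK checks, and to be robust against forged scalars store the context where Perl code cannot substitute a value (the `~` magic suggested in the reply below) rather than in a bare IV.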
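Review bot: in the new() hunk, `context->signature = MD5_CTX_SIGNATURE` is set at allocation but nothing in this patch clears it when the context is released, so a reference still holding the address of a freed context will pass get_md5_ctx() until that memory is reused. Clear the signature (ideally the whole struct) in the destructor immediately before the context is freed, so a stale pointer is rejected rather than dereferenced.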

p5pRT commented 24 years ago

From [Unknown Contact. See original ticket]

"Gisle" == Gisle Aas <gisle@aas.no> writes:

> Perhaps the recommendations in perlxs for how to hide pointers to C structures should be updated likewise and there be some standard safe typemap for this kind of thing. Is magic the best way to go?

You want '~' magic, but no, there's no standard typemap for it or any other magic that I'm aware of.

-- Stephen

"If I claimed I was emporer just cause some moistened bint lobbed a scimitar at me they'd put me away"