Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Segfault (access not within mapped region at 0x8) in Perl_pp_iter #14985

Open p5pRT opened 9 years ago

p5pRT commented 9 years ago

Migrated from rt.perl.org#126361 (status was 'open')

Searchable as RT126361$

p5pRT commented 9 years ago

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

```sh
./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test
```

And then fuzzed the resulting binary using:

```sh
AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
```

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segmentation fault in the perl interpreter. The testcase is the file:

```
*_=a for 0..1
```

Interestingly, the following sequence, which appears similar, shows different behavior:

```
dcollins@nightshade64:~/perldebug$ ./perl -e '*_="" for 0..1'
Segmentation fault
dcollins@nightshade64:~/perldebug$ ./perl -e '@x=0..1; *_="" for 0..1'
Segmentation fault
dcollins@nightshade64:~/perldebug$ ./perl -e '@x=0..1; *_="" for @x'
dcollins@nightshade64:~/perldebug$
```

And the use of `*_` is relevant:

```
dcollins@nightshade64:~/perldebug$ ./perl -e '*_=a for 0..1'
Segmentation fault
dcollins@nightshade64:~/perldebug$ ./perl -e '*x=a for 0..1'
dcollins@nightshade64:~/perldebug$
```

So I wonder if this is a problem due to the for statement modifying `*_` while it is on the stack. The crash occurs in Perl_pp_iter as shown below. I assume that either SvREFCNT or SvMAGICAL accesses the second element of the struct at oldsv, and that the first element of that struct is a pointer, since the accessed address is 0x8 on 64-bit and 0x4 on 32-bit. I have no perl that does not crash here, so a bisect was not attempted.

**GDB**

```
(gdb) run
Starting program: /home/dcollins/perldebug/perl -e \*_=a\ for\ 0..1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000009004d6 in Perl_pp_iter () at pp_hot.c:2585
2585        if (LIKELY(SvREFCNT(oldsv) == 1 && !SvMAGICAL(oldsv))) {
(gdb) bt
#0  0x00000000009004d6 in Perl_pp_iter () at pp_hot.c:2585
#1  0x00000000007e0aff in Perl_runops_debug () at dump.c:2224
#2  0x0000000000544229 in S_run_body (oldscope=1) at perl.c:2459
#3  perl_run (my_perl=...) at perl.c:2382
#4  0x000000000042c028 in main (argc=3, argv=0x7fffffffe658, env=0x7fffffffe678) at perlmain.c:116
(gdb) info locals
cur = 1
sp = 0x11f5a20
cx = 0x11f5e88
oldsv = 0x0
itersvp = 0x1200470
__PRETTY_FUNCTION__ = "Perl_pp_iter"
(gdb) f 1
#1  0x00000000007e0aff in Perl_runops_debug () at dump.c:2224
2224        } while ((PL_op = PL_op->op_ppaddr(aTHX)));
(gdb) p PL_op
$1 = (OP *) 0x12107c0
(gdb) p *PL_op
$2 = {op_next = 0x1210ce8, op_sibling = 0x1210d30, op_ppaddr = 0x8ffc50 <Perl_pp_iter>, op_targ = 0, op_type = 200, op_opt = 1, op_slabbed = 1, op_savefree = 0, op_static = 0, op_folded = 0, op_moresib = 1, op_spare = 0, op_flags = 2 '\002', op_private = 0 '\000'}
(gdb)
```

**VALGRIND**

```
==24813== Memcheck, a memory error detector
==24813== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24813== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24813== Command: ./perl -e *_=a\ for\ 0..1
==24813==
==24813== Invalid read of size 8
==24813==    at 0x9004D6: Perl_pp_iter (pp_hot.c:2585)
==24813==    by 0x7E0AFE: Perl_runops_debug (dump.c:2224)
==24813==    by 0x544228: S_run_body (perl.c:2459)
==24813==    by 0x544228: perl_run (perl.c:2382)
==24813==    by 0x42C027: main (perlmain.c:116)
==24813==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==24813==
==24813==
==24813== Process terminating with default action of signal 11 (SIGSEGV)
==24813==  Access not within mapped region at address 0x8
==24813==    at 0x9004D6: Perl_pp_iter (pp_hot.c:2585)
==24813==    by 0x7E0AFE: Perl_runops_debug (dump.c:2224)
==24813==    by 0x544228: S_run_body (perl.c:2459)
==24813==    by 0x544228: perl_run (perl.c:2382)
==24813==    by 0x42C027: main (perlmain.c:116)
==24813==  If you believe this happened as a result of a stack
==24813==  overflow in your program's main thread (unlikely but
==24813==  possible), you can try to increase the size of the
==24813==  main thread stack using the --main-stacksize= flag.
==24813==  The main thread stack size used in this run was 8388608.
==24813==
==24813== HEAP SUMMARY:
==24813==     in use at exit: 110,107 bytes in 541 blocks
==24813==   total heap usage: 642 allocs, 101 frees, 127,693 bytes allocated
==24813==
==24813== LEAK SUMMARY:
==24813==    definitely lost: 176 bytes in 1 blocks
==24813==    indirectly lost: 1,974 bytes in 20 blocks
==24813==      possibly lost: 0 bytes in 0 blocks
==24813==    still reachable: 107,957 bytes in 520 blocks
==24813==         suppressed: 0 bytes in 0 blocks
==24813== Rerun with --leak-check=full to see details of leaked memory
==24813==
==24813== For counts of detected and suppressed errors, rerun with: -v
==24813== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
```

**PERL -V**

```
Summary of my perl5 (revision 5 version 23 subversion 4) configuration:
  Commit id: 94757bf7ac8451b3588578f287f9c511a04011bf
  Platform:
    osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-ld
    uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt11-1+deb8u4 (2015-09-19) x86_64 gnulinux '
    config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=define
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='ccache afl-gcc', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-g',
    cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='4.9.2', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
    ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
    alignbytes=16, prototype=define
  Linker and Libraries:
    ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
                        PERL_DONT_CREATE_GVSV
                        PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
                        PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
                        USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
                        USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                        USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
                        USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Oct 11 2015 21:47:48
  @INC:
    /usr/local/perl-afl/lib/site_perl/5.23.4/x86_64-linux-ld
    /usr/local/perl-afl/lib/site_perl/5.23.4
    /usr/local/perl-afl/lib/5.23.4/x86_64-linux-ld
    /usr/local/perl-afl/lib/5.23.4
    .
```
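The report above runs each minimized variant by hand and reads the shell's "Segmentation fault" message. The script below is an added triage helper, not part of the original report or of the perl5 tree: it runs the same one-liners (plus the two that did not crash) under a perl binary you name and classifies each outcome from the exit status, which is what you would script before the bisect the reporter mentions. It relies on the POSIX convention that a shell reports a process killed by signal N as status 128+N (139 is SIGSEGV, 134 is SIGABRT from a DEBUGGING assertion) and on coreutils `timeout(1)` returning 124 on a hang. The function names `classify_status`, `run_cmd`, `run_case`, `triage_all` and the 10-second limit are this example's own choices; verdicts depend entirely on the perl you point it at.

```sh
#!/bin/sh
# Added triage helper: not part of the original report or of perl5.
# Runs each one-liner under a perl binary and classifies the outcome by
# exit status. POSIX shells report a process killed by signal N as
# 128+N, so 139 means SIGSEGV and 134 means SIGABRT.

# classify_status STATUS -> prints a short verdict for a raw exit status.
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timeout" ;;           # coreutils timeout(1) convention
        139) echo "crash:SIGSEGV" ;;     # 128 + 11
        134) echo "crash:SIGABRT" ;;     # 128 + 6, e.g. an assertion in a DEBUGGING perl
        135) echo "crash:SIGBUS" ;;      # 128 + 7
        *)
            if [ "$1" -gt 128 ]; then
                echo "crash:signal-$(( $1 - 128 ))"
            else
                echo "exit:$1"
            fi
            ;;
    esac
}

# run_cmd CMD ARGS... -> runs the command quietly, with no core file and a
# 10 s limit when timeout(1) is available, and prints its verdict.
run_cmd() {
    status=0
    (
        ulimit -c 0 2>/dev/null          # do not leave one core file per crashing case
        if command -v timeout >/dev/null 2>&1; then
            exec timeout 10 "$@"
        else
            exec "$@"
        fi
    ) </dev/null >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# run_case PERL CODE -> runs one -e fragment under the given perl binary.
run_case() {
    run_cmd "$1" -e "$2"
}

# triage_all [PERL] -> runs the variants from the report and prints one
# verdict per line, e.g. "*_=a for 0..1   crash:SIGSEGV" on the reporter's build.
triage_all() {
    perl_bin=${1:-perl}
    while IFS= read -r code; do
        printf '%-40s %s\n' "$code" "$(run_case "$perl_bin" "$code")"
    done <<'EOF'
*_=a for 0..1
*_="" for 0..1
@x=0..1; *_="" for 0..1
@x=0..1; *_="" for @x
*x=a for 0..1
EOF
}

# Usage: triage_all /usr/local/perl-afl/bin/perl
```

Running `triage_all` against two builds and diffing the two outputs gives the per-commit signal a bisect needs; pointing it at a perl built with ASan or under valgrind changes the verdict from a raw signal to the tool's own exit status, which the `exit:N` branch preserves rather than hiding.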

p5pRT commented 9 years ago

From @geeknik

Most likely a dupe of https://rt-archive.perl.org/perl5/Ticket/Display.html?id=123994.

p5pRT commented 9 years ago

The RT System itself - Status changed from 'new' to 'open'