Open p5pRT opened 8 years ago
While fuzzing Perl v5.24.0-RC1-2-gde1d2c7 with American Fuzzy Lop\, I discovered that perl -e '$0=$.^=*.=$0=0' causes a null pointer dereference and crash. This crash affects Perl v5.14.2 as well.
Program received signal SIGSEGV\, Segmentation fault.
Perl_sv_setpvn (sv=sv@entry=0x1201948\, ptr=ptr@entry=0xed4da7 ""\, len=len@entry=0) at sv.c:4896
4896 dptr[len] = '\0';
(gdb) bt
#0 Perl_sv_setpvn (sv=sv@entry=0x1201948\, ptr=ptr@entry=0xed4da7 ""\, len=len@entry=0) at sv.c:4896
#1 0x0000000000c2a6f3 in Perl_do_vop (optype=optype@entry=93\, sv=sv@entry=0x1201948\,
left=left@entry=0x1201948\, right=right@entry=0x1201930) at doop.c:1011
#2 0x0000000000a763a1 in Perl_pp_bit_or () at pp.c:2491
#3 0x00000000007ff5d4 in Perl_runops_debug () at dump.c:2239
#4 0x0000000000539034 in S_run_body (oldscope=1) at perl.c:2483
#5 perl_run (my_perl=\
Brian Carpenter writes:
While fuzzing Perl v5.24.0-RC1-2-gde1d2c7 with American Fuzzy Lop\, I discovered that perl -e '$0=$.^=*.=$0=0' causes a null pointer dereference and crash. This crash affects Perl v5.14.2 as well.
Smaller case that still yields the crash\, without special variables:
perl -e '$x ^= *x = 0'
Also:
perl -e '$x |= *x = 0'
But not:
perl -e '$x &= *x = 0' Can't coerce UNKNOWN to string in bitwise and (&) at -e line 1.
Smylers -- http://twitter.com/Smylers2
The RT System itself - Status changed from 'new' to 'open'
On Fri Apr 22 01:38:07 2016\, smylers@stripey.com wrote:
Brian Carpenter writes:
While fuzzing Perl v5.24.0-RC1-2-gde1d2c7 with American Fuzzy Lop\, I discovered that perl -e '$0=$.^=*.=$0=0' causes a null pointer dereference and crash. This crash affects Perl v5.14.2 as well.
Smaller case that still yields the crash\, without special variables:
perl -e '$x ^= *x = 0'
Also:
perl -e '$x |= *x = 0'
But not:
perl -e '$x &= *x = 0' Can't coerce UNKNOWN to string in bitwise and (&) at -e line 1.
That UNKNOWN is an internal fallback value that should never be seen. I would say this last case is just as buggy. It smells like a stack issue.
--
Father Chrysostomos
Brian Carpenter wrote:
perl -e '$0=$.^=*.=$0=0'
This reduces to
perl -e '$z ^= *z=0'
which looks almost exactly like [perl #127934]. That one used *= and asserted\, whereas this one uses ^= and segvs. They're probably the same bug underneath. |= and .= also segv: the pattern seems to be that numeric operations assert and string operations segv on handling the string buffer.
-zefram
On Fri Apr 22 08:36:02 2016\, zefram@fysh.org wrote:
Brian Carpenter wrote:
perl -e '$0=$.^=*.=$0=0'
This reduces to
perl \-e '$z ^= \*z=0'
which looks almost exactly like [perl #127934]. That one used *= and asserted\, whereas this one uses ^= and segvs. They're probably the same bug underneath. |= and .= also segv: the pattern seems to be that numeric operations assert and string operations segv on handling the string buffer.
I am pretty sure these are both stack issues. The *z=0 frees *z{SCALAR} while the latter is on the stack.
$ perl -le 'print $^V' v5.12.4 $ perl -e '$z ^= *z=0' Segmentation fault: 11 $ perl -e '*b=*z; $z ^= *z=0; print "$b\n"' *main::0
--
Father Chrysostomos
I just ran into this issue again while fuzzing v5.25.1-152-g81b22c1.
I just ran into this issue again while fuzzing v5.25.1-152-g81b22c1.
Migrated from rt.perl.org#127956 (status was 'open')
Searchable as RT127956$