Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Perl_pad_fixup_inner_anons Null reference Memory corruption #15557

Closed p5pRT closed 7 years ago

p5pRT commented 8 years ago

Migrated from rt.perl.org#129090 (status was 'resolved')

Searchable as RT129090$

p5pRT commented 8 years ago

From riusksk@qq.com

```
valgrind ../../perl poc
==31369== Memcheck, a memory error detector
==31369== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==31369== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==31369== Command: ../../perl id:000079,sig:11,src:024262,op:havoc,rep:4
==31369==
==31369== Invalid read of size 8
==31369==    at 0x533C3E: Perl_pad_fixup_inner_anons (pad.c:2382)
==31369==    by 0x44323C: Perl_newATTRSUB_x (op.c:8711)
==31369==    by 0x522E8D: Perl_yyparse (perly.y:296)
==31369==    by 0x48EDC9: S_parse_body (perl.c:2373)
==31369==    by 0x48897F: perl_parse (perl.c:1689)
==31369==    by 0x41F1D3: main (perlmain.c:121)
==31369==  Address 0x5fb9020 is 16 bytes after a block of size 48 in arena "client"
==31369==
==31369== Invalid read of size 1
==31369==    at 0x533C42: Perl_pad_fixup_inner_anons (pad.c:2378)
==31369==    by 0x44323C: Perl_newATTRSUB_x (op.c:8711)
==31369==    by 0x522E8D: Perl_yyparse (perly.y:296)
==31369==    by 0x48EDC9: S_parse_body (perl.c:2373)
==31369==    by 0x48897F: perl_parse (perl.c:1689)
==31369==    by 0x41F1D3: main (perlmain.c:121)
==31369==  Address 0x29 is not stack'd, malloc'd or (recently) free'd
==31369==
==31369==
==31369== Process terminating with default action of signal 11 (SIGSEGV)
==31369==  Access not within mapped region at address 0x29
==31369==    at 0x533C42: Perl_pad_fixup_inner_anons (pad.c:2378)
==31369==    by 0x44323C: Perl_newATTRSUB_x (op.c:8711)
==31369==    by 0x522E8D: Perl_yyparse (perly.y:296)
==31369==    by 0x48EDC9: S_parse_body (perl.c:2373)
==31369==    by 0x48897F: perl_parse (perl.c:1689)
==31369==    by 0x41F1D3: main (perlmain.c:121)
==31369==  If you believe this happened as a result of a stack
==31369==  overflow in your program's main thread (unlikely but
==31369==  possible), you can try to increase the size of the
==31369==  main thread stack using the --main-stacksize= flag.
==31369==  The main thread stack size used in this run was 8388608.
==31369==
==31369== HEAP SUMMARY:
==31369==     in use at exit: 173,452 bytes in 783 blocks
==31369==   total heap usage: 991 allocs, 208 frees, 190,415 bytes allocated
==31369==
==31369== LEAK SUMMARY:
==31369==    definitely lost: 320 bytes in 1 blocks
==31369==    indirectly lost: 2,601 bytes in 38 blocks
==31369==      possibly lost: 12,552 bytes in 16 blocks
==31369==    still reachable: 157,979 bytes in 728 blocks
==31369==         suppressed: 0 bytes in 0 blocks
==31369== Rerun with --leak-check=full to see details of leaked memory
==31369==
==31369== For counts of detected and suppressed errors, rerun with: -v
==31369== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault
```

```
$ ./perl ../poc.pl
ASAN:SIGSEGV
==14425==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x000108490338 bp 0x7fff579b32f0 sp 0x7fff579b32a0 T0)
    #0 0x108490337 in Perl_pad_fixup_inner_anons pad.c:2386
    #1 0x1082a1f05 in Perl_newATTRSUB_x op.c:8711
    #2 0x10845cf16 in Perl_yyparse perly.y:296
    #3 0x108355087 in perl_parse perl.c:2373
    #4 0x10824c7ee in main perlmain.c:121
    #5 0x7fff985a95ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #6 0x1 (\)
```

p5pRT commented 8 years ago

From riusksk@qq.com

poc.pl

p5pRT commented 8 years ago

From @dcollinsn

```
dcollins@nightshade64:~/toolchain/perl$ afl-tmin -i poc.pl -o pocmin.pl -- ./perl -Ilib @@
afl-tmin 2.32b by <lcamtuf@google.com>

[+] Read 5780 bytes from 'poc.pl'.
[*] Performing dry run (mem limit = 50 MB, timeout = 1000 ms)...
[+] Program exits with a signal, minimizing in crash mode.
[*] Stage #0: One-time block normalization...
[+] Block normalization complete, 4564 bytes replaced.
[*] --- Pass #1 ---
[*] Stage #1: Removing blocks of data...
    Block length = 512, remaining size = 5780
    Block length = 256, remaining size = 1536
    Block length = 128, remaining size = 1280
    Block length = 64, remaining size = 1024
    Block length = 32, remaining size = 832
    Block length = 16, remaining size = 576
    Block length = 8, remaining size = 384
    Block length = 4, remaining size = 232
    Block length = 2, remaining size = 164
    Block length = 1, remaining size = 104
[+] Block removal complete, 5702 bytes deleted.
[*] Stage #2: Minimizing symbols (24 code points)...
[+] Symbol minimization finished, 5 symbols (15 bytes) replaced.
[*] Stage #3: Character minimization...
[+] Character minimization done, 3 bytes replaced.
[*] --- Pass #2 ---
[*] Stage #1: Removing blocks of data...
    Block length = 4, remaining size = 78
    Block length = 2, remaining size = 74
    Block length = 1, remaining size = 70
[+] Block removal complete, 9 bytes deleted.
[*] Stage #2: Minimizing symbols (19 code points)...
[+] Symbol minimization finished, 0 symbols (0 bytes) replaced.
[*] Stage #3: Character minimization...
[+] Character minimization done, 0 bytes replaced.
[*] --- Pass #3 ---
[*] Stage #1: Removing blocks of data...
    Block length = 4, remaining size = 69
    Block length = 2, remaining size = 69
    Block length = 1, remaining size = 69
[+] Block removal complete, 0 bytes deleted.

     File size reduced by : 98.81% (to 69 bytes)
    Characters simplified : 6640.58%
     Number of execs done : 893
          Fruitless execs : path=666 crash=0 hang=15

[*] Writing output to 'pocmin.pl'...
[+] We're done here. Have a nice day!

dcollins@nightshade64:~/toolchain/perl$ cat pocmin.pl
$0=s()0<$>;0;my sub i0i0;()=((%fi0s0));sub fi0s0{sub i0i0{}sub fi0s0}
```

Further minimized by hand to:

```
$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
Segmentation fault
```

-- Respectfully, Dan Collins

p5pRT commented 8 years ago

From riusksk@qq.com

On Fri, 26 Aug 2016 06:01:53, dcollinsn@gmail.com wrote:

Further minimized by hand to:

```
$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
Segmentation fault
```

Thanks dcollinsn for the min PoC; I ran it with ASan:

```
╭─riusksk@MacBook ~/Downloads/perl ‹› ‹blead*›
╰─➤$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
==3513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000d378 at pc 0x0001056791e0 bp 0x7fff5a7cb250 sp 0x7fff5a7cb248
READ of size 8 at 0x60300000d378 thread T0
    #0 0x1056791df in Perl_pad_fixup_inner_anons pad.c:2382
    #1 0x105489f05 in Perl_newATTRSUB_x op.c:8711
    #2 0x105644f16 in Perl_yyparse perly.y:296
    #3 0x10553d087 in perl_parse perl.c:2373
    #4 0x1054347ee in main perlmain.c:121
    #5 0x7fff965865ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #6 0x3 (\)

0x60300000d378 is located 0 bytes to the right of 24-byte region [0x60300000d360,0x60300000d378)
allocated by thread T0 here:
    #0 0x105f732f7 in wrap_realloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x432f7)
    #1 0x1057d438c in Perl_safesysrealloc util.c:274
    #2 0x1058ad808 in Perl_av_extend_guts av.c:163
    #3 0x1056646bb in Perl_pad_add_weakref pad.c:2665
    #4 0x10548cadc in Perl_newATTRSUB_x op.c:8846
    #5 0x105644f16 in Perl_yyparse perly.y:296
    #6 0x10553d087 in perl_parse perl.c:2373
    #7 0x1054347ee in main perlmain.c:121
    #8 0x7fff965865ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #9 0x3 (\)
```

p5pRT commented 8 years ago

From @cpansprout

On Fri Aug 26 06:01:53 2016, dcollinsn@gmail.com wrote:

```
$ ./perl -Ilib -wle '$a="a$a";my sub b;%c;sub c{sub b;sub c}'
Segmentation fault
```

Thank you. Fixed in 95c0a76.

--

Father Chrysostomos

p5pRT commented 8 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 8 years ago

@cpansprout - Status changed from 'open' to 'pending release'

p5pRT commented 7 years ago

From @mauke

Created by @mauke

The following code loops forever (in the compiler):

$ perl -e '\&f2; sub f2 { sub f2; eval "" }'

The loop happens in Perl_pad_tidy because somehow cv == CvOUTSIDE(cv).

Instead of eval "" you can also use the -d switch:

$ perl -d -e '\&f2; sub f2 { sub f2; }'

This means Devel::Confess, Devel::Cover, etc. are also affected.

Perl Info

```
Flags:
    category=core
    severity=low

Site configuration information for perl 5.24.1:

Configured by mauke at Sun Feb 19 23:06:44 CET 2017.

Summary of my perl5 (revision 5 version 24 subversion 1) configuration:

  Platform:
    osname=linux, osvers=4.9.6-1-arch, archname=i686-linux
    uname='linux simplicio 4.9.6-1-arch #1 smp preempt thu jan 26 09:41:20 cet 2017 i686 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -flto',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='6.3.1 20170109', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/i686-pc-linux-gnu/6.3.1/include-fixed /usr/lib /lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -flto -L/usr/local/lib -fstack-protector-strong'

@INC for perl 5.24.1:
    /home/mauke/usr/lib/perl5/site_perl/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/site_perl/5.24.1
    /home/mauke/usr/lib/perl5/5.24.1/i686-linux
    /home/mauke/usr/lib/perl5/5.24.1

Environment for perl 5.24.1:
    HOME=/home/mauke
    LANG=en_US.UTF-8
    LANGUAGE=en_US
    LC_COLLATE=C
    LC_MONETARY=de_DE.UTF-8
    LC_TIME=de_DE.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/mauke/perl5/perlbrew/bin:/home/mauke/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl
    PERLBREW_BASHRC_VERSION=0.73
    PERLBREW_HOME=/home/mauke/.perlbrew
    PERLBREW_ROOT=/home/mauke/perl5/perlbrew
    PERL_BADLANG (unset)
    PERL_UNICODE=SAL
    SHELL=/bin/bash
```

p5pRT commented 7 years ago

From @mauke

On Thu, 13 Apr 2017 14:19:18 -0700, mauke- wrote:

The following code loops forever (in the compiler):

$ perl -e '\&f2; sub f2 { sub f2; eval "" }'

The loop happens in Perl_pad_tidy because somehow cv == CvOUTSIDE(cv).

This might be fixed in blead:

\ only happened from 5.21.7 to 5.25.4

I can reproduce it on 5.22 and 5.24, but not 5.20.

p5pRT commented 7 years ago

From @mauke

On Thu, 13 Apr 2017 14:28:53 -0700, mauke- wrote:

On Thu, 13 Apr 2017 14:19:18 -0700, mauke- wrote:

The following code loops forever (in the compiler):

$ perl -e '\&f2; sub f2 { sub f2; eval "" }'

The loop happens in Perl_pad_tidy because somehow cv == CvOUTSIDE(cv).

This might be fixed in blead:

\ only happened from 5.21.7 to 5.25.4

I can reproduce it on 5.22 and 5.24, but not 5.20.

I was able to bisect the fix to commit 6da13066b6bca, which means this ticket might be a duplicate of bug #129090.
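Since the same fix covers both the segfault reproducer from dcollinsn's post and the Perl_pad_tidy loop above, a regression check for a local build is worth having. The following POSIX shell script is an added example, not part of this ticket or the Perl project: it runs both reduced reproducers from this thread against a given perl binary under a timeout and classifies the outcome. It assumes GNU coreutils `timeout` is on PATH, and it adds `-Mfeature=lexical_subs` so that `my sub` parses on perls older than 5.26.

```shell
#!/bin/sh
# Added regression check for the two reproducers in this ticket; not part of
# the Perl project. Assumes GNU coreutils `timeout` is on PATH.

# Map the exit status of a `timeout`-wrapped perl run to a verdict.
classify_status() {
  case "$1" in
    0)   echo ok ;;           # compiled and ran to completion
    124) echo hang ;;         # killed by timeout: the Perl_pad_tidy loop
    139) echo crash ;;        # 128+SIGSEGV: the Perl_pad_fixup_inner_anons read
    *)   echo "other:$1" ;;   # e.g. 255 for a compile error, 1 for an ASan abort
  esac
}

# Run one -e program (extra args are passed to perl first) and print the verdict.
run_repro() {
  perl_bin=$1; program=$2; shift 2
  timeout 5 "$perl_bin" "$@" -e "$program" >/dev/null 2>&1
  classify_status $?
}

# Print "pad_fixup_inner_anons=<verdict> pad_tidy=<verdict>" for the given
# perl, or "missing" (status 1) if that perl is not executable.
check_perl_pad_bug() {
  perl_bin=$1
  command -v "$perl_bin" >/dev/null 2>&1 || { echo missing; return 1; }
  # Reproducer from this ticket: heap-buffer-overflow read in pad.c.
  # -Mfeature=lexical_subs is added here so `my sub` parses on 5.18..5.24.
  segv=$(run_repro "$perl_bin" '$a="a$a";my sub b;%c;sub c{sub b;sub c}' \
                   -Mfeature=lexical_subs)
  # Reproducer from the follow-up report: infinite loop in Perl_pad_tidy.
  loop=$(run_repro "$perl_bin" '\&f2; sub f2 { sub f2; eval "" }')
  echo "pad_fixup_inner_anons=$segv pad_tidy=$loop"
}

check_perl_pad_bug "${1:-perl}" || :
```

Run it as `sh check.sh ./perl` inside a build tree; a build with the fix prints `ok` for both, while 5.22 or 5.24 builds show `crash` and `hang` respectively.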

p5pRT commented 7 years ago

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been resolved.

Perl 5.26.0 may be downloaded via: https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

p5pRT commented 7 years ago

@khwilliamson - Status changed from 'pending release' to 'resolved'