search

Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/
Other
1.98k stars 559 forks source link

Multiple suspicious Valgrind errors #15585

Closed p5pRT closed 7 years ago

p5pRT commented 8 years ago

Migrated from rt.perl.org#129190 (status was 'resolved')

Searchable as RT129190$

p5pRT commented 8 years ago

From @dcollinsn

The following "script" causes a host of Valgrind warnings\, starting with a use-after-free and followed by a number of uninitialized reads and out-of-bounds reads. I am unable to find any related tickets at this time.

$ perl -e 'print "exec a00\$"' | valgrind ../bin/perl ==37759== Memcheck\, a memory error detector ==37759== Copyright (C) 2002-2015\, and GNU GPL'd\, by Julian Seward et al. ==37759== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==37759== Command​: ../bin/perl ==37759== ==37759== Invalid read of size 1 ==37759== at 0x49B97C​: Perl_yylex (toke.c​:4880) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77888 is 8 bytes inside a block of size 10 free'd ==37759== at 0x4C2CB5C​: realloc (vg_replace_malloc.c​:785) ==37759== by 0x569571​: Perl_safesysrealloc (util.c​:274) ==37759== by 0x5D4FA4​: Perl_sv_grow (sv.c​:1602) ==37759== by 0x5F59CE​: Perl_sv_gets (sv.c​:8522) ==37759== by 0x496574​: S_filter_gets (toke.c​:4347) ==37759== by 0x496574​: Perl_lex_next_chunk (toke.c​:1309) ==37759== by 0x497853​: Perl_lex_read_space (toke.c​:1529) ==37759== by 0x4E5954​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5954​: S_intuit_method (toke.c​:4085) ==37759== by 0x4BE331​: Perl_yylex (toke.c​:7044) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Block was alloc'd at ==37759== at 0x4C2AC0F​: malloc (vg_replace_malloc.c​:299) ==37759== by 0x5692FC​: Perl_safesysmalloc (util.c​:153) ==37759== by 0x5D50AF​: Perl_sv_grow (sv.c​:1605) ==37759== by 0x5DD0C9​: Perl_sv_setpvn (sv.c​:4892) ==37759== by 0x5F8336​: Perl_newSVpvn (sv.c​:9234) ==37759== by 0x49406B​: Perl_lex_start (toke.c​:741) ==37759== by 0x4777D4​: S_parse_body (perl.c​:2362) ==37759== by 0x4777D4​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4ACE11​: Perl_yylex (toke.c​:6316) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77889 is 9 bytes inside a block of size 10 free'd ==37759== at 0x4C2CB5C​: realloc (vg_replace_malloc.c​:785) ==37759== by 0x569571​: Perl_safesysrealloc (util.c​:274) ==37759== by 0x5D4FA4​: Perl_sv_grow (sv.c​:1602) ==37759== by 0x5F59CE​: Perl_sv_gets (sv.c​:8522) ==37759== by 0x496574​: S_filter_gets (toke.c​:4347) ==37759== by 0x496574​: Perl_lex_next_chunk (toke.c​:1309) ==37759== by 0x497853​: Perl_lex_read_space (toke.c​:1529) ==37759== by 0x4E5954​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5954​: S_intuit_method (toke.c​:4085) ==37759== by 0x4BE331​: Perl_yylex (toke.c​:7044) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Block was alloc'd at ==37759== at 0x4C2AC0F​: malloc (vg_replace_malloc.c​:299) ==37759== by 0x5692FC​: Perl_safesysmalloc (util.c​:153) ==37759== by 0x5D50AF​: Perl_sv_grow (sv.c​:1605) ==37759== by 0x5DD0C9​: Perl_sv_setpvn (sv.c​:4892) ==37759== by 0x5F8336​: Perl_newSVpvn (sv.c​:9234) ==37759== by 0x49406B​: Perl_lex_start (toke.c​:741) ==37759== by 0x4777D4​: S_parse_body (perl.c​:2362) ==37759== by 0x4777D4​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4DD873​: S_scan_ident (toke.c​:9110) ==37759== by 0x4C8016​: Perl_yylex (toke.c​:6336) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77888 is 8 bytes inside a block of size 10 free'd ==37759== at 0x4C2CB5C​: realloc (vg_replace_malloc.c​:785) ==37759== by 0x569571​: Perl_safesysrealloc (util.c​:274) ==37759== by 0x5D4FA4​: Perl_sv_grow (sv.c​:1602) ==37759== by 0x5F59CE​: Perl_sv_gets (sv.c​:8522) ==37759== by 0x496574​: S_filter_gets (toke.c​:4347) ==37759== by 0x496574​: Perl_lex_next_chunk (toke.c​:1309) ==37759== by 0x497853​: Perl_lex_read_space (toke.c​:1529) ==37759== by 0x4E5954​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5954​: S_intuit_method (toke.c​:4085) ==37759== by 0x4BE331​: Perl_yylex (toke.c​:7044) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Block was alloc'd at ==37759== at 0x4C2AC0F​: malloc (vg_replace_malloc.c​:299) ==37759== by 0x5692FC​: Perl_safesysmalloc (util.c​:153) ==37759== by 0x5D50AF​: Perl_sv_grow (sv.c​:1605) ==37759== by 0x5DD0C9​: Perl_sv_setpvn (sv.c​:4892) ==37759== by 0x5F8336​: Perl_newSVpvn (sv.c​:9234) ==37759== by 0x49406B​: Perl_lex_start (toke.c​:741) ==37759== by 0x4777D4​: S_parse_body (perl.c​:2362) ==37759== by 0x4777D4​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4DD94E​: S_scan_ident (toke.c​:9012) ==37759== by 0x4C8016​: Perl_yylex (toke.c​:6336) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77889 is 9 bytes inside a block of size 10 free'd ==37759== at 0x4C2CB5C​: realloc (vg_replace_malloc.c​:785) ==37759== by 0x569571​: Perl_safesysrealloc (util.c​:274) ==37759== by 0x5D4FA4​: Perl_sv_grow (sv.c​:1602) ==37759== by 0x5F59CE​: Perl_sv_gets (sv.c​:8522) ==37759== by 0x496574​: S_filter_gets (toke.c​:4347) ==37759== by 0x496574​: Perl_lex_next_chunk (toke.c​:1309) ==37759== by 0x497853​: Perl_lex_read_space (toke.c​:1529) ==37759== by 0x4E5954​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5954​: S_intuit_method (toke.c​:4085) ==37759== by 0x4BE331​: Perl_yylex (toke.c​:7044) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Block was alloc'd at ==37759== at 0x4C2AC0F​: malloc (vg_replace_malloc.c​:299) ==37759== by 0x5692FC​: Perl_safesysmalloc (util.c​:153) ==37759== by 0x5D50AF​: Perl_sv_grow (sv.c​:1605) ==37759== by 0x5DD0C9​: Perl_sv_setpvn (sv.c​:4892) ==37759== by 0x5F8336​: Perl_newSVpvn (sv.c​:9234) ==37759== by 0x49406B​: Perl_lex_start (toke.c​:741) ==37759== by 0x4777D4​: S_parse_body (perl.c​:2362) ==37759== by 0x4777D4​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 1 ==37759== at 0x49762A​: Perl_lex_read_space (toke.c​:1519) ==37759== by 0x4DDA49​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4DDA49​: S_scan_ident (toke.c​:9013) ==37759== by 0x4C8016​: Perl_yylex (toke.c​:6336) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77889 is 9 bytes inside a block of size 10 free'd ==37759== at 0x4C2CB5C​: realloc (vg_replace_malloc.c​:785) ==37759== by 0x569571​: Perl_safesysrealloc (util.c​:274) ==37759== by 0x5D4FA4​: Perl_sv_grow (sv.c​:1602) ==37759== by 0x5F59CE​: Perl_sv_gets (sv.c​:8522) ==37759== by 0x496574​: S_filter_gets (toke.c​:4347) ==37759== by 0x496574​: Perl_lex_next_chunk (toke.c​:1309) ==37759== by 0x497853​: Perl_lex_read_space (toke.c​:1529) ==37759== by 0x4E5954​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5954​: S_intuit_method (toke.c​:4085) ==37759== by 0x4BE331​: Perl_yylex (toke.c​:7044) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Block was alloc'd at ==37759== at 0x4C2AC0F​: malloc (vg_replace_malloc.c​:299) ==37759== by 0x5692FC​: Perl_safesysmalloc (util.c​:153) ==37759== by 0x5D50AF​: Perl_sv_grow (sv.c​:1605) ==37759== by 0x5DD0C9​: Perl_sv_setpvn (sv.c​:4892) ==37759== by 0x5F8336​: Perl_newSVpvn (sv.c​:9234) ==37759== by 0x49406B​: Perl_lex_start (toke.c​:741) ==37759== by 0x4777D4​: S_parse_body (perl.c​:2362) ==37759== by 0x4777D4​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4DDA9D​: S_scan_ident (toke.c​:9014) ==37759== by 0x4C8016​: Perl_yylex (toke.c​:6336) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778a8 is 24 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4DC13F​: S_parse_ident (toke.c​:8937) ==37759== by 0x4DDB0A​: S_scan_ident (toke.c​:9022) ==37759== by 0x4C8016​: Perl_yylex (toke.c​:6336) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778a8 is 24 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4DC1A3​: S_parse_ident (toke.c​:8939) ==37759== by 0x4DDB0A​: S_scan_ident (toke.c​:9022) ==37759== by 0x4C8016​: Perl_yylex (toke.c​:6336) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778a8 is 24 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4DC1B7​: S_parse_ident (toke.c​:8940) ==37759== by 0x4DDB0A​: S_scan_ident (toke.c​:9022) ==37759== by 0x4C8016​: Perl_yylex (toke.c​:6336) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778a9 is 25 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4DC486​: S_parse_ident (toke.c​:8947) ==37759== by 0x4DDB0A​: S_scan_ident (toke.c​:9022) ==37759== by 0x4C8016​: Perl_yylex (toke.c​:6336) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778a9 is 25 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4C8111​: Perl_yylex (toke.c​:6404) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778a9 is 25 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x49762A​: Perl_lex_read_space (toke.c​:1519) ==37759== by 0x4C81EE​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4C81EE​: Perl_yylex (toke.c​:6356) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778a9 is 25 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4DC13F​: S_parse_ident (toke.c​:8937) ==37759== by 0x49E10E​: S_scan_word (toke.c​:8974) ==37759== by 0x49E10E​: Perl_yylex (toke.c​:6741) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778b0 is 32 bytes before a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4DC1A3​: S_parse_ident (toke.c​:8939) ==37759== by 0x49E10E​: S_scan_word (toke.c​:8974) ==37759== by 0x49E10E​: Perl_yylex (toke.c​:6741) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778b0 is 32 bytes before a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4DC1B7​: S_parse_ident (toke.c​:8940) ==37759== by 0x49E10E​: S_scan_word (toke.c​:8974) ==37759== by 0x49E10E​: Perl_yylex (toke.c​:6741) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x49E27F​: Perl_yylex (toke.c​:6747) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x49E47F​: Perl_yylex (toke.c​:6753) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x49E4F7​: Perl_yylex (toke.c​:6757) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4BD0E3​: Perl_yylex (toke.c​:6933) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778af is 31 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4BD112​: Perl_yylex (toke.c​:6939) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4EA4BC​: Perl_yyerror_pvn (toke.c​:11032) ==37759== by 0x4E1C61​: Perl_yyerror_pv (toke.c​:11002) ==37759== by 0x4E1C61​: S_yywarn (toke.c​:10987) ==37759== by 0x4E1C61​: S_no_op (toke.c​:520) ==37759== by 0x4BD3A2​: Perl_yylex (toke.c​:6958) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77888 is 8 bytes inside a block of size 10 free'd ==37759== at 0x4C2CB5C​: realloc (vg_replace_malloc.c​:785) ==37759== by 0x569571​: Perl_safesysrealloc (util.c​:274) ==37759== by 0x5D4FA4​: Perl_sv_grow (sv.c​:1602) ==37759== by 0x5F59CE​: Perl_sv_gets (sv.c​:8522) ==37759== by 0x496574​: S_filter_gets (toke.c​:4347) ==37759== by 0x496574​: Perl_lex_next_chunk (toke.c​:1309) ==37759== by 0x497853​: Perl_lex_read_space (toke.c​:1529) ==37759== by 0x4E5954​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5954​: S_intuit_method (toke.c​:4085) ==37759== by 0x4BE331​: Perl_yylex (toke.c​:7044) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Block was alloc'd at ==37759== at 0x4C2AC0F​: malloc (vg_replace_malloc.c​:299) ==37759== by 0x5692FC​: Perl_safesysmalloc (util.c​:153) ==37759== by 0x5D50AF​: Perl_sv_grow (sv.c​:1605) ==37759== by 0x5DD0C9​: Perl_sv_setpvn (sv.c​:4892) ==37759== by 0x5F8336​: Perl_newSVpvn (sv.c​:9234) ==37759== by 0x49406B​: Perl_lex_start (toke.c​:741) ==37759== by 0x4777D4​: S_parse_body (perl.c​:2362) ==37759== by 0x4777D4​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 2 ==37759== at 0x4C2F3A8​: memcpy@​@​GLIBC_2.14 (vg_replace_strmem.c​:1018) ==37759== by 0x608364​: Perl_sv_vcatpvfn_flags (sv.c​:12912) ==37759== by 0x5FD57E​: Perl_sv_catpvf (sv.c​:10727) ==37759== by 0x4EA9DF​: Perl_yyerror_pvn (toke.c​:11084) ==37759== by 0x4E1C61​: Perl_yyerror_pv (toke.c​:11002) ==37759== by 0x4E1C61​: S_yywarn (toke.c​:10987) ==37759== by 0x4E1C61​: S_no_op (toke.c​:520) ==37759== by 0x4BD3A2​: Perl_yylex (toke.c​:6958) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77888 is 8 bytes inside a block of size 10 free'd ==37759== at 0x4C2CB5C​: realloc (vg_replace_malloc.c​:785) ==37759== by 0x569571​: Perl_safesysrealloc (util.c​:274) ==37759== by 0x5D4FA4​: Perl_sv_grow (sv.c​:1602) ==37759== by 0x5F59CE​: Perl_sv_gets (sv.c​:8522) ==37759== by 0x496574​: S_filter_gets (toke.c​:4347) ==37759== by 0x496574​: Perl_lex_next_chunk (toke.c​:1309) ==37759== by 0x497853​: Perl_lex_read_space (toke.c​:1529) ==37759== by 0x4E5954​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5954​: S_intuit_method (toke.c​:4085) ==37759== by 0x4BE331​: Perl_yylex (toke.c​:7044) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Block was alloc'd at ==37759== at 0x4C2AC0F​: malloc (vg_replace_malloc.c​:299) ==37759== by 0x5692FC​: Perl_safesysmalloc (util.c​:153) ==37759== by 0x5D50AF​: Perl_sv_grow (sv.c​:1605) ==37759== by 0x5DD0C9​: Perl_sv_setpvn (sv.c​:4892) ==37759== by 0x5F8336​: Perl_newSVpvn (sv.c​:9234) ==37759== by 0x49406B​: Perl_lex_start (toke.c​:741) ==37759== by 0x4777D4​: S_parse_body (perl.c​:2362) ==37759== by 0x4777D4​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 2 ==37759== at 0x4C2F3B6​: memcpy@​@​GLIBC_2.14 (vg_replace_strmem.c​:1018) ==37759== by 0x608364​: Perl_sv_vcatpvfn_flags (sv.c​:12912) ==37759== by 0x5FD57E​: Perl_sv_catpvf (sv.c​:10727) ==37759== by 0x4EA9DF​: Perl_yyerror_pvn (toke.c​:11084) ==37759== by 0x4E1C61​: Perl_yyerror_pv (toke.c​:11002) ==37759== by 0x4E1C61​: S_yywarn (toke.c​:10987) ==37759== by 0x4E1C61​: S_no_op (toke.c​:520) ==37759== by 0x4BD3A2​: Perl_yylex (toke.c​:6958) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f7788c is 2 bytes after a block of size 10 free'd ==37759== at 0x4C2CB5C​: realloc (vg_replace_malloc.c​:785) ==37759== by 0x569571​: Perl_safesysrealloc (util.c​:274) ==37759== by 0x5D4FA4​: Perl_sv_grow (sv.c​:1602) ==37759== by 0x5F59CE​: Perl_sv_gets (sv.c​:8522) ==37759== by 0x496574​: S_filter_gets (toke.c​:4347) ==37759== by 0x496574​: Perl_lex_next_chunk (toke.c​:1309) ==37759== by 0x497853​: Perl_lex_read_space (toke.c​:1529) ==37759== by 0x4E5954​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5954​: S_intuit_method (toke.c​:4085) ==37759== by 0x4BE331​: Perl_yylex (toke.c​:7044) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Block was alloc'd at ==37759== at 0x4C2AC0F​: malloc (vg_replace_malloc.c​:299) ==37759== by 0x5692FC​: Perl_safesysmalloc (util.c​:153) ==37759== by 0x5D50AF​: Perl_sv_grow (sv.c​:1605) ==37759== by 0x5DD0C9​: Perl_sv_setpvn (sv.c​:4892) ==37759== by 0x5F8336​: Perl_newSVpvn (sv.c​:9234) ==37759== by 0x49406B​: Perl_lex_start (toke.c​:741) ==37759== by 0x4777D4​: S_parse_body (perl.c​:2362) ==37759== by 0x4777D4​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4C2F3E0​: memcpy@​@​GLIBC_2.14 (vg_replace_strmem.c​:1018) ==37759== by 0x608364​: Perl_sv_vcatpvfn_flags (sv.c​:12912) ==37759== by 0x5FD57E​: Perl_sv_catpvf (sv.c​:10727) ==37759== by 0x4EA9DF​: Perl_yyerror_pvn (toke.c​:11084) ==37759== by 0x4E1C61​: Perl_yyerror_pv (toke.c​:11002) ==37759== by 0x4E1C61​: S_yywarn (toke.c​:10987) ==37759== by 0x4E1C61​: S_no_op (toke.c​:520) ==37759== by 0x4BD3A2​: Perl_yylex (toke.c​:6958) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778b0 is 32 bytes before a block of size 16 in arena "client" ==37759== Bareword found where operator expected at - line 1\, near "$PP" ==37759== Invalid read of size 1 ==37759== at 0x4E1DB8​: S_no_op (toke.c​:525) ==37759== by 0x4BD3A2​: Perl_yylex (toke.c​:6958) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77888 is 8 bytes inside a block of size 10 free'd ==37759== at 0x4C2CB5C​: realloc (vg_replace_malloc.c​:785) ==37759== by 0x569571​: Perl_safesysrealloc (util.c​:274) ==37759== by 0x5D4FA4​: Perl_sv_grow (sv.c​:1602) ==37759== by 0x5F59CE​: Perl_sv_gets (sv.c​:8522) ==37759== by 0x496574​: S_filter_gets (toke.c​:4347) ==37759== by 0x496574​: Perl_lex_next_chunk (toke.c​:1309) ==37759== by 0x497853​: Perl_lex_read_space (toke.c​:1529) ==37759== by 0x4E5954​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5954​: S_intuit_method (toke.c​:4085) ==37759== by 0x4BE331​: Perl_yylex (toke.c​:7044) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Block was alloc'd at ==37759== at 0x4C2AC0F​: malloc (vg_replace_malloc.c​:299) ==37759== by 0x5692FC​: Perl_safesysmalloc (util.c​:153) ==37759== by 0x5D50AF​: Perl_sv_grow (sv.c​:1605) ==37759== by 0x5DD0C9​: Perl_sv_setpvn (sv.c​:4892) ==37759== by 0x5F8336​: Perl_newSVpvn (sv.c​:9234) ==37759== by 0x49406B​: Perl_lex_start (toke.c​:741) ==37759== by 0x4777D4​: S_parse_body (perl.c​:2362) ==37759== by 0x4777D4​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4C2F3E0​: memcpy@​@​GLIBC_2.14 (vg_replace_strmem.c​:1018) ==37759== by 0x608364​: Perl_sv_vcatpvfn_flags (sv.c​:12912) ==37759== by 0x5F941B​: Perl_sv_vsetpvfn (sv.c​:10809) ==37759== by 0x56C4A2​: Perl_vmess (util.c​:1560) ==37759== by 0x56EA2B​: Perl_vwarn (util.c​:1934) ==37759== by 0x56EA2B​: Perl_vwarner (util.c​:2050) ==37759== by 0x56EFA2​: Perl_warner (util.c​:2026) ==37759== by 0x4E2505​: S_no_op (toke.c​:537) ==37759== by 0x4BD3A2​: Perl_yylex (toke.c​:6958) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778b0 is 32 bytes before a block of size 16 in arena "client" ==37759==   (Missing operator before P?) ==37759== Invalid read of size 1 ==37759== at 0x49762A​: Perl_lex_read_space (toke.c​:1519) ==37759== by 0x4BE592​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4BE592​: Perl_yylex (toke.c​:7069) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778b1 is 31 bytes before a block of size 16 in arena "client" ==37759== ==37759== Conditional jump or move depends on uninitialised value(s) ==37759== at 0x497631​: Perl_lex_read_space (toke.c​:1506) ==37759== by 0x4E5FE3​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5FE3​: S_intuit_method (toke.c​:4111) ==37759== by 0x4C3E5A​: Perl_yylex (toke.c​:7130) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Conditional jump or move depends on uninitialised value(s) ==37759== at 0x497639​: Perl_lex_read_space (toke.c​:1506) ==37759== by 0x4E5FE3​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5FE3​: S_intuit_method (toke.c​:4111) ==37759== by 0x4C3E5A​: Perl_yylex (toke.c​:7130) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Use of uninitialised value of size 8 ==37759== at 0x49777E​: Perl_lex_read_space (toke.c​:1519) ==37759== by 0x4E5FE3​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5FE3​: S_intuit_method (toke.c​:4111) ==37759== by 0x4C3E5A​: Perl_yylex (toke.c​:7130) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Conditional jump or move depends on uninitialised value(s) ==37759== at 0x497924​: Perl_lex_read_space (toke.c​:1539) ==37759== by 0x4E5FE3​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5FE3​: S_intuit_method (toke.c​:4111) ==37759== by 0x4C3E5A​: Perl_yylex (toke.c​:7130) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 1 ==37759== at 0x49762A​: Perl_lex_read_space (toke.c​:1519) ==37759== by 0x4E5FE3​: S_skipspace_flags (toke.c​:1831) ==37759== by 0x4E5FE3​: S_intuit_method (toke.c​:4111) ==37759== by 0x4C3E5A​: Perl_yylex (toke.c​:7130) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778da is 0 bytes after a block of size 10 alloc'd ==37759== at 0x4C2AC0F​: malloc (vg_replace_malloc.c​:299) ==37759== by 0x5692FC​: Perl_safesysmalloc (util.c​:153) ==37759== by 0x5D50AF​: Perl_sv_grow (sv.c​:1605) ==37759== by 0x5DD0C9​: Perl_sv_setpvn (sv.c​:4892) ==37759== by 0x5F8336​: Perl_newSVpvn (sv.c​:9234) ==37759== by 0x477853​: S_parse_body (perl.c​:2365) ==37759== by 0x477853​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4E6060​: S_intuit_method (toke.c​:4112) ==37759== by 0x4C3E5A​: Perl_yylex (toke.c​:7130) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778f8 is 24 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4E64DB​: S_intuit_method (toke.c​:4121) ==37759== by 0x4C3E5A​: Perl_yylex (toke.c​:7130) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778f8 is 24 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4BE5E7​: Perl_yylex (toke.c​:7129) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77901 is 31 bytes before a block of size 4\,800 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x49C603​: Perl_yylex (toke.c​:4894) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77901 is 31 bytes before a block of size 4\,800 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4AD0EC​: Perl_yylex (toke.c​:4903) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f77901 is 31 bytes before a block of size 4\,800 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4C2F3E0​: memcpy@​@​GLIBC_2.14 (vg_replace_strmem.c​:1018) ==37759== by 0x608364​: Perl_sv_vcatpvfn_flags (sv.c​:12912) ==37759== by 0x5F941B​: Perl_sv_vsetpvfn (sv.c​:10809) ==37759== by 0x56D945​: Perl_vmess (util.c​:1560) ==37759== by 0x56D945​: Perl_vcroak (util.c​:1789) ==37759== by 0x56DFFC​: Perl_croak (util.c​:1836) ==37759== by 0x4B0A93​: Perl_yylex (toke.c​:4910) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778f7 is 23 bytes after a block of size 16 in arena "client" ==37759== ==37759== Invalid read of size 1 ==37759== at 0x4C2F3EE​: memcpy@​@​GLIBC_2.14 (vg_replace_strmem.c​:1018) ==37759== by 0x608364​: Perl_sv_vcatpvfn_flags (sv.c​:12912) ==37759== by 0x5F941B​: Perl_sv_vsetpvfn (sv.c​:10809) ==37759== by 0x56D945​: Perl_vmess (util.c​:1560) ==37759== by 0x56D945​: Perl_vcroak (util.c​:1789) ==37759== by 0x56DFFC​: Perl_croak (util.c​:1836) ==37759== by 0x4B0A93​: Perl_yylex (toke.c​:4910) ==37759== by 0x4EDF1C​: Perl_yyparse (perly.c​:334) ==37759== by 0x4778BC​: S_parse_body (perl.c​:2373) ==37759== by 0x4778BC​: perl_parse (perl.c​:1689) ==37759== by 0x4231E9​: main (perlmain.c​:121) ==37759== Address 0x5f778f9 is 25 bytes after a block of size 16 in arena "client" ==37759== Unrecognized character \x13; marked by \<-- HERE after P\<-- HERE near column -13806 at - line 1. ==37759== ==37759== HEAP SUMMARY​: ==37759== in use at exit​: 104\,573 bytes in 522 blocks ==37759== total heap usage​: 693 allocs\, 171 frees\, 145\,202 bytes allocated ==37759== ==37759== LEAK SUMMARY​: ==37759== definitely lost​: 0 bytes in 0 blocks ==37759== indirectly lost​: 0 bytes in 0 blocks ==37759== possibly lost​: 0 bytes in 0 blocks ==37759== still reachable​: 104\,573 bytes in 522 blocks ==37759== suppressed​: 0 bytes in 0 blocks ==37759== Rerun with --leak-check=full to see details of leaked memory ==37759== ==37759== For counts of detected and suppressed errors\, rerun with​: -v ==37759== Use --track-origins=yes to see where uninitialised values come from ==37759== ERROR SUMMARY​: 202 errors from 39 contexts (suppressed​: 0 from 0)

p5pRT commented 8 years ago

From @dcollinsn

AFL crash explorer reports that replacing "exec" with any of the following strings will also reproduce this error​:

grep pipe getc read open stat seek send tell bind recv

Several similar cases involving the following strings were also identified​:

flock write 0stat fcntl printf select socket

in general\, it appears that this is the repro case​:

perl -e 'printf "%-7s_\$"\, "flock"' | valgrind ../bin/perl

In other words\, exactly 7 characters consisting of a builtin rightpadded by spaces\, followed by a literal '_$'. It seems important that the '$' be the 9th character exactly. The characters between the string and the '$' seem irrelevant. For example\, we have 'exec(eq0$' as one of the fuzzer-generated testcases\, and 'exec(pow$' as another.

This seems to be so tight that it's unlikely to be exploitable. I'll let it keep running\, and update this thread if I find any cases that don't fit this pattern.

On Sat\, Sep 3\, 2016 at 9​:45 PM\, \perl5\-security\-report@&#8203;perl\.org wrote​:

Greetings\,

This message has been automatically generated in response to the creation of a perl security report regarding​: "Multiple suspicious Valgrind errors".

There is no need to reply to this message right now. Your ticket has been assigned an ID of [perl #129190].

Please include the string​:

[perl #129190]

in the subject line of all future correspondence about this issue. To do so\, you may reply to this message (please delete unnecessary quotes and text.)

Thank you\, perl5-security-report@​perl.org

------------------------------------------------------------------------- X-Virus-Checked​: Checked X-Virus-Checked​: Checked X-GM-Message-State​: AE9vXwPLbRwR0qJ6jUO75cN8Cl1JqP OH8PVIGaBhrB621e7mxTME+eY8bRi+EZTUWMWN+IS06a/ZsIqwENn3iw== X-Old-Spam-Check-BY​: la.mx.develooper.com MIME-Version​: 1.0 X-Received​: by 10.36.16.138 with SMTP id 132mr14576013ity.60.1472953518162; Sat\, 03 Sep 2016 18​:45​:18 -0700 (PDT) Return-Path​: \perlmail@&#8203;x6\.develooper\.com Date​: Sat\, 3 Sep 2016 21​:44​:57 -0400 To​: perl5-security-report@​perl.org Subject​: Multiple suspicious Valgrind errors Received​: (qmail 2194 invoked from network); 4 Sep 2016 01​:45​:42 -0000 Received​: from localhost (HELO la.mx.develooper.com) (127.0.0.1) by localhost with SMTP; 4 Sep 2016 01​:45​:42 -0000 Received​: (qmail 2191 invoked by alias); 4 Sep 2016 01​:45​:42 -0000 Received​: from x6.develooper.com (HELO x6.develooper.com) (207.171.7.86) by la.mx.develooper.com (qpsmtpd/0.28) with ESMTP; Sat\, 03 Sep 2016 18​:45​:35 -0700 Received​: by x6.develooper.com (Postfix\, from userid 514) id 8CA381EA4; Sat\, 3 Sep 2016 18​:45​:31 -0700 (PDT) Received​: (qmail 18725 invoked from network); 4 Sep 2016 01​:45​:31 -0000 Received​: from x1.develooper.com (207.171.7.70) by x6.develooper.com with SMTP; 4 Sep 2016 01​:45​:31 -0000 Received​: (qmail 2184 invoked by uid 225); 4 Sep 2016 01​:45​:30 -0000 Received​: (qmail 2180 invoked by alias); 4 Sep 2016 01​:45​:30 -0000 Received​: from mail-it0-f48.google.com (HELO mail-it0-f48.google.com) (209.85.214.48) by la.mx.develooper.com (qpsmtpd/0.28) with ESMTP; Sat\, 03 Sep 2016 18​:45​:22 -0700 Received​: by mail-it0-f48.google.com with SMTP id c198so99792236ith.1 for \perl5\-security\-report@&#8203;perl\.org; Sat\, 03 Sep 2016 18​:45​:22 -0700 (PDT) Received​: by 10.36.196.215 with HTTP; Sat\, 3 Sep 2016 18​:44​:57 -0700 (PDT) X-Spam-Check-BY​: la.mx.develooper.com X-Google-Dkim-Signature​: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state​:mime-version​:from​:date​:message-id​:subject​:to; bh=3rjGLiHGpWkRVqoYmrTJ0T9qeVXebCN0rIvSOel07IU=; b=axBRm89wSuCtb0AP0pqda2o7/lvg1M8Qyt6NTqhcsIjeMHumq4PlEyfouyzhHsLYq9 yPZVt3aonaI9i+kHVE/248wCKtOqYXCvlVrNDmx0JCfQSZxGR/yUaW9rkPExJb1iiMKU rVaF+UIEW2nUKA+1owPFrKuLUcoew/sGlk9rERu9vfT/4ImcsuQKvL535xuYb6YxSLp4 pVAm2lnO2b6pIxEEs8gnW09XBRs8t7o+kbPOY2zLdAtjv52AOicULp09DwPKOKRB20Uy RGFyP+FukSxJce8b3KliwyasQQp5eONUYF3L2K+gXevHbH005lpsGUDTUwI3/q3CdWM6 hhMw== Dkim-Signature​: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version​:from​:date​:message-id​:subject​:to; bh= 3rjGLiHGpWkRVqoYmrTJ0T9qeVXebCN0rIvSOel07IU=; b=zK6by3wH4+ dfjHpb5MigKK2wRTiWM0c2wXOnjjBCjIOXTzSxIH9+mvDbn71KkZI8xt muUpXZYpWMa4SSg+3vNiJP/Ooo2E8zNUwB/7L02jsDTlV2QBEg6J+ktokzJg0tcHI7+M d6NpQPgNTDpRXOc2rUdYj5Fw3KrvLV7C3W1Pt4Mt2oqf18IooQE6E1QB7tn4OewC3fn7 ECUUmAkUflNLb215sqkN80Qlc7/VCWE2HNZqssAl72+PJ6AtNK5FPLS0hkFDQeBNfKlE GVJFfAZ4QlhlNzdmgChC8xJyzPUtHMfstFyk5aeL61pKCrFidsTyzexv1W64Zug1MxTW x2mA== X-Old-Spam-Status​: No\, hits=-2.7 required=8.0 tests=BAYES_00\,DKIM_SIGNED\, DKIM_VALID\,DKIM_VALID_AU\,FREEMAIL_FROM\,HTML_MESSAGE\, RCVD_IN_DNSWL_LOW\,RCVD_IN_SORBS_SPAM\,SPF_PASS Message-ID​: \<CA+tt54KnB50wyKJ_q7YhuRrTLd7=FpWBfbZSqDy0Gg2Mz9vQSA@​mail. gmail.com> From​: Dan Collins \dcollinsn@&#8203;gmail\.com From perlmail@​x6.develooper.com Sun Sep 04 01​:45​:43 2016 Content-Type​: multipart/alternative; boundary=" 001a114382e8388b49053ba4b7bb" X-Spam-Status​: No\, hits=-8.5 required=8.0 tests=BAYES_00\,DKIM_SIGNED\, DKIM_VALID\,DKIM_VALID_AU\,FREEMAIL_FROM\,HTML_MESSAGE\, RCVD_IN_DNSWL_HI\,RCVD_IN_SORBS_SPAM\,RP_MATCHES_RCVD Delivered-To​: rt-perl5-security@​rt.perl.org Delivered-To​: perlmail-perl5-security-report@​onion.perl.org Delivered-To​: perl5-security-report@​perl.org X-RT-Interface​: Email

p5pRT commented 8 years ago

From @tonycoz

On Sat Sep 03 21​:26​:50 2016\, dcollinsn@​gmail.com wrote​:

AFL crash explorer reports that replacing "exec" with any of the following strings will also reproduce this error​:

...

Several similar cases involving the following strings were also identified​:

flock write 0stat fcntl printf select socket

in general\, it appears that this is the repro case​:

perl -e 'printf "%-7s_\$"\, "flock"' | valgrind ../bin/perl

In other words\, exactly 7 characters consisting of a builtin rightpadded by spaces\, followed by a literal '_$'. It seems important that the '$' be the 9th character exactly. The characters between the string and the '$' seem irrelevant. For example\, we have 'exec(eq0$' as one of the fuzzer- generated testcases\, and 'exec(pow$' as another.

Does the attached fix all your test cases for this?

As this involves feeding code to the perl parser\, I don't think it's a security issue.

Tony

p5pRT commented 8 years ago

From @tonycoz

0001-perl-129190-intuit_method-can-move-the-line-buffer.patch ```diff From e36eaa0b2f687d532fe3b2f0b0bbded8e8a1fa17 Mon Sep 17 00:00:00 2001 From: Tony Cook Date: Thu, 8 Sep 2016 13:21:02 +1000 Subject: (perl #129190) intuit_method() can move the line buffer and broke PL_bufptr when it did. --- t/op/lex.t | 5 ++++- toke.c | 10 +++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/t/op/lex.t b/t/op/lex.t index a667183..6eac888 100644 --- a/t/op/lex.t +++ b/t/op/lex.t @@ -7,7 +7,7 @@ use warnings; BEGIN { chdir 't' if -d 't'; require './test.pl'; } -plan(tests => 30); +plan(tests => 31); { no warnings 'deprecated'; @@ -241,3 +241,6 @@ fresh_perl_is( {}, '[perl #129069] - "Missing name" warning and valgrind clean' ); + +fresh_perl_like('flock _$', qr/Not enough arguments for flock/, {stderr => 1}, + "[perl #129190] intuit_method() invalidates PL_bufptr"); diff --git a/toke.c b/toke.c index 3ade32b..3779387 100644 --- a/toke.c +++ b/toke.c @@ -4079,11 +4079,12 @@ S_intuit_method(pTHX_ char *start, SV *ioname, CV *cv) } if (*start == '$') { + SSize_t start_off = start - SvPVX(PL_linestr); if (cv || PL_last_lop_op == OP_PRINT || PL_last_lop_op == OP_SAY || isUPPER(*PL_tokenbuf)) return 0; s = skipspace(s); - PL_bufptr = start; + PL_bufptr = SvPVX(PL_linestr) + start_off; PL_expect = XREF; return *s == '(' ? FUNCMETH : METHOD; } @@ -7034,17 +7035,24 @@ Perl_yylex(pTHX) == OA_FILEREF)) { bool immediate_paren = *s == '('; + SSize_t s_off; /* (Now we can afford to cross potential line boundary.) */ s = skipspace(s); /* Two barewords in a row may indicate method call. */ + /* intuit_method() can indirectly call lex_next_chunk(), + * invalidating s + */ + s_off = s - SvPVX(PL_linestr); if ((isIDFIRST_lazy_if(s,UTF) || *s == '$') && (tmp = intuit_method(s, lex ? NULL : sv, cv))) { + /* the code at method: doesn't use s */ goto method; } + s = SvPVX(PL_linestr) + s_off; /* If not a declared subroutine, it's an indirect object. */ /* (But it's an indir obj regardless for sort.) */ -- 2.1.4 ```
p5pRT commented 8 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 8 years ago

From @dcollinsn

Sorry for the delay in responding to this. Yes\, Tony\, the patch you attached fixes my testcases.

On Wed\, Sep 7\, 2016 at 11​:23 PM\, Tony Cook via RT \< perl5-security-report@​perl.org> wrote​:

On Sat Sep 03 21​:26​:50 2016\, dcollinsn@​gmail.com wrote​:

AFL crash explorer reports that replacing "exec" with any of the following strings will also reproduce this error​:

...

Several similar cases involving the following strings were also identified​:

flock write 0stat fcntl printf select socket

in general\, it appears that this is the repro case​:

perl -e 'printf "%-7s_\$"\, "flock"' | valgrind ../bin/perl

In other words\, exactly 7 characters consisting of a builtin rightpadded by spaces\, followed by a literal '_$'. It seems important that the '$' be the 9th character exactly. The characters between the string and the '$' seem irrelevant. For example\, we have 'exec(eq0$' as one of the fuzzer- generated testcases\, and 'exec(pow$' as another.

Does the attached fix all your test cases for this?

As this involves feeding code to the perl parser\, I don't think it's a security issue.

Tony

From e36eaa0b2f687d532fe3b2f0b0bbded8e8a1fa17 Mon Sep 17 00​:00​:00 2001 From​: Tony Cook \tony@&#8203;develop\-help\.com Date​: Thu\, 8 Sep 2016 13​:21​:02 +1000 Subject​: (perl #129190) intuit_method() can move the line buffer

and broke PL_bufptr when it did. --- t/op/lex.t | 5 ++++- toke.c | 10 +++++++++- 2 files changed\, 13 insertions(+)\, 2 deletions(-)

diff --git a/t/op/lex.t b/t/op/lex.t index a667183..6eac888 100644 --- a/t/op/lex.t +++ b/t/op/lex.t @​@​ -7\,7 +7\,7 @​@​ use warnings;

BEGIN { chdir 't' if -d 't'; require './test.pl'; }

-plan(tests => 30); +plan(tests => 31);

{ no warnings 'deprecated'; @​@​ -241\,3 +241\,6 @​@​ fresh_perl_is( {}\, '[perl #129069] - "Missing name" warning and valgrind clean' ); + +fresh_perl_like('flock _$'\, qr/Not enough arguments for flock/\, {stderr => 1}\, + "[perl #129190] intuit_method() invalidates PL_bufptr"); diff --git a/toke.c b/toke.c index 3ade32b..3779387 100644 --- a/toke.c +++ b/toke.c @​@​ -4079\,11 +4079\,12 @​@​ S_intuit_method(pTHX_ char *start\, SV *ioname\, CV *cv) }

 if \(\*start == '$'\) \{

+ SSize_t start_off = start - SvPVX(PL_linestr); if (cv || PL_last_lop_op == OP_PRINT || PL_last_lop_op == OP_SAY || isUPPER(*PL_tokenbuf)) return 0; s = skipspace(s); - PL_bufptr = start; + PL_bufptr = SvPVX(PL_linestr) + start_off; PL_expect = XREF; return *s == '(' ? FUNCMETH : METHOD; } @​@​ -7034\,17 +7035\,24 @​@​ Perl_yylex(pTHX)

OA_FILEREF)) { bool immediate_paren = *s == '('; + SSize_t s_off;

                /\* \(Now we can afford to cross potential line

boundary.) */ s = skipspace(s);

                /\* Two barewords in a row may indicate method call\. \*/

+ /* intuit_method() can indirectly call lex_next_chunk()\, + * invalidating s + */ + s_off = s - SvPVX(PL_linestr); if ((isIDFIRST_lazy_if(s\,UTF) || *s == '$') && (tmp = intuit_method(s\, lex ? NULL : sv\, cv))) { + /* the code at method​: doesn't use s */ goto method; } + s = SvPVX(PL_linestr) + s_off;

                /\* If not a declared subroutine\, it's an indirect

object. */ /* (But it's an indir obj regardless for sort.) */ -- 2.1.4

p5pRT commented 7 years ago

From @iabyn

On Sun\, Sep 11\, 2016 at 01​:02​:44AM -0400\, Dan Collins wrote​:

Sorry for the delay in responding to this. Yes\, Tony\, the patch you attached fixes my testcases.

Tony\, any particular reason you haven't applied your patch yet?

-- But Pity stayed his hand. "It's a pity I've run out of bullets"\, he thought. -- "Bored of the Rings"

p5pRT commented 7 years ago

From @tonycoz

On Mon\, 12 Dec 2016 07​:54​:39 -0800\, davem wrote​:

On Sun\, Sep 11\, 2016 at 01​:02​:44AM -0400\, Dan Collins wrote​:

Sorry for the delay in responding to this. Yes\, Tony\, the patch you attached fixes my testcases.

Tony\, any particular reason you haven't applied your patch yet?

I lost track of it.

Applied as 743e3e72117ab1d168cbf4ef15bcde67ca41e26a (with some noise.)

Since this isn't a security issue\, the ticket is now public\, and closed since it's patched.

Tony

p5pRT commented 7 years ago

@tonycoz - Status changed from 'open' to 'pending release'

p5pRT commented 7 years ago

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0\, this and 210 other issues have been resolved.

Perl 5.26.0 may be downloaded via​: https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists\, feel free to reopen this ticket.

p5pRT commented 7 years ago

@khwilliamson - Status changed from 'pending release' to 'resolved'