Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

heap-use-after-free in S_unshare_hek_or_pvn (hv.c:2857) #15687

Open p5pRT opened 8 years ago

p5pRT commented 8 years ago

Migrated from rt.perl.org#129975 (status was 'open')

Searchable as RT129975$

p5pRT commented 8 years ago

From @geeknik

Triggered in Perl v5.25.7 (v5.25.6-71-gac15b3d) with AFL+ASAN. Does not fail under valgrind.

==28151==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000dfb8 at pc 0x00000088df26 bp 0x7fffc94d7470 sp 0x7fffc94d7468
READ of size 8 at 0x60200000dfb8 thread T0 (0)
    #0 0x88df25 in S_unshare_hek_or_pvn /root/perl/hv.c:2857:2
    #1 0x94da7b in Perl_sv_clear /root/perl/sv.c:6689:4
    #2 0x9521c2 in Perl_sv_free2 /root/perl/sv.c:6996:9
    #3 0x4e3976 in S_SvREFCNT_dec /root/perl/./inline.h:189:6
    #4 0x4e3976 in Perl_op_clear /root/perl/op.c:971
    #5 0x4e2115 in Perl_op_free /root/perl/op.c:854:9
    #6 0x4e1d65 in Perl_op_free /root/perl/op.c:837:21
    #7 0x586809 in perl_destruct /root/perl/perl.c:831:2
    #8 0x4de7ca in main /root/perl/perlmain.c:134:18
    #9 0x7f7e5e900b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
    #10 0x4de2ac in _start (/root/perl/perl+0x4de2ac)

0x60200000dfba is located 0 bytes to the right of 10-byte region [0x60200000dfb0,0x60200000dfba)
freed by thread T0 (0) here:
    #0 0x4c09ab in __interceptor_free (/root/perl/perl+0x4c09ab)
    #1 0x7f8f84 in Perl_safesysfree /root/perl/util.c:388:2
    #2 0x9521c2 in Perl_sv_free2 /root/perl/sv.c:6996:9

previously allocated by thread T0 (0) here:
    #0 0x4c0c2b in malloc (/root/perl/perl+0x4c0c2b)
    #1 0x7f80b7 in Perl_safesysmalloc /root/perl/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/hv.c:2857 S_unshare_hek_or_pvn
Shadow bytes around the buggy address:
  0x0c047fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
=>0x0c047fff9bf0: fa fa fd fd fa fa fd[fd]fa fa 00 02 fa fa fd fd
  0x0c047fff9c00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9c10: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9c20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9c30: fa fa fd fd fa fa 02 fa fa fa fd fd fa fa fd fd
  0x0c047fff9c40: fa fa fd fd fa fa 00 02 fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==28151==ABORTING
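As an added triage helper, not part of this report or of perl5: a small Python parser for the AddressSanitizer report above. It pulls out the error class, the faulting address and access size, the freed region, and the three stacks (access, free, allocation), then names the first non-allocator frame of the free and allocation stacks and lists frames shared by the access and free stacks (here Perl_sv_free2 at sv.c:6996:9 appears in both). The regexes, the allocator prefix list, and the choice to treat Perl_safesysmalloc/Perl_safesysfree as thin wrappers to skip are assumptions of this example, not anything the report states; the embedded sample is the report above re-wrapped one frame per line.

```python
"""Triage helper for AddressSanitizer reports (added example, not perl5 code)."""
import re

# The ASan report from the bug above, re-wrapped one frame per line.
SAMPLE_REPORT = """\
==28151==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000dfb8 at pc 0x00000088df26 bp 0x7fffc94d7470 sp 0x7fffc94d7468
READ of size 8 at 0x60200000dfb8 thread T0
    #0 0x88df25 in S_unshare_hek_or_pvn /root/perl/hv.c:2857:2
    #1 0x94da7b in Perl_sv_clear /root/perl/sv.c:6689:4
    #2 0x9521c2 in Perl_sv_free2 /root/perl/sv.c:6996:9
    #3 0x4e3976 in S_SvREFCNT_dec /root/perl/./inline.h:189:6
    #4 0x4e3976 in Perl_op_clear /root/perl/op.c:971
    #5 0x4e2115 in Perl_op_free /root/perl/op.c:854:9
    #6 0x4e1d65 in Perl_op_free /root/perl/op.c:837:21
    #7 0x586809 in perl_destruct /root/perl/perl.c:831:2
    #8 0x4de7ca in main /root/perl/perlmain.c:134:18
    #9 0x7f7e5e900b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
    #10 0x4de2ac in _start (/root/perl/perl+0x4de2ac)

0x60200000dfba is located 0 bytes to the right of 10-byte region [0x60200000dfb0,0x60200000dfba)
freed by thread T0 here:
    #0 0x4c09ab in __interceptor_free (/root/perl/perl+0x4c09ab)
    #1 0x7f8f84 in Perl_safesysfree /root/perl/util.c:388:2
    #2 0x9521c2 in Perl_sv_free2 /root/perl/sv.c:6996:9

previously allocated by thread T0 here:
    #0 0x4c0c2b in malloc (/root/perl/perl+0x4c0c2b)
    #1 0x7f80b7 in Perl_safesysmalloc /root/perl/util.c:153:21

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/hv.c:2857 S_unshare_hek_or_pvn
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<off>\d+) bytes (?P<side>to the right of|to the left of|inside of) "
    r"(?P<size>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")

# Frames belonging to the allocator or ASan's interceptors; never the bug itself (assumed list).
ALLOCATOR_PREFIXES = ("__interceptor_", "malloc", "calloc", "realloc", "free")


def _frames(block):
    return [(m["func"], m["loc"]) for m in FRAME_RE.finditer(block)]


def parse_asan_report(text):
    """Split an ASan report into header fields and its access/free/alloc stacks."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not an AddressSanitizer error report")
    # The stacks are delimited by the lines that introduce them.
    freed_at = text.find("freed by thread")
    alloc_at = text.find("previously allocated by thread")
    end = len(text)
    access_end = freed_at if freed_at >= 0 else (alloc_at if alloc_at >= 0 else end)
    free_block = text[freed_at:alloc_at if alloc_at >= 0 else end] if freed_at >= 0 else ""
    alloc_block = text[alloc_at:] if alloc_at >= 0 else ""
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    return {
        "kind": header["kind"],
        "address": int(header["addr"], 16),
        "access": (access["op"], int(access["size"])) if access else None,
        "region": {"start": int(region["start"], 16), "size": int(region["size"]),
                   "offset": int(region["off"]), "side": region["side"]} if region else None,
        "access_stack": _frames(text[:access_end]),
        "free_stack": _frames(free_block),
        "alloc_stack": _frames(alloc_block),
    }


def blame_frame(stack, wrappers=()):
    """First frame that is neither allocator/interceptor code nor a listed thin wrapper."""
    for func, loc in stack:
        if func.startswith(ALLOCATOR_PREFIXES) or func in wrappers:
            continue
        return (func, loc)
    return None


def common_frames(report):
    """Frames shared by the faulting access stack and the free stack: the free and the
    later access ran through the same code path, which is where to look for the imbalance."""
    freed = set(report["free_stack"])
    return [f for f in report["access_stack"] if f in freed]


def is_use_after_free(report):
    return report["kind"] == "heap-use-after-free" and bool(report["free_stack"])


def summarize(report, wrappers=()):
    """One-screen triage summary of a parsed report."""
    op, size = report["access"] or ("?", "?")
    lines = [f"{report['kind']} {op} of {size} bytes at {report['address']:#x}"]
    if report["region"]:
        r = report["region"]
        lines.append(f"  region {r['start']:#x} size {r['size']}, access {r['offset']} bytes {r['side']} it")
    if report["access_stack"]:
        lines.append("  faulting access: %s %s" % report["access_stack"][0])
    for name, stack in (("freed by", report["free_stack"]), ("allocated by", report["alloc_stack"])):
        b = blame_frame(stack, wrappers)
        if b:
            lines.append(f"  {name}: {b[0]} {b[1]}")
    for func, loc in common_frames(report):
        lines.append(f"  shared by access and free stacks: {func} {loc}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Perl_safesys* are treated as thin wrappers here (assumption) so the caller is blamed.
    print(summarize(parse_asan_report(SAMPLE_REPORT), wrappers=("Perl_safesysmalloc", "Perl_safesysfree")))
```

The same parser applies to heap-buffer-overflow reports, which carry only the allocation stack; `free_stack` then comes back empty and `is_use_after_free` is false.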

p5pRT commented 8 years ago

From @geeknik

test165.gz

p5pRT commented 8 years ago

From @tonycoz

On Wed, 26 Oct 2016 20:45:10 -0700, brian.carpenter@gmail.com wrote:

Triggered in Perl v5.25.7 (v5.25.6-71-gac15b3d) with AFL+ASAN. Does not fail under valgrind.

Here's a minimized version​:

*p= *$p= $| = *$p = $p |= *$p = *p = $p = \p

Changing the \p to some other reference, like \w, fails differently:

  Can't coerce GLOB to string in bitwise or (|) at ../129975b.pl line 1.

I suspect another stack refcounting bug.

Tony

p5pRT commented 8 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 7 years ago

From @tonycoz

On Mon, 07 Nov 2016 16:13:18 -0800, tonyc wrote:

I suspect another stack refcounting bug.

I'm surer of it now, so making it public, since we haven't been treating such issues as security issues.

Tony