Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Null pointer dereference in Perl_pp_multiconcat #16468

Open p5pRT opened 6 years ago

p5pRT commented 6 years ago

Migrated from rt.perl.org#132991 (status was 'new')

Searchable as RT132991$

p5pRT commented 6 years ago

From jeremy@feusi.co

Created by jeremy@feusi.co

Reply-To: jeremy@feusi.co

This is a bug report for perl from jeremy@feusi.co, generated with the help of perlbug 1.40 running under perl 5.26.1.

-----------------------------------------------------------------

Perl segfaults when executing the attached program (perl \) due to a null pointer dereference in Perl_pp_multiconcat. This bug can also be reproduced on archlinux and debian with standard installation configuration and version 5.26.1.

Detailed backtrace:

```
ASAN:DEADLYSIGNAL
==9327==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x00000084e5f2 bp 0x7ffeed336030 sp 0x7ffeed335a40 T0)
==9327==The signal is caused by a READ memory access.
==9327==Hint: address points to the zero page.
    #0 0x84e5f1 in Perl_pp_multiconcat /home/jfe/perl52/pp_hot.c
    #1 0x8488be in Perl_runops_standard /home/jfe/perl52/run.c:41:26
    #2 0xa95bf6 in S_regmatch /home/jfe/perl52/regexec.c:7424:3
    #3 0xa74ea0 in S_regtry /home/jfe/perl52/regexec.c:4086:14
    #4 0xa57204 in Perl_regexec_flags /home/jfe/perl52/regexec.c:3943:7
    #5 0x877ab1 in Perl_pp_subst /home/jfe/perl52/pp_hot.c:4212:10
    #6 0x8488be in Perl_runops_standard /home/jfe/perl52/run.c:41:26
    #7 0x5dbc91 in S_run_body /home/jfe/perl52/perl.c
    #8 0x5dabb4 in perl_run /home/jfe/perl52/perl.c:2646:2
    #9 0x52f0b8 in main /home/jfe/perl52/perlmain.c:122:9
    #10 0x7fe328886f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #11 0x43f999 in _start (/home/jfe/perl52/perl+0x43f999)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jfe/perl52/pp_hot.c in Perl_pp_multiconcat
==9327==ABORTING
```

This bug was found with honggfuzz and asan.

Perl Info
p5pRT commented 6 years ago

From jeremy@feusi.co

```perl
#!./perl
m/(?{print <<EOF
A$A
EOF
})/g;
eval 's/${\%A}{3}//e';
```

richardleach commented 5 years ago

Looks like this has been fixed:

```
This is perl 5, version 30, subversion 0 (v5.30.0) built for MSWin32-x64-multi-thread
C:\fldr>perl fzz.pl
A
A
A
```

```
This is perl 5, version 28, subversion 1 (v5.28.1) built for x86_64-linux-gnu-thread-multi
me@disbox:~# perl fzz.pl
A
A
A
```

Ran out of time to dig deeper or bisect. Can do so at the weekend, unless someone wants to beat me to it.

richardleach commented 5 years ago

Looks like it was fixed by 4e521aaf3ed717774455b3906bd5aa46bc397319

commit 4e521aaf3ed717774455b3906bd5aa46bc397319
Author: David Mitchell <davem@iabyn.com>
Date:   Tue Feb 5 13:48:21 2019 +0000

    Avoid leak in multiconcat with overloading.

    RT #133789

    In the path taken through pp_multiconcat() when one or more args have
    side-effects such tieing or overloading, multiconcat has to decide
    whether to just return the result of all the concatting as-is, or to
    first assign it to an expression or variable if the op includes an
    implicit assign (such as $lex = x.y.z or $a[0] = x.y.z).

    The code was getting this right for those two cases, and was also
    getting it right for the append cases ($lex .= x.y.z and $a[0] .= x.y.z),
    which don't need assigns. But for the bare case (x.y.z) it was assigning
    to the op's targ as well as returning the value. Hence leaking a
    reference until destruction of the sub and its pad.

    This commit stops the assign in that last case.

atoomic commented 5 years ago

the first release for 4e521aaf3ed717774455b3906bd5aa46bc397319 is v5.29.8

iabyn commented 4 years ago

On Thu, Oct 24, 2019 at 04:53:11PM -0700, Richard Leach wrote:

> Looks like this has been fixed:
>
> ```
> This is perl 5, version 30, subversion 0 (v5.30.0) built for MSWin32-x64-multi-thread
> C:\fldr>perl fzz.pl
> A
> A
> A
> ```
>
> ```
> This is perl 5, version 28, subversion 1 (v5.28.1) built for x86_64-linux-gnu-thread-multi
> me@disbox:~# perl fzz.pl
> A
> A
> A
> ```
>
> Ran out of time to dig deeper or bisect. Can do so at the weekend, unless someone wants to beat me to it.

It's not fixed, but it's only an issue on non-threaded builds. The bug can be exhibited without using multiconcat, e.g.

```perl
my $A = "";
"" =~ m/(?{ my $x; })/;   # successful match; this pattern (with its code block) becomes the "last successful pattern"
my $s;
sub f { $s =~ s//foo/ }   # empty pattern: reuses the m// above, so the (?{ my $x; }) block runs with f's pad current
f();
```

It's because the empty pattern in the s/// causes the last successful pattern to be used instead, which is the earlier m//. This is called with PL_curcop still pointing to f's pad, so the lookup of $x in the current pad retrieves a random pointer value off the end of f's pad.

It's basically a problem with the empty pattern misfeature. Needs fixing at some point.

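To make the rule that iabyn's analysis rests on concrete, here is a small added example (constructed for this write-up, not code from the issue or from the perl source): an empty pattern in s/// does not mean "match nothing" but reuses the last successful pattern, its (?{ }) code block included, so an explicitly empty pattern such as (?:) is the way to say what the author of `s//.../` usually meant.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed demonstration of the "empty pattern" rule: if the pattern in
# m// or s/// is empty, perl substitutes the last *successfully matched*
# pattern in dynamic scope instead of matching the empty string.

sub last_pattern_reuse {
    my $text = "foo-bar";
    "foo" =~ /fo+/;                  # succeeds: /fo+/ is now the "last pattern"
    (my $copy = $text) =~ s//X/;     # empty pattern, so this really runs s/fo+/X/
    return $copy;                    # "X-bar", not "Xfoo-bar"
}

sub explicit_empty_match {
    my $text = "foo-bar";
    "foo" =~ /fo+/;                  # same preceding match as above
    (my $copy = $text) =~ s/(?:)/X/; # genuinely empty pattern: matches at offset 0
    return $copy;                    # "Xfoo-bar"
}

sub stale_code_block {
    # The reused pattern can carry a (?{ }) block compiled in another scope;
    # that is the path the report above goes down when the block refers to a
    # lexical that does not live in the current pad.
    my $count = 0;
    "abc" =~ /b(?{ $count++ })/;     # success: pattern with a code block is now "last"
    my $s = "xbx";
    $s =~ s//-/;                     # reuses /b(?{ $count++ })/ and runs the block again
    return ($s, $count);             # ("x-x", 2)
}

print last_pattern_reuse(), "\n";
print explicit_empty_match(), "\n";
my ($s, $n) = stale_code_block();
print "$s $n\n";
```

A grep for `s//` or `m//` in a code base is a cheap way to find places relying on this rule unintentionally.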