Open p5pRT opened 6 years ago
Dear all,
the following crash was found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL).
I have attached the crashing input and an ASAN output. To reproduce the crash issue, execute perl5 with the crashing input as script (perl <crashing_input>).
Credits: Simon Wörner, Sergej Schumilo, Cornelius Aschermann (all of Ruhr-Universität Bochum)
Best regards, Simon Wörner
==24883==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006380e0 bp 0x000000000000 sp 0x7ffce36fccc0 T0)
    #0 0x6380df in Perl_sv_setpv_bufsize (/home/kafl/perl-5.28.0/perl+0x6380df)
    #1 0x5e9d77 in Perl_pp_concat (/home/kafl/perl-5.28.0/perl+0x5e9d77)
    #2 0x5e736a in Perl_runops_standard (/home/kafl/perl-5.28.0/perl+0x5e736a)
    #3 0x48e977 in perl_run (/home/kafl/perl-5.28.0/perl+0x48e977)
    #4 0x424724 in main (/home/kafl/perl-5.28.0/perl+0x424724)
    #5 0x7f97d420b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x424c98 in _start (/home/kafl/perl-5.28.0/perl+0x424c98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 Perl_sv_setpv_bufsize
==24883==ABORTING
On Thu, 12 Jul 2018 12:15:34 GMT, simon.woerner@rub.de wrote:
This is a bug report for perl from simon.woerner@rub.de\, generated with the help of perlbug 1.40 running under perl 5.26.1.
Running on a threaded, debugging Perl built at blead (v5.29.2-41-ge47f50f38f) and with this input (as seen in vim):
#####
A^@^@A$A.=*^@A=@^@5=*A*A
#####
... I got this result:
#####
Operator or semicolon missing before *A at /home/jkeenan/learn/perl/p5p/133363-crash/133363-perl_crash line 1.
Ambiguous use of * resolved as operator * at /home/jkeenan/learn/perl/p5p/133363-crash/133363-perl_crash line 1.
Segmentation fault (core dumped)
#####
I believe that confirms the report.
Thank you very much.
-- James E Keenan (jkeenan@cpan.org)
The RT System itself - Status changed from 'new' to 'open'
This looks like a stack not refcounted issue, it deparses to:
'A'->A($A .= *A = @5 = *A * 'A');
The $A would be pushed, then *A is set to 0 (scalar @5) which frees $A, which .= (pp_concat) then tries to modify.
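The sequence in the comment above, as an added illustration that is not perl's code and not from anyone on this thread: a toy refcounted SV, a glob slot that owns its scalar, and an argument stack that holds raw SV pointers the way perl's does. Every name here (sv_new, glob_assign, run_scenario and the rest) is invented for the model. The "owning push" variant only shows the general remedy for this bug class, holding a reference for as long as an SV sits on the stack; it is not the upstream fix for this ticket, which the thread does not show.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model only (hypothetical names, not perl's real structures): an SV
 * with a refcount, a glob slot that owns its $ scalar, and an argument
 * stack of raw SV pointers.  Dropping the last reference marks the SV
 * freed and releases its string instead of freeing the struct, so the
 * stale use can be observed without undefined behaviour. */
typedef struct { int refcnt; bool freed; char *pv; } SV;
typedef struct { SV *scalar; } Glob;            /* the $A slot of *A */

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    memcpy(p, s, n);
    return p;
}

static SV *sv_new(const char *s) {
    SV *sv = calloc(1, sizeof *sv);
    sv->refcnt = 1;
    sv->pv = dup_str(s);
    return sv;
}

static void sv_refcnt_inc(SV *sv) { sv->refcnt++; }

static void sv_refcnt_dec(SV *sv) {
    if (--sv->refcnt == 0) {                    /* last owner gone: SV is "freed" */
        free(sv->pv);
        sv->pv = NULL;
        sv->freed = true;
    }
}

static void sv_teardown(SV *sv) { free(sv->pv); free(sv); }   /* model cleanup only */

/* Argument stack: it borrows SV pointers, which is exactly the property
 * the comment calls "stack not refcounted". */
static SV *stack[8];
static int  sp = -1;
static void stack_push(SV *sv) { stack[++sp] = sv; }
static SV  *stack_pop(void)    { return stack[sp--]; }

/* "*A = ..." : the glob takes a new scalar and drops its old one. */
static void glob_assign(Glob *g, SV *replacement) {
    SV *old = g->scalar;
    g->scalar = replacement;
    sv_refcnt_dec(old);
}

/* What pp_concat does with its target; refuses to touch a freed SV. */
static bool concat_into(SV *target, const char *rhs) {
    if (target->freed) return false;
    size_t n = strlen(target->pv), m = strlen(rhs);
    target->pv = realloc(target->pv, n + m + 1);
    memcpy(target->pv + n, rhs, m + 1);
    return true;
}

/* Model of "$A .= (*A = ...)".  With stack_owns_ref false the stack only
 * borrows $A, as in the report; with it true the push takes a reference
 * that is released after use.  Returns true if the concat reached a live
 * SV, copying the result into out. */
static bool run_scenario(bool stack_owns_ref, char *out, size_t outlen) {
    Glob A = { sv_new("A") };
    SV  *pushed = A.scalar;

    stack_push(pushed);                         /* $A pushed as the .= target */
    if (stack_owns_ref) sv_refcnt_inc(pushed);

    glob_assign(&A, sv_new(""));                /* *A = @5 (scalar 0): old $A loses its only owner */

    SV  *target = stack_pop();                  /* pp_concat reads the raw pointer back */
    bool live   = concat_into(target, "A");
    if (live) snprintf(out, outlen, "%s", target->pv);
    if (stack_owns_ref) sv_refcnt_dec(target);

    sv_teardown(target);
    sv_teardown(A.scalar);
    return live;
}

/* The report's pattern: the target is already freed when .= runs. */
bool borrowing_stack_hits_freed_sv(void) {
    char out[16] = "";
    return !run_scenario(false, out, sizeof out);
}

/* Same op sequence with an owning push: $A survives and becomes "AA". */
bool owning_stack_keeps_sv_alive(void) {
    char out[16] = "";
    return run_scenario(true, out, sizeof out) && strcmp(out, "AA") == 0;
}

int main(void) {
    printf("borrowing stack reaches freed SV: %s\n", borrowing_stack_hits_freed_sv() ? "yes" : "no");
    printf("owning stack keeps SV alive:      %s\n", owning_stack_keeps_sv_alive() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the dangling pointer is created by an op that runs between the push and the use, so the fix has to live in the ownership rule of the stack (or in the op that can free the SV), not in pp_concat; in the real interpreter the stale target is what Perl_sv_setpv_bufsize dereferences in the ASAN trace above.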
Migrated from rt.perl.org#133363 (status was 'open')
Searchable as RT133363$