
[perl #24569] segmentation fault with Safe and /(?{...})/

From: pajas@localhost.localdomain
Date: November 29, 2003 12:00
Subject: [perl #24569] segmentation fault with Safe and /(?{...})/
Message ID: rt-3.0.7_01-24569-67931.9.39153221311805@perl.org
# New Ticket Created by  pajas@localhost.localdomain 
# Please include the string:  [perl #24569]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org:80/rt3/Ticket/Display.html?id=24569 >



This is a bug report for perl from pajas@localhost.localdomain,
generated with the help of perlbug 1.34 running under perl v5.8.2.


-----------------------------------------------------------------
[Please enter your report here]

I'm using a Safe compartment to safely evaluate regular expressions
provided by the user. If a forbidden opcode is called from within (?{ ... })
in a regexp construction, perl produces an immediate segmentation fault
(instead of reporting the forbidden opcode).

I feel this is quite serious, because any perl program using Safe compartment
to run user-provided code, allowing match but forbidding at least one opcode,
may be attacked in this way.

The following one-liner demonstrates the problem.

perl -MSafe -e '$e=Safe->new; $e->permit_only(qw(lineseq padany leaveeval match const)); print $e->reval("m/(?{1+1})/");print $@'

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=high
---
Site configuration information for perl v5.8.2:

Configured by pajas at Wed Nov 12 19:04:10 CET 2003.

Summary of my perl5 (revision 5.0 version 8 subversion 2) configuration:
  Platform:
    osname=linux, osvers=2.4.20-20.9, archname=noarch-linux-thread-multi
    uname='linux sup.ms.mff.cuni.cz 2.4.20-20.9 #1 mon aug 18 11:45:58 edt 2003 i686 i686 i386 gnulinux '
    config_args='-des -Doptimize=-O2 -g -pipe -march=i386 -mcpu=i686 -Dversion=5.8.2 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dinstallprefix=/usr -Dprefix=/usr -Darchname=noarch-linux -Dvendorprefix=/usr -Dsiteprefix=/usr -Dotherlibdirs=/usr/lib/perl5/5.8.2 -Duseshrplib -Dusethreads -Duseithreads -Duselargefiles -Dd_dosuid -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl -Ubincompat5005 -Uversiononly -Dinc_version_list=5.8.0/noarch-linux-thread-multi 5.8.0 -Dpager=/usr/bin/less -isr'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -I/usr/local/include -I/opt/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-O2 -g -pipe -march=i386 -mcpu=i686',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -I/usr/local/include -I/opt/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='3.2.2 20030222 (Red Hat Linux 3.2.2-5)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib -L/opt/local/lib'
    libpth=/usr/local/lib /opt/local/lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.3.2.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.3.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic -Wl,-rpath,/usr/lib/perl5/5.8.2/noarch-linux-thread-multi/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib -L/opt/local/lib'

Locally applied patches:
    

---
@INC for perl v5.8.2:
    /home/pajas/treebank/perl
    /net/su/h/local2-rh8/lib/perl5/site_perl/5.8.0
    /net/su/h/local2-rh8/lib/perl5/site_perl/5.8.0/i386-linux
    /net/su/h/local2-rh8/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
    /usr/lib/perl5/5.8.2/noarch-linux-thread-multi
    /usr/lib/perl5/5.8.2
    /usr/lib/perl5/site_perl/5.8.2/noarch-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.2
    /usr/lib/perl5/site_perl/5.8.0
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.2/noarch-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.2
    /usr/lib/perl5/vendor_perl/5.8.0
    /usr/lib/perl5/vendor_perl
    /usr/lib/perl5/5.8.2/noarch-linux-thread-multi
    /usr/lib/perl5/5.8.2
    .

---
Environment for perl v5.8.2:
    HOME=/home/pajas
    LANG=cs_CZ
    LANGUAGE (unset)
    LC_CTYPE=cs_CZ
    LD_LIBRARY_PATH=/lib:/usr/lib:/home/pajas/local2/lib:/home/pajas/lib:
    LOGDIR (unset)
    PATH=/home/pajas/bin:/net/su/h/local2-rh8/bin:/usr/ssh2/bin:/usr/bin:/bin:/usr/kerberos/bin:/usr/X11R6/bin:/home/pajas/bin:/usr/local/bin:/usr/local/exec:/home/pajas/treebank/perl:/home/pajas/treebank/rev:/home/pajas/jdk/bin
    PERLLIB=/home/pajas/treebank/perl:/net/su/h/local2-rh8/lib/perl5/site_perl/5.8.0:/net/su/h/local2-rh8/lib/perl5/site_perl/5.8.0/i386-linux:/net/su/h/local2-rh8/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
    PERL_BADLANG (unset)
    PERL_RL=Perl
    SHELL=/bin/bash


