
blead AddressSanitizer: heap-buffer-overflow (READ of size 1)

From:
George Greer
Date:
September 13, 2014 16:38
Subject:
blead AddressSanitizer: heap-buffer-overflow (READ of size 1)
Message ID:
alpine.LFD.2.11.1409131232390.11017@drei.m-l.org
On Fri, 12 Sep 2014, George Greer wrote:

> Smoke logs available at http://m-l.org/~perl/smoke/perl/linux/blead_clang_sanitize=address/logc4c61c60d2920ba19f2127f56554142d9173e4fa.log.gz
[...]
> v5.21.3-525-gc4c61c6  Configuration (common) -Accflags="-fsanitize=address" -Aldflags="-fsanitize=address" -Dcc=clang
> ----------- ---------------------------------------------------------
> X O O X O O
> X O O X O O -Accflags=-DPERL_POISON
> X O O X O O -Duse64bitall -Accflags=-DPERL_GLOBAL_STRUCT
> X O O X O O -Dusemorebits -Accflags=-DPERL_GLOBAL_STRUCT_PRIVATE
> X O O X O O -Accflags=-DPERL_NO_COW
> X O O X O O -Duseithreads
> X O O X O O -Duseithreads -Accflags=-DPERL_POISON
> X O O X O O -Duseithreads -Duse64bitall -Accflags=-DPERL_GLOBAL_STRUCT
> X O O X O O -Duseithreads -Dusemorebits -Accflags=-DPERL_GLOBAL_STRUCT_PRIVATE
> X O O X O O -Duseithreads -Accflags=-DPERL_NO_COW
> | | | | | +- LC_ALL = en_US.utf8 -DDEBUGGING
> | | | | +--- PERLIO = perlio -DDEBUGGING
> | | | +----- PERLIO = stdio  -DDEBUGGING
> | | +------- LC_ALL = en_US.utf8
> | +--------- PERLIO = perlio
> +----------- PERLIO = stdio
[...]
> [stdio] -Duseithreads
> [stdio] -DDEBUGGING -Duseithreads
> [stdio] -Duseithreads -Accflags=-DPERL_POISON
> [stdio] -DDEBUGGING -Duseithreads -Accflags=-DPERL_POISON
> [stdio] -Duseithreads -Duse64bitall -Accflags=-DPERL_GLOBAL_STRUCT
> [stdio] -DDEBUGGING -Duseithreads -Duse64bitall -Accflags=-DPERL_GLOBAL_STRUCT
> [stdio] -Duseithreads -Dusemorebits -Accflags=-DPERL_GLOBAL_STRUCT_PRIVATE
> [stdio] -DDEBUGGING -Duseithreads -Accflags=-DPERL_NO_COW
> Inconsistent test results (between TEST and harness):
>    ../t/re/pat.t........................... ..................................................... FAILED--no leader found
>    ../t/re/pat_thr.t....................... ................................................. FAILED--no leader found

AddressSanitizer output (on current blead, not the smoke's commit) is:

==17780== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6006000790e8 at pc 0x4e0c8f bp 0x7fffb78eb8c0 sp 0x7fffb78eb8b8
READ of size 1 at 0x6006000790e8 thread T0
     #0 0x4e0c8e in S_scan_heredoc /home/perl/p/perl/toke.c:9235
     #1 0x4e0c8e in Perl_yylex /home/perl/p/perl/toke.c:5801
     #2 0x51077f in Perl_yyparse /home/perl/p/perl/perly.c:322
     #3 0x47bb5c in S_parse_body /home/perl/p/perl/perl.c:2266
     #4 0x47e3e6 in perl_parse /home/perl/p/perl/perl.c:1600
     #5 0x42139f in main /home/perl/p/perl/perlmain.c:112
     #6 0x7fccf4fe8ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
     #7 0x42198d in _start (/home/perl/p/perl/perl+0x42198d)
0x6006000790e8 is located 16 bytes to the right of 24-byte region [0x6006000790c0,0x6006000790d8)
allocated by thread T0 here:
     #0 0x7fccf5ae555f (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1555f)
     #1 0x5c2fa4 in Perl_safesysrealloc /home/perl/p/perl/util.c:258
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/perl/p/perl/toke.c:9236 S_scan_heredoc
Shadow bytes around the buggy address:
   0x0c01400071c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c01400071d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c01400071e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c01400071f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x0c0140007200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0140007210: fa fa fa fa fa fa fa fa 00 00 00 fa fa[fa]fd fd
   0x0c0140007220: fd fa fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
   0x0c0140007230: fd fd fd fd fa fa 00 00 00 04 fa fa 00 00 00 07
   0x0c0140007240: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
   0x0c0140007250: 00 fa fa fa 00 00 00 01 fa fa fd fd fd fd fa fa
   0x0c0140007260: 00 00 00 02 fa fa 00 00 01 fa fa fa 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:     fa
   Heap righ redzone:     fb
   Freed Heap region:     fd
   Stack left redzone:    f1
   Stack mid redzone:     f2
   Stack right redzone:   f3
   Stack partial redzone: f4
   Stack after return:    f5
   Stack use after scope: f8
   Global redzone:        f9
   Global init order:     f6
   Poisoned by user:      f7
   ASan internal:         fe
==17780== ABORTING

The line is:

     if (*s == term && memEQ(s,PL_tokenbuf + 1,len)) {

Last changed in 5097bf9b8 by Father Chrysostomos.  Since the commit added 
a +1 and AddressSanitizer complains about a read of size 1...

-- 
George Greer
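
Added example, not perl's toke.c and not code from the poster: the reported line dereferences `*s` and then memEQ()s `len` bytes starting at `s`, and ASan places the 1-byte read 16 bytes past a 24-byte heap region handed out by Perl_safesysrealloc. Whether that is the actual root cause in S_scan_heredoc is not established in the report above; the standalone line scanner below only reproduces that shape (compare the first byte, then the whole terminator, at each line start without first checking that `len` bytes remain) next to the bounded version. The function names, the `END` terminator and the input text are made up for the illustration.

```c
/* Added example: an unbounded vs. a bounded heredoc-style terminator scan.
 * This is illustrative code, not perl's toke.c; all names are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shaped like the reported line: test *s against the terminator's first
 * byte, then memcmp len bytes from s.  Nothing verifies that len bytes
 * remain before bufend.  When the last line ends in '\n', s steps to
 * bufend and *s is a 1-byte read past the allocation; when the last line
 * is shorter than len, memcmp reads past it.  Either fires under ASan. */
static long scan_term_unchecked(const char *buf, size_t buflen,
                                const char *term, size_t len)
{
    const char *s = buf;
    const char *bufend = buf + buflen;

    for (;;) {
        if (*s == term[0] && memcmp(s, term, len) == 0)   /* BUG: unbounded */
            return (long)(s - buf);
        const char *nl = memchr(s, '\n', (size_t)(bufend - s));
        if (nl == NULL)
            break;
        s = nl + 1;                    /* may equal bufend */
    }
    return -1;
}

/* Bounded version: one remaining-length check covers *s, the memcmp and
 * the whole-line test.  s[len] is only read when s + len < bufend.
 * Returns the byte offset of the terminator line, or -1 if absent. */
static long scan_term_checked(const char *buf, size_t buflen,
                              const char *term, size_t len)
{
    const char *s = buf;
    const char *bufend = buf + buflen;

    if (len == 0)
        return -1;
    while ((size_t)(bufend - s) >= len) {
        if (*s == term[0] && memcmp(s, term, len) == 0 &&
            (s + len == bufend || s[len] == '\n'))  /* terminator is the whole line */
            return (long)(s - buf);
        const char *nl = memchr(s, '\n', (size_t)(bufend - s));
        if (nl == NULL)
            break;
        s = nl + 1;                    /* loop condition rejects s == bufend */
    }
    return -1;
}

int main(int argc, char **argv)
{
    /* Constructed input: the body's last line ends in '\n', so the scanner
     * steps exactly to bufend.  It is copied into an exact-size heap block
     * so a sanitizer sees the first byte past it. */
    static const char body[] = "line one\nline two\n";
    size_t n = sizeof body - 1;
    char *heap = malloc(n);
    if (heap == NULL)
        return 1;
    memcpy(heap, body, n);

    if (argc > 1 && strcmp(argv[1], "unsafe") == 0)
        printf("unchecked: %ld\n", scan_term_unchecked(heap, n, "END", 3));
    else
        printf("checked: %ld\n", scan_term_checked(heap, n, "END", 3));
    free(heap);
    return 0;
}
```

Build it the way the smoke was built, `clang -g -fsanitize=address scan.c -o scan`, and run `./scan unsafe` to get a heap-buffer-overflow with READ of size 1 at the `*s` dereference, one byte past the 18-byte region; `./scan` without the argument runs the bounded scanner and stays clean on the same input. On benign input both scanners return the same offsets; the only difference is that the bounded one stops before the comparison can touch a byte it does not own.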
