[perl #123677] 31 byte one liner crashes Perl5.21.9
From: Brian Carpenter
Date: January 26, 2015 14:01
Subject: [perl #123677] 31 byte one liner crashes Perl5.21.9
Message ID: rt-4.0.18-23043-1422272433-1309.123677-75-0@perl.org
# New Ticket Created by Brian Carpenter
# Please include the string: [perl #123677]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=123677 >
Good morning. The fuzzing attack against Perl continues with an interesting
(at least to me) test case. I built Perl 5.21.9 from Git source this
morning.
/home/geeknik/perl5/perl -v
This is perl 5, version 21, subversion 9 (v5.21.9 (v5.21.8-57-gd28cce6))
built for x86_64-linux
Using the american fuzzy lop (http://lcamtuf.coredump.cx/afl/)
compiler in this fashion, I built the executable:
CC=/path/to/afl-gcc ./Configure (defaulted through all of the options)
ran make without using AFL_HARDEN=1
Test case and core dump are attached.
valgrind -q /home/geeknik/perl5/perl final-crasher4
Bareword found where operator expected at final-crasher4 line 1, near "0h"
(Missing operator before h?)
==37418== Invalid read of size 2
==37418== at 0x464C79: Perl_newSVREF (op.c:9387)
==37418== by 0x5BA3F7: Perl_yyparse (perly.y:1109)
==37418== by 0x4E6494: perl_parse (perl.c:2273)
==37418== by 0x429BBB: main (perlmain.c:114)
==37418== Address 0x10805edc128 is not stack'd, malloc'd or (recently)
free'd
==37418==
==37418==
==37418== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==37418== Access not within mapped region at address 0x10805EDC128
==37418== at 0x464C79: Perl_newSVREF (op.c:9387)
==37418== by 0x5BA3F7: Perl_yyparse (perly.y:1109)
==37418== by 0x4E6494: perl_parse (perl.c:2273)
==37418== by 0x429BBB: main (perlmain.c:114)
==37418== If you believe this happened as a result of a stack
==37418== overflow in your program's main thread (unlikely but
==37418== possible), you can try to increase the size of the
==37418== main thread stack using the --main-stacksize= flag.
==37418== The main thread stack size used in this run was 8388608.
Segmentation fault
gdb /home/geeknik/perl5/perl core
Reading symbols from /home/geeknik/perl5/perl...done.
[New LWP 45131]
warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/geeknik/perl5/perl final-crasher4'.
Program terminated with signal 11, Segmentation fault.
#0 Perl_newSVREF (o=0x10800e043b8) at op.c:9387
9387 if (o->op_type == OP_PADANY) {
(gdb) bt
#0 Perl_newSVREF (o=0x10800e043b8) at op.c:9387
#1 0x00000000005ba3f8 in Perl_yyparse (gramtype=<optimized out>) at
perly.y:1109
#2 0x00000000004e6495 in S_parse_body (xsinit=0x429fb0 <xs_init>, env=0x0)
at perl.c:2273
#3 perl_parse (my_perl=<optimized out>, xsinit=0x429fb0 <xs_init>,
argc=<optimized out>, argv=<optimized out>, env=0x0) at perl.c:1607
#4 0x0000000000429bbc in main (argc=2, argv=0x7fffffffe3c8,
env=0x7fffffffe3e0) at perlmain.c:114
#5 0x00007ffff6f97ead in __libc_start_main (main=<optimized out>,
argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffe3b8) at libc-start.c:244
#6 0x0000000000429ed5 in _start ()
(gdb) i r
rax 0xc8 200
rbx 0xe00f80 14684032
rcx 0x2 2
rdx 0xc7 199
rsi 0xffffffffffffffff -1
rdi 0x10800e043b8 1133886063544
rbp 0xaaaaaaaaaaaaaaab 0xaaaaaaaaaaaaaaab
rsp 0x7fffffffdfb0 0x7fffffffdfb0
r8 0x200002800000024 144115359874547748
r9 0xffffffffffffffff -1
r10 0xfffffffffffffffd -3
r11 0xee 238
r12 0xee 238
r13 0x1 1
r14 0xe00b10 14682896
r15 0x70 112
rip 0x464c79 0x464c79 <Perl_newSVREF+1>
eflags 0x10283 [ CF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
Test case:
s)$0{0h());qx(@0);qx(@0);qx(@0)
hexdump:
0000000 2973 3024 307b 2868 2929 713b 2878 3040
0000010 3b29 7871 4028 2930 713b 2878 3040 0029
000001f
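The report above ends with the raw bytes of the crasher. As an added example that is not part of Brian Carpenter's report or of the Perl project, the following POSIX shell script reconstructs the 31-byte input from that string and provides a small triage loop of the kind used on an AFL crashes/ directory: it runs a target binary over each file and labels the run by the terminating signal (a shell reports a child killed by signal N as exit status 128+N, so a SIGSEGV like the one above shows up as 139). The target path and crashes/ layout are assumptions for illustration; nothing here needs a vulnerable perl build, and any program that dies by signal can stand in as the target.

```shell
#!/bin/sh
# Added example, not from the original report or the Perl project.
# Reconstructs the 31-byte crasher posted above and provides a tiny triage
# loop for AFL "crashes/" directories. Target path and directory layout are
# assumptions for illustration.

# write_testcase FILE: write the exact 31 bytes from the report.
# Single quotes keep "$0" and the parentheses literal for printf.
write_testcase() {
  printf '%s' 's)$0{0h());qx(@0);qx(@0);qx(@0)' > "$1"
}

# signal_name STATUS: map a shell exit status to a readable label.
# A child killed by signal N is reported by the shell as 128+N.
signal_name() {
  status=$1
  if [ "$status" -le 128 ]; then
    printf 'exit(%s)\n' "$status"
    return 0
  fi
  sig=$((status - 128))
  case $sig in
    4)  printf 'SIGILL\n' ;;
    6)  printf 'SIGABRT\n' ;;
    7)  printf 'SIGBUS\n' ;;
    8)  printf 'SIGFPE\n' ;;
    11) printf 'SIGSEGV\n' ;;
    *)  printf 'SIG%s\n' "$sig" ;;
  esac
}

# run_one TARGET INPUT: run TARGET on INPUT once, print "INPUT<TAB>label".
# The target's own output is discarded; the "|| status=$?" form keeps the
# function usable under "set -e" even when the target dies.
run_one() {
  target=$1
  input=$2
  status=0
  "$target" "$input" >/dev/null 2>&1 || status=$?
  printf '%s\t%s\n' "$input" "$(signal_name "$status")"
}

# triage_dir TARGET DIR: run every regular file in DIR through run_one.
# AFL writes a README.txt into crashes/; it is skipped by name.
triage_dir() {
  target=$1
  dir=$2
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case $f in */README.txt) continue ;; esac
    run_one "$target" "$f"
  done
}

# Example invocation (paths are assumptions):
#   write_testcase final-crasher4
#   run_one /home/geeknik/perl5/perl final-crasher4
#   triage_dir /home/geeknik/perl5/perl afl-out/crashes
```

Grouping by signal is only a first pass: two inputs that both end in SIGSEGV can still be different bugs, and the valgrind and gdb output in the report is what actually pins the fault to a frame (here Perl_newSVREF reading o->op_type through an op pointer valgrind reports as neither stack, heap nor recently freed). In practice the next step is to re-run each SIGSEGV case under gdb in batch mode and bucket on the top frames.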