
[perl #123677] 31 byte one liner crashes Perl5.21.9

Brian Carpenter
January 26, 2015 14:01
# New Ticket Created by  Brian Carpenter 
# Please include the string:  [perl #123677]
# in the subject line of all future correspondence about this issue. 
# <URL: >

Good morning. The fuzzing attack against Perl continues with an interesting
(at least to me) test case. I built Perl 5.21.9 from Git source this

/home/geeknik/perl5/perl -v
This is perl 5, version 21, subversion 9 (v5.21.9 (v5.21.8-57-gd28cce6))
built for x86_64-linux

Using the american fuzzy lop (http://
compiler in this fashion, I built the executable:

CC=/path/to/afl-gcc ./Configure (defaulted through all of the options)
ran make without using AFL_HARDEN=1

Test case and core dump are attached.

valgrind -q /home/geeknik/perl5/perl final-crasher4
Bareword found where operator expected at final-crasher4 line 1, near "0h"
(Missing operator before h?)
==37418== Invalid read of size 2
==37418==    at 0x464C79: Perl_newSVREF (op.c:9387)
==37418==    by 0x5BA3F7: Perl_yyparse (perly.y:1109)
==37418==    by 0x4E6494: perl_parse (perl.c:2273)
==37418==    by 0x429BBB: main (perlmain.c:114)
==37418==  Address 0x10805edc128 is not stack'd, malloc'd or (recently)
==37418== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==37418==  Access not within mapped region at address 0x10805EDC128
==37418==    at 0x464C79: Perl_newSVREF (op.c:9387)
==37418==    by 0x5BA3F7: Perl_yyparse (perly.y:1109)
==37418==    by 0x4E6494: perl_parse (perl.c:2273)
==37418==    by 0x429BBB: main (perlmain.c:114)
==37418==  If you believe this happened as a result of a stack
==37418==  overflow in your program's main thread (unlikely but
==37418==  possible), you can try to increase the size of the
==37418==  main thread stack using the --main-stacksize= flag.
==37418==  The main thread stack size used in this run was 8388608.
Segmentation fault

gdb /home/geeknik/perl5/perl core
Reading symbols from /home/geeknik/perl5/perl...done.
[New LWP 45131]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
Core was generated by `/home/geeknik/perl5/perl final-crasher4'.
Program terminated with signal 11, Segmentation fault.
#0  Perl_newSVREF (o=0x10800e043b8) at op.c:9387
9387    if (o->op_type == OP_PADANY) {
(gdb) bt
#0  Perl_newSVREF (o=0x10800e043b8) at op.c:9387
#1  0x00000000005ba3f8 in Perl_yyparse (gramtype=<optimized out>) at
#2  0x00000000004e6495 in S_parse_body (xsinit=0x429fb0 <xs_init>, env=0x0)
at perl.c:2273
#3  perl_parse (my_perl=<optimized out>, xsinit=0x429fb0 <xs_init>,
argc=<optimized out>, argv=<optimized out>, env=0x0) at perl.c:1607
#4  0x0000000000429bbc in main (argc=2, argv=0x7fffffffe3c8,
env=0x7fffffffe3e0) at perlmain.c:114
#5  0x00007ffff6f97ead in __libc_start_main (main=<optimized out>,
argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffe3b8) at libc-start.c:244
#6  0x0000000000429ed5 in _start ()
(gdb) i r
rax            0xc8 200
rbx            0xe00f80 14684032
rcx            0x2 2
rdx            0xc7 199
rsi            0xffffffffffffffff -1
rdi            0x10800e043b8 1133886063544
rbp            0xaaaaaaaaaaaaaaab 0xaaaaaaaaaaaaaaab
rsp            0x7fffffffdfb0 0x7fffffffdfb0
r8             0x200002800000024 144115359874547748
r9             0xffffffffffffffff -1
r10            0xfffffffffffffffd -3
r11            0xee 238
r12            0xee 238
r13            0x1 1
r14            0xe00b10 14682896
r15            0x70 112
rip            0x464c79 0x464c79 <Perl_newSVREF+1>
eflags         0x10283 [ CF SF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0 0
es             0x0 0
fs             0x0 0
gs             0x0 0

Test case:

0000000 2973 3024 307b 2868 2929 713b 2878 3040
0000010 3b29 7871 4028 2930 713b 2878 3040 0029
000001f
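The attachment itself is not in the archive; the test case survives only as the hex dump above. The decoder below is an added example, not code from the ticket or from perl5-porters: it rebuilds the raw bytes from a hexdump / `od -x` style dump (little-endian 16-bit words, hex offsets, a final offset-only line giving the file length, which is what marks the padding byte in the last word `0029`), so the 31-byte file can be regenerated locally and re-run under valgrind. The dump text is copied from the report; the function and constant names are assumptions.

```python
"""Rebuild the crasher bytes from the hex dump quoted in the ticket.

Added example for reconstructing the attachment; not part of the report.
Format assumed: `hexdump` / `od -A x -x` output, i.e. hex offsets followed
by little-endian 16-bit words, and a trailing line holding only the final
offset (the total length).
"""
import re

# Copied from the report's "Test case:" section (hexdump of the attachment).
OD_DUMP = """\
0000000 2973 3024 307b 2868 2929 713b 2878 3040
0000010 3b29 7871 4028 2930 713b 2878 3040 0029
000001f
"""

WORD_RE = re.compile(r"[0-9a-fA-F]{4}")


def decode_od_x(dump: str) -> bytes:
    """Decode a little-endian 16-bit-word hex dump into the original bytes.

    `2973` is the bytes 0x73 0x29 ("s)"). When the file length is odd the
    dump tool pads the last word with 0x00; the trailing offset line tells
    us the true length, so that padding byte is dropped here.
    """
    out = bytearray()
    total = None
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset, words = int(fields[0], 16), fields[1:]
        if not words:                      # offset-only line: end of file
            total = offset
            break
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} != {len(out)} bytes decoded")
        for w in words:
            if not WORD_RE.fullmatch(w):
                raise ValueError(f"bad word {w!r}")
            v = int(w, 16)
            out += bytes((v & 0xFF, v >> 8))   # low byte first (little-endian)
    if total is None:
        raise ValueError("dump has no final offset line")
    if len(out) not in (total, total + 1):   # at most one padding byte
        raise ValueError(f"decoded {len(out)} bytes, dump claims {total}")
    return bytes(out[:total])


def test_case() -> bytes:
    """The 31-byte input from the ticket, as raw bytes."""
    return decode_od_x(OD_DUMP)


if __name__ == "__main__":
    tc = test_case()
    with open("final-crasher4", "wb") as fh:   # same name as in the report
        fh.write(tc)
    print(len(tc), "bytes written to final-crasher4")
```

Running the script writes `final-crasher4` next to it, which can then be passed to a freshly built interpreter under `valgrind -q` exactly as in the report.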