develooper Front page | perl.perl5.porters | Postings from February 2015

[perl #123804] glob/scalar segv

From:
Hugo van der Sanden
Date:
February 12, 2015 01:44
Subject:
[perl #123804] glob/scalar segv
Message ID:
rt-4.0.18-26990-1423705453-66.123804-75-0@perl.org
# New Ticket Created by  Hugo van der Sanden 
# Please include the string:  [perl #123804]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=123804 >


Found by AFL (<http://lcamtuf.coredump.cx/afl>):

% ./miniperl -e '$x.=*x=0'
Segmentation fault (core dumped)
% 

4918        dptr[len] = '\0';
(gdb) where
#0  0x00000000005b5d76 in Perl_sv_setpvn (sv=0xad0498, ptr=0x7acea7 "", len=0)
    at sv.c:4918
#1  0x0000000000575574 in Perl_pp_concat () at pp_hot.c:292
#2  0x000000000052a15e in Perl_runops_debug () at dump.c:2231
#3  0x00000000004098c7 in S_run_body (oldscope=1) at perl.c:2423
#4  0x0000000000408f0b in perl_run (my_perl=0xaaf010) at perl.c:2346
#5  0x00000000004508b7 in main (argc=3, argv=0x7fffdb70cbb8, 
    env=0x7fffdb70cbd8) at miniperlmain.c:122

If I read it right, the $x is stacked first; the assignment to *x then frees the already-stacked $x; by the time we get to sv_setpvn the destination is a freed SV (type = 0xff), so the SvGROW returns a null pointer that we then try to write to.

I guess in a sense this is just another example of the unrefcounted stacks issue; I'm not sure that's all that's missing here, though.

Hugo
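A small C model of the sequence described above, added here and not perl's own code: a refcounted value, an argument stack that does not own references, and a glob assignment that replaces a slot and drops the old value's reference. The names sv, glob_assign, sv_grow and concat_target_freed are stand-ins for the perl internals, and the "stack owns a reference" path models the mitigation, not a specific perl patch.

```c
/* Model of the bug class in RT #123804 (assumption: stand-in names, not perl's
 * own structures): a refcounted value, an argument stack that does not own
 * references, and a glob assignment that drops the old slot value. */
#include <stdlib.h>
#include <string.h>

#define SVt_FREED 0xff          /* freed-SV type value seen in the report */

typedef struct { int type; int refcnt; char *pv; } sv;

static sv *glob_scalar_slot;    /* stand-in for the scalar slot of *x */

static sv *new_sv(void) {
    sv *s = calloc(1, sizeof *s);
    s->type = 1; s->refcnt = 1; s->pv = calloc(1, 1);   /* empty string */
    return s;
}

/* Dropping the last reference frees the body but leaves the header readable,
 * marked with the freed type, like perl's arena-managed SV headers. */
static void sv_decref(sv *s) {
    if (--s->refcnt == 0) { free(s->pv); s->pv = NULL; s->type = SVt_FREED; }
}

/* Model of SvGROW on the concat target: a freed SV has no buffer to grow. */
static char *sv_grow(sv *s, size_t len) {
    if (s->type == SVt_FREED) return NULL;
    return s->pv = realloc(s->pv, len + 1);
}

/* *x = 0: the slot gets a fresh SV and the old $x loses its reference. */
static void glob_assign(void) {
    sv *old = glob_scalar_slot;
    glob_scalar_slot = new_sv();
    sv_decref(old);
}

/* Runs "$x .= *x = 0" in the model. Returns 1 if sv_grow on the stacked
 * target came back NULL (the write that segfaults in the report), else 0.
 * stack_holds_ref=1 models the mitigation: the stack owns a reference. */
static int concat_target_freed(int stack_holds_ref) {
    sv *stack[1];
    glob_scalar_slot = new_sv();            /* $x as it exists before the op */
    stack[0] = glob_scalar_slot;            /* $x is stacked first */
    if (stack_holds_ref) stack[0]->refcnt++;
    glob_assign();                          /* rhs side effect runs next */
    int freed = sv_grow(stack[0], 1) == NULL;
    if (!freed) { strcpy(stack[0]->pv, "0"); sv_decref(stack[0]); }
    free(stack[0]);                         /* header cleanup for the model */
    sv_decref(glob_scalar_slot); free(glob_scalar_slot);
    return freed;
}
```

With the stack not owning a reference the target is already freed when the concat runs; holding a reference while the value is on the stack keeps it live until the op has finished with it.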