[perl #124385] null ptr deref -> Perl_cv_forget_slab (pad.c:500)
From: Brian Carpenter
Date: April 25, 2015 01:11
Subject: [perl #124385] null ptr deref -> Perl_cv_forget_slab (pad.c:500)
Message ID: rt-4.0.18-12224-1429924287-1985.124385-75-0@perl.org
# New Ticket Created by Brian Carpenter
# Please include the string: [perl #124385]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=124385 >
Built v5.21.12 (v5.21.11-10-ga8f582b) using the following command line:
./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j6 test-prep
Bug found with AFL (http://lcamtuf.coredump.cx/afl)
Valgrind: ==7327== Invalid read of size 8
==7327== at 0x66546C: Perl_cv_forget_slab (pad.c:500)
==7327== by 0x48EFC3: Perl_newPROG (op.c:4093)
==7327== by 0x6612F1: Perl_yyparse (perly.y:120)
==7327== by 0x534740: perl_parse (perl.c:2296)
==7327== by 0x42AC97: main (perlmain.c:114)
==7327== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==7327==
==7327==
==7327== Process terminating with default action of signal 11 (SIGSEGV)
==7327== Access not within mapped region at address 0x0
==7327== at 0x66546C: Perl_cv_forget_slab (pad.c:500)
==7327== by 0x48EFC3: Perl_newPROG (op.c:4093)
==7327== by 0x6612F1: Perl_yyparse (perly.y:120)
==7327== by 0x534740: perl_parse (perl.c:2296)
==7327== by 0x42AC97: main (perlmain.c:114)
==7327== If you believe this happened as a result of a stack
==7327== overflow in your program's main thread (unlikely but
==7327== possible), you can try to increase the size of the
==7327== main thread stack using the --main-stacksize= flag.
==7327== The main thread stack size used in this run was 8388608.
Segmentation fault
GDB:
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x11f2d50 --> 0x0
RCX: 0xc4
RDX: 0x0
RSI: 0x11f2f00 (" at end of line\n")
RDI: 0x0
RBP: 0x11f2d50 --> 0x0
RSP: 0x7fffffffdee0 --> 0x11ef390 --> 0x11f2d50 --> 0x0
RIP: 0x66546c (<Perl_cv_forget_slab+60>: mov rdx,QWORD PTR [rdi])
R8 : 0x0
R9 : 0x11f2f40 --> 0x11f2d98 --> 0x11f2df8 --> 0x11f2d50 --> 0x0
R10: 0x0
R11: 0x2d ('-')
R12: 0xffffffff00000000
R13: 0x11ef390 --> 0x11f2d50 --> 0x0
R14: 0x67 ('g')
R15: 0x14
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x66545c <Perl_cv_forget_slab+44>: mov rdx,QWORD PTR [rsp]
0x665460 <Perl_cv_forget_slab+48>: lea rsp,[rsp+0x98]
0x665468 <Perl_cv_forget_slab+56>: sub rsp,0x18
=> 0x66546c <Perl_cv_forget_slab+60>: mov rdx,QWORD PTR [rdi]
0x66546f <Perl_cv_forget_slab+63>: mov rax,QWORD PTR fs:0x28
0x665478 <Perl_cv_forget_slab+72>: mov QWORD PTR [rsp+0x8],rax
0x66547d <Perl_cv_forget_slab+77>: xor eax,eax
0x66547f <Perl_cv_forget_slab+79>: mov eax,DWORD PTR [rdx+0x5c]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdee0 --> 0x11ef390 --> 0x11f2d50 --> 0x0
0008| 0x7fffffffdee8 --> 0x67 ('g')
0016| 0x7fffffffdef0 --> 0x14
0024| 0x7fffffffdef8 --> 0x48efc4 (<Perl_newPROG+1604>: test BYTE PTR [rip+0xd401dd],0x8 # 0x11cf1a8 <PL_perldb>)
0032| 0x7fffffffdf00 --> 0x304
0040| 0x7fffffffdf08 --> 0x1b60f849122f2000
0048| 0x7fffffffdf10 --> 0x0
0056| 0x7fffffffdf18 --> 0x11ef0a0 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
Perl_cv_forget_slab () at pad.c:500
500 const bool slabbed = !!CvSLABBED(cv);
gdb-peda$ list
495 */
496
497 void
498 Perl_cv_forget_slab(pTHX_ CV *cv)
499 {
500 const bool slabbed = !!CvSLABBED(cv);
501 OPSLAB *slab = NULL;
502
503 PERL_ARGS_ASSERT_CV_FORGET_SLAB;
504
System Info: Debian 7, Kernel 3.2.65-1+deb7u2 x86_64, GCC 4.9.2, libc 2.13-38+deb7u8