
[perl #127349] Segfault (GPF) in Perl_newSVpv at sv.c:9161

From: Brian Carpenter
Date: January 22, 2016 19:22
Subject: [perl #127349] Segfault (GPF) in Perl_newSVpv at sv.c:9161
Message ID: rt-4.0.18-20044-1453490516-1520.127349-75-0@perl.org
# New Ticket Created by  Brian Carpenter 
# Please include the string:  [perl #127349]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=127349 >


Found while fuzzing Perl v5.23.8 (v5.23.7-12-g78e3ac8) with American Fuzzy Lop. This crash affects Perl 5.14.2 and 5.20.2 as well.

perl -e '{}for unpack q{p},*0;{}'

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106	../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000009da67c in Perl_newSVpv (
    s=0x303a3a6e69616d2a <error: Cannot access memory at address 0x303a3a6e69616d2a>, len=len@entry=0) at sv.c:9161
#2  0x0000000000e54a28 in S_unpack_rec (symptr=symptr@entry=0x7fffffffe030, 
    s=0x12304e8 "", s@entry=0x12304e0 "*main::0", 
    strbeg=strbeg@entry=0x12304e0 "*main::0", 
    strend=strend@entry=0x12304e8 "", new_s=new_s@entry=0x0) at pp_pack.c:1564
#3  0x0000000000eda29d in Perl_unpackstring (pat=pat@entry=0x123f380 "p", 
    patend=0x123f381 "", s=0x12304e0 "*main::0", strend=0x12304e8 "", 
    flags=flags@entry=0) at pp_pack.c:835
#4  0x0000000000edb2df in Perl_pp_unpack () at pp_pack.c:1839
#5  0x00000000007e901f in Perl_runops_debug () at dump.c:2224
#6  0x0000000000545266 in S_run_body (oldscope=1) at perl.c:2466
#7  perl_run (my_perl=<optimized out>) at perl.c:2389
#8  0x000000000042bf68 in main (argc=2, argv=0x7fffffffe378, 
    env=0x7fffffffe390) at perlmain.c:116

==55317== Invalid read of size 1
==55317==    at 0x4C2ABC2: strlen (vg_replace_strmem.c:454)
==55317==    by 0x9DA67B: Perl_newSVpv (sv.c:9161)
==55317==    by 0xE54A27: S_unpack_rec (pp_pack.c:1564)
==55317==    by 0xEDA29C: Perl_unpackstring (pp_pack.c:835)
==55317==    by 0xEDB2DE: Perl_pp_unpack (pp_pack.c:1839)
==55317==    by 0x7E901E: Perl_runops_debug (dump.c:2224)
==55317==    by 0x545265: S_run_body (perl.c:2466)
==55317==    by 0x545265: perl_run (perl.c:2389)
==55317==    by 0x42BF67: main (perlmain.c:116)
==55317==  Address 0x303a3a6e69616d2a is not stack'd, malloc'd or (recently) free'd
==55317== 
==55317== 
==55317== Process terminating with default action of signal 11 (SIGSEGV)
==55317==  General Protection Fault
==55317==    at 0x4C2ABC2: strlen (vg_replace_strmem.c:454)
==55317==    by 0x9DA67B: Perl_newSVpv (sv.c:9161)
==55317==    by 0xE54A27: S_unpack_rec (pp_pack.c:1564)
==55317==    by 0xEDA29C: Perl_unpackstring (pp_pack.c:835)
==55317==    by 0xEDB2DE: Perl_pp_unpack (pp_pack.c:1839)
==55317==    by 0x7E901E: Perl_runops_debug (dump.c:2224)
==55317==    by 0x545265: S_run_body (perl.c:2466)
==55317==    by 0x545265: perl_run (perl.c:2389)
==55317==    by 0x42BF67: main (perlmain.c:116)
Segmentation fault
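
The following script is an added illustration and is not part of the ticket or of perl's own sources. It shows why the one-liner above faults: unpack's 'p' format does not decode a string, it reads a pointer-sized native integer out of the data and hands it to strlen() (via newSVpv), so whoever controls the bytes controls the address that gets dereferenced. The glob *0 stringifies to "*main::0", exactly eight bytes, and read little-endian on x86_64 those bytes are 0x303a3a6e69616d2a, the very address in the gdb frame. The script also shows the only legitimate use (a pointer produced by pack 'p' whose referent is still alive) and a small guard, unpack_untrusted (a hypothetical helper name, not a perl API), for code that applies a template to external data. It assumes a 64-bit little-endian perl, as in the backtrace.

```perl
#!/usr/bin/perl
# Added example, not from the ticket: what unpack 'p' does with bytes it did
# not get from pack 'p', and a guard for code that unpacks external data.
# Assumes a 64-bit little-endian perl (x86_64, as in the backtrace above).
use strict;
use warnings;
use Config;

# A 'p' item is a pointer-sized native integer, not a string.
my $ptrsize = $Config{ptrsize};          # 8 on x86_64
printf "pointer size: %d bytes\n", $ptrsize;

# Legitimate round trip: the pointer comes from pack 'p' and its referent
# ($text, a variable, not a temporary) is still alive when unpack derefs it.
my $text   = "hello";
my $packed = pack("p", $text);
my ($back) = unpack("p", $packed);
print "round trip: $back\n";             # hello

# The crashing input: the glob *0 stringifies to "*main::0", eight bytes.
# unpack 'p' reads those bytes as a native pointer and calls strlen() on it.
my $input = "" . *0;                     # "*main::0"
printf "input bytes: %s\n", unpack("H*", $input);        # 2a6d61696e3a3a30
printf "read as a pointer: 0x%x\n", unpack("J", $input); # 0x303a3a6e69616d2a
# That is the address in the gdb frame: attacker-chosen bytes become the pointer.
# unpack("p", $input);   # would dereference it and segfault, as in the ticket

# Guard (hypothetical helper): when the template or the data is external,
# refuse the pointer formats 'p' and 'P' instead of dereferencing data.
sub unpack_untrusted {
    my ($template, $data) = @_;
    die "refusing pointer format in template '$template'\n"
        if $template =~ /[pP]/;
    return unpack($template, $data);
}

my @ok = unpack_untrusted("A8", $input);   # ("*main::0")
print "safe: @ok\n";
eval { unpack_untrusted("p", $input) };
print "blocked: $@";
```

The guard is deliberately coarse: a template taken from configuration or from the wire has no business containing 'p' or 'P' at all, because there is no way to validate a pointer after the fact, so rejecting the format up front is the only check that actually helps.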