perl.perl5.porters | Postings from May 2016

[perl #128204] Segfault in Perl_grok_number_flags under use feature'bitwise'

From: Dan Collins
Date: May 21, 2016 02:42
Subject: [perl #128204] Segfault in Perl_grok_number_flags under use feature'bitwise'
Message ID: rt-4.0.18-3913-1463798500-1912.128204-75-0@perl.org
# New Ticket Created by Dan Collins
# Please include the string: [perl #128204]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=128204 >


I have compiled bleadperl with the afl-gcc compiler using:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -DDEBUGGING -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl -t -W @@

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segmentation fault in the perl interpreter. The testcase is the file below. On debug builds, this returns an assert fail.

use feature':all';@0&=0

dcollins@nightshade64:~$ od -c f3i000134
0000000   u   s   e       f   e   a   t   u   r   e   '   :   a   l   l
0000020   '   ;   @   0   &   =   0
0000027
dcollins@nightshade64:~$ cd perl/
dcollins@nightshade64:~/perl$ ./perl -Ilib ../f3i000134
The bitwise feature is experimental at ../f3i000134 line 1.
Segmentation fault
dcollins@nightshade64:~/perl$ cd ../perldebug/
dcollins@nightshade64:~/perldebug$ ./perl -Ilib ../f3i000134
The bitwise feature is experimental at ../f3i000134 line 1.
perl: sv.c:2531: Perl_sv_2uv_flags: Assertion `(((svtype)((sv)->sv_flags & 0xff)) == SVt_REGEXP || ((sv)->sv_flags & (0xff|0x00004000|0x00008000|0x01000000)) == (SVt_PVLV|0x01000000)) || ((sv)->sv_flags & 0x00004000)' failed.
Aborted


Debugging tool output is below. A git bisect was attempted, but this persists as far back as 5.22, which is when the bitwise feature was first introduced.


**GDB**

(gdb) run
Starting program: /home/dcollins/perl/perl -Ilib ../f3i000134
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
The bitwise feature is experimental at ../f3i000134 line 1.

Program received signal SIGSEGV, Segmentation fault.
0x00000000005c41f2 in Perl_grok_number_flags (pv=0x0,
    len=18446744073709551615, valuep=0x7fffffffe300, flags=0) at numeric.c:857
857       while (s < send && isSPACE(*s))
(gdb) bt
#0  0x00000000005c41f2 in Perl_grok_number_flags (pv=0x0,
    len=18446744073709551615, valuep=0x7fffffffe300, flags=0) at numeric.c:857
#1  0x00000000005c4190 in Perl_grok_number (pv=0x0, len=18446744073709551615,
    valuep=0x7fffffffe300) at numeric.c:841
#2  0x000000000051b25f in Perl_sv_2uv_flags (sv=0x86d650, flags=0)
    at sv.c:2536
#3  0x0000000000542238 in Perl_pp_nbit_and () at pp.c:2444
#4  0x0000000000508326 in Perl_runops_standard () at run.c:41
#5  0x0000000000448e80 in S_run_body (oldscope=1) at perl.c:2517
#6  0x0000000000448a2f in perl_run (my_perl=0x857010) at perl.c:2440
#7  0x000000000041e730 in main (argc=3, argv=0x7fffffffe628,
    env=0x7fffffffe648) at perlmain.c:116
(gdb) info locals
s = 0x0
send = 0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>
d = 0x490000000041e550 <error: Cannot access memory at address 0x490000000041e550>
numtype = 0
(gdb) l
852       const char *d;
853       int numtype = 0;
854
855       PERL_ARGS_ASSERT_GROK_NUMBER_FLAGS;
856
857       while (s < send && isSPACE(*s))
858         s++;
859       if (s == send) {
860         return 0;
861       } else if (*s == '-') {
(gdb) q


(gdb) run
Starting program: /home/dcollins/perldebug/perl -Ilib ../f3i000134
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
The bitwise feature is experimental at ../f3i000134 line 1.
perl: sv.c:2531: Perl_sv_2uv_flags: Assertion `(((svtype)((sv)->sv_flags & 0xff)) == SVt_REGEXP || ((sv)->sv_flags & (0xff|0x00004000|0x00008000|0x01000000)) == (SVt_PVLV|0x01000000)) || ((sv)->sv_flags & 0x00004000)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6cfa8fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff6cf23a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff6cf2452 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00000000005ce153 in Perl_sv_2uv_flags (sv=0xab29e0, flags=0) at sv.c:2531
#5  0x0000000000630232 in Perl_pp_nbit_and () at pp.c:2444
#6  0x0000000000559af3 in Perl_runops_debug () at dump.c:2239
#7  0x0000000000462138 in S_run_body (oldscope=1) at perl.c:2517
#8  0x0000000000461763 in perl_run (my_perl=0xa9c010) at perl.c:2440
#9  0x000000000041e8f0 in main (argc=3, argv=0x7fffffffe618, env=0x7fffffffe638) at perlmain.c:116
(gdb) f 4
#4  0x00000000005ce153 in Perl_sv_2uv_flags (sv=0xab29e0, flags=0) at sv.c:2531
2531            assert(isREGEXP(sv) || SvPOKp(sv));
(gdb) info locals
__PRETTY_FUNCTION__ = "Perl_sv_2uv_flags"
(gdb) l
2526
2527        if (SvVALID(sv) || isREGEXP(sv)) {
2528            /* FBMs use the space for SvIVX and SvNVX for other purposes, and use
2529               the same flag bit as SVf_IVisUV, so must not let them cache IVs.
2530               Regexps have no SvIVX and SvNVX fields. */
2531            assert(isREGEXP(sv) || SvPOKp(sv));
2532            {
2533                UV value;
2534                const char * const ptr =
2535                    isREGEXP(sv) ? RX_WRAPPED((REGEXP*)sv) : SvPVX_const(sv);
(gdb)


**VALGRIND**

dcollins@nightshade64:~/perl$ valgrind ./perl -Ilib ../f3i000134
==60697== Memcheck, a memory error detector
==60697== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==60697== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==60697== Command: ./perl -Ilib ../f3i000134
==60697==
The bitwise feature is experimental at ../f3i000134 line 1.
==60697== Invalid read of size 1
==60697==    at 0x5C41F2: Perl_grok_number_flags (numeric.c:857)
==60697==    by 0x5C418F: Perl_grok_number (numeric.c:841)
==60697==    by 0x51B25E: Perl_sv_2uv_flags (sv.c:2536)
==60697==    by 0x542237: Perl_pp_nbit_and (pp.c:2444)
==60697==    by 0x508325: Perl_runops_standard (run.c:41)
==60697==    by 0x448E7F: S_run_body (perl.c:2517)
==60697==    by 0x448A2E: perl_run (perl.c:2440)
==60697==    by 0x41E72F: main (perlmain.c:116)
==60697==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==60697==
==60697==
==60697== Process terminating with default action of signal 11 (SIGSEGV)
==60697==  Access not within mapped region at address 0x0
==60697==    at 0x5C41F2: Perl_grok_number_flags (numeric.c:857)
==60697==    by 0x5C418F: Perl_grok_number (numeric.c:841)
==60697==    by 0x51B25E: Perl_sv_2uv_flags (sv.c:2536)
==60697==    by 0x542237: Perl_pp_nbit_and (pp.c:2444)
==60697==    by 0x508325: Perl_runops_standard (run.c:41)
==60697==    by 0x448E7F: S_run_body (perl.c:2517)
==60697==    by 0x448A2E: perl_run (perl.c:2440)
==60697==    by 0x41E72F: main (perlmain.c:116)
==60697==  If you believe this happened as a result of a stack
==60697==  overflow in your program's main thread (unlikely but
==60697==  possible), you can try to increase the size of the
==60697==  main thread stack using the --main-stacksize= flag.
==60697==  The main thread stack size used in this run was 8388608.
==60697==
==60697== HEAP SUMMARY:
==60697==     in use at exit: 204,449 bytes in 900 blocks
==60697==   total heap usage: 1,617 allocs, 717 frees, 325,916 bytes allocated
==60697==
==60697== LEAK SUMMARY:
==60697==    definitely lost: 192 bytes in 1 blocks
==60697==    indirectly lost: 2,024 bytes in 22 blocks
==60697==      possibly lost: 44,648 bytes in 32 blocks
==60697==    still reachable: 157,585 bytes in 845 blocks
==60697==                       of which reachable via heuristic:
==60697==                         newarray           : 224 bytes in 7 blocks
==60697==         suppressed: 0 bytes in 0 blocks
==60697== Rerun with --leak-check=full to see details of leaked memory
==60697==
==60697== For counts of detected and suppressed errors, rerun with: -v
==60697== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault


**PERL -V**

dcollins@nightshade64:~/perl$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 1) configuration:
  Commit id: 9e17953912c0ab4f21dd642345727a44c388a0af
  Platform:
    osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-ld
    uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
    config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache gcc-6.1 -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=define
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='ccache gcc-6.1', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-g',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='6.1.0', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
    ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
    alignbytes=16, prototype=define
  Linker and Libraries:
    ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.22'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
                        PERL_DONT_CREATE_GVSV
                        PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
                        PERL_OP_PARENT PERL_PRESERVE_IVUV PERL_USE_DEVEL
                        USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
                        USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                        USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
                        USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at May 17 2016 20:01:23
  @INC:
    lib
    /usr/local/perl-afl/lib/site_perl/5.25.1/x86_64-linux-ld
    /usr/local/perl-afl/lib/site_perl/5.25.1
    /usr/local/perl-afl/lib/5.25.1/x86_64-linux-ld
    /usr/local/perl-afl/lib/5.25.1
    /usr/local/perl-afl/lib/site_perl/5.24.0
    /usr/local/perl-afl/lib/site_perl
    .

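The report above hands in one minimized input together with its valgrind output and the -DDEBUGGING assertion. When afl-fuzz fills out/crashes/ with hundreds of such inputs, the next step is to re-run each one under valgrind (or the debug build) and bucket the results, so that every duplicate of one bug, like this read through pv=0x0 with len=18446744073709551615 (2^64-1, the all-ones STRLEN) in Perl_grok_number_flags, collapses into a single ticket. The Python below is an added example written for this page; it is not part of perl and was not posted by the reporter. It parses memcheck's and glibc's real output formats; the sample text is copied (trimmed) from the report's own output above, while the function names, the three-frame bucket key and the 0x1000 "null page" cutoff are this example's own choices.

```python
"""Bucket fuzzer crashes from valgrind memcheck / glibc assertion output.
Added triage helper for the report above (not perl's or the reporter's code);
the 3-frame bucket depth and the 0x1000 null-page cutoff are this example's choices."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Frame = Tuple[str, str, Optional[int]]  # (function, file or object, line)
_INVALID_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)")
_FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \((.+)\)$")
_ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.+)$")
_SIGNAL_RE = re.compile(r"default action of signal (\d+)")
# glibc format: "<prog>: <file>:<line>: <func>: Assertion `<expr>' failed."
_ASSERT_RE = re.compile(r"^\S+: (\S+?):(\d+): (\S+): Assertion `(.*)' failed\.$")


@dataclass
class Crash:
    kind: str                 # "invalid-read", "invalid-write", "assertion", "unknown"
    frames: List[Frame] = field(default_factory=list)  # innermost frame first
    fault_addr: Optional[int] = None
    access_size: Optional[int] = None
    signal: Optional[int] = None
    assertion: Optional[str] = None


def _parse_frame(line: str) -> Optional[Frame]:
    m = _FRAME_RE.match(line)
    if not m:
        return None
    func, loc = m.group(1), m.group(2)
    fl = re.match(r"^(.+):(\d+)$", loc)
    if fl:
        return (func, fl.group(1), int(fl.group(2)))
    # Frames without debug info look like "(in /lib/x86_64-linux-gnu/libc.so.6)".
    return (func, loc[3:] if loc.startswith("in ") else loc, None)


def parse_valgrind(text: str) -> Crash:
    """First memcheck error block only; the 'Process terminating' block repeats it."""
    crash, in_block = Crash(kind="unknown"), False
    for line in text.splitlines():
        m = _INVALID_RE.match(line)
        if m and crash.kind == "unknown":
            crash.kind, crash.access_size = "invalid-" + m.group(1), int(m.group(2))
            in_block = True
        elif in_block:
            fr = _parse_frame(line)
            if fr:
                crash.frames.append(fr)
            else:  # the "Address 0x... is ..." line ends the frame list
                am = _ADDR_RE.match(line)
                if am:
                    crash.fault_addr = int(am.group(1), 16)
                in_block = False
        sm = _SIGNAL_RE.search(line)
        if sm:
            crash.signal = int(sm.group(1))
    return crash


def parse_assertion(text: str) -> Optional[Crash]:
    """-DDEBUGGING builds abort in assert() before the bad read is reached."""
    for line in text.splitlines():
        m = _ASSERT_RE.match(line)
        if m:
            return Crash(kind="assertion", assertion=m.group(4),
                         frames=[(m.group(3), m.group(1), int(m.group(2)))])
    return None


def bucket_key(crash: Crash, depth: int = 3) -> Tuple[str, ...]:
    """Innermost `depth` function names, no addresses, so ASLR/rebuilds don't split buckets."""
    return tuple(f[0] for f in crash.frames[:depth])


def classify(crash: Crash) -> str:
    if crash.kind == "assertion":
        return "assertion-failure"
    if crash.fault_addr is not None and crash.fault_addr < 0x1000:
        # NULL or NULL+small offset: a missing check, usually DoS, still a ticket.
        return "null-page-" + crash.kind
    return "wild-write" if crash.kind == "invalid-write" else crash.kind


# Memcheck lines copied from the report above, trimmed to four frames.
SAMPLE_VALGRIND = """\
==60697== Invalid read of size 1
==60697==    at 0x5C41F2: Perl_grok_number_flags (numeric.c:857)
==60697==    by 0x5C418F: Perl_grok_number (numeric.c:841)
==60697==    by 0x51B25E: Perl_sv_2uv_flags (sv.c:2536)
==60697==    by 0x542237: Perl_pp_nbit_and (pp.c:2444)
==60697==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==60697==
==60697== Process terminating with default action of signal 11 (SIGSEGV)
"""
# glibc assertion line from the report's -DDEBUGGING build.
SAMPLE_ASSERT = ("perl: sv.c:2531: Perl_sv_2uv_flags: Assertion `(((svtype)((sv)->sv_flags"
                 " & 0xff)) == SVt_REGEXP || ((sv)->sv_flags & (0xff|0x00004000|0x00008000|"
                 "0x01000000)) == (SVt_PVLV|0x01000000)) || ((sv)->sv_flags & 0x00004000)' failed.")
```

Against an AFL run this is used as: for f in out/crashes/id:*; do valgrind ./perl -Ilib "$f" 2>"$f.vg"; done, then parse_valgrind() on each .vg file and group by bucket_key(). The debug build's stderr goes to parse_assertion() instead; it catches the same bug one frame earlier, since the assert() at sv.c:2531 fires before Perl_grok_number is called from sv.c:2536, so the two builds produce different keys and should be bucketed separately.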
