develooper Front page | perl.perl5.porters | Postings from September 2016

[perl #129158] null ptr deref, segfault in Perl_pp_split () at pp.c:5738

From: Brian Carpenter
Date: September 1, 2016 08:49
Subject: [perl #129158] null ptr deref, segfault in Perl_pp_split () at pp.c:5738
Message ID: rt-4.0.24-19848-1472719752-219.129158-75-0@perl.org
# New Ticket Created by  Brian Carpenter 
# Please include the string:  [perl #129158]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=129158 >


Perl v5.25.5 (v5.25.4-25-g109ac34*), found with AFL + ASAN. A non-instrumented build of v5.25.4-5-g92d73bf returns the valgrind output at the end.

hexdump -C over727
00000000  6d 61 70 7b 73 5b 5d 5b  5d 6f 3e 73 70 6c 69 74  |map{s[][]o>split|
00000010  00 30 2c 24 30 5b 73 70  6c 69 74 2f 28 30 29 2f  |.0,$0[split/(0)/|
00000020  3e 30 5d 3e 6d 61 70 7b  30 3f 7b 7d 3a 30 7d 30  |>0]>map{0?{}:0}0|
00000030  7d 3c 44 41 54 41 3e 5f  5f 45 4e 44 5f 5f 0a 0a  |}<DATA>__END__..|
00000040  30                                                |0|
00000041

ASAN:SIGSEGV
=================================================================
==8284==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000a0c999 bp 0x7fffa83f31a0 sp 0x7fffa83f3000 T0)
    #0 0xa0c998 in Perl_pp_split /root/perl/pp.c:5738:5
    #1 0x7f26a3 in Perl_runops_debug /root/perl/dump.c:2234:23
    #2 0x5a10c6 in S_run_body /root/perl/perl.c:2525:2
    #3 0x5a10c6 in perl_run /root/perl/perl.c:2448
    #4 0x4de6cd in main /root/perl/perlmain.c:123:9
    #5 0x7f5b16991b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #6 0x4de33c in _start (/root/perl/perl+0x4de33c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/perl/pp.c:5738 Perl_pp_split
==8284==ABORTING

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a0c999 in Perl_pp_split () at pp.c:5738
5738        rx = PM_GETRE(pm);
(gdb) bt
#0  0x0000000000a0c999 in Perl_pp_split () at pp.c:5738
#1  0x00000000007f26a4 in Perl_runops_debug () at dump.c:2234
#2  0x00000000005a10c7 in S_run_body (oldscope=<optimized out>) at perl.c:2525
#3  perl_run (my_perl=<optimized out>) at perl.c:2448
#4  0x00000000004de6ce in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:123

Non-instrumented v5.25.4-5-g92d73bf Valgrind output:
==27188== Conditional jump or move depends on uninitialised value(s)
==27188==    at 0x55E88C: Perl_pp_split (pp.c:5736)
==27188==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==27188==    by 0x452E96: S_run_body (perl.c:2525)
==27188==    by 0x452E96: perl_run (perl.c:2448)
==27188==    by 0x421834: main (perlmain.c:123)
==27188==
==27188== Conditional jump or move depends on uninitialised value(s)
==27188==    at 0x4D8312: Perl_die (util.c:1719)
==27188==    by 0x5604C1: Perl_pp_split (pp.c:5737)
==27188==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==27188==    by 0x452E96: S_run_body (perl.c:2525)
==27188==    by 0x452E96: perl_run (perl.c:2448)
==27188==    by 0x421834: main (perlmain.c:123)
==27188==
panic: pp_split, pm=0, s=6def41 at over727 line 1, <DATA> line 2.

