perl.perl5.porters: postings from October 2016
[perl #129888] null ptr deref, segfault in Perl_do_aexec5(doio.c:1595)
From: Brian Carpenter
Date: October 15, 2016 22:23
Subject: [perl #129888] null ptr deref, segfault in Perl_do_aexec5(doio.c:1595)
Message ID: rt-4.0.24-23993-1476570192-1641.129888-75-0@perl.org
# New Ticket Created by Brian Carpenter
# Please include the string: [perl #129888]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=129888 >
Triggered with AFL+ASAN in Perl v5.25.6 (v5.25.5-104-gaff2be5).
od -tx1 test274
0000000 7b 24 30 3d 24 53 49 47 7b 5f 5f 57 41 52 4e 5f
0000020 5f 7d 3d 73 75 62 7b 65 78 65 63 7d 3b 24 5e 57
0000040 3d 32 2c 65 78 65 63 24 70 00 30 7d
0000054
Number found where operator expected at test274 line 1, near "$p0"
(Missing operator before 0?)
ASAN:SIGSEGV
=================================================================
==6592==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000b30ea7 bp 0x7fffff249420 sp 0x7fffff249280 T0)
#0 0xb30ea6 in Perl_do_aexec5 /root/perl/doio.c:1595:13
#1 0xaf9bbc in Perl_pp_exec /root/perl/pp_sys.c:4515:15
#2 0x7f44b3 in Perl_runops_debug /root/perl/dump.c:2246:23
#3 0x5a12b6 in S_run_body /root/perl/perl.c:2526:2
#4 0x5a12b6 in perl_run /root/perl/perl.c:2449
#5 0x4de60d in main /root/perl/perlmain.c:123:9
#6 0x7f7211793b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
#7 0x4de27c in _start (/root/perl/perl+0x4de27c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/perl/doio.c:1595 Perl_do_aexec5
==6592==ABORTING
Number found where operator expected at test274 line 1, near "$p0"
(Missing operator before 0?)
==6567== Invalid read of size 8
==6567== at 0x5A7B17: Perl_do_aexec5 (doio.c:1595)
==6567== by 0x598CD4: Perl_pp_exec (pp_sys.c:4515)
==6567== by 0x4D71A1: Perl_runops_debug (dump.c:2246)
==6567== by 0x453156: S_run_body (perl.c:2526)
==6567== by 0x453156: perl_run (perl.c:2449)
==6567== by 0x421984: main (perlmain.c:123)
==6567== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==6567==
==6567==
==6567== Process terminating with default action of signal 11 (SIGSEGV)
==6567== Access not within mapped region at address 0x0
==6567== at 0x5A7B17: Perl_do_aexec5 (doio.c:1595)
==6567== by 0x598CD4: Perl_pp_exec (pp_sys.c:4515)
==6567== by 0x4D71A1: Perl_runops_debug (dump.c:2246)
==6567== by 0x453156: S_run_body (perl.c:2526)
==6567== by 0x453156: perl_run (perl.c:2449)
==6567== by 0x421984: main (perlmain.c:123)
==6567== If you believe this happened as a result of a stack
==6567== overflow in your program's main thread (unlikely but
==6567== possible), you can try to increase the size of the
==6567== main thread stack using the --main-stacksize= flag.
==6567== The main thread stack size used in this run was 8388608.
Segmentation fault
Number found where operator expected at test274 line 1, near "$p0"
(Missing operator before 0?)
Program received signal SIGSEGV, Segmentation fault.
0x00000000005a7b17 in Perl_do_aexec5 (really=0x939998, mark=0x919b70,
mark@entry=0x919b60, sp=sp@entry=0x919b68, fd=fd@entry=0,
do_report=do_report@entry=0) at doio.c:1595
1595 PerlProc_execvp(PL_Argv[0],EXEC_ARGV_CAST(PL_Argv));
(gdb) bt
#0 0x00000000005a7b17 in Perl_do_aexec5 (really=0x939998, mark=0x919b70,
mark@entry=0x919b60, sp=sp@entry=0x919b68, fd=fd@entry=0,
do_report=do_report@entry=0) at doio.c:1595
#1 0x0000000000598cd5 in Perl_pp_exec () at pp_sys.c:4515
#2 0x00000000004d71a2 in Perl_runops_debug () at dump.c:2246
#3 0x0000000000453157 in S_run_body (oldscope=1) at perl.c:2526
#4 perl_run (my_perl=<optimized out>) at perl.c:2449
#5 0x0000000000421985 in main (argc=2, argv=0x7fffffffe6b8,
env=0x7fffffffe6d0) at perlmain.c:123
(gdb) list
1590 TAINT_ENV(); /* testing IFS here is overkill, probably */
1591 PERL_FPU_PRE_EXEC
1592 if (really && *tmps) {
1593 PerlProc_execvp(tmps,EXEC_ARGV_CAST(PL_Argv));
1594 } else {
1595 PerlProc_execvp(PL_Argv[0],EXEC_ARGV_CAST(PL_Argv));
1596 }
1597 PERL_FPU_POST_EXEC
1598 S_exec_failed(aTHX_ (really ? tmps : PL_Argv[0]), fd, do_report);
1599 }
(gdb) i r
rax 0x0 0
rbx 0x6193c4 6394820
rcx 0x0 0
rdx 0x7ffff6cf20e0 140737334157536
rsi 0x7fffffffe140 140737488347456
rdi 0x8 8
rbp 0x7fffffffe360 0x7fffffffe360
rsp 0x7fffffffe350 0x7fffffffe350
r8 0x7fffffffe360 140737488348000
r9 0x7fffffffe1e0 140737488347616
r10 0x8 8
r11 0x206 518
r12 0x932d10 9645328
r13 0x939998 9673112
r14 0x932d20 9645344
r15 0x919b70 9542512
rip 0x5a7b17 0x5a7b17 <Perl_do_aexec5+359>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
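The gdb listing above shows the two execvp() branches at doio.c:1592-1595: when the PROGRAM operand of exec is absent or empty, the first element of the argument vector is used as the program name, and in this report that element is NULL. The following is an added example, not Perl's own code, of the same branch logic with the missing guard in front of it; exec_checked and the probe path are hypothetical names chosen here.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Mirror of the branch shown in the gdb listing at doio.c:1592-1595:
 * when `really` (the PROGRAM in `exec PROGRAM LIST`) is absent or empty,
 * argv[0] is used as the program name. In the crash above argv[0]
 * (PL_Argv[0]) is NULL, so execvp() dereferences address 0.
 * This hypothetical helper adds the guard before either execvp() call. */
static int exec_checked(const char *really, char *const argv[])
{
    /* The guard: an empty vector or a NULL argv[0] cannot be exec'd. */
    if (argv == NULL || argv[0] == NULL) {
        errno = ENOENT;          /* report "no such program" instead of crashing */
        return -1;
    }
    if (really != NULL && *really != '\0')
        execvp(really, argv);    /* PROGRAM given: exec it with argv as its args */
    else
        execvp(argv[0], argv);   /* otherwise argv[0] names the program */
    return -1;                   /* execvp() only returns on failure; errno is set */
}

/* Reproduce the report's condition without the NUL-byte script: an
 * argument vector whose first slot is NULL, as PL_Argv[0] was. */
static int crash_condition_handled(void)
{
    char *const argv[] = { NULL };
    int rc = exec_checked(NULL, argv);   /* unguarded, this is execvp(NULL, ...) */
    return rc == -1 && errno == ENOENT;
}

/* A vector with a real argv[0] still takes the normal path; the constructed
 * path does not exist, so execvp() fails and errno comes back to the caller. */
static int nonexistent_program_reports(void)
{
    char *const argv[] = { "/nonexistent/perl-129888-probe", NULL };
    int rc = exec_checked(NULL, argv);
    return rc == -1 && errno == ENOENT;
}

int main(void)
{
    printf("NULL argv[0] handled: %d\n", crash_condition_handled());
    printf("missing program reported: %d\n", nonexistent_program_reports());
    return 0;
}
```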