develooper Front page | perl.perl5.porters | Postings from January 2017

[perl #130635] [PATCH] Stack overflow in Storable retrieve_hook

From:
James E Keenan via RT
Date:
January 25, 2017 16:12
Subject:
[perl #130635] [PATCH] Stack overflow in Storable retrieve_hook
Message ID:
rt-4.0.24-3776-1485360747-515.130635-15-0@perl.org
On Wed, 25 Jan 2017 15:42:21 GMT, jkeenan wrote:
> On Wed, 25 Jan 2017 15:21:36 GMT, jkeenan wrote:
> > On Wed, 25 Jan 2017 04:04:15 GMT, jkeenan wrote:
> > > On Wed, 25 Jan 2017 02:05:45 GMT, jkeenan wrote:
> > > > On Tue, 24 Jan 2017 19:22:28 GMT, john@nixnuts.net wrote:
> > > > > This is a bug report for perl from john@nixnuts.net,
> > > > > generated with the help of perlbug 1.40 running under perl
> > > > > 5.25.9.
> > > > >
> > > > >
> > > > > -----------------------------------------------------------------
> > > > > AFL detected a stack overflow in Storable's retrieve_hook()
> > > > > function.
> > > > >
> > > > > The problem essentially is that a hook's classname length is read into
> > > > > a signed integer, compared to the size of a stack buffer, then used to
> > > > > read the classname. The size comparison treats the length as signed,
> > > > > while the read treats the length as unsigned.
> > > > >
> > > >
> > > > Available for smoke-testing in this branch:
> > > >
> > > > smoke-me/jkeenan/130635-storable
> > > >
> > > > I corrected one spelling error in a test description and incremented
> > > > the VERSION number.
> > >
> > > This revision failed on FreeBSD-11.  See:  http://perl5.test-smoke.org/report/53470
> > >
> > > When I ran the test file individually, it hung at 'ok 24', then
> > > printed these error messages:
> > >
> > > #####
> > > swap_pager: out of swap space
> > > swap_pager_getswapspace(16): failed
> > > swap_pager_getswapspace(16): failed
> > > swap_pager_getswapspace(16): failed
> > > #####
> > >
> > > kernel: pid 18627 (perl), uid 1001, was killed: out of swap space
> > >
> > > So something is clearly amiss with this patch.
> > >
> > > Thank you very much.
> >
> > Similar results on FreeBSD-10.3:
> > http://perl5.test-smoke.org/report/53481
> 
> On (at least) FreeBSD-10.3, it appears that the test failure occurs
> when I configure with -DDEBUGGING:
> 
> #####
> [perl] $ gitcurr
> 130635-storable
> [perl] $ git show | head -1
> commit 706cfb1457f378d29e5407d18dae5a7ad3c52033
> [perl] $ ./perl -Ilib -V | grep config_args
>     config_args='-des -Dusedevel -Duseithreads -Doptimize=-O2 -pipe
> -fstack-protector -fno-strict-aliasing -DDEBUGGING'
> #####
> cd t;./perl harness -v ../dist/Storable/t/store.t; cd -
> ...
> ok 24 - RT 130098:  no segfault in Storable::fd_retrieve()
> 
> #   Failed test 'No stack smashing error when retrieving hook'
> #   at t/store.t line 109.
> # Looks like you failed 1 test of 25.
> not ok 25 - No stack smashing error when retrieving hook
> Dubious, test returned 1 (wstat 256, 0x100)
>  Failed 1/25 subtests
> ...
> #####
> 
> In the same branch, at the same commit, configuring exactly the same
> except without -DDEBUGGING, the test file completes successfully.

On FreeBSD-11, I get the same difference in results between with/without -DDEBUGGING.

On Linux, with -DDEBUGGING, the test file eventually completes ... but clearly hangs for some time after 'ok 21' and takes 30s to run.

So the patch does not play well with -DDEBUGGING regardless of OS.

Thank you very much.
-- 
James E Keenan (jkeenan@cpan.org)

---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=130635
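The signed-versus-unsigned length check described in the quoted report, modelled as an added example in C. This is not Storable's code: the 256-byte buffer size and the 4-byte little-endian length framing are constructed for the demonstration, and neither version performs the copy; each only returns the byte count the copy would be handed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the stack buffer size; the real size in
   Storable is not stated in the report. */
#define CLASSNAME_BUFSIZE 256

/* Decode a 4-byte little-endian wire length (constructed framing,
   not Storable's actual encoding). */
static uint32_t wire_length(const unsigned char b[4])
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Pattern from the report: the length lands in a signed int, the bounds
   check is done as signed, then the same value is handed to the read as
   an unsigned size. Returns the byte count the read would receive, or 0
   if the check rejects the input. */
size_t unsafe_copy_len(const unsigned char b[4])
{
    int len = (int)wire_length(b);       /* signed interpretation */
    if (len > (int)CLASSNAME_BUFSIZE)    /* a negative len passes this test */
        return 0;
    return (size_t)len;                  /* wraps to a huge size when len < 0 */
}

/* Hardened version: the length stays unsigned from read to copy, so any
   value above the buffer size is rejected, including the ones that would
   have read as negative above. */
size_t safe_copy_len(const unsigned char b[4])
{
    uint32_t len = wire_length(b);
    if (len > CLASSNAME_BUFSIZE)
        return 0;
    return (size_t)len;
}

int main(void)
{
    const unsigned char ok[4]  = {0x10, 0x00, 0x00, 0x00}; /* 16 bytes */
    const unsigned char bad[4] = {0xff, 0xff, 0xff, 0xff}; /* -1 as int */
    printf("unsafe: ok=%zu bad=%zu\n", unsafe_copy_len(ok), unsafe_copy_len(bad));
    printf("safe:   ok=%zu bad=%zu\n", safe_copy_len(ok), safe_copy_len(bad));
    return 0;
}
```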
