perl.perl5.porters | Postings from October 2017

Re: [perl #130256] heap-use-after-free Perl_sv_setpv_bufsize(sv.c:4956)

From: Brian Carpenter
Date: October 2, 2017 16:06
Subject: Re: [perl #130256] heap-use-after-free Perl_sv_setpv_bufsize(sv.c:4956)
Message ID: CANMVOuydw3RwVY8RWx=xGxP0NSLicr8Lu3YLP6jeafshFWUo_w@mail.gmail.com
Just triggered this bug in v5.27.4-29-gdc41635.

./perl -e '$$.=*$=*$$'

=================================================================
==30274==ERROR: AddressSanitizer: heap-use-after-free on address
0x60200000e1f0 at pc 0xbcce5c bp 0x7fff60a28b20 sp 0x7fff60a28b18
WRITE of size 1 at 0x60200000e1f0 thread T0
    #0 0xbcce5b in Perl_sv_setpv_bufsize /root/perl/sv.c:4958
    #1 0xaa2e02 in Perl_pp_concat /root/perl/pp_hot.c:292
    #2 0x92ee8e in Perl_runops_debug /root/perl/dump.c:2486
    #3 0x5a9bed in S_run_body /root/perl/perl.c:2592
    #4 0x5a9bed in perl_run /root/perl/perl.c:2520
    #5 0x4362e9 in main /root/perl/perlmain.c:123
    #6 0x7f6fce22cb44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x4372fa (/root/perl/perl+0x4372fa)

0x60200000e1f0 is located 0 bytes inside of 10-byte region
[0x60200000e1f0,0x60200000e1fa)
freed by thread T0 here:
    #0 0x7f6fcf37e527 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0xb254d0 in Perl_sv_clear /root/perl/sv.c:6825
    #2 0xb28547 in Perl_sv_free2 /root/perl/sv.c:7127
    #3 0x5b91cb in S_SvREFCNT_dec /root/perl/inline.h:191
    #4 0x5b91cb in Perl_gp_free /root/perl/gv.c:2638
    #5 0xbc0d7e in S_glob_assign_glob /root/perl/sv.c:3950
    #6 0xb75020 in Perl_sv_setsv_flags /root/perl/sv.c:4461
    #7 0xa9c427 in Perl_pp_sassign /root/perl/pp_hot.c:226
    #8 0x92ee8e in Perl_runops_debug /root/perl/dump.c:2486
    #9 0x5a9bed in S_run_body /root/perl/perl.c:2592
    #10 0x5a9bed in perl_run /root/perl/perl.c:2520
    #11 0x4362e9 in main /root/perl/perlmain.c:123
    #12 0x7f6fce22cb44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

previously allocated by thread T0 here:
    #0 0x7f6fcf37e73f in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x96d04d in Perl_safesysmalloc /root/perl/util.c:153
    #2 0xb888b7 in Perl_sv_grow /root/perl/sv.c:1603
    #3 0xb8e1cc in Perl_sv_2pv_flags /root/perl/sv.c:3090
    #4 0x613b62 in Perl_gv_fetchsv /root/perl/gv.c:1569
    #5 0xc7c54d in S_rv2gv /root/perl/pp.c:191
    #6 0xc7c54d in Perl_pp_rv2gv /root/perl/pp.c:210
    #7 0x92ee8e in Perl_runops_debug /root/perl/dump.c:2486
    #8 0x5a9bed in S_run_body /root/perl/perl.c:2592
    #9 0x5a9bed in perl_run /root/perl/perl.c:2520
    #10 0x4362e9 in main /root/perl/perlmain.c:123
    #11 0x7f6fce22cb44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/sv.c:4958
Perl_sv_setpv_bufsize

And if I change it ever so slightly, we get a null pointer dereference
instead:

./perl -e '$$.=*$=0'

ASAN:SIGSEGV
=================================================================
==21206==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x000000bcc503 sp 0x7ffd0cde5380 bp 0x7ffd0cde53b0 T0)
    #0 0xbcc502 in Perl_sv_setpv_bufsize /root/perl/sv.c:4959
    #1 0xaa2e02 in Perl_pp_concat /root/perl/pp_hot.c:292
    #2 0x92ee8e in Perl_runops_debug /root/perl/dump.c:2486
    #3 0x5a9bed in S_run_body /root/perl/perl.c:2592
    #4 0x5a9bed in perl_run /root/perl/perl.c:2520
    #5 0x4362e9 in main /root/perl/perlmain.c:123
    #6 0x7fe49ff72b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x4372fa (/root/perl/perl+0x4372fa)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/perl/sv.c:4959 Perl_sv_setpv_bufsize
==21206==ABORTING
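The two stacks in the first report fit together into one picture: the scalar that `pp_concat` writes into was freed underneath it by `Perl_gp_free`, reached from the glob assignment (`S_glob_assign_glob` via `pp_sassign`) that evaluates the right-hand side of the `.=`. In other words the append obtained its target, the right-hand side then destroyed that target as a side effect, and the append carried on writing through the stale pointer. The C program below is an added illustration of that bug pattern in a toy refcounted-value model; it is not perl's code, and it does not claim to be the fix applied for this ticket. Every name in it (`Value`, `Slot`, `slot_assign`, `concat_assign_buggy`, `concat_assign_fixed`, `run_aliased`, `run_disjoint`) and the sample strings are constructed for the example. Destroyed values keep their struct with a `live` flag so the buggy path can be detected and reported rather than being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy interpreter value: refcounted, owns a heap string buffer.
 * Constructed for illustration; this is not perl's SV. */
typedef struct Value {
    int    refcnt;
    int    live;   /* cleared on destruction; stands in for ASAN's "freed" record */
    char  *buf;
    size_t len;
} Value;

/* A container that owns exactly one Value, like a glob's scalar slot. */
typedef struct Slot { Value *sv; } Slot;

static Value *value_new(const char *s) {
    Value *v = calloc(1, sizeof *v);
    v->refcnt = 1;
    v->live = 1;
    v->len = strlen(s);
    v->buf = malloc(v->len + 1);
    memcpy(v->buf, s, v->len + 1);
    return v;
}

static void value_inc(Value *v) { v->refcnt++; }

/* Dropping the last reference destroys the value. The struct is deliberately
 * kept (with live = 0) so a later misuse can be caught by value_append instead
 * of corrupting memory; a real allocator would hand the block back. */
static void value_dec(Value *v) {
    if (--v->refcnt == 0) {
        free(v->buf);
        v->buf = NULL;
        v->len = 0;
        v->live = 0;
    }
}

/* Side-effecting operand: replace what the slot owns and release the old value.
 * This plays the role the glob assignment `*$ = *$$` plays in the report. */
static Value *slot_assign(Slot *slot, Value *replacement) {
    Value *old = slot->sv;
    slot->sv = replacement;   /* the slot takes ownership of the replacement */
    value_dec(old);
    return replacement;
}

/* Append src to dst in place. Returns 0, or -1 if either value is no longer
 * live (the write ASAN flagged as heap-use-after-free in the report). */
static int value_append(Value *dst, const Value *src) {
    if (!dst->live || !src->live) return -1;
    char *grown = realloc(dst->buf, dst->len + src->len + 1);
    if (!grown) return -1;
    dst->buf = grown;
    memcpy(dst->buf + dst->len, src->buf, src->len + 1);
    dst->len += src->len;
    return 0;
}

/* Buggy evaluation of `target .= (slot = replacement)`: the target is read out
 * as a raw, non-owning pointer, the right-hand side then runs and may destroy
 * it, and the append writes through the stale pointer. */
static int concat_assign_buggy(Slot *target, Slot *slot, Value *replacement) {
    Value *lhs = target->sv;                      /* non-owning */
    Value *rhs = slot_assign(slot, replacement);  /* frees *lhs when target == slot */
    return value_append(lhs, rhs);
}

/* Hardened form: hold an owning reference on the target across the evaluation
 * of the right-hand side, so no side effect there can destroy it. The reference
 * is released afterwards, so a replaced value is freed then rather than mid-append. */
static int concat_assign_fixed(Slot *target, Slot *slot, Value *replacement) {
    Value *lhs = target->sv;
    value_inc(lhs);
    Value *rhs = slot_assign(slot, replacement);
    int rc = value_append(lhs, rhs);
    value_dec(lhs);
    return rc;
}

/* The shape of the report: the value being appended to lives in the very slot
 * the right-hand side reassigns. Sample strings are constructed. */
static int run_aliased(int hardened) {
    Slot slot = { value_new("30274") };
    Value *replacement = value_new("*30274");
    int rc = hardened ? concat_assign_fixed(&slot, &slot, replacement)
                      : concat_assign_buggy(&slot, &slot, replacement);
    value_dec(slot.sv);
    return rc;
}

/* Disjoint slots: the hardened path behaves like an ordinary append. */
static int run_disjoint(char *out, size_t outsz) {
    Slot a = { value_new("foo") };
    Slot b = { value_new("bar") };
    int rc = concat_assign_fixed(&a, &b, value_new("baz"));
    if (rc == 0) snprintf(out, outsz, "%s", a.sv->buf);
    value_dec(a.sv);
    value_dec(b.sv);
    return rc;
}

static int run_disjoint_matches(const char *expected) {
    char out[32];
    return run_disjoint(out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

int main(void) {
    printf("aliased, buggy:    %s\n", run_aliased(0) == -1 ? "write into destroyed value caught" : "no error");
    printf("aliased, hardened: %s\n", run_aliased(1) == 0 ? "ok" : "failed");
    printf("disjoint:          %s\n", run_disjoint_matches("foobaz") ? "foobaz" : "wrong result");
    return 0;
}
```

Holding an owning reference across the side-effecting operand is one of the usual remedies; re-fetching the target after the right-hand side has run is another. The post does not say which route the ticket's fix took, and the second report (`*$ = 0`, a NULL dereference at the next line of `Perl_sv_setpv_bufsize`) suggests the same stale-target problem surfacing with a different replacement value rather than a separate bug.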