
[perl #132618] PERL-5.26.1 heap_use_after_free WRITE of size 1

From: Tony Cook via RT
Date: January 31, 2018 04:26
Subject: [perl #132618] PERL-5.26.1 heap_use_after_free WRITE of size 1
Message ID: rt-4.0.24-16754-1517372761-1803.132618-15-0@perl.org
On Sun, 07 Jan 2018 04:20:15 -0800, hv wrote:
> I get a different stack trace (same with blead or 5.26.1), which
> reduces to this and looks very like a stack refcounting issue:
> % ./miniperl -e '$$W += $W = 0'
> ASAN:SIGSEGV
> =================================================================
> ==15388==ERROR: AddressSanitizer: SEGV on unknown address
> 0x000000000000 (pc 0x000000d82176 sp 0x7fff60547580 bp 0x7fff60547830
> T0)
>     #0 0xd82175 in Perl_sv_setiv
> /src/package/lang/perl/gitperl/sv.c:1662
>     #1 0xd8413b in Perl_sv_setuv
> /src/package/lang/perl/gitperl/sv.c:1709
>     #2 0xd84522 in Perl_sv_setuv_mg
> /src/package/lang/perl/gitperl/sv.c:1730
>     #3 0xcff905 in Perl_pp_add
> /src/package/lang/perl/gitperl/pp_hot.c:1612
>     #4 0xcd10f7 in Perl_runops_standard
> /src/package/lang/perl/gitperl/run.c:41
>     #5 0x644229 in S_run_body
> /src/package/lang/perl/gitperl/perl.c:2730
>     #6 0x6421b6 in perl_run /src/package/lang/perl/gitperl/perl.c:2646
>     #7 0x14aa7c8 in main
> /src/package/lang/perl/gitperl/miniperlmain.c:128
>     #8 0x7fcd15454f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #9 0x49947c in _start
> (/src/package/lang/perl/gitperl/miniperl+0x49947c)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV
> /src/package/lang/perl/gitperl/sv.c:1662 Perl_sv_setiv
> ==15388==ABORTING
>  %

Yes, it's a stack not refcounted issue.

The $$W is executed first, which since it's executed in lvalue context, auto-vivifies the value of $W into a reference to an anonymous scalar, and that anonymous scalar is pushed onto the stack.

Then the $W = 0 is executed, releasing the reference above, releasing the anonymous scalar.

Finally the assignment to that anonymous scalar is attempted and Bad Things Happen.

I've moved it to the public queue and linked it to the meta ticket.

> I'm not sure what in the original test case allowed the OP's
> invocation to get as far as pp_pack: I guess the additional
> assignments between the two uses of $W managed to reuse the freed SV
> and set it to something valid enough to let it get further.

That seems likely.

Tony

---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=132618
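The three-step sequence described in the reply (autovivify and push, release via the assignment, write into the released scalar) as an added C model written for this page. It is not perl's sv.c or pp_hot.c: the SV struct, arena, `sv_new`/`sv_dec`/`sv_setiv` and the stack are all simplified stand-ins whose names only echo perl's, and the scalar is marked released rather than handed back to the allocator so the stale pointer can be inspected without undefined behaviour. The `owning_stack` switch contrasts a stack that holds borrowed pointers (the reported behaviour) with one that takes a reference for the duration of the op; the latter is one way a refcounted stack would avoid the write, not a description of the fix perl applied.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of perl scalars (SVs) and the argument stack, written for this
 * note to illustrate the bug mechanism; it is not perl's own sv.c/pp_hot.c. */
typedef struct SV {
    int refcnt;
    bool alive;      /* cleared on release instead of free(), so the stale
                        pointer can be inspected without undefined behaviour */
    long iv;         /* integer value */
    struct SV *rv;   /* non-NULL: this scalar is a reference to *rv */
} SV;

#define MAX_SV 8
static SV arena[MAX_SV];
static int arena_used;

static SV *sv_new(void) {
    SV *sv = &arena[arena_used++];
    sv->refcnt = 1; sv->alive = true; sv->iv = 0; sv->rv = NULL;
    return sv;
}

/* Drop one reference; at zero the scalar is released, and a reference
 * scalar releases its referent in turn. */
static void sv_dec(SV *sv) {
    if (--sv->refcnt > 0) return;
    if (sv->rv) sv_dec(sv->rv);
    sv->alive = false;
}

/* Store an integer. Returns false when the target was already released,
 * i.e. the point at which ASan flagged the write in the real interpreter. */
static bool sv_setiv(SV *sv, long v) {
    if (!sv->alive) return false;
    sv->iv = v;
    return true;
}

/* The argument stack holds raw SV pointers. Whether it owns a reference to
 * what it holds is the switch that decides the outcome below. */
typedef struct { SV *items[4]; int sp; } Stack;

/* Model of `$$W += $W = 0`.  Returns the value stored by the add, or -1 if
 * the add targeted a released scalar.  *anon_alive reports whether the
 * autovivified scalar is still alive at the end (a leak if true). */
static long run_add_assign(bool owning_stack, bool *anon_alive) {
    Stack st = { {0}, 0 };
    arena_used = 0;

    SV *W = sv_new();                       /* $W, initially undef */

    /* 1. $$W in lvalue context autovivifies: $W becomes a reference to a
     *    new anonymous scalar, which is pushed as the add's target. */
    SV *anon = sv_new();
    W->rv = anon;                           /* $W owns the one reference */
    st.items[st.sp++] = anon;
    if (owning_stack) anon->refcnt++;       /* stack keeps it alive */

    /* 2. $W = 0 overwrites the reference, dropping $W's reference to anon. */
    sv_dec(W->rv);
    W->rv = NULL;
    W->iv = 0;

    /* 3. pp_add writes the sum into the pushed target. */
    SV *target = st.items[--st.sp];
    long sum = target->alive ? target->iv + W->iv : 0;
    bool ok = sv_setiv(target, sum);

    /* 4. A stack that owned a reference releases it once the op is done. */
    if (owning_stack) sv_dec(anon);

    *anon_alive = anon->alive;
    return ok ? sum : -1;
}

int main(void) {
    bool alive;
    long r = run_add_assign(false, &alive);
    printf("borrowed stack: result=%ld (-1 = write to released scalar)\n", r);
    r = run_add_assign(true, &alive);
    printf("owning stack:   result=%ld, anon still alive=%d\n", r, alive);
    return 0;
}
```

With a borrowed-pointer stack the assignment in step 2 takes the anonymous scalar's count to zero before step 3 reaches it, which is the write ASan reported; with the stack holding its own reference the add completes and the scalar is released only when the stack lets go, so nothing leaks either.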


