
[perl #132828] Tricky code can bypass Carp overload protections and trigger exceptions

From: yves orton
Date: February 7, 2018 20:56
Subject: [perl #132828] Tricky code can bypass Carp overload protections and trigger exceptions
Message ID: rt-4.0.24-2993-1518037002-998.132828-75-0@perl.org
# New Ticket Created by  yves orton 
# Please include the string:  [perl #132828]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=132828 >


This produces interesting results:

perl -MCarp -E 'package OverloadedInXS { my $n = \&overload::nil; my
$p = __PACKAGE__; *{$p."::(("} = $n; *{$p.q!::(""!} = sub { return
"<My Stringify>" };  } for (1, 2) { sub { Carp::cluck("") }->(bless
{}, "OverloadedInXS"); require overload }'

 at -e line 1.
main::__ANON__(<My Stringify>) called at -e line 1
 at -e line 1.
main::__ANON__(OverloadedInXS=HASH(0xfe6ed8)) called at -e line 1

So one can get around Carp's defenses against overloading. Which means...

perl -MCarp -E 'package OverloadedInXS { my $n = \&overload::nil; my
$p = __PACKAGE__; *{$p."::(("} = $n; *{$p.q!::(""!} = sub {
Carp::cluck "<My Stringify>" };  } for (1, 2) { sub { Carp::cluck("")
}->(bless {}, "OverloadedInXS"); require overload }'
Deep recursion on subroutine "Carp::longmess" at
/home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm
line 170.
Deep recursion on subroutine "Carp::longmess_heavy" at
/home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm
line 148.
Deep recursion on subroutine "Carp::ret_backtrace" at
/home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm
line 450.
Deep recursion on subroutine "Carp::caller_info" at
/home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm
line 467.
Deep recursion on subroutine "Carp::format_arg" at
/home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm
line 237.
Deep recursion on subroutine "Carp::caller_info" at
/home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm
line 481.
Deep recursion on subroutine "Carp::format_arg" at
/home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm
line 237.
Deep recursion on anonymous subroutine at
/home/yorton/perl5/perlbrew/perls/perl-5.18.4/lib/site_perl/5.18.4/Carp.pm
line 282.
Segmentation fault

This applies to the most recent perl as well. The following patch,
against smoke-me/rt52610 version of Carp:

diff --git a/dist/Carp/lib/Carp.pm b/dist/Carp/lib/Carp.pm
index f4ae975..6d4df6e 100644
--- a/dist/Carp/lib/Carp.pm
+++ b/dist/Carp/lib/Carp.pm
@@ -322,6 +322,11 @@ sub format_arg {
         }
         else
         {
+            {
+                no strict 'refs';
+                my $pack= ref $arg;
+                if (*{$pack."::(("}{CODE}) { require overload; }
+            }
            my $sub = _fetch_sub(overload => 'StrVal');
            return $sub ? &$sub($arg) : "$arg";
         }
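
Review bot: The test `*{$pack."::(("}{CODE}` looks only in the object's own package, so an object whose class inherits its overloading from a parent has no `((` code slot there and still reaches the `"$arg"` fallback when overload is not loaded. A lookup that follows inheritance, for example `UNIVERSAL::can($arg, "((")`, would cover that case and would also avoid creating the `((` glob as a side effect of the symbolic dereference. A one-line comment saying that `((` is the marker overloading relies on, plus a regression test built from the one-liner in this report, would make the intent clear; as a style point, `my $pack= ref $arg;` wants a space before the `=`.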

fixes the segfault by checking to see if overloading is enabled, and if
it is, requiring overload. Even if they had a good reason to avoid
loading overload in the first place, surely doing so to avoid a
possible segfault in an exception is reasonable.

Yves
ps: Brian Fraser found this neat trick. Which I am unfortunately
having to wet-blanket. :-)


-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
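
Added example, not part of the original message and not Carp's code: it compares the own-package marker test from the patch with an inheritance-aware lookup, and shows a rendering that never runs a stringify handler. The classes HandRolled and HandRolled::Child are constructed, the helper names are hypothetical, and the `no overloading` pragma is a different technique from the one in the patch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed classes: overloading is installed by hand, as in the report,
# so overload.pm is never loaded on their behalf.
package HandRolled {
    no strict 'refs';
    our $calls = 0;                       # counts handler invocations
    my $p = __PACKAGE__;
    *{ $p . '::((' }  = \&overload::nil;  # marker that switches overloading on
    *{ $p . '::(""' } = sub { $calls++; '<My Stringify>' };
}
package HandRolled::Child { our @ISA = ('HandRolled') }  # inherits the overloading

package main;

# Inheritance-aware check, called as a plain function so that a can()
# method supplied by the class is never run.
sub overloaded_via_mro {
    my ($obj) = @_;
    return ( UNIVERSAL::can( $obj, '((' ) || UNIVERSAL::can( $obj, '()' ) ) ? 1 : 0;
}

# The patch's test: a code slot named "((" in the object's own package.
sub own_package_marker {
    my ($obj) = @_;
    no strict 'refs';
    my $glob = ref($obj) . '::((';
    return defined( *{$glob}{CODE} ) ? 1 : 0;
}

# Render without running any overload handler (lexical pragma, perl 5.10.1+).
sub plain_strval {
    my ($obj) = @_;
    no overloading;
    return "$obj";
}

for my $class (qw(HandRolled HandRolled::Child)) {
    my $obj   = bless {}, $class;
    my $mro   = overloaded_via_mro($obj);
    my $own   = own_package_marker($obj);
    my $plain = plain_strval($obj);    # handler is not called here
    my $naive = "$obj";                # handler is called here
    print "${class}: own-package=$own inheritance-aware=$mro\n",
          "  plain=$plain naive=$naive handler calls=$HandRolled::calls\n";
}
print 'overload.pm loaded: ', ( $INC{'overload.pm'} ? 'yes' : 'no' ), "\n";
```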

