
[perl #132625] PERL-5.26.1 heap_buffer_overflow READ of size 8

From: Tony Cook via RT
Date: October 31, 2018 21:37
Subject: [perl #132625] PERL-5.26.1 heap_buffer_overflow READ of size 8
Message ID: rt-4.0.24-23837-1541021849-885.132625-15-0@perl.org

On Mon, 09 Apr 2018 09:04:48 -0700, davem wrote:
> On Mon, Jan 22, 2018 at 09:35:32PM -0800, Tony Cook via RT wrote:
> > On Mon, 08 Jan 2018 13:30:49 -0800, hv wrote:
> > > I can't reproduce this, I get:
> > > $* is no longer supported. Its use will be fatal in Perl 5.30 at
> > > /home/hv/rt132625 line 1.
> > > Use of code point 0xFFFF9DEFFFFEE27F is not allowed; the
> > > permissible
> > > max is 0x7FFFFFFFFFFFFFFF at /home/hv/rt132625 line 1.
> > >
> > > The code and reported stack trace appear to be a minor variation on
> > > rt132622.
> >
> > If you remove the first statement (the pack of ~qr/./) a debugging
> > build produces:
> >
> > tony@mars:.../git/perl$ ./miniperl  ../132625.pl
> > $* is no longer supported. Its use will be fatal in Perl 5.30 at
> > ../132625.pl line 1.
> > miniperl: sv.c:4856: Perl_sv_setpv_bufsize: Assertion
> > `PL_valid_types_PVX[SvTYPE(_svpvx) & SVt_MASK]' failed.
> > Aborted
> >
> > Backtrace:
> >
> > Program received signal SIGABRT, Aborted.
> > __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
> > 51      ../sysdeps/unix/sysv/linux/raise.c: No such file or
> > directory.
> > (gdb) bt
> > #0  __GI_raise (sig=sig@entry=6) at
> > ../sysdeps/unix/sysv/linux/raise.c:51
> > #1  0x00007ffff5d5b3fa in __GI_abort () at abort.c:89
> >  #2  0x00007ffff5d52e37 in __assert_fail_base (fmt=<optimized out>,
> >      assertion=assertion@entry=0x555555bfa6e0
> > "PL_valid_types_PVX[SvTYPE(_svpvx) & SVt_MASK]",
> > file=file@entry=0x555555bf7ae0 "sv.c", line=line@entry=4856,
> >     function=function@entry=0x555555c11180
> > <__PRETTY_FUNCTION__.18843> "Perl_sv_setpv_bufsize") at assert.c:92
> > #3  0x00007ffff5d52ee2 in __GI___assert_fail (
> >      assertion=assertion@entry=0x555555bfa6e0
> > "PL_valid_types_PVX[SvTYPE(_svpvx) & SVt_MASK]",
> > file=file@entry=0x555555bf7ae0 "sv.c", line=line@entry=4856,
> >     function=function@entry=0x555555c11180
> > <__PRETTY_FUNCTION__.18843> "Perl_sv_setpv_bufsize") at assert.c:101
> >  #4  0x000055555592813a in Perl_sv_setpv_bufsize
> > (sv=sv@entry=0x621000012758,
> >     cur=cur@entry=0, len=len@entry=0) at sv.c:4856
> > #5  0x00005555558aaea9 in Perl_pp_concat () at pp_hot.c:292
> > #6  0x000055555582b13f in Perl_runops_debug () at dump.c:2527
> > #7  0x00005555556ca9bf in S_run_body (oldscope=1) at perl.c:2728
> > #8  perl_run (my_perl=<optimized out>) at perl.c:2649
> >  #9  0x00005555556433ea in main (argc=<optimized out>,
> > argv=<optimized out>,
> >     env=<optimized out>) at miniperlmain.c:128
> >
> > which looks like a stack-not-refcounted issue, as you say.
> 
> Agreed, I'll move it to the public queue.

Now done.

Tony

---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=132625
