develooper Front page | perl.perl5.porters | Postings from April 2019

[perl #134028] Stack overflow when local'izing readonly arrays

Thread Previous
From:
Tony Cook via RT
Date:
April 23, 2019 01:20
Subject:
[perl #134028] Stack overflow when local'izing readonly arrays
Message ID:
rt-4.0.24-2934-1555982396-1429.134028-15-0@perl.org
On Sun, 14 Apr 2019 03:03:11 -0700, randir wrote:
> While fuzzing perl v5.29.9-63-g2496d8f3f7 built with afl and run
> under libdislocator, I found the following program
> 
> local@-[0..7000]
> 
> to cause stack overflow. GDB stack trace is following
> 
> #1  0x00005555557d0110 in Perl_sv_vsetpvfn (sv=0x555555d70a78,
> pat=0x555555aa220f "%s", patlen=2, args=0x7fffff7ff480, svargs=0x0,
> sv_count=0,
>     maybe_tainted=0x0) at sv.c:10977
> #2  0x0000555555710f4a in Perl_vmess (pat=0x555555aa220f "%s",
> args=0x7fffff7ff480) at util.c:1484
> #3  0x0000555555712025 in Perl_vcroak (pat=0x555555aa220f "%s",
> args=0x7fffff7ff480) at util.c:1697
> #4  0x000055555571231b in Perl_croak (pat=0x555555aa220f "%s") at
> util.c:1744
> #5  0x0000555555712337 in Perl_croak_no_modify () at util.c:1762
> #6  0x0000555555757d4e in Perl_av_delete (av=0x555555b74e50, key=2194,
> flags=4) at av.c:894
> #7  0x000055555581f9c7 in Perl_leave_scope (base=0) at scope.c:1275
> #8  0x000055555582de6d in Perl_dounwind (cxix=-1) at pp_ctl.c:1550
> #9  0x00005555555f9c55 in S_my_exit_jump () at perl.c:5262
> #10 0x00005555555f9ab8 in Perl_my_failure_exit () at perl.c:5249
> #11 0x000055555582f1e9 in Perl_die_unwind (msv=0x555555d70a60) at
> pp_ctl.c:1797
> #12 0x000055555571226a in Perl_vcroak (pat=0x555555aa220f "%s",
> args=0x7fffff7ffb50) at util.c:1699
> #13 0x000055555571231b in Perl_croak (pat=0x555555aa220f "%s") at
> util.c:1744
> #14 0x0000555555712337 in Perl_croak_no_modify () at util.c:1762
> #15 0x0000555555757d4e in Perl_av_delete (av=0x555555b74e50, key=2195,
> flags=4) at av.c:894
> ...
> #43261 0x000055555581f9c7 in Perl_leave_scope (base=0) at scope.c:1275
> 1275     (void)av_delete(a1.any_av, a0.any_iv, G_DISCARD);
> #43262 0x0000555555832128 in Perl_pp_leave () at pp_ctl.c:2136
> 2136     CX_LEAVE_SCOPE(cx);
> 

Similarly for

  local@-{0..7000}

This is caused by the av_delete() for SAVEt_ADELETE croaking due to @- being readonly.

So it tries to "restore" element 7000 calling av_delete(), which croaks, and then tries to unwind the scope, trying to delete element 6999, which croaks and so on until we run out of stack.

We could fail earlier for the test case by throwing errors in aslice and hslice if we're localising a readonly array/slice, but this won't help for the more general case since the array/hash might be set readonly after the local.

This would need to be done in many ops that localise for a more comprehensive fix, though most of those won't localise in bulk like aslice/hslice. ( git grep LVAL_INTRO pp*.c )

Tony

---
via perlbug:  queue: perl5 status: new
https://rt.perl.org/Ticket/Display.html?id=134028

Thread Previous


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About