Null pointer dereference in Perl_pp_multiconcat

[p5pRT]

Migrated from rt.perl.org#132991 (status was 'new')

Searchable as RT132991$

[p5pRT]

From jeremy@feusi.co

Created by jeremy@feusi.co

Reply-To​: jeremy@​feusi.co

This is a bug report for perl from jeremy@​feusi.co,
generated with the help of perlbug 1.40 running under perl 5.26.1.

-----------------------------------------------------------------
Perl segfaults when executing the attached program (perl <progname>) due to a null pointer dereference in Perl_pp_multiconcat.
This bug can also reproduced on archlinux and debian with standard installation configuration and version 5.26.1.

Detailed backtrace​:

ASAN​:DEADLYSIGNAL

==9327==ERROR​: AddressSanitizer​: SEGV on unknown address 0x00000000000c (pc 0x00000084e5f2 bp 0x7ffeed336030 sp 0x7ffeed335a40 T0)
==9327==The signal is caused by a READ memory access.
==9327==Hint​: address points to the zero page.
  #0 0x84e5f1 in Perl_pp_multiconcat /home/jfe/perl52/pp_hot.c
  #1 0x8488be in Perl_runops_standard /home/jfe/perl52/run.c​:41​:26
  #2 0xa95bf6 in S_regmatch /home/jfe/perl52/regexec.c​:7424​:3
  #3 0xa74ea0 in S_regtry /home/jfe/perl52/regexec.c​:4086​:14
  #4 0xa57204 in Perl_regexec_flags /home/jfe/perl52/regexec.c​:3943​:7
  #5 0x877ab1 in Perl_pp_subst /home/jfe/perl52/pp_hot.c​:4212​:10
  #6 0x8488be in Perl_runops_standard /home/jfe/perl52/run.c​:41​:26
  #7 0x5dbc91 in S_run_body /home/jfe/perl52/perl.c
  #8 0x5dabb4 in perl_run /home/jfe/perl52/perl.c​:2646​:2
  #9 0x52f0b8 in main /home/jfe/perl52/perlmain.c​:122​:9
  #10 0x7fe328886f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
  #11 0x43f999 in _start (/home/jfe/perl52/perl+0x43f999)

AddressSanitizer can not provide additional info.
SUMMARY​: AddressSanitizer​: SEGV /home/jfe/perl52/pp_hot.c in Perl_pp_multiconcat
==9327==ABORTING

This bug was found with honggfuzz and asan.

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl 5.26.1:

Configured by Debian at Fri Jan 12 19:31:09 UTC 2018.

Summary of my perl5 (revision 5 version 26 subversion 1) configuration:
   
  Platform:
    osname=linux
    osvers=4.9.0
    archname=x86_64-linux-gnu-thread-multi
    uname='linux localhost 4.9.0 #1 smp debian 4.9.0 x86_64 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dcc=x86_64-linux-gnu-gcc -Dcpp=x86_64-linux-gnu-cpp -Dld=x86_64-linux-gnu-gcc -Dccflags=-DDEBIAN -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/build/perl-awpeXx/perl-5.26.1=. -fstack-protector-strong -Wformat -Werror=format-security -Dldflags= -Wl,-z,relro -Dlddlflags=-shared -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.26 -Darchlib=/usr/lib/x86_64-linux-gnu/perl/5.26 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/x86_64-linux-gnu/perl5/5.26 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.26.1 -Dsitearch=/usr/local/lib/x86_64-linux-gnu/perl/5.26.1 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl
-Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -Ui_xlocale -Uversiononly -DDEBUGGING=-g -Doptimize=-O2 -dEs -Duseshrplib -Dlibperl=libperl.so.5.26.1'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='x86_64-linux-gnu-gcc'
    ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
    optimize='-O2 -g'
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion=''
    gccversion='7.2.0'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='x86_64-linux-gnu-gcc'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/7/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=libc-2.26.so
    so=so
    useshrplib=true
    libperl=libperl.so.5.26
    gnulibc_version='2.26'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
    DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN.
    DEBPKG:debian/db_file_ver - https://bugs.debian.org/340047 Remove overly restrictive DB_File version check.
    DEBPKG:debian/doc_info - Replace generic man(1) instructions with Debian-specific information.
    DEBPKG:debian/enc2xs_inc - https://bugs.debian.org/290336 Tweak enc2xs to follow symlinks and ignore missing @INC directories.
    DEBPKG:debian/errno_ver - https://bugs.debian.org/343351 Remove Errno version check due to upgrade problems with long-running processes.
    DEBPKG:debian/libperl_embed_doc - https://bugs.debian.org/186778 Note that libperl-dev package is required for embedded linking
    DEBPKG:fixes/respect_umask - Respect umask during installation
    DEBPKG:debian/writable_site_dirs - Set umask approproately for site install directories
    DEBPKG:debian/extutils_set_libperl_path - EU:MM: set location of libperl.a under /usr/lib
    DEBPKG:debian/no_packlist_perllocal - Don't install .packlist or perllocal.pod for perl or vendor
    DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the binary targets.
    DEBPKG:debian/instmodsh_doc - Debian policy doesn't install .packlist files for core or vendor.
    DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH as per Debian policy.
    DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to /etc/perl/Net as /usr may not be writable.
    DEBPKG:debian/perlivp - https://bugs.debian.org/510895 Make perlivp skip include directories in /usr/local
    DEBPKG:debian/deprecate-with-apt - https://bugs.debian.org/747628 Point users to Debian packages of deprecated core modules
    DEBPKG:debian/squelch-locale-warnings - https://bugs.debian.org/508764 Squelch locale warnings in Debian package maintainer scripts
    DEBPKG:debian/patchlevel - https://bugs.debian.org/567489 List packaged patches for 5.26.1-4 in patchlevel.h
    DEBPKG:fixes/document_makemaker_ccflags - https://bugs.debian.org/628522 [rt.cpan.org #68613] Document that CCFLAGS should include $Config{ccflags}
    DEBPKG:debian/find_html2text - https://bugs.debian.org/640479 Configure CPAN::Distribution with correct name of html2text
    DEBPKG:debian/perl5db-x-terminal-emulator.patch - https://bugs.debian.org/668490 Invoke x-terminal-emulator rather than xterm in perl5db.pl
    DEBPKG:debian/cpan-missing-site-dirs - https://bugs.debian.org/688842 Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent is writable
    DEBPKG:fixes/memoize_storable_nstore - [rt.cpan.org #77790] https://bugs.debian.org/587650 Memoize::Storable: respect 'nstore' option not respected
    DEBPKG:debian/makemaker-pasthru - https://bugs.debian.org/758471 Pass LD settings through to subdirectories
    DEBPKG:debian/makemaker-manext - https://bugs.debian.org/247370 Make EU::MakeMaker honour MANnEXT settings in generated manpage headers
    DEBPKG:debian/kfreebsd-softupdates - https://bugs.debian.org/796798 Work around Debian Bug#796798
    DEBPKG:fixes/autodie-scope - https://bugs.debian.org/798096 Fix a scoping issue with "no autodie" and the "system" sub
    DEBPKG:fixes/memoize-pod - [rt.cpan.org #89441] Fix POD errors in Memoize
    DEBPKG:debian/hurd-softupdates - https://bugs.debian.org/822735 Fix t/op/stat.t failures on hurd
    DEBPKG:fixes/math_complex_doc_great_circle - https://bugs.debian.org/697567 [rt.cpan.org #114104] Math::Trig: clarify definition of great_circle_midpoint
    DEBPKG:fixes/math_complex_doc_see_also - https://bugs.debian.org/697568 [rt.cpan.org #114105] Math::Trig: add missing SEE ALSO
    DEBPKG:fixes/math_complex_doc_angle_units - https://bugs.debian.org/731505 [rt.cpan.org #114106] Math::Trig: document angle units
    DEBPKG:fixes/cpan_web_link - https://bugs.debian.org/367291 CPAN: Add link to main CPAN web site
    DEBPKG:fixes/time_piece_doc - https://bugs.debian.org/817925 Time::Piece: Improve documentation for add_months and add_years
    DEBPKG:fixes/extutils_makemaker_reproducible - https://bugs.debian.org/835815 https://bugs.debian.org/834190 Make perllocal.pod files reproducible
    DEBPKG:fixes/file_path_hurd_errno - File-Path: Fix test failure in Hurd due to hard-coded ENOENT
    DEBPKG:debian/hppa_op_optimize_workaround - https://bugs.debian.org/838613 Temporarily lower the optimization of op.c on hppa due to gcc-6 problems
    DEBPKG:debian/installman-utf8 - https://bugs.debian.org/840211 Generate man pages with UTF-8 characters
    DEBPKG:fixes/file_path_chmod_race - https://bugs.debian.org/863870 [rt.cpan.org #121951] Prevent directory chmod race attack.
    DEBPKG:fixes/extutils_file_path_compat - Correct the order of tests of chmod(). (#294)
    DEBPKG:fixes/getopt-long-2 - [rt.cpan.org #120300] Withdraw part of commit 5d9947fb445327c7299d8beb009d609bc70066c0, which tries to implement more GNU getopt_long campatibility. GNU
    DEBPKG:fixes/getopt-long-3 - provide a default value for optional arguments
    DEBPKG:fixes/getopt-long-4 - https://bugs.debian.org/864544 [rt.cpan.org #122068] Fix issue #122068.
    DEBPKG:fixes/test-builder-reset - https://bugs.debian.org/865894 Reset inside subtest maintains parent
    DEBPKG:debian/hppa_opmini_optimize_workaround - https://bugs.debian.org/869122 Lower the optimization level of opmini.c on hppa
    DEBPKG:debian/sh4_op_optimize_workaround - https://bugs.debian.org/869373 Also lower the optimization level of op.c and opmini.c on sh4
    DEBPKG:fixes/json-pp-example - [rt.cpan.org #92793] https://bugs.debian.org/871837 fix RT-92793: bug in SYNOPSIS
    DEBPKG:debian/perldoc-pager - https://bugs.debian.org/870340 [rt.cpan.org #120229] Fix perldoc terminal escapes when sensible-pager is less
    DEBPKG:debian/prune_libs - https://bugs.debian.org/128355 Prune the list of libraries wanted to what we actually need.
    DEBPKG:debian/configure-regen - https://bugs.debian.org/762638 Regenerate Configure et al. after probe unit changes
    DEBPKG:fixes/rename-filexp.U-phase1 - regen-configure: rename filexp.U to filexp_path.U, phase 1
    DEBPKG:fixes/rename-filexp.U-phase2 - regen-configure: rename filexp.U to filexp_path.U, phase 2
    DEBPKG:fixes/packaging_test_skips - Skip various tests if PERL_BUILD_PACKAGING is set
    DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
    DEBPKG:fixes/encode-alias-regexp - https://bugs.debian.org/880085 fix https://github.com/dankogai/p5-encode/issues/127


@INC for perl 5.26.1:
    /etc/perl
    /usr/local/lib/x86_64-linux-gnu/perl/5.26.1
    /usr/local/share/perl/5.26.1
    /usr/lib/x86_64-linux-gnu/perl5/5.26
    /usr/share/perl5
    /usr/lib/x86_64-linux-gnu/perl/5.26
    /usr/share/perl/5.26
    /usr/local/lib/site_perl
    /usr/lib/x86_64-linux-gnu/perl-base


Environment for perl 5.26.1:
    HOME=/home/jfe
    LANG=en_US.UTF-8
    LANGUAGE=en_US.UTF-8
    LC_ADDRESS=de_CH.UTF-8
    LC_ALL=en_US.UTF-8
    LC_COLLATE=de_CH.UTF-8
    LC_IDENTIFICATION=de_CH.UTF-8
    LC_MEASUREMENT=de_CH.UTF-8
    LC_MESSAGES=en_US.UTF-8
    LC_MONETARY=de_CH.UTF-8
    LC_NAME=de_CH.UTF-8
    LC_NUMERIC=de_CH.UTF-8
    LC_PAPER=de_CH.UTF-8
    LC_TELEPHONE=de_CH.UTF-8
    LC_TIME=en_DK.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/jfe/.cargo/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERL_BADLANG (unset)
    SHELL=/bin/bash

[p5pRT]

From jeremy@feusi.co

#!./perl
m/(?{print <<EOF
A$A
EOF
})/g;
eval 's/${\%A}{3}//e';

[richardleach]

Looks like this has been fixed:

This is perl 5, version 30, subversion 0 (v5.30.0) built for MSWin32-x64-multi-thread
C:\fldr>perl fzz.pl
A
A
A

This is perl 5, version 28, subversion 1 (v5.28.1) built for x86_64-linux-gnu-thread-multi
me@disbox:~# perl fzz.pl 
A
A
A

Ran out of time to dig deeper or bisect. Can do so at the weekend, unless someone wants to beat me to it.

[richardleach]

Looks like it was fixed by 4e521aa

commit 4e521aaf3ed717774455b3906bd5aa46bc397319
Author: David Mitchell <davem@iabyn.com>
Date:   Tue Feb 5 13:48:21 2019 +0000

    Avoid leak in multiconcat with overloading.

    RT #133789

    In the path taken through pp_multiconcat() when one or more args have
    side-effects such tieing or overloading, multiconcat has to decide
    whether to just return the result of all the concatting as-is, or to
    first assign it to an expression or variable if the op includes an
    implicit assign (such as $lex = x.y.z or $a[0] = x.y.z).

    The code was getting this right for those two cases, and was also
    getting it right for the append cases ($lex .= x.y.z and $a[0] .= x.y.z),
    which don't need assigns. But for the bare case (x.y.z) it was assigning
    to the op's targ as well as returning the value. Hence leaking a
    reference until destruction of the sub and its pad.

    This commit stops the assign in that last case.

[atoomic]

the first release for 4e521aa is v5.29.8

[iabyn]

On Thu, Oct 24, 2019 at 04:53:11PM -0700, Richard Leach wrote: Looks like this has been fixed: ``` This is perl 5, version 30, subversion 0 (v5.30.0) built for MSWin32-x64-multi-thread C:\fldr>perl fzz.pl A A A ``` ``` This is perl 5, version 28, subversion 1 (v5.28.1) built for x86_64-linux-gnu-thread-multi ***@***.***:~# perl fzz.pl A A A ``` Ran out of time to dig deeper or bisect. Can do so at the weekend, unless someone wants to beat me to it.

It's not fixed, but its only an issue on non-threaded builds. The bug can be exhibited without using multiconcat, e.g. my $A= ""; "" =~ m/(?{ my $x; })/; my $s; sub f { $s =~ s//foo/ } f(); It's because the empty pattern in the s/// causes the last successful pattern to be used instead, which is the earlier m//. This is called with PL_curcop still pointing to f's pad, so the lookup of $x in the current pad retrieves a random pointer value off the end of f's pad. It's basically a problem with the empty pattern misfeature . Needs fixing at some point.

…

-- 31 Dec 1661: "I have newly taken a solemne oath about abstaining from plays". 1 Jan 1662: "And after ... we went by coach to the play". -- The Diary of Samuel Pepys