Skip to content

Perl intepreter exception on expression substitution #17146

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
p5pRT opened this issue Sep 5, 2019 · 16 comments
Closed

Perl intepreter exception on expression substitution #17146

p5pRT opened this issue Sep 5, 2019 · 16 comments
Labels
distro-Linux type-core

Comments

@p5pRT
Copy link

p5pRT commented Sep 5, 2019

Migrated from rt.perl.org#134409 (status was 'open')

Searchable as RT134409$
@p5pRT
Copy link
Author

p5pRT commented Sep 5, 2019

From ccrook@linz.govt.nz

Created by ccrook@linz.govt.nz

Perl raises exception on search and replace​:

panic​: sv_pos_b2u​: bad byte offset, blen=20, byte=27 at lib/GDSearchSQLite.pm line 81

  75 sub SubstituteSql
  76 {
  77 my ($sql,$lookup)=@​_;
  78 my $updated_sql={};
  79 while( my($k,$v)=each(%$sql))
  80 {
  81 $v =~ s/\{(\w+)\}/$lookup->{$1}/eg;
  82 $updated_sql->{$k}=$v;
  83 }
  84 return $updated_sql;
  85 }

Note​: this is old code buried fairly deeply in CGI web source. I was able dump the inputs
to this specific routine, below, but in isolation this did not trigger the error. So unfortunately
I am not able to provide a useful reproducible test case.

I was able to work around this by replacing line 81 with the following lines (which
are equivalent in the context in which this is called - key is defined in code always
alpha, all strings {\w+} in $k have corresponding value in $lookup).

  80 while( my($k1,$v1)=each(%$lookup) )
  81 {
  82 $v =~ s/\{$k1\}/$v1/eg;
  83 };

Below​: test code with offending input doesn't reproduces issue​:

use Data​::Dumper;

$sql = {
  'where' => 'gwdi{nword}.word {wordop} \'{word}\'',
  'table' => 'JOIN word_index gwdi{nword} ON gwdi{nword}.geodetic_code=ati.geodetic_code'
  };
$lookup = {
  'wordop' => '=',
  'word' => 'SMITH',
  'nword' => 0
  };

sub SubstituteSql
{
  my ($sql,$lookup)=@​_;
  use Data​::Dumper;
  open(my $tf, ">>/tmp/badstuff");
  print $tf Dumper($sql);
  print $tf Dumper($lookup);
  close($tf);
  my $updated_sql={};
  while( my($k,$v)=each(%$sql))
  {
  $v =~ s/\{(\w+)\}/$lookup->{$1}/eg;
  $updated_sql->{$k}=$v;
  }
  return $updated_sql;
}

print Dumper(SubstituteSql($sql,$lookup)),"\n";

Perl Info 

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.22.1:

Configured by Debian Project at Mon Nov 19 18:29:35 UTC 2018.

Summary of my perl5 (revision 5 version 22 subversion 1) configuration:

  Platform:
    osname=linux, osvers=3.16.0, archname=x86_64-linux-gnu-thread-multi
    uname='linux localhost 3.16.0 #1 smp debian 3.16.0 x86_64 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dcc=x86_64-linux-gnu-gcc -Dcpp=x86_64-linux-gnu-cpp -Dld=x86_64-linux-gnu-gcc -Dccflags=-DDEBIAN -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Dldflags= -Wl,-Bsymbolic-functions -Wl,-z,relro -Dlddlflags=-shared -Wl,-Bsymbolic-functions -Wl,-z,relro -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.22 -Darchlib=/usr/lib/x86_64-linux-gnu/perl/5.22 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/x86_64-linux-gnu/perl5/5.22 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.22.1 -Dsitearch=/usr/local/lib/x86_64-linux-gnu/perl/5.22.1 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Duse64bitint -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -Ui_libutil -Uversiononly -DDEBUGGING=-g -Doptimize=-O2 -dEs -Duseshrplib -Dlibperl=libperl.so.5.22.1'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='x86_64-linux-gnu-gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fwrapv -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='5.4.0 20160609', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='x86_64-linux-gnu-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/5/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=libc-2.23.so, so=so, useshrplib=true, libperl=libperl.so.5.22
    gnulibc_version='2.23'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
    DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN.
    DEBPKG:debian/db_file_ver - http://bugs.debian.org/340047 Remove overly restrictive DB_File version check.
    DEBPKG:debian/doc_info - Replace generic man(1) instructions with Debian-specific information.
    DEBPKG:debian/enc2xs_inc - http://bugs.debian.org/290336 Tweak enc2xs to follow symlinks and ignore missing @INC directories.
    DEBPKG:debian/errno_ver - http://bugs.debian.org/343351 Remove Errno version check due to upgrade problems with long-running processes.
    DEBPKG:debian/libperl_embed_doc - http://bugs.debian.org/186778 Note that libperl-dev package is required for embedded linking
    DEBPKG:fixes/respect_umask - Respect umask during installation
    DEBPKG:debian/writable_site_dirs - Set umask approproately for site install directories
    DEBPKG:debian/extutils_set_libperl_path - EU:MM: set location of libperl.a under /usr/lib
    DEBPKG:debian/no_packlist_perllocal - Don't install .packlist or perllocal.pod for perl or vendor
    DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the binary targets.
    DEBPKG:debian/instmodsh_doc - Debian policy doesn't install .packlist files for core or vendor.
    DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH as per Debian policy.
    DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to /etc/perl/Net as /usr may not be writable.
    DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
    DEBPKG:debian/prune_libs - http://bugs.debian.org/128355 Prune the list of libraries wanted to what we actually need.
    DEBPKG:fixes/net_smtp_docs - [rt.cpan.org #36038] http://bugs.debian.org/100195 Document the Net::SMTP 'Port' option
    DEBPKG:debian/perlivp - http://bugs.debian.org/510895 Make perlivp skip include directories in /usr/local
    DEBPKG:debian/deprecate-with-apt - http://bugs.debian.org/747628 Point users to Debian packages of deprecated core modules
    DEBPKG:debian/squelch-locale-warnings - http://bugs.debian.org/508764 Squelch locale warnings in Debian package maintainer scripts
    DEBPKG:debian/skip-upstream-git-tests - Skip tests specific to the upstream Git repository
    DEBPKG:debian/patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.22.1-9ubuntu0.6 in patchlevel.h
    DEBPKG:debian/skip-kfreebsd-crash - http://bugs.debian.org/628493 [perl #96272] Skip a crashing test case in t/op/threads.t on GNU/kFreeBSD
    DEBPKG:fixes/document_makemaker_ccflags - http://bugs.debian.org/628522 [rt.cpan.org #68613] Document that CCFLAGS should include $Config{ccflags}
    DEBPKG:debian/find_html2text - http://bugs.debian.org/640479 Configure CPAN::Distribution with correct name of html2text
    DEBPKG:debian/perl5db-x-terminal-emulator.patch - http://bugs.debian.org/668490 Invoke x-terminal-emulator rather than xterm in perl5db.pl
    DEBPKG:debian/cpan-missing-site-dirs - http://bugs.debian.org/688842 Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent is writable
    DEBPKG:fixes/memoize_storable_nstore - [rt.cpan.org #77790] http://bugs.debian.org/587650 Memoize::Storable: respect 'nstore' option not respected
    DEBPKG:debian/regen-skip - Skip a regeneration check in unrelated git repositories
    DEBPKG:debian/makemaker-pasthru - http://bugs.debian.org/758471 Pass LD settings through to subdirectories
    DEBPKG:fixes/pod_man_reproducible_date - http://bugs.debian.org/759405 Support POD_MAN_DATE in Pod::Man for the left-hand footer
    DEBPKG:debian/locale-robustness - http://bugs.debian.org/782068 [perl #124310] Make t/run/locale.t survive missing locales masked by LC_ALL
    DEBPKG:fixes/podman-utc - http://bugs.debian.org/780259 Make the embedded date from Pod::Man reproducible
    DEBPKG:fixes/podman-utc-docs - http://bugs.debian.org/780259 Documentation and test suite updates for UTC fix
    DEBPKG:fixes/podman-empty-date - http://bugs.debian.org/780259 Support an empty POD_MAN_DATE environment variable
    DEBPKG:fixes/podman-pipe - http://bugs.debian.org/777405 Better errors for man pages from standard input
    DEBPKG:debian/pod2man-customized - Update porting/customized.dat for pod2man modifications
    DEBPKG:debian/makemaker-manext - http://bugs.debian.org/247370 Make EU::MakeMaker honour MANnEXT settings in generated manpage headers
    DEBPKG:debian/makemaker_customized - Update t/porting/customized.dat for files patched in Debian
    DEBPKG:debian/do-not-record-build-date - [6baa8db] http://bugs.debian.org/774422 [perl #125830] Allow overriding the compile time in "perl -V" output
    DEBPKG:fixes/podman-source-date-epoch - http://bugs.debian.org/801621 Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable
    DEBPKG:fixes/podman-source-date-epoch-cleanups - http://bugs.debian.org/801621 Coding style and documentation for SOURCE_EPOCH_DATE
    DEBPKG:fixes/podman-source-date-epoch-testfix - http://bugs.debian.org/807086 Guard for building with SOURCE_DATE_EPOCH or POD_MAN_DATE set
    DEBPKG:debian/devel-ppport-reproducibility - http://bugs.debian.org/801523 Sort the list of XS code files when generating RealPPPort.xs
    DEBPKG:fixes/encode-unicode-bom - http://bugs.debian.org/798727 [rt.cpan.org #107043] Address https://rt.cpan.org/Public/Bug/Display.html?id=107043
    DEBPKG:debian/encode-unicode-bom-doc - http://bugs.debian.org/798727 Document Debian backport of Encode::Unicode fix
    DEBPKG:debian/kfreebsd-softupdates - http://bugs.debian.org/796798 Work around Debian Bug#796798
    DEBPKG:fixes/autodie-scope - http://bugs.debian.org/798096 Fix a scoping issue with "no autodie" and the "system" sub
    DEBPKG:debian/debugperl-compat-fix - [perl #127212] http://bugs.debian.org/810326 Disable PERL_TRACK_MEMPOOL for debugging builds
    DEBPKG:fixes/CVE-2015-8607_file_spec_taint_fix - http://bugs.debian.org/810719 [perl #126862] ensure File::Spec::canonpath() preserves taint
    DEBPKG:fixes/mkstemp-umask - http://bugs.debian.org/810924 [perl #127322] [e57270b] Fix umask for mkstemp(3) calls
    DEBPKG:fixes/crosscompile-no-targethost - [perl #127234] Fix the Configure escape with usecrosscompile but no targethost
    DEBPKG:fixes/podlators-no-encode - [rt.cpan.org #111156] Degrade gracefully if utf8 is requested but Encode is not available
    DEBPKG:debian/cross-time-hires - [rt.cpan.org #111391] Add an environment variable to skip running configuration probes
    DEBPKG:fixes/encode-unicode-pod - Unicode.pm: Fix POD error
    DEBPKG:fixes/memoize-pod - [rt.cpan.org #89441] Fix POD errors in Memoize
    DEBPKG:fixes/ok-pod - Added encoding for pod.
    DEBPKG:fixes/CVE-2016-2381_duplicate_env - remove duplicate environment variables from environ
    DEBPKG:fixes/CVE-2017-12837.patch - [PATCH] regcomp [perl #131582]
    DEBPKG:fixes/CVE-2017-12883.patch - [PATCH] PATCH: [perl #131598]
    DEBPKG:fixes/CVE-2016-6185.patch - [PATCH] =?utf8?q?Don=E2=80=99t=20let=20XSLoader=20load=20relative?= =?utf8?q?=20paths?=
    DEBPKG:fixes/CVE-2017-6512-pre.patch - [PATCH] Correct the order of tests of chmod(). (#294)
    DEBPKG:fixes/CVE-2017-6512.patch - http://bugs.debian.org/863870 [rt.cpan.org #121951] Prevent directory chmod race attack.
    DEBPKG:fixes/CVE-2018-6797.patch - (perl #132227) restart a node if we change to uni rules within the node and encounter a sharp S
    DEBPKG:fixes/CVE-2018-6798-1.patch - [perl #132063]: Heap buffer overflow
    DEBPKG:fixes/CVE-2018-6798-2.patch - v5.24.3: fix TRIE_READ_CHAR and DECL_TRIE_TYPE to account for non-utf8 target
    DEBPKG:fixes/CVE-2018-6798-3.patch - (perl #132063) we should no longer warn for this code
    DEBPKG:fixes/CVE-2018-6913.patch - (perl #131844) fix various space calculation issues in pp_pack.c
    DEBPKG:fixes/CVE-2018-12015.patch - [PATCH] [PATCH] Remove existing files before overwriting them
    DEBPKG:fixes/CVE-2018-18311.patch - [PATCH] Perl_my_setenv(); handle integer wrap
    DEBPKG:fixes/CVE-2018-18312.patch - [PATCH 242/242] PATCH: [perl #133423] for 5.26 maint
    DEBPKG:fixes/CVE-2018-18313.patch - [PATCH] regcomp.c: Convert some strchr to memchr
    DEBPKG:fixes/CVE-2018-18314.patch - [PATCH] fix #131649 - extended charclass can trigger assert


@INC for perl 5.22.1:
    /etc/perl
    /usr/local/lib/x86_64-linux-gnu/perl/5.22.1
    /usr/local/share/perl/5.22.1
    /usr/lib/x86_64-linux-gnu/perl5/5.22
    /usr/share/perl5
    /usr/lib/x86_64-linux-gnu/perl/5.22
    /usr/share/perl/5.22
    /usr/local/lib/site_perl
    /usr/lib/x86_64-linux-gnu/perl-base
    .


Environment for perl 5.22.1:
    HOME=/home/ccrook
    LANG=en_NZ.UTF-8
    LANGUAGE=en_NZ:en
    LD_LIBRARY_PATH=/home/ccrook/apps/lib:
    LOGDIR (unset)
    PATH=:/usr/share/linz/snap:/usr/lib/ccache:/home/ccrook/bin:/home/ccrook/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/ccrook/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash

________________________________

This message contains information, which may be in confidence and may be subject to legal privilege. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify us immediately (Phone 0800 665 463 or info@linz.govt.nz) and destroy the original message. LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from LINZ. Thank You.

@p5pRT
Copy link
Author

p5pRT commented Sep 6, 2019

From @jkeenan

On Thu, 05 Sep 2019 20​:37​:32 GMT, ccrook@​linz.govt.nz wrote​:

This is a bug report for perl from ccrook@​linz.govt.nz,
generated with the help of perlbug 1.40 running under perl 5.22.1.

-----------------------------------------------------------------
[Please describe your issue here]

Perl raises exception on search and replace​:

panic​: sv_pos_b2u​: bad byte offset, blen=20, byte=27 at
lib/GDSearchSQLite.pm line 81

75 sub SubstituteSql
76 {
77 my ($sql,$lookup)=@​_;
78 my $updated_sql={};
79 while( my($k,$v)=each(%$sql))
80 {
81 $v =~ s/\{(\w+)\}/$lookup->{$1}/eg;
82 $updated_sql->{$k}=$v;
83 }
84 return $updated_sql;
85 }

Note​: this is old code buried fairly deeply in CGI web source. I was
able dump the inputs
to this specific routine, below, but in isolation this did not trigger
the error. So unfortunately
I am not able to provide a useful reproducible test case.

As you probably can guess, this is going to make it difficult for us to diagnose your problem.

In addition, your ticket suggests that you were using perl 5.22.1. That's out of support. Can you reproduce this problem using either perl-5.30 or a git checkout of the Perl 5 core distribution?

I was able to work around this by replacing line 81 with the following
lines (which
are equivalent in the context in which this is called - key is defined
in code always
alpha, all strings {\w+} in $k have corresponding value in $lookup).

80 while( my($k1,$v1)=each(%$lookup) )
81 {
82 $v =~ s/\{$k1\}/$v1/eg;
83 };

Below​: test code with offending input doesn't reproduces issue​:

use Data​::Dumper;

$sql = {
'where' => 'gwdi{nword}.word {wordop} \'{word}\'',
'table' => 'JOIN word_index gwdi{nword} ON
gwdi{nword}.geodetic_code=ati.geodetic_code'
};
$lookup = {
'wordop' => '=',
'word' => 'SMITH',
'nword' => 0
};

sub SubstituteSql
{
my ($sql,$lookup)=@​_;
use Data​::Dumper;
open(my $tf, ">>/tmp/badstuff");
print $tf Dumper($sql);
print $tf Dumper($lookup);
close($tf);
my $updated_sql={};
while( my($k,$v)=each(%$sql))
{
$v =~ s/\{(\w+)\}/$lookup->{$1}/eg;
$updated_sql->{$k}=$v;
}
return $updated_sql;
}

print Dumper(SubstituteSql($sql,$lookup)),"\n";

--
James E Keenan (jkeenan@​cpan.org)

@p5pRT
Copy link
Author

p5pRT commented Sep 6, 2019

The RT System itself - Status changed from 'new' to 'open'

@p5pRT
Copy link
Author

p5pRT commented Sep 6, 2019

From @jkeenan

On Fri, 06 Sep 2019 00​:04​:13 GMT, jkeenan wrote​:

On Thu, 05 Sep 2019 20​:37​:32 GMT, ccrook@​linz.govt.nz wrote​:

This is a bug report for perl from ccrook@​linz.govt.nz,
generated with the help of perlbug 1.40 running under perl 5.22.1.

-----------------------------------------------------------------
[Please describe your issue here]

Perl raises exception on search and replace​:

panic​: sv_pos_b2u​: bad byte offset, blen=20, byte=27 at
lib/GDSearchSQLite.pm line 81

Also, I searched for 'GDSearchSQLite' in both DDG and the big internet search thing -- and came up with nothing significant. Is this code publicly available?

75 sub SubstituteSql
76 {
77 my ($sql,$lookup)=@​_;
78 my $updated_sql={};
79 while( my($k,$v)=each(%$sql))
80 {
81 $v =~ s/\{(\w+)\}/$lookup->{$1}/eg;
82 $updated_sql->{$k}=$v;
83 }
84 return $updated_sql;
85 }

Note​: this is old code buried fairly deeply in CGI web source. I was
able dump the inputs
to this specific routine, below, but in isolation this did not
trigger
the error. So unfortunately
I am not able to provide a useful reproducible test case.

As you probably can guess, this is going to make it difficult for us
to diagnose your problem.

In addition, your ticket suggests that you were using perl 5.22.1.
That's out of support. Can you reproduce this problem using either
perl-5.30 or a git checkout of the Perl 5 core distribution?

I was able to work around this by replacing line 81 with the
following
lines (which
are equivalent in the context in which this is called - key is
defined
in code always
alpha, all strings {\w+} in $k have corresponding value in $lookup).

80 while( my($k1,$v1)=each(%$lookup) )
81 {
82 $v =~ s/\{$k1\}/$v1/eg;
83 };

Below​: test code with offending input doesn't reproduces issue​:

use Data​::Dumper;

$sql = {
'where' => 'gwdi{nword}.word {wordop} \'{word}\'',
'table' => 'JOIN word_index gwdi{nword} ON
gwdi{nword}.geodetic_code=ati.geodetic_code'
};
$lookup = {
'wordop' => '=',
'word' => 'SMITH',
'nword' => 0
};

sub SubstituteSql
{
my ($sql,$lookup)=@​_;
use Data​::Dumper;
open(my $tf, ">>/tmp/badstuff");
print $tf Dumper($sql);
print $tf Dumper($lookup);
close($tf);
my $updated_sql={};
while( my($k,$v)=each(%$sql))
{
$v =~ s/\{(\w+)\}/$lookup->{$1}/eg;
$updated_sql->{$k}=$v;
}
return $updated_sql;
}

print Dumper(SubstituteSql($sql,$lookup)),"\n";

--
James E Keenan (jkeenan@​cpan.org)

@p5pRT
Copy link
Author

p5pRT commented Sep 6, 2019

From @iabyn

On Thu, Sep 05, 2019 at 05​:04​:14PM -0700, James E Keenan via RT wrote​:

Perl raises exception on search and replace​:

panic​: sv_pos_b2u​: bad byte offset, blen=20, byte=27 at
lib/GDSearchSQLite.pm line 81

81 $v =~ s/\{(\w+)\}/$lookup->{$1}/eg;
I am not able to provide a useful reproducible test case.

Can you replace the substitution line with something like the following?

  eval { $v =~ s/\{(\w+)\}/$lookup->{$1}/eg; };

  if ($@​) {
  require Devel​::Peek;
  Devel​::Peek​::Dump($v);
  Devel​::Peek​::Dump($1);
  Devel​::Peek​::Dump($lookup->{$1});
  }

Then if the panic is triggered, it should produce a low-level dump to
STDERR of the likely bad values.

--
"Procrastination grows to fill the available time"
  -- Mitchell's corollary to Parkinson's Law

@p5pRT
Copy link
Author

p5pRT commented Sep 7, 2019

From ccrook@linz.govt.nz

Hi

Here is the log resulting from adding the logging and exception handler. This is still on perl 5.22.1. Also with this exception handler in place the program continued to run after hitting the panic condition and appeared to complete correctly.

In the process of trying to create a useful test case I did notice that the panic is not triggered if I turn off taint checking.

I am trying to set up a useful test that I can provide you with on perl 5.30 but taking a while.

Regards
Chris
________________________________________
From​: Dave Mitchell via RT [perlbug-followup@​perl.org]
Sent​: Friday, 6 September 2019 8​:55 p.m.
To​: Chris Crook
Subject​: Re​: [perl #134409] Perl intepreter exception on expression substitution

On Thu, Sep 05, 2019 at 05​:04​:14PM -0700, James E Keenan via RT wrote​:

Perl raises exception on search and replace​:

panic​: sv_pos_b2u​: bad byte offset, blen=20, byte=27 at
lib/GDSearchSQLite.pm line 81

81 $v =~ s/\{(\w+)\}/$lookup->{$1}/eg;
I am not able to provide a useful reproducible test case.

Can you replace the substitution line with something like the following?

  eval { $v =~ s/\{(\w+)\}/$lookup->{$1}/eg; };

  if ($@​) {
  require Devel​::Peek;
  Devel​::Peek​::Dump($v);
  Devel​::Peek​::Dump($1);
  Devel​::Peek​::Dump($lookup->{$1});
  }

Then if the panic is triggered, it should produce a low-level dump to
STDERR of the likely bad values.

--
"Procrastination grows to fill the available time"
  -- Mitchell's corollary to Parkinson's Law

________________________________

This message contains information, which may be in confidence and may be subject to legal privilege. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify us immediately (Phone 0800 665 463 or info@​linz.govt.nz) and destroy the original message. LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from LINZ. Thank You.

@p5pRT
Copy link
Author

p5pRT commented Sep 7, 2019

From ccrook@linz.govt.nz

peek.log

@p5pRT
Copy link
Author

p5pRT commented Sep 7, 2019

From ccrook@linz.govt.nz

Hi James

Thanks for your quick response - always amazes me how well supported these tools are. I couldn't spot current supported perl versions on the website. I am using 5.22.1 whcih is current default on ubuntu 16.04. The problem originally showed on ubuntu 18.04, perl version info below.

This is perl 5, version 26, subversion 1 (v5.26.1) built for x86_64-linux-gnu-thread-multi
(with 67 registered patches, see perl -V for more detail)

I'm not surprised you couldn't find the GDSearchSQLite anywhere (would have been surprised if you could). I'll try and build a smaller test case/data set and then see if I can still reproduce it. Next week I expect.

Thanks
Chris

-----Original Message-----
From​: James E Keenan via RT [mailto​:perlbug-followup@​perl.org]
Sent​: Friday, 6 September 2019 12​:10 p.m.
To​: Chris Crook
Subject​: [perl #134409] Perl intepreter exception on expression substitution

On Fri, 06 Sep 2019 00​:04​:13 GMT, jkeenan wrote​:

On Thu, 05 Sep 2019 20​:37​:32 GMT, ccrook@​linz.govt.nz wrote​:

This is a bug report for perl from ccrook@​linz.govt.nz, generated
with the help of perlbug 1.40 running under perl 5.22.1.

-----------------------------------------------------------------
[Please describe your issue here]

Perl raises exception on search and replace​:

panic​: sv_pos_b2u​: bad byte offset, blen=20, byte=27 at
lib/GDSearchSQLite.pm line 81

Also, I searched for 'GDSearchSQLite' in both DDG and the big internet search thing -- and came up with nothing significant. Is this code publicly available?

75 sub SubstituteSql
76 {
77 my ($sql,$lookup)=@​_;
78 my $updated_sql={};
79 while( my($k,$v)=each(%$sql))
80 {
81 $v =~ s/\{(\w+)\}/$lookup->{$1}/eg;
82 $updated_sql->{$k}=$v;
83 }
84 return $updated_sql;
85 }

Note​: this is old code buried fairly deeply in CGI web source. I
was able dump the inputs to this specific routine, below, but in
isolation this did not trigger the error. So unfortunately I am not
able to provide a useful reproducible test case.

As you probably can guess, this is going to make it difficult for us
to diagnose your problem.

In addition, your ticket suggests that you were using perl 5.22.1.
That's out of support. Can you reproduce this problem using either
perl-5.30 or a git checkout of the Perl 5 core distribution?

I was able to work around this by replacing line 81 with the
following lines (which are equivalent in the context in which this
is called - key is defined in code always alpha, all strings {\w+}
in $k have corresponding value in $lookup).

80 while( my($k1,$v1)=each(%$lookup) )
81 {
82 $v =~ s/\{$k1\}/$v1/eg;
83 };

Below​: test code with offending input doesn't reproduces issue​:

use Data​::Dumper;

$sql = {
'where' => 'gwdi{nword}.word {wordop} \'{word}\'',
'table' => 'JOIN word_index gwdi{nword} ON
gwdi{nword}.geodetic_code=ati.geodetic_code'
};
$lookup = {
'wordop' => '=',
'word' => 'SMITH',
'nword' => 0
};

sub SubstituteSql
{
my ($sql,$lookup)=@​_;
use Data​::Dumper;
open(my $tf, ">>/tmp/badstuff");
print $tf Dumper($sql);
print $tf Dumper($lookup);
close($tf);
my $updated_sql={};
while( my($k,$v)=each(%$sql))
{
$v =~ s/\{(\w+)\}/$lookup->{$1}/eg;
$updated_sql->{$k}=$v;
}
return $updated_sql;
}

print Dumper(SubstituteSql($sql,$lookup)),"\n";

--
James E Keenan (jkeenan@​cpan.org)

________________________________

This message contains information, which may be in confidence and may be subject to legal privilege. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify us immediately (Phone 0800 665 463 or info@​linz.govt.nz) and destroy the original message. LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from LINZ. Thank You.

@p5pRT
Copy link
Author

p5pRT commented Sep 9, 2019

From @iabyn

On Sat, Sep 07, 2019 at 07​:14​:51PM +0000, Chris Crook wrote​:

Hi

Here is the log resulting from adding the logging and exception handler. This is still on perl 5.22.1. Also with this exception handler in place the program continued to run after hitting the panic condition and appeared to complete correctly.

Can you give me the output with he following updated instrumentation​:

  use Devel​::Peek;
  my $orig_v = $v;
  eval {$v =~ s/\{(\w+)\}/$lookup->{$1}/eg; };

  if ($@​) {
  Dump($orig_v);
  Dump($v);
  Dump($1);
  Dump($lookup);
  }

or even better, if the loop isn't hit too many times​:

  use Devel​::Peek;
  Dump($v);
  eval {$v =~ s/\{(\w+)\}/$lookup->{$1}/eg; };

  if ($@​) {
  Dump($v);
  Dump($1);
  Dump($lookup);
  }

So I can get an accurate picture of the contents of $v *before* the
substitution.

Thanks.

--
Monto Blanco... scorchio!

@p5pRT
Copy link
Author

p5pRT commented Sep 11, 2019

From ccrook@linz.govt.nz

Thanks Dave

First - apologies again for this very painful process of tracking the problem.

Good news - the loop is only hit once or twice before it errors (depending on the order of retrieval from hash). I put a bit more code in ... results below.

sub SubstituteSql
{
  my ($sql,$lookup)=@​_;
  my $updated_sql={};
  while( my($k,$v)=each(%$sql))
  {
  printf STDERR "=================================\nHERE WE GO\n";
  use Devel​::Peek;
  use Data​::Dumper;
  #printf STDERR Dumper($lookup);
  Dump($k);
  Dump($v);
  eval {$v =~ s/\{(\w+)\}/$lookup->{$1}/eg;};
  if( $@​ )
  {
  my $msg=$@​;
  Dump($v);
  Dump($1);
  Dump($lookup->{$1});
  printf STDERR "Error​: %s\n",$msg;
  die "Bang!";
  }
  $updated_sql->{$k}=$v;
  }
  return $updated_sql;
}

However the possibly the most useful thing is that when I included the Dumper($lookup) it died due to the taint checking. $lookup is

$VAR1 = {
  'word' => 'ANYTHING',
  'wordop' => '=',
  'nword' => 0
  };

and $lookup->{word} is tainted.

I did try a simple test script (attached), which puts a bit more context around this error. I had hoped that perl -T test.pl ANYTHING would trigger the error - but it didn't :-(

Output from dump is below (followed by output without -T).

=================================
HERE WE GO
SV = PV(0x1dc8bd0) at 0x1dc7c40
  REFCNT = 1
  FLAGS = (POK,IsCOW,pPOK)
  PV = 0x1ef6780 "where"
  CUR = 5
  LEN = 0
SV = PV(0x1dc8be0) at 0x1dc7c58
  REFCNT = 1
  FLAGS = (POK,IsCOW,pPOK)
  PV = 0x1cfd770 "gwdi{nword}.word {wordop} '{word}'"\0
  CUR = 34
  LEN = 36
  COW_REFCNT = 1
Error​: panic​: sv_pos_b2u​: bad byte offset, blen=23, byte=27 at /usr/share/linz/geodetic/gdbweb/app/lib/GDSearchSQLite.pm line 85.

SV = PVMG(0x1bf9f60) at 0x1dc7c58
  REFCNT = 1
  FLAGS = (SMG,POK,pPOK,UTF8)
  IV = 0
  NV = 0
  PV = 0x1f072a0 "gwdi0.word = 'ANYTHING'"\0 [UTF8 "gwdi0.word = 'ANYTHING'"]
  CUR = 23
  LEN = 32
  MAGIC = 0x1f06670
  MG_VIRTUAL = &PL_vtbl_mglob
  MG_TYPE = PERL_MAGIC_regex_global(g)
  MG_FLAGS = 0x40
  BYTES
  MG_LEN = 27
SV = PVMG(0x120d690) at 0x122bc20
  REFCNT = 1
  FLAGS = (GMG,SMG,POK,pPOK)
  IV = 0
  NV = 0
  PV = 0x1e74d50 "word"\0
  CUR = 4
  LEN = 10
  MAGIC = 0x126f300
  MG_VIRTUAL = &PL_vtbl_sv
  MG_TYPE = PERL_MAGIC_sv(\0)
  MG_OBJ = 0x122bc98
  MG_LEN = 1
SV = NULL(0x0) at 0x11ca140
  REFCNT = 2147483582
  FLAGS = (READONLY,PROTECT)

HERE WE GO
SV = PV(0x1dc8bd0) at 0x1dc7c40
  REFCNT = 1
  FLAGS = (POK,IsCOW,pPOK)
  PV = 0x182b720 "table"
  CUR = 5
  LEN = 0
SV = PVMG(0x1bf9f60) at 0x1dc7c58
  REFCNT = 1
  FLAGS = (POK,IsCOW,pPOK)
  IV = 0
  NV = 0
  PV = 0x14e6080 "JOIN word_index gwdi{nword} ON gwdi{nword}.geodetic_code=ati.geodetic_code"\0
  CUR = 74
  LEN = 76
  COW_REFCNT = 1
SV = PVMG(0x1bf9f60) at 0x1dc7c58
  REFCNT = 1
  FLAGS = (SMG,POK,pPOK)
  IV = 0
  NV = 0
  PV = 0x1f044a0 "JOIN word_index gwdi0 ON gwdi0.geodetic_code=ati.geodetic_code"\0
  CUR = 62
  LEN = 64
  MAGIC = 0x1f06050
  MG_VIRTUAL = &PL_vtbl_mglob
  MG_TYPE = PERL_MAGIC_regex_global(g)
  MG_FLAGS = 0x40
  BYTES
  MG_LEN = -1
SV = PVMG(0x120d690) at 0x122bc20
  REFCNT = 1
  FLAGS = (GMG,SMG,POK,pPOK)
  IV = 0
  NV = 0
  PV = 0x1e74d50 "nword"\0
  CUR = 5
  LEN = 10
  MAGIC = 0x126f300
  MG_VIRTUAL = &PL_vtbl_sv
  MG_TYPE = PERL_MAGIC_sv(\0)
  MG_OBJ = 0x122bc98
  MG_LEN = 1
SV = NULL(0x0) at 0x11ca140
  REFCNT = 2147483582
  FLAGS = (READONLY,PROTECT)

Also here is the output without -T​:

=================================
HERE WE GO
SV = PV(0x3142520) at 0x3142988
  REFCNT = 1
  FLAGS = (POK,IsCOW,pPOK)
  PV = 0x2bb8630 "table"
  CUR = 5
  LEN = 0
SV = PV(0x3142530) at 0x31429a0
  REFCNT = 1
  FLAGS = (POK,IsCOW,pPOK)
  PV = 0x315ab60 "JOIN word_index gwdi{nword} ON gwdi{nword}.geodetic_code=ati.geodetic_code"\0
  CUR = 74
  LEN = 76
  COW_REFCNT = 1
SV = PVMG(0x32864f0) at 0x31429a0
  REFCNT = 1
  FLAGS = (SMG,POK,pPOK)
  IV = 0
  NV = 0
  PV = 0x327e010 "JOIN word_index gwdi0 ON gwdi0.geodetic_code=ati.geodetic_code"\0
  CUR = 62
  LEN = 64
  MAGIC = 0x327dda0
  MG_VIRTUAL = &PL_vtbl_mglob
  MG_TYPE = PERL_MAGIC_regex_global(g)
  MG_FLAGS = 0x40
  BYTES
  MG_LEN = -1
SV = PVMG(0x25c9430) at 0x25c2788
  REFCNT = 1
  FLAGS = (GMG,SMG,POK,pPOK)
  IV = 0
  NV = 0
  PV = 0x31f2230 "nword"\0
  CUR = 5
  LEN = 10
  MAGIC = 0x2607130
  MG_VIRTUAL = &PL_vtbl_sv
  MG_TYPE = PERL_MAGIC_sv(\0)
  MG_OBJ = 0x25c2800
  MG_LEN = 1
SV = NULL(0x0) at 0x2563140
  REFCNT = 2147483582
  FLAGS = (READONLY,PROTECT)

HERE WE GO
SV = PV(0x3142520) at 0x3142988
  REFCNT = 1
  FLAGS = (POK,IsCOW,pPOK)
  PV = 0x3273c70 "where"
  CUR = 5
  LEN = 0
SV = PVMG(0x32864f0) at 0x31429a0
  REFCNT = 1
  FLAGS = (POK,IsCOW,pPOK)
  IV = 0
  NV = 0
  PV = 0x315abf0 "gwdi{nword}.word {wordop} '{word}'"\0
  CUR = 34
  LEN = 36
  COW_REFCNT = 1
SV = PVMG(0x32864f0) at 0x31429a0
  REFCNT = 1
  FLAGS = (SMG,POK,pPOK,UTF8)
  IV = 0
  NV = 0
  PV = 0x3281790 "gwdi0.word = 'ANYTHING'"\0 [UTF8 "gwdi0.word = 'ANYTHING'"]
  CUR = 23
  LEN = 32
  MAGIC = 0x327dda0
  MG_VIRTUAL = &PL_vtbl_mglob
  MG_TYPE = PERL_MAGIC_regex_global(g)
  MG_FLAGS = 0x40
  BYTES
  MG_LEN = -1
SV = PVMG(0x25c9430) at 0x25c2788
  REFCNT = 1
  FLAGS = (GMG,SMG,POK,pPOK)
  IV = 0
  NV = 0
  PV = 0x31f2230 "word"\0
  CUR = 4
  LEN = 10
  MAGIC = 0x2607130
  MG_VIRTUAL = &PL_vtbl_sv
  MG_TYPE = PERL_MAGIC_sv(\0)
  MG_OBJ = 0x25c2800
  MG_LEN = 1
SV = NULL(0x0) at 0x2563140
  REFCNT = 2147483582
  FLAGS = (READONLY,PROTECT)

Hope this helps a bit

Cheers
Chris

________________________________________
From​: Dave Mitchell via RT [perlbug-followup@​perl.org]
Sent​: Monday, 9 September 2019 11​:39 p.m.
To​: Chris Crook
Subject​: Re​: [perl #134409] Perl intepreter exception on expression substitution

On Sat, Sep 07, 2019 at 07​:14​:51PM +0000, Chris Crook wrote​:

Hi

Here is the log resulting from adding the logging and exception handler. This is still on perl 5.22.1. Also with this exception handler in place the program continued to run after hitting the panic condition and appeared to complete correctly.

Can you give me the output with he following updated instrumentation​:

  use Devel​::Peek;
  my $orig_v = $v;
  eval {$v =~ s/\{(\w+)\}/$lookup->{$1}/eg; };

  if ($@​) {
  Dump($orig_v);
  Dump($v);
  Dump($1);
  Dump($lookup);
  }

or even better, if the loop isn't hit too many times​:

  use Devel​::Peek;
  Dump($v);
  eval {$v =~ s/\{(\w+)\}/$lookup->{$1}/eg; };

  if ($@​) {
  Dump($v);
  Dump($1);
  Dump($lookup);
  }

So I can get an accurate picture of the contents of $v *before* the
substitution.

Thanks.

--
Monto Blanco... scorchio!

________________________________

This message contains information, which may be in confidence and may be subject to legal privilege. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify us immediately (Phone 0800 665 463 or info@​linz.govt.nz) and destroy the original message. LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from LINZ. Thank You.

@p5pRT
Copy link
Author

p5pRT commented Sep 11, 2019

From ccrook@linz.govt.nz

test.pl

@p5pRT
Copy link
Author

p5pRT commented Sep 12, 2019

From @iabyn

On Mon, Sep 09, 2019 at 08​:37​:48PM +0000, Chris Crook wrote​:

Good news - the loop is only hit once or twice before it errors
(depending on the order of retrieval from hash). I put a bit more code
in ... results below.

More good news​: with the help of the extra feedback, I've managed to
construct a short script which fails on bleadperl. I'm looking into it
now.

--
This email is confidential, and now that you have read it you are legally
obliged to shoot yourself. Or shoot a lawyer, if you prefer. If you have
received this email in error, place it in its original wrapping and return
for a full refund. By opening this email, you accept that Elvis lives.

@p5pRT
Copy link
Author

p5pRT commented Sep 14, 2019

From @iabyn

On Thu, Sep 12, 2019 at 11​:07​:13AM +0100, Dave Mitchell wrote​:

On Mon, Sep 09, 2019 at 08​:37​:48PM +0000, Chris Crook wrote​:

Good news - the loop is only hit once or twice before it errors
(depending on the order of retrieval from hash). I put a bit more code
in ... results below.

More good news​: with the help of the extra feedback, I've managed to
construct a short script which fails on bleadperl. I'm looking into it
now.

Now fixed in blead with the following commit​:

commit 4a69216
Author​: David Mitchell <davem@​iabyn.com>
AuthorDate​: Sat Sep 14 16​:18​:46 2019 +0100
Commit​: David Mitchell <davem@​iabyn.com>
CommitDate​: Sat Sep 14 16​:18​:46 2019 +0100

  Avoid panic when last s///g is tainted and utf8
 
  RT #134409
 
  In a repeated substitution, where the replacement is an expression,
  and when the last replacement value is both tainted and utf8, and
  everything earlier has been plain, and the final string is suitably
  shorter than the original, a panic resulted​:
 
  sv_pos_b2u​: bad byte offset, blen=1, byte=6
 
  This is because when at the end, taint magic is being being added to
  the target of the s///, the target SV has already had its buffer updated
  with the shorter result string, but still has the pos() magic set which
  corresponded to the original longer string (this pos value would, in the
  normal flow of things, be reset shortly afterwards).
 
  One quirk of sv_magic(), which adds any sort of magic including taint
  magic, is that it always checks for the presence of pos() magic, and if
  so, converts the byte to utf8 offset if necessary. This was seeing the
  invalid pos() offset and panicing.
 
  The check was added by v5.19.3-111-g25fdce4a16​:
  "Stop pos() from being confused by changing utf8ness"
  It seems like a bit of hack to recalibrate pos() each time sv_magic()
  is called, but I've left that alone (sleeping dogs and all that) and
  instead added a hack in the taint code path in pp_substcont to reset pos
  before setting taint.

--
Spock (or Data) is fired from his high-ranking position for not being able
to understand the most basic nuances of about one in three sentences that
anyone says to him.
  -- Things That Never Happen in "Star Trek" #19

@toddr toddr removed the khw label Oct 25, 2019
@khwilliamson
Copy link
Contributor

Is this then closable?

@xsawyerx
Copy link
Member

One of the ticket examples where we need an indication from the author but, while their email is available, it doesn't automatically send them an update.

@khwilliamson
Copy link
Contributor

I emailed the OP privately, and their response was that it is ok to close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
distro-Linux type-core
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@xsawyerx @toddr @khwilliamson @p5pRT