writing to magic variables connected to the selected output GV when its IO object has been cleared crashes perl #20733

sigdevel · 2023-01-21T20:55:47Z

Description

Tested at 5.15.78-2.el7.3.x86_64 (RED OS release MUROM 7.3.2 - Centos based system), but also reproduced this bug on other platforms x86_64.

Steps to Reproduce

Fonded several examples were found using endless recursion and causing falls.
Insert this string and run with perl -e or run string from file.

while(()){$0=();int""}((unpack("p>",pack("P"))))

for(0){$0=('',unpack('P>',pack('P')))}

sub o{}*STDOUT=0;{{$~=0}{()}}

Expected behavior

Is it correct that the interpreter does not processing such samples (even with the flag -w) and just calling SEGFAULT when trying to address the memory areas inaccessible to recording?

Perl configuration

perl version: v5.30.1

The text was updated successfully, but these errors were encountered:

jkeenan · 2023-01-21T21:17:56Z

Steps to Reproduce

Found several examples were found using endless recursion and causing falls. Insert this string and run with perl -e or run string from file.
while(()){$0=();int""}((unpack("p>",pack("P"))))
for(0){$0=('',unpack('P>',pack('P')))}

Rewritten slightly for quotation marks as:
$ perl -e 'for(0){$0=(q||,unpack(q|P>|,pack(q|P|)))}'

sub o{}*STDOUT=0;{{$~=0}{()}}

In all cases, confirmed on FreeBSD-12 at both perl-5.32 and blead. Output:

Bus error (core dumped)

demerphq · 2023-01-22T01:53:38Z

On Sun, 22 Jan 2023, 05:48 a-shvedov, ***@***.***> wrote: Binary builded without Asan instrumented flags. Would it be necessary to add a asanlog file?

No, thanks for offering. We have reproducible case, anything else can be done by whomever picks up this bug. If you felt like accelerating the debugging of this or wanted to try your hand at a fix you could building a debugging perl, run the cases under gdb and get a stack trace of what blew up. Yves

…

tonycoz · 2023-01-23T00:35:21Z

while(()){$0=();int""}((unpack("p>",pack("P"))))

for(0){$0=('',unpack('P>',pack('P')))}

You're creating a pointer to something (pack 'P') then swapping the byte order of the pointer, and trying to access what it refers to.

The P/p pack/unpack template characters are very low level, you can't blindly use them and expect a sane result.

If you have a specific case where you expect some behaviour from these template characters and don't get it, please provide all the details, not just a "this crashes". You can assume unpack "P" or "p" crashes by default.

sub o{}*STDOUT=0;{{$~=0}{()}}

This is a real problem, and applies to other magic variables when *STDOUT has been cleared:

tony@venus:.../git/perl6$ ./perl -e '*STDOUT=0; $~ = 0;'
Segmentation fault
tony@venus:.../git/perl6$ ./perl -e '*STDOUT=0; $^ = 0;'
Segmentation fault
tony@venus:.../git/perl6$ ./perl -e '*STDOUT=0; $% = 0;'
Segmentation fault
tony@venus:.../git/perl6$ ./perl -e '*STDOUT=0; $- = 0;'
Segmentation fault
tony@venus:.../git/perl6$ ./perl -e '*STDOUT=0; $= = 0;'
Segmentation fault

pp_select() ensures that the GV in PL_defoutgv has an IO object when it the default output is set, but can't prevent that GV being cleared afterwards, resulting in a seg fault when the variable is written. To prevent this, check PL_defoutgv has an IO object before trying to write to it. Fixes Perl#20733

pp_select() ensures that the GV in PL_defoutgv has an IO object when it the default output is set, but can't prevent that GV being cleared afterwards, resulting in a seg fault when the variable is written. To prevent this, check PL_defoutgv has an IO object before trying to write to it. Fixes #20733

pp_select() ensures that the GV in PL_defoutgv has an IO object when it the default output is set, but can't prevent that GV being cleared afterwards, resulting in a seg fault when the variable is written. To prevent this, check PL_defoutgv has an IO object before trying to write to it. Fixes #20733 (cherry picked from commit af62106)

pp_select() ensures that the GV in PL_defoutgv has an IO object when it the default output is set, but can't prevent that GV being cleared afterwards, resulting in a seg fault when the variable is written. To prevent this, check PL_defoutgv has an IO object before trying to write to it. Fixes Perl#20733

sigdevel added the Needs Triage label Jan 21, 2023

jkeenan added type-core and removed Needs Triage labels Jan 21, 2023

tonycoz mentioned this issue Jan 23, 2023

check the IO object exists when writing to IO magic variables #20736

Merged

tonycoz changed the title ~~Some samples with endless recursion cause Segfault~~ writing to magic variables connected to the selected output GV when its IO object has been cleared crashes perl Jan 24, 2023

tonycoz closed this as completed in #20736 Jan 24, 2023

sigdevel mentioned this issue Apr 13, 2023

Report a Trophy AFLplusplus/AFLplusplus#286

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

writing to magic variables connected to the selected output GV when its IO object has been cleared crashes perl #20733

writing to magic variables connected to the selected output GV when its IO object has been cleared crashes perl #20733

sigdevel commented Jan 21, 2023

jkeenan commented Jan 21, 2023

demerphq commented Jan 22, 2023 via email

tonycoz commented Jan 23, 2023

writing to magic variables connected to the selected output GV when its IO object has been cleared crashes perl #20733

writing to magic variables connected to the selected output GV when its IO object has been cleared crashes perl #20733

Comments

sigdevel commented Jan 21, 2023

jkeenan commented Jan 21, 2023

demerphq commented Jan 22, 2023 via email

tonycoz commented Jan 23, 2023