
Mailing List Archive: Perl: porters

[perl #38869] SIGSEGV because $1 is bound into out-of-scope variable



perlbug-followup at perl

Apr 6, 2006, 11:07 PM

Post #1 of 3
[perl #38869] SIGSEGV because $1 is bound into out-of-scope variable

# New Ticket Created by Steffen_Ullrich[at]genua.de
# Please include the string: [perl #38869]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/rt3/Ticket/Display.html?id=38869 >



This is a bug report for perl from steffen[at]genua.de,
generated with the help of perlbug 1.35 running under perl v5.8.6.


-----------------------------------------------------------------
[Please enter your report here]

The following code causes a segmentation fault on OpenBSD3.9.
The problem happens with perl5.8.6 and also with perl5.8.8.
It cannot be reproduced on OpenBSD3.8 (5.8.6) nor on Linux
(Ubuntu, 5.8.7) nor on MacOSX 10.3 (with 5.8.7).

I guess there is some memory corruption which is detected by the
very strict OpenBSD checking.

my @list = (
    'ab cd',                  # matches regex
    ( 'e' x 4000 ) . 'ab c'   # does not match, but 'ab c' matches part of it
);
foreach (@list) {
    m/ab(.*)cd/i;   # the ignore-case seems to be important
    my $y = $1;     # use $1, which might not be from the last match!
}

Stacktrace:

(gdb) bt
#0 0x0642dca9 in memmove () from /usr/lib/libc.so.39.0
#1 0x076ba597 in Perl_sv_setpvn (sv=0x1, ptr=0x846f2b72 <Address 0x846f2b72 out of bounds>, len=1)
at /usr/src/gnu/usr.bin/perl/sv.c:4150
#2 0x076b0b4d in Perl_magic_get (sv=0x8485676c, mg=0x1) at /usr/src/gnu/usr.bin/perl/mg.c:760
#3 0x076b01d5 in Perl_mg_get (sv=0x8485676c) at /usr/src/gnu/usr.bin/perl/mg.c:169
#4 0x076ba3f1 in Perl_sv_setsv_flags (dstr=0x84856748, sstr=0x8485676c, flags=2) at /usr/src/gnu/usr.bin/perl/sv.c:3819
#5 0x076a85b9 in Perl_pp_sassign () at /usr/src/gnu/usr.bin/perl/pp_hot.c:122
#6 0x07710c29 in Perl_runops_standard () at /usr/src/gnu/usr.bin/perl/run.c:37
#7 0x076ff457 in S_run_body (oldscope=1) at /usr/src/gnu/usr.bin/perl/perl.c:1936
#8 0x076ff257 in perl_run (my_perl=0x846f1030) at /usr/src/gnu/usr.bin/perl/perl.c:1855
#9 0x1c0012e6 in main ()




[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
category=core
severity=high
---
Site configuration information for perl v5.8.6:

Configured by root at Thu Jan 1 0:00:00 UTC 1970.

Summary of my perl5 (revision 5 version 8 subversion 6) configuration:
Platform:
osname=openbsd, osvers=3.9, archname=i386-openbsd
uname='openbsd'
config_args='-dsE -Dopenbsd_distribution=defined'
hint=recommended, useposix=true, d_sigaction=define
usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
use64bitint=undef use64bitall=undef uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='cc', ccflags ='-fno-strict-aliasing -fno-delete-null-pointer-checks -pipe -I/usr/local/include',
optimize='-O2',
cppflags='-fno-strict-aliasing -fno-delete-null-pointer-checks -pipe -I/usr/local/include'
ccversion='', gccversion='3.3.5 (propolice)', gccosandvers='openbsd3.9'
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
alignbytes=4, prototype=define
Linker and Libraries:
ld='cc', ldflags ='-Wl,-E '
libpth=/usr/lib
libs=-lm -lutil -lc
perllibs=-lm -lutil -lc
libc=/usr/lib/libc.so.39.0, so=so, useshrplib=true, libperl=libperl.so.10.0
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-R/usr/libdata/perl5/i386-openbsd/5.8.6/CORE'
cccdlflags='-DPIC -fPIC ', lddlflags='-shared -fPIC '

Locally applied patches:
SUIDPERLIO1 - fix PERLIO_DEBUG buffer overflow (CAN-2005-0156)
SPRINTF0 - fixes for sprintf formatting issues - CVE-2005-3962

---
@INC for perl v5.8.6:
/usr/libdata/perl5/i386-openbsd/5.8.6
/usr/local/libdata/perl5/i386-openbsd/5.8.6
/usr/libdata/perl5
/usr/local/libdata/perl5
/usr/local/libdata/perl5/site_perl/i386-openbsd
/usr/libdata/perl5/site_perl/i386-openbsd
/usr/local/libdata/perl5/site_perl
/usr/libdata/perl5/site_perl
/usr/local/lib/perl5/site_perl
.

---
Environment for perl v5.8.6:
HOME=/home/steffen
LANG (unset)
LANGUAGE (unset)
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/steffen/bin:/home/steffen/bin/OpenBSD.bin:/mount/share/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/bin
PERL_BADLANG (unset)
SHELL=/usr/local/bin/bash


rgarciasuarez at mandriva

Apr 7, 2006, 12:15 AM

Post #2 of 3
Re: [perl #38869] SIGSEGV because $1 is bound into out-of-scope variable [In reply to]

Steffen_Ullrich[at]genua.de (via RT) wrote:
> The following code causes a segmentation fault on OpenBSD3.9.
> The problem happens with perl5.8.6 and also with perl5.8.8.
> It cannot be reproduced on OpenBSD3.8 (5.8.6) nor on Linux
> (Ubuntu, 5.8.7) nor on MacOSX 10.3 (with 5.8.7).
>
> I guess there is some memory corruption which is detected by the
> very strict OpenBSD checking.
>
> my @list = (
>     'ab cd',                  # matches regex
>     ( 'e' x 4000 ) . 'ab c'   # does not match, but 'ab c' matches part of it
> );
> foreach (@list) {
>     m/ab(.*)cd/i;   # the ignore-case seems to be important
>     my $y = $1;     # use $1, which might not be from the last match!
> }
>
> Stacktrace:

Even though this doesn't segfault here on Linux with bleadperl, valgrind
confirms this stacktrace.


rgarciasuarez at gmail

Nov 14, 2006, 3:35 AM

Post #3 of 3
Re: [perl #38869] SIGSEGV because $1 is bound into out-of-scope variable [In reply to]

On 07/04/06, Rafael Garcia-Suarez <rgarciasuarez[at]mandriva.com> wrote:
> Steffen_Ullrich[at]genua.de (via RT) wrote:
> > The following code causes a segmentation fault on OpenBSD3.9.
> > The problem happens with perl5.8.6 and also with perl5.8.8.
> > It cannot be reproduced on OpenBSD3.8 (5.8.6) nor on Linux
> > (Ubuntu, 5.8.7) nor on MacOSX 10.3 (with 5.8.7).
> >
> > I guess there is some memory corruption which is detected by the
> > very strict OpenBSD checking.
> >
> > my @list = (
> >     'ab cd',                  # matches regex
> >     ( 'e' x 4000 ) . 'ab c'   # does not match, but 'ab c' matches part of it
> > );
> > foreach (@list) {
> >     m/ab(.*)cd/i;   # the ignore-case seems to be important
> >     my $y = $1;     # use $1, which might not be from the last match!
> > }
> >
> > Stacktrace:
>
> Even though this doesn't segfault here on Linux with bleadperl, valgrind
> confirms this stacktrace.

I've added an assert() to catch such cases, but the bug should be fixed instead.

Change 29271 by rgs[at]stencil on 2006/11/14 11:35:04

Assert that we don't access strings saved for $1 etc. out of bounds

Affected files ...

... //depot/perl/mg.c#455 edit

Differences ...

==== //depot/perl/mg.c#455 (text) ====

@@ -854,6 +854,7 @@
i = t1 - s1;
s = rx->subbeg + s1;
assert(rx->subbeg);
+ assert(rx->sublen >= s1);

getrx:
if (i >= 0) {
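Review bot: the added assert(rx->sublen >= s1) bounds only the start offset, while the context lines show that i = t1 - s1 bytes are then read from rx->subbeg + s1, so an end offset past the saved buffer still gets through; asserting the end as well (for example assert(t1 >= s1 && t1 <= rx->sublen)) would cover the whole read. Two caveats are visible from the thread itself: the original backtrace shows ptr out of bounds with len=1, i.e. a bad subbeg pointer rather than a bad offset, which no offset check can catch, and assert() is compiled out under NDEBUG, so this is a debugging-build diagnostic only, as the reply above already says ("the bug should be fixed instead").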

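As an added illustration of the fetch that the mg.c hunk guards (this is example code written for this archive page, not code from the thread or from perl's own sources), the C model below validates both capture offsets before copying, and replays a scenario constructed from the reporter's first list element where a start-only check would pass but the read would still run past the saved buffer. The struct and function names (saved_match, capture_get, stale_offsets_rejected) are assumptions, and the scenario is a constructed model rather than the interpreter's real failure path.

```c
#include <stddef.h>
#include <string.h>

/* Minimal model of the fields mg.c reads when $1 is fetched:
 * subbeg/sublen hold the saved copy of the subject string, and
 * startp[]/endp[] hold capture offsets (s1/t1 in the patch). */
struct saved_match {
    const char *subbeg;
    size_t      sublen;
    ptrdiff_t   startp[2];
    ptrdiff_t   endp[2];
};

/* Copy capture n into out. Returns its length, or -1 when the capture
 * is unset or its offsets do not lie inside [0, sublen]. Both ends are
 * checked, not only s1 as in the patch, because i = t1 - s1 bytes are
 * read starting at subbeg + s1. */
ptrdiff_t capture_get(const struct saved_match *rx, int n, char *out, size_t outsz)
{
    if (rx->subbeg == NULL || n < 0 || n > 1) return -1;
    ptrdiff_t s1 = rx->startp[n], t1 = rx->endp[n];
    if (s1 < 0 || t1 < s1) return -1;            /* unset (-1) or inverted */
    if ((size_t)t1 > rx->sublen) return -1;      /* end runs past the buffer */
    size_t i = (size_t)(t1 - s1);
    if (i >= outsz) return -1;                   /* no room for the NUL */
    memcpy(out, rx->subbeg + s1, i);
    out[i] = '\0';
    return (ptrdiff_t)i;
}

/* Constructed scenario modelled on the report (hypothetical, not the
 * interpreter's real failure path): offsets saved from 'ab cd'
 * ($1 = " " at 2..3) are reused after subbeg/sublen describe a
 * shorter buffer. Returns 1 if the stale read is refused. */
int stale_offsets_rejected(void)
{
    char buf[8];
    struct saved_match rx = { "ab cd", 5, {0, 2}, {5, 3} };
    if (capture_get(&rx, 1, buf, sizeof buf) != 1 || strcmp(buf, " ") != 0)
        return 0;
    rx.subbeg = "ab";       /* s1 = 2 still satisfies sublen >= s1 ... */
    rx.sublen = 2;          /* ... but t1 = 3 would read one byte past it */
    return capture_get(&rx, 1, buf, sizeof buf) == -1;
}
```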