# New Ticket Created by Dan Collins
# Please include the string: [perl #128256]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=128256 >
Greetings Porters,
I have compiled bleadperl with the afl-gcc compiler using:
```sh
./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test
```
And then fuzzed the resulting binary using:
```sh
AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
```
After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segfault in the perl interpreter. The testcase is the file below. On normal builds and debug builds, this segfaults.
```
[email protected]:~/perl$ ./perl -Ilib -We 'use lib sub{eval"use WHATEVER"};use WHATEVER'
Deep recursion on anonymous subroutine at (eval 99) line 1.
Segmentation fault
```
This appears to be a stack overflow bug caused by infinite recursion. Here is the iterating series of stack frames:
```
#391 0x0000000000449949 in Perl_call_sv (sv=0x1d23290, flags=13) at perl.c:2841
#392 0x000000000044eb5a in Perl_call_list (oldscope=8832, paramList=0x1d23230) at perl.c:5009
#393 0x0000000000435f80 in S_process_special_blocks (floor=181937, fullname=0x8780c0 "BEGIN",
    gv=0x86e730, cv=0x1d23290) at op.c:8793
#394 0x0000000000435b34 in Perl_newATTRSUB_x (floor=181937, o=0x1d30fe0, proto=0x0, attrs=0x0,
    block=0x1d30fa0, o_is_gv=false) at op.c:8722
#395 0x000000000042c985 in Perl_utilize (aver=1, floor=181937, version=0x0, idop=0x1d30a08,
    arg=0x0) at op.c:6096
#396 0x000000000048971d in Perl_yyparse (gramtype=258) at perly.y:351
#397 0x0000000000564f63 in S_try_yyparse (gramtype=258) at pp_ctl.c:3233
#398 0x0000000000565843 in S_doeval_compile (gimme=3 '\003', outside=0x86e778, seq=2, hh=0x0)
    at pp_ctl.c:3383
#399 0x0000000000568678 in Perl_pp_entereval () at pp_ctl.c:4244
#400 0x0000000000508a25 in Perl_runops_standard () at run.c:41
#401 0x00000000004497ed in Perl_call_sv (sv=0x8a4d80, flags=3) at perl.c:2824
#402 0x0000000000566ceb in S_require_file (sv=0x1d230b0) at pp_ctl.c:3832
#403 0x0000000000567f16 in Perl_pp_require () at pp_ctl.c:4124
#404 0x0000000000508a25 in Perl_runops_standard () at run.c:41
```
Valgrind confirms:
```
==39283== Stack overflow in thread #1: can't grow stack to 0xffe801000
==39283==
==39283== Process terminating with default action of signal 11 (SIGSEGV)
==39283== Access not within mapped region at address 0xFFE801F18
==39283== Stack overflow in thread #1: can't grow stack to 0xffe801000
==39283== at 0x474CA8: S_pad_findlex (pad.c:1115)
==39283== If you believe this happened as a result of a stack
==39283== overflow in your program's main thread (unlikely but
==39283== possible), you can try to increase the size of the
==39283== main thread stack using the --main-stacksize= flag.
==39283== The main thread stack size used in this run was 8388608.
==39283== Stack overflow in thread #1: can't grow stack to 0xffe801000
```
Bisect has been decidedly unhelpful; this bug has persisted since at least 5.12.0.
**PERL -V**
```
[email protected]:~/perldebug$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 2) configuration:
Commit id: c29dfc6a6c45f86648c51f961304254cc3c449b9
Platform:
osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-ld
uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache gcc-6.1 -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
hint=recommended, useposix=true, d_sigaction=define
useithreads=undef, usemultiplicity=undef
use64bitint=define, use64bitall=define, uselongdouble=define
usemymalloc=n, bincompat5005=undef
Compiler:
cc='ccache gcc-6.1', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-g',
cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion='', gccversion='6.1.0', gccosandvers=''
intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
alignbytes=16, prototype=define
Linker and Libraries:
ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.22'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'
Characteristics of this binary (from libperl):
Compile-time options: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
PERL_DONT_CREATE_GVSV
PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
PERL_OP_PARENT PERL_PRESERVE_IVUV PERL_USE_DEVEL
USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
USE_PERLIO USE_PERL_ATOF
Built under linux
Compiled at May 26 2016 17:57:37
@INC:
lib
/usr/local/perl-afl/lib/site_perl/5.25.2/x86_64-linux-ld
/usr/local/perl-afl/lib/site_perl/5.25.2
/usr/local/perl-afl/lib/5.25.2/x86_64-linux-ld
/usr/local/perl-afl/lib/5.25.2
/usr/local/perl-afl/lib/site_perl/5.25.1
/usr/local/perl-afl/lib/site_perl/5.24.0
/usr/local/perl-afl/lib/site_perl
.
```
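The recursion in the one-liner comes from the `@INC` coderef hook: the compile-time `use` inside it requires the same module, which invokes the same hook again, with no depth check before the C stack is exhausted. As an added example (not code from the ticket or from perl core), here is an `@INC` hook with a re-entrancy guard, so the same nested load ends in an ordinary "Can't locate" error; `guarded_hook` and the module name `WHATEVER` are assumed names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical guarded @INC hook (example code, not from the ticket or perl core).
# %in_progress records which files this hook is currently resolving, so a nested
# require of the same file declines instead of recursing until the stack is gone.
my %in_progress;
my $refused = 0;

sub guarded_hook {
    my ($self, $filename) = @_;      # perl passes the coderef and e.g. "WHATEVER.pm"
    if ($in_progress{$filename}) {
        $refused++;
        warn "guarded_hook: refusing re-entrant load of $filename\n";
        return;                      # empty list: decline, let perl try the rest of @INC
    }
    local $in_progress{$filename} = 1;   # restored on every exit path, including die

    # Same shape as the ticket's hook: a compile-time require of the module that is
    # already being loaded, wrapped in eval so its failure is reported, not fatal.
    (my $module = $filename) =~ s{/}{::}g;
    $module =~ s/\.pm\z//;
    eval "use $module; 1" or warn "nested load failed: $@";

    return;                          # decline here too; nothing was actually loaded
}

unshift @INC, \&guarded_hook;

# Constructed demonstration: the ticket's `use WHATEVER`, run under the guarded hook.
# WHATEVER.pm does not exist, so the outcome is an ordinary "Can't locate" error
# rather than a segfault from unbounded recursion.
if (eval "use WHATEVER; 1") {
    print "WHATEVER loaded (unexpected)\n";
} else {
    print "load failed cleanly: $@";
}
print "re-entrant hook calls refused: $refused\n";
```

The guard only protects hooks you write yourself; the interpreter-level overflow the ticket reports is still reachable by an unguarded hook, which is why the report is against perl rather than lib.pm.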