Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segfault in the perl interpreter. The testcase is the file below. On normal builds and debug builds with -W, this segfaults.

dcollins@nightshade64:~/perldebug$ ./perl -Ilib -e 'sub U::0{}undef*U::;*U::0=sub{}'
dcollins@nightshade64:~/perldebug$ ./perl -Ilib -W -e 'sub U::0{}undef*U::;*U::0=sub{}'
Segmentation fault

This testcase *looks* suspiciously like [perl #128254], but it is rather different. This one has nothing to do with ISA or taint mode. It is, however, rather bizarre. It only crashes under -W. Perhaps we're freeing something while it's still on the stack? But if this was a context stack issue, I think it would segfault regardless of whether warnings are enabled.

A bisect was attempted but this behavior has persisted since 5.12.0 at least.


dcollins@nightshade64:~/perldebug$ gdb --args ./perl -Ilib -W -e 'sub U::0{}undef*U::;*U::0=sub{}'
Reading symbols from ./perl...done.
(gdb) run
Starting program: /home/dcollins/perldebug/perl -Ilib -W -e sub\ U::0\{\}undef\*U::\;\*U::0=sub\{\}
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000005dd873 in Perl_gv_setref (dstr=0xab2798, sstr=0xab2780) at sv.c:4073
4073 report_redefined_cv(
(gdb) bt
#0 0x00000000005dd873 in Perl_gv_setref (dstr=0xab2798, sstr=0xab2780) at sv.c:4073
#1 0x00000000005e32ef in Perl_sv_setsv_flags (dstr=0xab2798, sstr=0xab2780, flags=1538)
     at sv.c:4510
#2 0x00000000005a6dd4 in Perl_pp_sassign () at pp_hot.c:226
#3 0x000000000055a245 in Perl_runops_debug () at dump.c:2239
#4 0x00000000004623d3 in S_run_body (oldscope=1) at perl.c:2517
#5 0x00000000004619fe in perl_run (my_perl=0xa9c010) at perl.c:2440
#6 0x000000000041eae0 in main (argc=5, argv=0x7fffffffe5f8, env=0x7fffffffe628)
     at perlmain.c:116
(gdb) l
4068 {
4069     SV * const new_const_sv =
4070         CvCONST((const CV *)sref)
4071             ? cv_const_sv((const CV *)sref)
4072             : NULL;
4073     report_redefined_cv(
4074         sv_2mortal(Perl_newSVpvf(aTHX_
4075             "%"HEKf"::%"HEKf,
4076             HEKfARG(
4077                 HvNAME_HEK(GvSTASH((const GV *)dstr))
(gdb) info locals
new_const_sv = 0x0
cv = 0xab2738
sref = 0xab2708
__PRETTY_FUNCTION__ = "Perl_gv_setref"
dref = 0xab2738
intro = 0
location = 0xabc090
import_flag = 128 '\200'
stype = 13


dcollins@nightshade64:~/perldebug$ valgrind ./perl -Ilib -W -e 'sub U::0{}undef*U::;*U::0=sub{}'
==47187== Memcheck, a memory error detector
==47187== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==47187== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==47187== Command: ./perl -Ilib -W -e sub\ U::0{}undef*U::;*U::0=sub{}
==47187== Invalid read of size 4
==47187==    at 0x5DD873: Perl_gv_setref (sv.c:4073)
==47187==    by 0x5E32EE: Perl_sv_setsv_flags (sv.c:4510)
==47187==    by 0x5A6DD3: Perl_pp_sassign (pp_hot.c:226)
==47187==    by 0x55A244: Perl_runops_debug (dump.c:2239)
==47187==    by 0x4623D2: S_run_body (perl.c:2517)
==47187==    by 0x4619FD: perl_run (perl.c:2440)
==47187==    by 0x41EADF: main (perlmain.c:116)
==47187==  Address 0xc is not stack'd, malloc'd or (recently) free'd
==47187== 
==47187== Process terminating with default action of signal 11 (SIGSEGV)
==47187==  Access not within mapped region at address 0xC
==47187==    at 0x5DD873: Perl_gv_setref (sv.c:4073)
==47187==    by 0x5E32EE: Perl_sv_setsv_flags (sv.c:4510)
==47187==    by 0x5A6DD3: Perl_pp_sassign (pp_hot.c:226)
==47187==    by 0x55A244: Perl_runops_debug (dump.c:2239)
==47187==    by 0x4623D2: S_run_body (perl.c:2517)
==47187==    by 0x4619FD: perl_run (perl.c:2440)
==47187==    by 0x41EADF: main (perlmain.c:116)
==47187== If you believe this happened as a result of a stack
==47187== overflow in your program's main thread (unlikely but
==47187== possible), you can try to increase the size of the
==47187== main thread stack using the --main-stacksize= flag.
==47187== The main thread stack size used in this run was 8388608.
==47187== HEAP SUMMARY:
==47187== in use at exit: 112,125 bytes in 569 blocks
==47187== total heap usage: 696 allocs, 127 frees, 132,072 bytes allocated
==47187== LEAK SUMMARY:
==47187== definitely lost: 192 bytes in 1 blocks
==47187== indirectly lost: 2,016 bytes in 22 blocks
==47187== possibly lost: 1,024 bytes in 2 blocks
==47187== still reachable: 108,893 bytes in 544 blocks
==47187== suppressed: 0 bytes in 0 blocks
==47187== Rerun with --leak-check=full to see details of leaked memory
==47187== For counts of detected and suppressed errors, rerun with: -v
==47187== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

**PERL -V**

dcollins@nightshade64:~/perldebug$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 2) configuration:
   Commit id: c29dfc6a6c45f86648c51f961304254cc3c449b9
     osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-ld
     uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
     config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache gcc-6.1 -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
     hint=recommended, useposix=true, d_sigaction=define
     useithreads=undef, usemultiplicity=undef
     use64bitint=define, use64bitall=define, uselongdouble=define
     usemymalloc=n, bincompat5005=undef
     cc='ccache gcc-6.1', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
     cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
     ccversion='', gccversion='6.1.0', gccosandvers=''
     intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
     d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
     ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
     alignbytes=16, prototype=define
   Linker and Libraries:
     ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
     libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
     libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
     perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
     libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
   Dynamic Linking:
     dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
     cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
                         USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
                         USE_PERLIO USE_PERL_ATOF
   Built under linux
   Compiled at May 26 2016 17:57:37
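Reading the memcheck output is the triage step that tells what kind of memory error a fuzzer-found crash is: here the fault address is 0xc, below the first page and "not stack'd, malloc'd or (recently) free'd", which is the signature of a field read through a NULL pointer rather than a use of freed heap. The following Python is an added example, not part of the original report or of perl's own tooling: it parses memcheck "Invalid read/write" records, pulls out the fault address and the innermost frames, and labels each access. The sample log is constructed (its first record mirrors the frames and address from the report above; the second is an invented use-after-free record for contrast, with hypothetical function names), and the 4 KiB null-page threshold and the label names are this example's own assumptions.

```python
"""Triage helper: classify memcheck 'Invalid read/write' errors.

Added example for this bug report, not part of the original message or of
perl's own tooling.  It reads Valgrind memcheck text, pulls out each invalid
access (kind, size, fault address, innermost frames) and labels it.  The
NULL_PAGE_LIMIT threshold and the label names are this example's assumptions.
"""
import re

# Assumption: the zero page (first 4 KiB) is unmapped, so a fault address
# below it is a field access through a NULL pointer, not a wild pointer.
NULL_PAGE_LIMIT = 0x1000

ACCESS_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.*)$")

# Constructed sample: the first record is modelled on the memcheck output in
# the report (same frames and fault address); the second is an invented
# use-after-free record with hypothetical function names, for contrast.
SAMPLE_LOG = """\
==47187== Invalid read of size 4
==47187==    at 0x5DD873: Perl_gv_setref (sv.c:4073)
==47187==    by 0x5E32EE: Perl_sv_setsv_flags (sv.c:4510)
==47187==    by 0x5A6DD3: Perl_pp_sassign (pp_hot.c:226)
==47187==  Address 0xc is not stack'd, malloc'd or (recently) free'd
==47187==
==47187== Invalid read of size 8
==47187==    at 0x400123: hypothetical_reader (example.c:10)
==47187==  Address 0x520a048 is 8 bytes inside a block of size 64 free'd
==47187==    at 0x4C2EDEB: free (vg_replace_malloc.c:530)
==47187==    by 0x400456: hypothetical_releaser (example.c:20)
"""


def parse_memcheck(text):
    """Return one dict per invalid access: kind, size, address, status, frames.

    frames holds (function, location) pairs for the faulting access itself,
    innermost first.  A record ends at its 'Address ...' line, so the
    allocation/free stack memcheck prints afterwards is not mixed in.
    """
    records, current = [], None
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            current = {"kind": m.group(1), "size": int(m.group(2)),
                       "address": None, "status": None, "frames": []}
            records.append(current)
            continue
        if current is None:
            continue
        m = FRAME_RE.match(line)
        if m:
            current["frames"].append((m.group(1), m.group(2)))
            continue
        m = ADDR_RE.match(line)
        if m:
            current["address"] = int(m.group(1), 16)
            current["status"] = m.group(2)
            current = None  # record complete; skip the trailing alloc/free stack
    return records


def classify(record):
    """Label an access from its fault address and memcheck's status text."""
    addr, status = record["address"], record["status"] or ""
    if addr is not None and addr < NULL_PAGE_LIMIT:
        return "null-deref"          # small offset from a NULL pointer
    if status.startswith("not stack'd"):
        return "wild-pointer"        # unmapped, and not a known heap block
    if "free'd" in status:
        return "use-after-free"      # inside a block memcheck saw freed
    if "bytes after a block" in status or "bytes before a block" in status:
        return "heap-out-of-bounds"
    return "unknown"


def summarize(text):
    """Return (label, innermost function, location) for every access in text."""
    out = []
    for rec in parse_memcheck(text):
        func, loc = rec["frames"][0] if rec["frames"] else ("?", "?")
        out.append((classify(rec), func, loc))
    return out


if __name__ == "__main__":
    for label, func, loc in summarize(SAMPLE_LOG):
        print(f"{label:20} {func} ({loc})")
```

Run on the real log with `valgrind ./perl ... 2>&1 | python3 triage.py` once `SAMPLE_LOG` is replaced by `sys.stdin.read()`; the point of stopping each record at its "Address" line is that memcheck's follow-up "free'd at ..." stack would otherwise be mistaken for frames of the faulting access.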

