Description
This is a bug report for perl from afl@dorothy,
generated with the help of perlbug 1.41 running under perl 5.31.5.
[Please describe your issue here]
While fuzzing perl v5.29.10-23-g7c0d7520a3 built with afl and run
under libdislocator, I found the following program (no newline at the end)
my sub
my(&);my{$0{0}}\
to cause a double free: free(): double free detected in tcache 2
ASAN report is
==46628==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000b82 at pc 0x00000053a28c bp 0x7ffe75269d50 sp 0x7ffe75269d48
READ of size 1 at 0x606000000b82 thread T0
#0 0x53a28b in Perl_op_free /home/afl/afl-asan/op.c:855:28
#1 0x7590ef in Perl_cv_undef_flags /home/afl/afl-asan/pad.c:328:13
#2 0xa58c45 in Perl_sv_clear /home/afl/afl-asan/sv.c:6649:6
#3 0xa60ed1 in Perl_sv_free2 /home/afl/afl-asan/sv.c:7110:9
#4 0x75a050 in Perl_SvREFCNT_dec_NN /home/afl/afl-asan/./inline.h:241:2
#5 0x75a050 in Perl_cv_undef_flags /home/afl/afl-asan/pad.c:406
#6 0xa58c45 in Perl_sv_clear /home/afl/afl-asan/sv.c:6649:6
#7 0xa60ed1 in Perl_sv_free2 /home/afl/afl-asan/sv.c:7110:9
#8 0x601468 in Perl_SvREFCNT_dec /home/afl/afl-asan/./inline.h:227:6
#9 0x601468 in perl_destruct /home/afl/afl-asan/perl.c:904
#10 0x5354c6 in main /home/afl/afl-asan/perlmain.c:145:18
#11 0x7f37c38e609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#12 0x43ccc9 in _start (/home/afl/afl-asan/perl+0x43ccc9)
0x606000000b82 is located 34 bytes inside of 56-byte region [0x606000000b60,0x606000000b98)
freed by thread T0 here:
#0 0x5018d0 in __interceptor_free.localalias.0 (/home/afl/afl-asan/perl+0x5018d0)
#1 0x537bbe in Perl_Slab_Free /home/afl/afl-asan/op.c:457:6
#2 0x539e8e in Perl_op_free /home/afl/afl-asan/op.c:920:9
#3 0x7492e6 in Perl_yyparse /home/afl/afl-asan/perly.c:546:17
#4 0x6120dc in S_parse_body /home/afl/afl-asan/perl.c:2527:9
#5 0x607e96 in perl_parse /home/afl/afl-asan/perl.c:1818:2
#6 0x5352cd in main /home/afl/afl-asan/perlmain.c:132:18
#7 0x7f37c38e609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
previously allocated by thread T0 here:
#0 0x501cc8 in calloc (/home/afl/afl-asan/perl+0x501cc8)
#1 0x535779 in Perl_Slab_Alloc /home/afl/afl-asan/op.c:281:11
#2 0x571222 in Perl_newUNOP_AUX /home/afl/afl-asan/op.c:6568:5
#3 0x5e6eb8 in S_maybe_multideref /home/afl/afl-asan/op.c:15407:22
#4 0x5d8afe in Perl_rpeep /home/afl/afl-asan/op.c
#5 0x578f80 in S_process_optree /home/afl/afl-asan/op.c:3616:5
#6 0x578f80 in Perl_newATTRSUB_x /home/afl/afl-asan/op.c:10695
#7 0x5b3ba0 in Perl_newANONATTRSUB /home/afl/afl-asan/op.c:11314:21
#8 0x75053b in Perl_yyparse /home/afl/afl-asan/perly.y
#9 0x6120dc in S_parse_body /home/afl/afl-asan/perl.c:2527:9
#10 0x607e96 in perl_parse /home/afl/afl-asan/perl.c:1818:2
#11 0x5352cd in main /home/afl/afl-asan/perlmain.c:132:18
#12 0x7f37c38e609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
This is a regression in blead, bisect points to
73cdf3a is the first bad commit
commit 73cdf3a
Author: David Mitchell [email protected]
Date: Mon Apr 8 14:17:59 2019 +0100
Make op_free() non-recursive
Stop using the DEFER mechanism (which could leak if something croaks)
and instead tree walk using the new OP_PARENT link to allow walking
back up the tree.
The freeing is done depth-first: children are freed before their
parents.
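The report stresses that the test case has no trailing newline, which is easy to lose when pasting it into an editor. The following POSIX shell helper, added here and not part of the original report, writes the two-line program byte-for-byte with printf (which does not interpret the final backslash), checks its size, and runs it under the sanitizer build. The path in PERL is an assumption taken from the report's trace paths; point it at your own ASAN-instrumented perl. The crash is only expected on an affected blead build, so a clean exit on a fixed or uninstrumented perl is reported, not treated as an error.

```shell
#!/bin/sh
# Reproduction helper for the perlbug report above (added example, not from the report).
# Assumption: PERL points at a perl built with -fsanitize=address; the default
# path is hypothetical and taken from the trace in the report.
PERL="${PERL:-/home/afl/afl-asan/perl}"

# Write the reporter's test case exactly: "my sub", a newline, then
# "my(&);my{$0{0}}\" with NO trailing newline. printf '%s' emits its
# arguments literally, so the final '\' is written as a single byte.
write_repro() {
    printf '%s\n%s' 'my sub' 'my(&);my{$0{0}}\' > "$1"
}

# Byte count of the written file. A correct copy is 23 bytes; a trailing
# newline would make it 24 and changes what the parser sees at EOF.
repro_size() {
    wc -c < "$1" | tr -d ' '
}

# Run the test case and classify the result:
#   0  sanitizer or glibc reported the bug (heap-use-after-free / double free)
#   1  perl ran but reported nothing (fixed build, or not built with ASAN)
#   2  PERL is not an executable, nothing was run
run_repro() {
    f="$1"
    [ -x "$PERL" ] || return 2
    # abort_on_error=0 keeps the ASAN report on stderr instead of a core dump.
    out=$(ASAN_OPTIONS=abort_on_error=0 "$PERL" "$f" 2>&1)
    case "$out" in
        *heap-use-after-free*|*'double free detected'*) return 0 ;;
        *) return 1 ;;
    esac
}

tmp=$(mktemp)
write_repro "$tmp"
echo "wrote $(repro_size "$tmp") bytes to $tmp"
run_repro "$tmp"
rc=$?
case "$rc" in
    0) echo "sanitizer reported the use-after-free" ;;
    1) echo "no report from $PERL (fixed build or not instrumented)" ;;
    *) echo "$PERL is not runnable; set PERL to an ASAN-built perl" ;;
esac
rm -f "$tmp"
```

Run with `PERL=/path/to/asan/perl sh repro.sh`; to reproduce the plain glibc double-free message from the report instead, point PERL at the non-ASAN build of the same commit.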
[Please do not change anything below this line]
Flags:
category=core
severity=medium
Site configuration information for perl 5.31.5:
Configured by root at Fri Oct 18 05:50:54 MSK 2019.
Summary of my perl5 (revision 5 version 31 subversion 5) configuration:
Derived from: 859b78b
Platform:
osname=linux
osvers=4.19.0-6-amd64
archname=x86_64-linux
uname='linux dorothy 4.19.0-6-amd64 #1 smp debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 gnulinux '
config_args='-des -Dusedevel -Dcc=gcc -DDEBUGGING -Doptimize=-O0 -g -ggdb3'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='gcc'
ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
optimize='-O0 -g -ggdb3'
cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='8.3.0'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='gcc'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/8/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.28.so
so=so
useshrplib=false
libperl=libperl.a
gnulibc_version='2.28'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'
Characteristics of this binary (from libperl):
Compile-time options:
DEBUGGING
HAS_TIMES
PERLIO_LAYERS
PERL_COPY_ON_WRITE
PERL_DONT_CREATE_GVSV
PERL_MALLOC_WRAP
PERL_OP_PARENT
PERL_PRESERVE_IVUV
PERL_USE_DEVEL
USE_64_BIT_ALL
USE_64_BIT_INT
USE_LARGE_FILES
USE_LOCALE
USE_LOCALE_COLLATE
USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC
USE_LOCALE_TIME
USE_PERLIO
USE_PERL_ATOF
Locally applied patches:
uncommitted-changes
Built under linux
Compiled at Oct 18 2019 06:02:50
%ENV:
PERLBREW_BASHRC_VERSION="0.78"
PERLBREW_HOME="/home/afl/.perlbrew"
PERLBREW_MANPATH="/home/afl/perlbrew/perls/perl-5.20.2/man"
PERLBREW_PATH="/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.20.2/bin"
PERLBREW_PERL="perl-5.20.2"
PERLBREW_ROOT="/home/afl/perlbrew"
PERLBREW_VERSION="0.78"
@inc:
lib
/usr/local/lib/perl5/site_perl/5.31.5/x86_64-linux
/usr/local/lib/perl5/site_perl/5.31.5
/usr/local/lib/perl5/5.31.5/x86_64-linux
/usr/local/lib/perl5/5.31.5