This repository has been archived by the owner on Jun 1, 2023. It is now read-only.

Segmentation Faults and Aborts 2017-06-05 #293

Closed
rwhitworth opened this issue Jun 6, 2017 · 6 comments

@rwhitworth

Hello, I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the perl program on Linux. Is fixing the crashes from these input files something you're interested in? The input files can be found here: https://github.com/rwhitworth/cperl-fuzz/tree/master/2017-06-05.

Additionally there is a README.md within that repo directory that contains the gdb backtrace output. The binary was compiled with AFL_HARDEN=1 (an afl-clang-fast compiler variable) so there may be some extra information that would not normally be printed to the screen during program execution.

The files can be executed as ./perl id_filename to cause seg faults and aborts. These were generated from commit 45ac51b

Let me know if I can provide any more information to help narrow down these issues. If you would rather each of these issues be reported as separate issues I can do that as well.
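A triage harness for the procedure this report describes (run the target on each AFL crash file and note whether it segfaults or aborts), as an added example that is not part of cperl or of the reporter's cperl-fuzz repo. It assumes a target binary path and a crash directory supplied by the caller; AFL's filename fields are parsed from names shaped like the ones quoted in this thread, and the `runner` parameter is an assumption of this example so the grouping logic can be exercised without a real binary.

```python
import re
import signal
import subprocess
from collections import defaultdict
from pathlib import Path

# One AFL filename field: "key:value", with an optional "-suffix" such as the
# "-minimized" seen on rep:64-minimized. Values may contain '+' (src:a+b, val:+27).
_FIELD = re.compile(r"^([a-z]+):([^,]*?)(?:-([a-z]+))?$")


def parse_afl_name(name):
    """Split an AFL crash filename into its metadata fields.

    'sig' becomes an int (6 = SIGABRT, 11 = SIGSEGV); a part that does not
    parse is kept under 'unparsed' so nothing is silently dropped.
    """
    fields = {}
    for part in name.split(","):
        m = _FIELD.match(part)
        if not m:
            fields.setdefault("unparsed", []).append(part)
            continue
        key, val, suffix = m.groups()
        fields[key] = int(val) if key == "sig" else val
        if suffix:
            fields["suffix"] = suffix
    return fields


def classify_return(returncode):
    """Map a subprocess return code to a triage label; on POSIX a negative
    code means the child died from that signal."""
    if returncode < 0:
        sig = -returncode
        names = {int(signal.SIGSEGV): "SEGV", int(signal.SIGABRT): "ABRT"}
        return names.get(sig, f"SIG{sig}")
    return "ok" if returncode == 0 else f"exit:{returncode}"


def run_case(target, path, timeout=10):
    """Run `target path` (as the report does with ./perl id_filename) and
    return its triage label; a hang is reported as 'timeout'."""
    try:
        proc = subprocess.run([target, str(path)], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify_return(proc.returncode)


def triage(target, crash_dir, runner=run_case):
    """Group crash files by (signal AFL recorded, label observed now).

    After a fix every key should be (sig, 'ok') or (sig, 'exit:N'); a
    (sig, 'SEGV') or (sig, 'ABRT') key lists the inputs still crashing.
    """
    groups = defaultdict(list)
    for path in sorted(Path(crash_dir).iterdir()):
        meta = parse_afl_name(path.name)
        groups[(meta.get("sig"), runner(target, path))].append(path.name)
    return dict(groups)


def still_crashing(groups):
    """Names of inputs whose observed label is a signal (SEGV, ABRT, SIG<n>)."""
    return sorted(
        name
        for (_sig, label), names in groups.items()
        for name in names
        if label.startswith(("SEGV", "ABRT", "SIG"))
    )
```

Re-running `triage("./perl", "2017-06-05")` after a rebuild answers the question asked later in this thread (which inputs still crash) directly, and comparing the recorded `sig` with the observed label shows when a fix has turned a crash into a clean parse error rather than merely moved it to a different signal.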

@rurban
Member

rurban commented Jun 7, 2017

Fantastic! I'll check

@rurban
Member

rurban commented Jun 18, 2017

  • id:000000,sig:06,src:023772,op:havoc,rep:16 FIXED
  • id:000001,sig:06,src:024259,op:arith8,pos:5,val:+27 FIXED

5.27.x: Either correct panic: constant overflowed allocated space, 31 >= 24 at id:000000,sig:06,src:023772,op:havoc,rep:16 line 1.
or Assertion failed: (isUTF8_CHAR((U8 *) s, (U8 *) send)), function S_scan_const, file toke.c, line 4128.

5.26.0c, and perl5.2[67] just reports a syntax error.

  • id:000001,sig:11,src:017300+020757,op:splice,rep:64-minimized

SEGV in all 5.2[67] DEBUGGING variants, perl and cperl. Security relevant.
Regex stack exhaustion by unbounded recursion. Fixed by adding a depth limit of 5000 open nested parens. Older perls failed with an unhelpful Unmatched ( in regex error.

  • id:000099,sig:11,src:027197,op:havoc,rep:4

cperl regression with 5.27. Aborts or asserts. Caused by inconsistent TOKENBUF_SIZE and pads being now all utf8 in cperl.

  • id:000113,sig:06,src:029639+026337,op:splice,rep:4
  • id:000142,sig:11,src:027004,op:havoc,rep:32

cperl regression. Should error with Identifier too long.
Caused by inconsistent TOKENBUF_SIZE and pads being now all utf8 in cperl.

  • id:000162,sig:06,src:026278+031045,op:splice,rep:32

panic: constant overflowed allocated space, 173 >= 168 or isUTF8_CHAR assert. Ok I assume.
perl errors with Unescaped left brace in regex is illegal
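The fix described for the regex case above is a depth counter that turns unbounded recursion into a definite error. The following added example (not cperl's regcomp.c) shows the same bound on a toy nesting checker; it uses an explicit stack instead of recursion so the limit holds even in Python, where the interpreter's own recursion limit would otherwise fire first. The value 5000 is the limit quoted in the comment; the handling of escapes and character classes is a simplification assumed for the example.

```python
MAX_NESTED_PARENS = 5000  # the limit the comment above says cperl adopted


class RegexSyntaxError(ValueError):
    """Raised with a definite message instead of letting the parser crash."""


def check_paren_nesting(pattern, max_depth=MAX_NESTED_PARENS):
    """Validate '(' / ')' nesting in `pattern` and return the deepest nesting seen.

    Escaped parens ('\\(') and parens inside a character class are skipped, as
    a regex parser would (simplified: no nested-class or POSIX-class rules).
    Depth is the length of an explicit stack of opening positions, so the
    input cannot exhaust the call stack; exceeding max_depth raises the same
    kind of error as a mismatched paren does.
    """
    open_positions = []   # positions of '(' not yet closed; len() is the depth
    deepest = 0
    in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":          # skip the escaped character
            i += 2
            continue
        if in_class:
            if ch == "]":
                in_class = False
        elif ch == "[":
            in_class = True
        elif ch == "(":
            open_positions.append(i)
            if len(open_positions) > max_depth:
                # The whole fix: bound the depth before doing any more work.
                raise RegexSyntaxError(
                    f"Too many nested open parens (limit {max_depth}) at offset {i}")
            deepest = max(deepest, len(open_positions))
        elif ch == ")":
            if not open_positions:
                raise RegexSyntaxError(f"Unmatched ) in regex at offset {i}")
            open_positions.pop()
        i += 1
    if open_positions:
        raise RegexSyntaxError(f"Unmatched ( in regex at offset {open_positions[0]}")
    return deepest


def nesting_error(pattern, max_depth=MAX_NESTED_PARENS):
    """Return the error message for `pattern`, or None if it nests cleanly."""
    try:
        check_paren_nesting(pattern, max_depth)
    except RegexSyntaxError as exc:
        return str(exc)
    return None
```

The point of reporting the limit as its own message, rather than reusing "Unmatched (", is the one made in the thread: a 5001-deep pattern and a pattern with one missing ")" are different inputs, and a fuzzer-found crash is easier to confirm fixed when the diagnostic names the actual cause.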

rurban added a commit that referenced this issue Jun 18, 2017
The max identifier length depends on the max tokenbuf size,
which went from 256 in perl5 to 1024 in cperl, mostly to speed up parsing
with a larger parser buffer.
Harmonize a few places which still kept a hardcoded 256.
Fixes id:000099,sig:11,src:027197,op:havoc,rep:4 from #293

Use a larger IO buffer of 1024 for pp_backtick, when draining it for the
sideeffect only.

Get rid of unnecessary sv_gets COW logic. SvGROW already does add +1.
rurban added a commit that referenced this issue Jun 18, 2017
With cperl all pads are stored as utf8. Fix one
forgotten call in ck_sort, caught by afl-fuzzing
id:000113,sig:06,src:029639+026337,op:splice,rep:4
id:000142,sig:11,src:027004,op:havoc,rep:32
in #293
@rurban rurban self-assigned this Jun 18, 2017
@rurban rurban added this to the v5.27.1c milestone Jun 18, 2017
rurban added a commit that referenced this issue Jun 18, 2017
Some of them critical.
Thanks to Ryan Whitworth.
@rurban rurban closed this as completed in 8e11a66 Jun 18, 2017
rurban added a commit that referenced this issue Jun 21, 2017
The max identifier length depends on the max tokenbuf size,
which went from 256 in perl5 to 1024 in cperl, mostly to speed up parsing
with a larger parser buffer.
Harmonize a few places which still kept a hardcoded 256.
Fixes id:000099,sig:11,src:027197,op:havoc,rep:4 from #293

Use a larger IO buffer of 1024 for pp_backtick, when draining it for the
sideeffect only.

Get rid of unnecessary sv_gets COW logic. SvGROW already does add +1.
rurban added a commit that referenced this issue Jun 21, 2017
With cperl all pads are stored as utf8. Fix one
forgotten call in ck_sort, caught by afl-fuzzing
id:000113,sig:06,src:029639+026337,op:splice,rep:4
id:000142,sig:11,src:027004,op:havoc,rep:32
in #293
rurban added a commit that referenced this issue Jun 21, 2017
This is a critical regression since 5.26, but thankfully only with
DEBUGGING.
Before or without DEBUGGING it failed with the somewhat unhelpful error
message "Unmatched ( in regex", now with more than 5000 open parens
do the same.

Fixes id:000001,sig:11,src:017300+020757,op:splice,rep:64-minimized,
Closes #293
@rwhitworth
Author

@rurban I tested the input files against a rebuilt master (35886a1) and still saw segmentation faults. Are these changes fully integrated in the master branch?

I can re-do testing on a new git clone and post gdb output if you think it'll help.

@rurban
Member

rurban commented Jun 21, 2017

Yes, I thought I fixed all of them. Which one is still segfaulting?

@rurban rurban reopened this Jun 21, 2017
@rwhitworth
Author

1 - id:000001,sig:06,src:024259,op:arith8,pos:5,val:+27

Malformed UTF-8 character: \xff\x80\x00\x00\x00\xc2\xc2\xc2\x9f\xc2\x3e\x80\xdf (unexpected non-continuation byte 0x00, 2 bytes after start byte 0xff; need 13 bytes, got 2) at id:000001,sig:06,src:024259,op:arith8,pos:5,val:+27 line 1.
perl: malloc.c:3760: _int_malloc: Assertion `(unsigned long) (size) >= (unsigned long) (nb)' failed.
Aborted (core dumped)

with gdb backtrace of:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007f57940243fa in __GI_abort () at abort.c:89
#2  0x00007f57940669c8 in __malloc_assert (assertion=assertion@entry=0x7f57941562d0 "(unsigned long) (size) >= (unsigned long) (nb)",
    file=file@entry=0x7f5794152867 "malloc.c", line=line@entry=3760, function=function@entry=0x7f57941568e0 <__func__.11500> "_int_malloc") at malloc.c:301
#3  0x00007f57940696f9 in _int_malloc (av=av@entry=0x7f5794389b00 <main_arena>, bytes=bytes@entry=2) at malloc.c:3760
#4  0x00007f579406af34 in __GI___libc_malloc (bytes=2) at malloc.c:2928
#5  0x00000000004c3146 in Perl_safesysmalloc (size=1) at util.c:157
#6  0x00000000004f2c6d in Perl_sv_grow (sv=0x2885b40, newlen=<optimized out>) at sv.c:1658
#7  0x00000000004f5fd0 in Perl_sv_setpvn (sv=0x2885b40, ptr=0x5de9a9 "", len=0) at sv.c:5063
#8  0x00000000005003d6 in Perl_newSVpvn_flags (s=<optimized out>, len=<optimized out>, flags=<optimized out>) at sv.c:9436
#9  0x00000000004c5408 in S_mess_alloc () at util.c:1192
#10 Perl_vmess (pat=<optimized out>, args=<optimized out>) at util.c:1476
#11 Perl_vcroak (pat=0x5e4035 "panic: constant overflowed allocated space, %lu >= %lu", args=<optimized out>) at util.c:1709
#12 Perl_croak (pat=0x5e4035 "panic: constant overflowed allocated space, %lu >= %lu") at util.c:1756
#13 0x000000000047ef9c in S_scan_const (start=<optimized out>) at toke.c:4178
#14 Perl_yylex () at toke.c:5243
#15 0x000000000048c516 in Perl_yyparse (gramtype=<optimized out>) at perly.c:338
#16 0x0000000000453028 in S_parse_body (env=<optimized out>, xsinit=<optimized out>) at perl.c:2504
#17 perl_parse (my_perl=<optimized out>, xsinit=<optimized out>, argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perl.c:1722
#18 0x000000000042a2f1 in main (argc=0, argv=0x7f5794022fcf <__GI_raise+207>, env=<optimized out>) at perlmain.c:121

2 - id:000162,sig:06,src:026278+031045,op:splice,rep:32

Malformed UTF-8 character: \x90 (unexpected continuation byte 0x90, with no preceding start byte) at id:000162,sig:06,src:026278+031045,op:splice,rep:32 line 1.
panic: constant overflowed allocated space, 173 >= 168 at id:000162,sig:06,src:026278+031045,op:splice,rep:32 line 1.
*** Error in `/root/cperl/perl': double free or corruption (!prev): 0x0000000000928660 ***
[[[ more output snipped ]]]

gdb backtrace:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fbb1c49f3fa in __GI_abort () at abort.c:89
#2  0x00007fbb1c4dbbd0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fbb1c5d0dd0 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fbb1c4e1f96 in malloc_printerr (action=3, str=0x7fbb1c5d0e48 "double free or corruption (!prev)", ptr=<optimized out>, ar_ptr=<optimized out>)
    at malloc.c:5049
#4  0x00007fbb1c4e27de in _int_free (av=0x7fbb1c804b00 <main_arena>, p=0x9199e0, have_lock=0) at malloc.c:3905
#5  0x00000000004c3288 in Perl_safesysfree (where=0x2) at util.c:393
#6  0x00000000005251c0 in Perl_leave_scope (base=<optimized out>) at scope.c:1219
#7  0x0000000000454b42 in S_my_exit_jump () at perl.c:5405
#8  0x00000000004570ea in Perl_my_failure_exit () at perl.c:5389
#9  0x000000000052db63 in Perl_die_unwind (msv=<optimized out>) at pp_ctl.c:1820
#10 0x00000000004c54ca in Perl_vcroak (pat=0x5e4035 "panic: constant overflowed allocated space, %lu >= %lu", args=<optimized out>) at util.c:1711
#11 Perl_croak (pat=0x5e4035 "panic: constant overflowed allocated space, %lu >= %lu") at util.c:1756
#12 0x000000000047ef9c in S_scan_const (start=<optimized out>) at toke.c:4178
#13 Perl_yylex () at toke.c:5243
#14 0x000000000048c516 in Perl_yyparse (gramtype=<optimized out>) at perly.c:338
#15 0x0000000000453028 in S_parse_body (env=<optimized out>, xsinit=<optimized out>) at perl.c:2504
#16 perl_parse (my_perl=<optimized out>, xsinit=<optimized out>, argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perl.c:1722
#17 0x000000000042a2f1 in main (argc=0, argv=0x7fbb1c49dfcf <__GI_raise+207>, env=<optimized out>) at perlmain.c:121
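Both remaining crashes above start with a "Malformed UTF-8 character" diagnostic, and the later fix commit makes the point that the lexer must treat such input as a hard error rather than a warning. As an added example (not perl's utf8n_to_uvchr_error() or cperl code), the scanner below classifies every malformation in a byte string with messages in the shape of perl's, then offers a decode that fails with the accumulated list. It implements standard RFC 3629 UTF-8; perl's extended form, which accepts 0xFE/0xFF leads (the "need 13 bytes" message above), is reported here as an invalid start byte.

```python
def _sequence_length(lead):
    """Sequence length implied by a lead byte, or 0 if the byte can never lead."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0  # 0x80-0xBF (continuation) or 0xC0, 0xC1, 0xF5-0xFF (never valid)


def find_malformations(data):
    """Return [(offset, message), ...] for every malformed sequence in `data`.

    Scanning resumes after the bad byte(s) so all problems are collected in
    one pass, the way a parser that accumulates errors would want them.
    """
    problems = []
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        need = _sequence_length(lead)
        if need == 0:
            if 0x80 <= lead <= 0xBF:
                problems.append((i, f"unexpected continuation byte 0x{lead:02x}, "
                                    "with no preceding start byte"))
            else:
                problems.append((i, f"invalid start byte 0x{lead:02x}"))
            i += 1
            continue
        got, bad = 1, None
        for k in range(1, need):
            if i + k >= n:
                break
            b = data[i + k]
            if not 0x80 <= b <= 0xBF:
                bad = (k, b)
                break
            got += 1
        if bad is not None:
            k, b = bad
            plural = "s" if k != 1 else ""
            problems.append((i, f"unexpected non-continuation byte 0x{b:02x}, {k} byte{plural} "
                                f"after start byte 0x{lead:02x}; need {need} bytes, got {got}"))
            i += got
            continue
        if got < need:
            problems.append((i, f"{need} bytes needed, only {got} available (truncated)"))
            i += got
            continue
        seq = data[i:i + need]
        try:
            seq.decode("utf-8")   # rejects overlongs, surrogates and > U+10FFFF
        except UnicodeDecodeError as exc:
            problems.append((i, exc.reason))
        i += need
    return problems


def decode_or_fail(data):
    """Decode strictly; raise ValueError listing every malformation instead of
    warning and continuing with partially scanned input."""
    problems = find_malformations(data)
    if problems:
        raise ValueError("; ".join(f"offset {off}: {msg}" for off, msg in problems))
    return data.decode("utf-8")
```

The design choice worth noting is that `find_malformations` never lets a bad sequence advance the cursor by the length the lead byte promised: it advances only over bytes actually examined, which is what keeps a truncated or non-continuation sequence from being counted as consumed and later overflowing a buffer sized from that count.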

@rurban
Member

rurban commented Jun 22, 2017

Fixed the 2 utf8 errors which segv in the error handler in cc56c5e76fa82e4cbadd842d7a7ff6256bab6576

but the new 2017-06-19 dir has many more. Working on these now

rurban added a commit that referenced this issue Jun 22, 2017
utf8n_to_uvchr_error() only warns on some Malformed UTF-8 characters,
but scan_const needs to error here. Do it with yyerror() which
accumulates all parser errors until it "has too many errors".

Fixes 2 errors in #293, esp.
id:000162,sig:06,src:026278+031045,op:splice,rep:32 and
id:000001,sig:06,src:024259,op:arith8,pos:5,val:+27
which segfaulted in the error handler for
"panic: constant overflowed allocated space"
@rurban rurban closed this as completed Jun 24, 2017
rurban added a commit that referenced this issue Jul 28, 2017
utf8n_to_uvchr_error() only warns on some Malformed UTF-8 characters,
but scan_const needs to error here. Do it with yyerror() which
accumulates all parser errors until it "has too many errors".

Fixes 2 errors in #293, esp.
id:000162,sig:06,src:026278+031045,op:splice,rep:32 and
id:000001,sig:06,src:024259,op:arith8,pos:5,val:+27
which segfaulted in the error handler for
"panic: constant overflowed allocated space"