$ ./miniperl -e 'goto X; meth {X:}'
Use of "goto" to jump into a construct is deprecated at -e line 1.
ASAN:SIGSEGV

==73698==ERROR: AddressSanitizer: SEGV on unknown address
0x618df5f6af78 (pc 0x000102b549ff bp 0x7fff5d49fe90 sp 0x7fff5d49fda0
T0)
#0 0x102b549fe in S_opmethod_stash (miniperl+0x1003f59fe)
#1 0x102b55fca in Perl_pp_method_named (miniperl+0x1003f6fca)
#2 0x102b0f822 in Perl_runops_standard (miniperl+0x1003b0822)
#3 0x10283eb69 in perl_run (miniperl+0x1000dfb69)
#4 0x102f46c7f in main (miniperl+0x1007e7c7f)
#5 0x7fff92f4a5fc in start (libdyld.dylib+0x35fc)
#6 0x2 (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (miniperl+0x1003f59fe) in S_opmethod_stash
==73698==ABORTING
Abort trap: 6

Patch attached. I think this isn't a security vulnerability, as it
doesn't involve attacker-controlled data. I therefore propose it for
application to blead before 5.26.0; Sawyer?

I believe that other uses of TOPMARK may have similar bugs. For example:

$ ./miniperl -e 'goto X; map { X: } ()'
Use of "goto" to jump into a construct is deprecated at -e line 1.

==93438==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60c00000bf7c at pc 0x0001101addf8 bp 0x7fff4ffa8e40 sp
0x7fff4ffa8e38
READ of size 4 at 0x60c00000bf7c thread T0
#0 0x1101addf7 in Perl_pp_mapwhile (miniperl+0x100557df7)
#1 0x110006782 in Perl_runops_standard (miniperl+0x1003b0782)
#2 0x10fd35ac9 in perl_run (miniperl+0x1000dfac9)
#3 0x11043dc7f in main (miniperl+0x1007e7c7f)
#4 0x7fff92f4a5fc in start (libdyld.dylib+0x35fc)
#5 0x2 (<unknown module>)

0x60c00000bf7c is located 4 bytes to the left of 128-byte region
[0x60c00000bf80,0x60c00000c000)
allocated by thread T0 here:
#0 0x110626770 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib+0x46770)
#1 0x10ff45d41 in Perl_safesysmalloc (miniperl+0x1002efd41)
#2 0x10fd1b299 in perl_construct (miniperl+0x1000c5299)
#3 0x11043dbcc in main (miniperl+0x1007e7bcc)
#4 0x7fff92f4a5fc in start (libdyld.dylib+0x35fc)
#5 0x2 (<unknown module>)

I'm not sure on how to fix that.

Or entersub, the prospect of hacking on which scares me even more:

$ ./miniperl -e 'sub f {} goto X; f(do { X: })'
Use of "goto" to jump into a construct is deprecated at -e line 1.
ASAN:SIGSEGV

==93645==ERROR: AddressSanitizer: SEGV on unknown address
0x618df5f6af78 (pc 0x000101dd7ce7 bp 0x7fff5e216ef0 sp 0x7fff5e216d80
T0)
#0 0x101dd7ce6 in Perl_pp_entersub (miniperl+0x1003efce6)
#1 0x101d98782 in Perl_runops_standard (miniperl+0x1003b0782)
#2 0x101ac7ac9 in perl_run (miniperl+0x1000dfac9)
#3 0x1021cfc7f in main (miniperl+0x1007e7c7f)
#4 0x7fff92f4a5fc in start (libdyld.dylib+0x35fc)
#5 0x2 (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (miniperl+0x1003efce6) in Perl_pp_entersub
==93645==ABORTING
Abort trap: 6

At the p5h we decided to remove goto-into-a-construct in the 5.27.x
series, but it got reprieved after objections on the mailing list.
Perhaps we should reconsider its reprieval.

--
Aaron Crane ** http://aaroncrane.co.uk/

From @arc

$ ./miniperl -e 'goto X; meth {X​:}' Use of "goto" to jump into a construct is deprecated at -e line 1. ASAN​:SIGSEGV

$ ./miniperl -e 'goto X; map { X​: } ()' Use of "goto" to jump into a construct is deprecated at -e line 1.

$ ./miniperl -e 'sub f {} goto X; f(do { X​: })' Use of "goto" to jump into a construct is deprecated at -e line 1. ASAN​:SIGSEGV

$ ./miniperl -e 'goto X; meth {X:}'
Use of "goto" to jump into a construct is deprecated at -e line 1.
ASAN:SIGSEGV

$ ./miniperl -e 'goto X; map { X: } ()'
Use of "goto" to jump into a construct is deprecated at -e line 1.

$ ./miniperl -e 'sub f {} goto X; f(do { X: })'
Use of "goto" to jump into a construct is deprecated at -e line 1.
ASAN:SIGSEGV

AddressSanitizer: SEGV on unknown address 0x618df5f5f678 in S_opmethod_stash #15914

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions