perl.perl5.porters | Postings from January 2015
nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org

[perl #123542] Segmentation fault in Perl5 while fuzzing Perl binary (possible stack overflow?)
From: Brian Carpenter
Date: January 4, 2015 18:47
Subject: [perl #123542] Segmentation fault in Perl5 while fuzzing Perl binary (possible stack overflow?)
Message ID: rt-4.0.18-28305-1420397111-1975.123542-75-0@perl.org

# New Ticket Created by Brian Carpenter
# Please include the string: [perl #123542]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=123542 >

I'm still fuzzing a Perl binary that I built from git source on 01/02/2015 using the afl-gcc compiler:

CC=/path/to/afl-gcc ./Configure
AFL_HARDEN=1 make

This is perl 5, version 21, subversion 8 (v5.21.8 (v5.21.7-209-g4e27940)) built for x86_64-linux

Besides the above information, this version of Perl was compiled using all defaults (enter was pressed for every question).

While fuzzing the perl binary, I found another testcase which causes a segfault (and possible stack overflow). I've attached the testcase and the resulting core dump to this email.

geeknik@deb7fuzz:~/findings/perl/fuzzer02/crashes$ /home/geeknik/perl5/perl id\:000023\,sig\:11\,src\:004555+020002\,op\:splice\,rep\:16
String found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 8, near "print3"Hello World.\n""
Backslash found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, near "is\"
String found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, near "Mnt ""
        (Missing semicolon on previous line?)
Array found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, at end of line
        (Missing operator before ?)
Bareword found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, near "<P>Note"
        (Missing operator before Note?)
Bareword found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, near "]g"
        (Missing operator before g?)
String found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, near "print ""
        (Missing semicolon on previous line?)
Bareword found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 12, near "print "into"
        (Might be a runaway multi-line "" string starting on line 11)
        (Do you need to predeclare print?)
String found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 15, near "n" } print ""
Segmentation fault (core dumped)

geeknik@deb7fuzz:~/findings/perl/fuzzer02/crashes$ valgrind -q /home/geeknik/perl5/perl id\:000023\,sig\:11\,src\:004555+020002\,op\:splice\,rep\:16
String found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 8, near "print3"Hello World.\n""
Backslash found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, near "is\"
String found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, near "Mnt ""
        (Missing semicolon on previous line?)
Array found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, at end of line
        (Missing operator before ?)
Bareword found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, near "<P>Note"
        (Missing operator before Note?)
Bareword found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, near "]g"
        (Missing operator before g?)
String found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 11, near "print ""
        (Missing semicolon on previous line?)
Bareword found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 12, near "print "into"
        (Might be a runaway multi-line "" string starting on line 11)
        (Do you need to predeclare print?)
String found where operator expected at id:000023,sig:11,src:004555+020002,op:splice,rep:16 line 15, near "n" } print ""
==55834== Invalid read of size 8
==55834==    at 0x4C0100: Perl_pmruntime (op.c:5481)
==55834==    by 0x5CBEBC: Perl_yyparse (perly.y:1000)
==55834==    by 0x4F3114: perl_parse (perl.c:2273)
==55834==    by 0x42A92B: main (perlmain.c:114)
==55834==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==55834==
==55834==
==55834== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==55834==  Access not within mapped region at address 0x8
==55834==    at 0x4C0100: Perl_pmruntime (op.c:5481)
==55834==    by 0x5CBEBC: Perl_yyparse (perly.y:1000)
==55834==    by 0x4F3114: perl_parse (perl.c:2273)
==55834==    by 0x42A92B: main (perlmain.c:114)
==55834==  If you believe this happened as a result of a stack
==55834==  overflow in your program's main thread (unlikely but
==55834==  possible), you can try to increase the size of the
==55834==  main thread stack using the --main-stacksize= flag.
==55834==  The main thread stack size used in this run was 8388608.
Segmentation fault

geeknik@deb7fuzz:~/findings/perl/fuzzer02/crashes$ gdb /home/geeknik/perl5/perl core
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/geeknik/perl5/perl...done.
[New LWP 46515]

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/geeknik/perl5/perl id:000023,sig:11,src:004555+020002,op:splice,rep:16'.
Program terminated with signal 11, Segmentation fault.
#0  Perl_pmruntime (o=0x2c6b550, expr=0x2c6b290, isreg=true, floor=0) at op.c:5481
5481            while (OpSIBLING(kid) != repl)
(gdb) bt
#0  Perl_pmruntime (o=0x2c6b550, expr=0x2c6b290, isreg=true, floor=0) at op.c:5481
#1  0x00000000005cbebd in Perl_yyparse (gramtype=<optimized out>) at perly.y:1000
#2  0x00000000004f3115 in S_parse_body (xsinit=0x42ad20 <xs_init>, env=0x0) at perl.c:2273
#3  perl_parse (my_perl=<optimized out>, xsinit=0x42ad20 <xs_init>, argc=<optimized out>, argv=<optimized out>, env=0x0) at perl.c:1607
#4  0x000000000042a92c in main (argc=2, argv=0x7fff492c7348, env=0x7fff492c7360) at perlmain.c:114
#5  0x00007fc0bf96dead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff492c7338) at libc-start.c:244
#6  0x000000000042ac45 in _start ()
(gdb)

./perlbug -d

---
Flags:
    category=core
    severity=low
---
This perlbug was built using Perl 5.21.8 - Fri Jan 2 19:02:59 CST 2015
It is being executed now by Perl 5.21.7 - Thu Dec 18 14:34:01 CST 2014.

Site configuration information for perl 5.21.7:

Configured by geeknik at Thu Dec 18 14:34:01 CST 2014.

Summary of my perl5 (revision 5 version 21 subversion 7) configuration:
  Commit id: e9d2bd8a490981edfc4ddabb5889ca0e86f29e29
  Platform:
    osname=linux, osvers=3.2.0-4-amd64, archname=x86_64-linux
    uname='linux deb7fuzz 3.2.0-4-amd64 #1 smp debian 3.2.63-2+deb7u2 x86_64 gnulinux '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='/home/geeknik/afl/afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2',
    optimize='-O2',
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.7.2', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='/home/geeknik/afl/afl-gcc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.7/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lnsl -ldl -lm -lcrypt -lutil -lc -lpthread
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc -lpthread
    libc=libc-2.13.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.13'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector'

---
@INC for perl 5.21.7:
    /usr/local/lib/perl5/site_perl/5.21.7/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.21.7
    /usr/local/lib/perl5/5.21.7/x86_64-linux
    /usr/local/lib/perl5/5.21.7
    .

---
Environment for perl 5.21.7:
    HOME=/home/geeknik
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERL_BADLANG (unset)
    SHELL=/bin/bash

Details on AFL can be found here: https://lcamtuf.coredump.cx/afl/
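The report above carries the two artefacts a triager needs, a memcheck report and a gdb backtrace, run together on one long line. The following Python script is an added example (not code from this report, the perl5 project or AFL) that parses both into a crash signature so a directory of AFL crash files can be bucketed by root cause instead of by file name. The sample inputs are constructed from the output quoted in the report; the regexes assume the standard memcheck and gdb `bt` line formats. The rule in `classify()` that a fault address inside the first 4 KiB page means a null-pointer dereference is a triage heuristic I am assuming, not something the report states; applied here it labels the `Address 0x8 is not stack'd` fault as a near-null dereference (a pointer field at offset 8 read through NULL) rather than the stack overflow guessed at in the subject line.

```python
"""Crash-triage helper (added example; not code from the thread or from perl5).

Derives a crash signature (error kind, fault address, top frames) from a
memcheck report and a gdb backtrace, so AFL crash files can be bucketed by
root cause instead of by file name. Sample inputs are constructed from the
output quoted above; the regexes assume the standard memcheck and 'bt' formats.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the memcheck output from the report, PID prefixes kept.
VALGRIND_SAMPLE = """\
==55834== Invalid read of size 8
==55834==    at 0x4C0100: Perl_pmruntime (op.c:5481)
==55834==    by 0x5CBEBC: Perl_yyparse (perly.y:1000)
==55834==    by 0x4F3114: perl_parse (perl.c:2273)
==55834==    by 0x42A92B: main (perlmain.c:114)
==55834==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==55834==
==55834== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==55834==  Access not within mapped region at address 0x8
==55834==    at 0x4C0100: Perl_pmruntime (op.c:5481)
==55834==    by 0x5CBEBC: Perl_yyparse (perly.y:1000)
==55834==    by 0x4F3114: perl_parse (perl.c:2273)
==55834==    by 0x42A92B: main (perlmain.c:114)
"""

# Constructed sample: the gdb 'bt' output from the report.
GDB_SAMPLE = """\
#0  Perl_pmruntime (o=0x2c6b550, expr=0x2c6b290, isreg=true, floor=0) at op.c:5481
#1  0x00000000005cbebd in Perl_yyparse (gramtype=<optimized out>) at perly.y:1000
#2  0x00000000004f3115 in S_parse_body (xsinit=0x42ad20 <xs_init>, env=0x0) at perl.c:2273
#3  perl_parse (my_perl=<optimized out>, xsinit=0x42ad20 <xs_init>, argc=<optimized out>, argv=<optimized out>, env=0x0) at perl.c:1607
#4  0x000000000042a92c in main (argc=2, argv=0x7fff492c7348, env=0x7fff492c7360) at perlmain.c:114
#5  0x00007fc0bf96dead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff492c7338) at libc-start.c:244
#6  0x000000000042ac45 in _start ()
"""

_VG_ERROR = re.compile(r"^==\d+==\s+(Invalid (?:read|write) of size \d+)")
_VG_FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:)]+):(\d+)\)")
_VG_ADDR = re.compile(r"\bAddress (0x[0-9A-Fa-f]+) is ")
_VG_SIGNAL = re.compile(r"signal \d+ \((SIG\w+)\)")
_GDB_FRAME = re.compile(r"^#\d+\s+(?:0x[0-9A-Fa-f]+ in )?(\S+) \(.*?\)(?: at (\S+):(\d+))?\s*$")


@dataclass(frozen=True)
class Frame:
    func: str
    file: Optional[str]  # None when gdb has no line info for the frame
    line: Optional[int]

    def label(self) -> str:
        return f"{self.func}@{self.file}:{self.line}" if self.file else self.func


@dataclass
class CrashSignature:
    kind: str                  # e.g. "Invalid read of size 8"
    signal: Optional[str]      # e.g. "SIGSEGV"
    address: Optional[str]     # fault address memcheck reported, if any
    frames: Tuple[Frame, ...]  # frames of the first error block only

    def key(self, depth: int = 3) -> Tuple[str, ...]:
        # PIDs and raw addresses are left out so re-runs of one bug collide.
        return (self.kind,) + tuple(f.label() for f in self.frames[:depth])


def parse_valgrind(text: str) -> CrashSignature:
    kind = signal = address = None
    frames: List[Frame] = []
    for line in text.splitlines():
        if kind is None and (m := _VG_ERROR.match(line)):
            kind = m.group(1)
        elif address is None and kind is not None and (m := _VG_FRAME.match(line)):
            frames.append(Frame(m.group(1), m.group(2), int(m.group(3))))
        elif address is None and (m := _VG_ADDR.search(line)):
            address = m.group(1)  # ends the first block; later frames are ignored
        elif (m := _VG_SIGNAL.search(line)):
            signal = m.group(1)
    return CrashSignature(kind or "unknown", signal, address, tuple(frames))


def parse_gdb_bt(text: str) -> Tuple[Frame, ...]:
    frames = []
    for line in text.splitlines():
        if (m := _GDB_FRAME.match(line.strip())):
            frames.append(Frame(m.group(1), m.group(2), int(m.group(3)) if m.group(3) else None))
    return tuple(frames)


def classify(sig: CrashSignature) -> str:
    """Heuristic label. Assumption: an address inside the first 4 KiB page is
    NULL plus a small field offset; stack exhaustion instead faults at the
    stack guard page and shows a very deep, repetitive backtrace."""
    if sig.address is not None and int(sig.address, 16) < 0x1000:
        return "near-null dereference"
    if sig.kind.startswith("Invalid"):
        return sig.kind.split(" of ")[0].lower()  # "invalid read" / "invalid write"
    return sig.signal or "unknown"


def bucket_crashes(reports: Dict[str, str], depth: int = 3) -> Dict[Tuple[str, ...], List[str]]:
    """Group {crash_file: memcheck_text} by signature key."""
    buckets: Dict[Tuple[str, ...], List[str]] = defaultdict(list)
    for name, text in reports.items():
        buckets[parse_valgrind(text).key(depth)].append(name)
    return dict(buckets)


if __name__ == "__main__":
    sig = parse_valgrind(VALGRIND_SAMPLE)
    print(classify(sig), sig.key())
    # The same bug seen again under another PID lands in the same bucket.
    print(bucket_crashes({"id:000023": VALGRIND_SAMPLE,
                          "id:000031": VALGRIND_SAMPLE.replace("==55834==", "==60102==")}))
```

The bucket key deliberately uses only the error kind and the top three `function@file:line` frames: PIDs, raw code addresses and argument values change from run to run, and keying on them would make every AFL crash file look unique. Using the memcheck block rather than the raw signal is what separates this report's near-null read from a genuine stack overflow, which memcheck would flag at a stack guard page with a backtrace hundreds of frames deep.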
- [perl #123542] Segmentation fault in Perl5 while fuzzing Perl binary (possible stack overflow?) by Father Chrysostomos via RT
- Re: [perl #123542] Segmentation fault in Perl5 while fuzzing Perl binary (possible stack overflow?) by Andreas Koenig
- [perl #123542] Segmentation fault in Perl5 while fuzzing Perl binary (possible stack overflow?) by Father Chrysostomos via RT
- [perl #123542] Segmentation fault in Perl5 while fuzzing Perl binary (possible stack overflow?) by Tony Cook via RT
- [perl #123542] Segmentation fault in Perl5 while fuzzing Perl binary (possible stack overflow?) by Tony Cook via RT
- [perl #123542] Segmentation fault in Perl5 while fuzzing Perl binary (possible stack overflow?) by James E Keenan via RT
- [perl #123542] Segmentation fault in Perl5 while fuzzing Perl binary (possible stack overflow?) by Brian Carpenter