diff options
| author | David Mitchell <davem@iabyn.com> | 2017-03-14 09:19:15 +0000 |
|---|---|---|
| committer | Steve Hay <steve.m.hay@googlemail.com> | 2017-08-23 21:20:59 +0100 |
| commit | b632bcdee5b2a66cf1d36f758f89ef24e32a9168 (patch) | |
| tree | a3f357b2481c608a98ef3c13638fbd0ffe39cad2 /t | |
| parent | d3442404188ae957414c2cb25bbb315bfd880b71 (diff) | |
| download | perl-b632bcdee5b2a66cf1d36f758f89ef24e32a9168.tar.gz | |
S_require_tie_mod(): use a new stack
RT #130861
This function is used to load a module associated with various magic vars,
like $[ and %+. Since it can be called 'unexpectedly', it should use a new
stack. The issue in this ticket was equivalent to
my $var = '[';
$$var;
where the symbolic dereference triggered a run-time load of arybase.pm,
which grew the stack, invalidating the SP in pp_rv2sv.
Note that most of the stuff which S_require_tie_mod() calls, such as
load_module(), will do its own PUSHSTACK(); but S_require_tie_mod() also
does a bit of stack manipulation itself.
The test case includes a magic number, 125, which happens to be the exact
size necessary to trigger a stack realloc in S_require_tie_mod(). In later
perl versions this value may well change. But it seemed too expensive
to call fresh_perl_is() 100's of times with different values of $n.
This commit also adds a SPAGAIN to pp_rv2sv on the 'belt and braces'
principle.
This commit is based on an earlier effort by Aaron Crane.
(cherry picked from commit 655f5b268af8bf50c44ba4ae4803a33c9b792b8b)
Diffstat (limited to 't')
| -rw-r--r-- | t/op/ref.t | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/t/op/ref.t b/t/op/ref.t index 65d50b67a2..44047ae17b 100644 --- a/t/op/ref.t +++ b/t/op/ref.t @@ -8,7 +8,7 @@ BEGIN { use strict qw(refs subs); -plan(236); +plan(237); # Test this first before we extend the stack with other operations. # This caused an asan failure due to a bad write past the end of the stack. @@ -820,6 +820,24 @@ for ("4eounthouonth") { '[perl #109746] referential identity of \literal under threads+mad' } +# RT#130861: heap-use-after-free in pp_rv2sv, from asan fuzzing +SKIP: { + skip_if_miniperl("no dynamic loading on miniperl, so can't load arybase", 1); + # this value is critical - its just enough so that the stack gets + # grown which loading/calling arybase + my $n = 125; + + my $code = <<'EOF'; +$ary = '['; +my @a = map $$ary, 1..NNN; +print "@a\n"; +EOF + $code =~ s/NNN/$n/g; + my @exp = ("0") x $n; + fresh_perl_is($code, "@exp", { stderr => 1 }, + 'rt#130861: heap uaf in pp_rv2sv'); +} + # Bit of a hack to make test.pl happy. There are 3 more tests after it leaves. $test = curr_test(); curr_test($test + 3); |