You might have seen posts from Reini Urban about "huge security risks" in perl and some of the modules from CPAN.
Personally I think he overreacts, but he *is* pointing at possible problem
areas. One of his tools is perl compiled with clang and sanitizer options.

In order to verify a report of his on Text::CSV_XS, I installed clang on my
laptop and built a perl with it:

  $ Configure -des -Duse64bitint -Duselongdouble -Dcc=clang \
      -Accflags=-faddress-sanitizer -Aldflags=-faddress-sanitizer \
      -Alddlflags=-shared

And used that to verify my changes in Text::CSV_XS: fixed and verified.

I thought I might as well try it on DBI

  $ make
  ⋮
  clang -c -fsanitize=address -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -DVERSION=\"1.622\" -DXS_VERSION=\"1.622\" -fPIC "-I/media/Tux/perls-c/lib/5.17.6/i686-linux-64int-ld/CORE" -W -Wall -Wpointer-arith -Wbad-function-cast -Wno-comment -Wno-sign-compare -Wno-cast-qual -Wmissing-noreturn -Wno-unused-parameter -DDBI_NO_THREADS DBI.c
  DBI.xs:1822:17: warning: explicitly assigning a variable of type 'SV *' (aka 'struct sv *') to itself [-Wself-assign]
          attribs = attribs; /* avoid 'unused variable' warning */
          ~~~~~~~ ^ ~~~~~~~
  DBI.xs:4668:11: warning: explicitly assigning a variable of type 'I32' (aka 'long') to itself [-Wself-assign]
          ix=ix; /* avoid 'unused variable' warnings */
          ~~^~~
  DBI.xs:5136:12: warning: explicitly assigning a variable of type 'I32' (aka 'long') to itself [-Wself-assign]
          ix = ix; /* avoid 'unused variable' warning' */
          ~~ ^ ~~
  3 warnings generated.

not bad at all, but then …

  $ make test
  PERL_DL_NONLAZY=1 /media/Tux/perls-c/bin/perl5.17.6 "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
  t/01basics.t .................... ok
  t/02dbidrv.t .................... ok
  t/03handle.t .................... ok
  t/04mods.t ...................... ok
  t/05concathash.t ................ ok
  t/06attrs.t ..................... ok
  t/07kids.t ...................... ok
  t/08keeperr.t ................... ok
  t/09trace.t ..................... ok
  t/10examp.t ..................... ok
  t/11fetch.t ..................... 1/24 =================================================================
  ==22361== ERROR: AddressSanitizer: heap-use-after-free on address 0xb61f7744 at pc 0xb6c53264 bp 0xbf9df7f8 sp 0xbf9df7f0
  READ of size 4 at 0xb61f7744 thread T0
      #0 0xb6c53263 (/media/Tux/perls/cpan/build/DBI-1.622-KlpQfc/blib/arch/auto/DBI/DBI.so+0xa263)
      #1 0x822607e (/media/Tux/perls-c/bin/perl5.17.6+0x822607e)
      #2 0x80ba70e (/media/Tux/perls-c/bin/perl5.17.6+0x80ba70e)
      #3 0x824b9a8 (/media/Tux/perls-c/bin/perl5.17.6+0x824b9a8)
  0xb61f7744 is located 4 bytes inside of 124-byte region [0xb61f7740,0xb61f77bc)
  freed by thread T0 here:
      #0 0x83b5193 (/media/Tux/perls-c/bin/perl5.17.6+0x83b5193)
      #1 0x8249cc8 (/media/Tux/perls-c/bin/perl5.17.6+0x8249cc8)
      #2 0x824c7a7 (/media/Tux/perls-c/bin/perl5.17.6+0x824c7a7)
  previously allocated by thread T0 here:
      #0 0x83b5253 (/media/Tux/perls-c/bin/perl5.17.6+0x83b5253)
      #1 0x81bc567 (/media/Tux/perls-c/bin/perl5.17.6+0x81bc567)
  Shadow byte and word:
    0x36c3eee8: fd
    0x36c3eee8: fd fd fd fd
  More shadow bytes:
    0x36c3eed8: fa fa fa fa
    0x36c3eedc: fa fa fa fa
    0x36c3eee0: fa fa fa fa
    0x36c3eee4: fa fa fa fa
  =>0x36c3eee8: fd fd fd fd
    0x36c3eeec: fd fd fd fd
    0x36c3eef0: fd fd fd fd
    0x36c3eef4: fd fd fd fd
    0x36c3eef8: fa fa fa fa
  Stats: 6M malloced (12M for red zones) by 70039 calls
  Stats: 0M realloced by 12315 calls
  Stats: 3M freed by 47587 calls
  Stats: 0M really freed by 0 calls
  Stats: 22M (5651 full pages) mmaped in 44 calls
    mmaps   by size class: 7:57330; 8:12282; 9:1023; 10:1022; 11:510; 12:384; 13:448; 14:192; 15:16; 16:8; 17:4;
    mallocs by size class: 7:55142; 8:12095; 9:876; 10:658; 11:360; 12:323; 13:401; 14:170; 15:8; 16:5; 17:1;
    frees   by size class: 7:35065; 8:11668; 9:311; 10:220; 11:56; 12:99; 13:45; 14:114; 15:7; 16:2;
    rfrees  by size class:
  Stats: malloc large: 14 small slow: 596
  ==22361== ABORTING
  t/11fetch.t ..................... Dubious, test returned 1 (wstat 256, 0x100)
  All 24 subtests passed
  t/12quote.t ..................... 1/10 =================================================================
  ==22362== ERROR: AddressSanitizer: heap-use-after-free on address 0xb6ac7c44 at pc 0xb6bc2264 bp 0xbf9d2918 sp 0xbf9d2910
  READ of size 4 at 0xb6ac7c44 thread T0
      #0 0xb6bc2263 (/media/Tux/perls/cpan/build/DBI-1.622-KlpQfc/blib/arch/auto/DBI/DBI.so+0xa263)
      #1 0x822607e (/media/Tux/perls-c/bin/perl5.17.6+0x822607e)
      #2 0x80ba70e (/media/Tux/perls-c/bin/perl5.17.6+0x80ba70e)
      #3 0x824b9a8 (/media/Tux/perls-c/bin/perl5.17.6+0x824b9a8)
  0xb6ac7c44 is located 4 bytes inside of 124-byte region [0xb6ac7c40,0xb6ac7cbc)
  freed by thread T0 here:
      #0 0x83b5193 (/media/Tux/perls-c/bin/perl5.17.6+0x83b5193)
      #1 0x8249cc8 (/media/Tux/perls-c/bin/perl5.17.6+0x8249cc8)
      #2 0x824c7a7 (/media/Tux/perls-c/bin/perl5.17.6+0x824c7a7)
  previously allocated by thread T0 here:
      #0 0x83b5253 (/media/Tux/perls-c/bin/perl5.17.6+0x83b5253)
      #1 0x81bc567 (/media/Tux/perls-c/bin/perl5.17.6+0x81bc567)
  Shadow byte and word:
    0x36d58f88: fd
    0x36d58f88: fd fd fd fd
  More shadow bytes:
    0x36d58f78: fa fa fa fa
    0x36d58f7c: fa fa fa fa
    0x36d58f80: fa fa fa fa
    0x36d58f84: fa fa fa fa
  =>0x36d58f88: fd fd fd fd
    0x36d58f8c: fd fd fd fd
    0x36d58f90: fd fd fd fd
    0x36d58f94: fd fd fd fd
    0x36d58f98: fa fa fa fa
  Stats: 4M malloced (6M for red zones) by 33775 calls
  Stats: 0M realloced by 3815 calls
  Stats: 1M freed by 19953 calls
  Stats: 0M really freed by 0 calls
  Stats: 12M (3211 full pages) mmaped in 25 calls
    mmaps   by size class: 7:28665; 8:4094; 9:1023; 10:1022; 11:510; 12:384; 13:256; 14:128;
    mallocs by size class: 7:27507; 8:3876; 9:794; 10:613; 11:338; 12:289; 13:250; 14:108;
    frees   by size class: 7:15807; 8:3508; 9:239; 10:192; 11:41; 12:77; 13:23; 14:66;
    rfrees  by size class:
  Stats: malloc large: 0 small slow: 348
  ==22362== ABORTING
  t/12quote.t ..................... Dubious, test returned 1 (wstat 256, 0x100)
  All 10 subtests passed
  t/13taint.t ..................... ok
  t/14utf8.t ...................... 1/16 =================================================================
  ==22364== ERROR: AddressSanitizer: heap-use-after-free on address 0xb61cae44 at pc 0xb6b96264 bp 0xbfb4a7d8 sp 0xbfb4a7d0
  READ of size 4 at 0xb61cae44 thread T0
      #0 0xb6b96263 (/media/Tux/perls/cpan/build/DBI-1.622-KlpQfc/blib/arch/auto/DBI/DBI.so+0xa263)
      #1 0x822607e (/media/Tux/perls-c/bin/perl5.17.6+0x822607e)
      #2 0x80ba70e (/media/Tux/perls-c/bin/perl5.17.6+0x80ba70e)
      #3 0x824b9a8 (/media/Tux/perls-c/bin/perl5.17.6+0x824b9a8)
  0xb61cae44 is located 4 bytes inside of 124-byte region [0xb61cae40,0xb61caebc)
  freed by thread T0 here:
      #0 0x83b5193 (/media/Tux/perls-c/bin/perl5.17.6+0x83b5193)
      #1 0x8249cc8 (/media/Tux/perls-c/bin/perl5.17.6+0x8249cc8)
      #2 0x824c7a7 (/media/Tux/perls-c/bin/perl5.17.6+0x824c7a7)
  previously allocated by thread T0 here:
      #0 0x83b5253 (/media/Tux/perls-c/bin/perl5.17.6+0x83b5253)
      #1 0x81bc567 (/media/Tux/perls-c/bin/perl5.17.6+0x81bc567)
  Shadow byte and word:
    0x36c395c8: fd
    0x36c395c8: fd fd fd fd
  More shadow bytes:
    0x36c395b8: fa fa fa fa
    0x36c395bc: fa fa fa fa
    0x36c395c0: fa fa fa fa
    0x36c395c4: fa fa fa fa
  =>0x36c395c8: fd fd fd fd
    0x36c395cc: fd fd fd fd
    0x36c395d0: fd fd fd fd
    0x36c395d4: fd fd fd fd
    0x36c395d8: fa fa fa fa
  Stats: 6M malloced (11M for red zones) by 69528 calls
  Stats: 0M realloced by 12003 calls
  Stats: 3M freed by 46075 calls
  Stats: 0M really freed by 0 calls
  Stats: 21M (5393 full pages) mmaped in 42 calls
    mmaps   by size class: 7:57330; 8:12282; 9:1023; 10:1022; 11:510; 12:384; 13:384; 14:192; 15:16; 16:8;
    mallocs by size class: 7:54565; 8:12138; 9:932; 10:682; 11:367; 12:332; 13:339; 14:167; 15:4; 16:2;
    frees   by size class: 7:33510; 8:11660; 9:347; 10:238; 11:57; 12:98; 13:45; 14:117; 15:3;
    rfrees  by size class:
  Stats: malloc large: 6 small slow: 580
  ==22364== ABORTING
  t/14utf8.t ...................... Dubious, test returned 1 (wstat 256, 0x100)
  All 16 subtests passed
  t/15array.t ..................... ok
  t/16destroy.t ................... ok
  t/19fhtrace.t ................... ok
  t/20meta.t ...................... ok
  t/30subclass.t .................. ok
  t/31methcache.t ................. ok
  t/35thrclone.t .................. skipped: this linux perl 5.017006 not supported for DBI iThreads
  t/40profile.t ................... ok
  t/41prof_dump.t ................. ok
  t/42prof_data.t ................. ok
  t/43prof_env.t .................. ok
  t/48dbi_dbd_sqlengine.t ......... ok
  t/49dbd_file.t .................. ok
  t/50dbm_simple.t ................ ok
  t/51dbm_file.t .................. 1/? DBD::DBM::db selectall_arrayref failed: Execution ERROR: Cannot open /media/Tux/perls/cpan/build/DBI-1.622-KlpQfc/fred.lck: No such file or directory (2) at /media/Tux/perls/cpan/build/DBI-1.622-KlpQfc/blib/lib/DBD/File.pm line 730.
   called from t/51dbm_file.t at 122.
   [for Statement "select * from Fred"] at t/51dbm_file.t line 122.
  Can't use an undefined value as an ARRAY reference at t/51dbm_file.t line 123.
  # Tests were run but no plan was declared and done_testing() was not seen.
  t/51dbm_file.t .................. Dubious, test returned 2 (wstat 512, 0x200)
  All 11 subtests passed
  t/52dbm_complex.t ............... skipped: Not running with MLDBM
  t/60preparse.t .................. ok
  t/65transact.t .................. ok
  t/70callbacks.t ................. ok
  t/72childhandles.t .............. ok
  t/80proxy.t ..................... skipped: modules required for proxy are probably not installed (e.g., RPC/PlClient.pm)
  t/85gofer.t ..................... ok
  t/86gofer_fail.t ................ ok
  t/87gofer_cache.t ............... ok
  t/90sql_type_cast.t ............. ok
  t/pod-coverage.t ................ skipped: Test::Pod::Coverage 1.04 required for testing POD coverage
  t/pod.t ......................... skipped: Test::Pod 1.00 required for testing POD
  -- skip the z tests --

-- 
H.Merijn Brand  http://tux.nl   Perl Monger  http://amsterdam.pm.org/
using perl5.00307 .. 5.17   porting perl5 on HP-UX, AIX, and openSUSE
http://mirrors.develooper.com/hpux/             http://www.test-smoke.org/
http://qa.perl.org      http://www.goldmark.org/jeff/stupid-disclaimers/
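As an added example (not part of the post above, nor DBI's own tooling), a small POSIX shell helper that turns a `make test` log from a sanitizer-built perl into a per-test triage summary: it pairs each AddressSanitizer report with the harness line that was running, pulls out the error kind, the faulting access and the top frame, and separately flags tests that went "Dubious" without any sanitizer report (as t/51dbm_file.t did above, for an unrelated reason). The sample log is constructed from the post's output with placeholder paths, and the frame parser assumes unsymbolized `(module+offset)` frames as shown in the post.

```shell
#!/bin/sh
# Triage helper for prove/make-test logs produced under an ASan-built perl.
# Constructed sample log: addresses are those from the post, paths are placeholders.
SAMPLE_LOG=$(cat <<'EOF'
t/10examp.t ..................... ok
t/11fetch.t ..................... 1/24 =================================================================
==22361== ERROR: AddressSanitizer: heap-use-after-free on address 0xb61f7744 at pc 0xb6c53264 bp 0xbf9df7f8 sp 0xbf9df7f0
READ of size 4 at 0xb61f7744 thread T0
    #0 0xb6c53263 (/placeholder/build/DBI/blib/arch/auto/DBI/DBI.so+0xa263)
    #1 0x822607e (/placeholder/perl-asan/bin/perl5.17.6+0x822607e)
0xb61f7744 is located 4 bytes inside of 124-byte region [0xb61f7740,0xb61f77bc)
==22361== ABORTING
t/11fetch.t ..................... Dubious, test returned 1 (wstat 256, 0x100)
t/12quote.t ..................... 1/10 =================================================================
==22362== ERROR: AddressSanitizer: heap-use-after-free on address 0xb6ac7c44 at pc 0xb6bc2264 bp 0xbf9d2918 sp 0xbf9d2910
READ of size 4 at 0xb6ac7c44 thread T0
    #0 0xb6bc2263 (/placeholder/build/DBI/blib/arch/auto/DBI/DBI.so+0xa263)
==22362== ABORTING
t/12quote.t ..................... Dubious, test returned 1 (wstat 256, 0x100)
t/13taint.t ..................... ok
t/51dbm_file.t .................. Dubious, test returned 2 (wstat 512, 0x200)
EOF
)

# asan_triage: read a harness log on stdin (or from file arguments) and print one
# tab-separated line per finding: test file, error kind, access, top frame.
# Frames are expected unsymbolized, "(module+offset)", exactly as in the post.
asan_triage() {
  awk '
    /^t\/[^ ]+\.t /            { test = $1 }                   # harness line names the running test
    /ERROR: AddressSanitizer:/ { kind = $4; access = ""; size = "" }
    kind != "" && /^(READ|WRITE) of size/ { access = $1; size = $4 }
    kind != "" && $1 == "#0" {                                  # first frame of the faulting stack
      frame = $3; gsub(/[()]/, "", frame); sub(/.*\//, "", frame)
      printf "%s\t%s\t%s of size %s\t%s\n", test, kind, access, size, frame
      seen[test] = 1; kind = ""
    }
    /Dubious, test returned/ && !(test in seen) {                # failed, but not because of ASan
      printf "%s\tDubious without sanitizer report\n", test
    }
  ' "$@"
}

printf '%s\n' "$SAMPLE_LOG" | asan_triage
```

Feed it the real log with `make test 2>&1 | tee test.log` and `asan_triage test.log`; the identical `DBI.so+0xa263` top frame across tests is the first hint that the three reports share one root cause.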