Bug#825378: perl: freeze on parsing (broken) code

2016-06-04 Thread Dominic Hargreaves
On Sun, May 29, 2016 at 12:09:17AM +0300, Yuriy M. Kaminskiy wrote:
> On 28.05.2016 17:50, Dominic Hargreaves wrote:
> >On Thu, May 26, 2016 at 04:47:07PM +0100, Dominic Hargreaves wrote:

> >>Just to note that I can confirm that we get a syntax error on
> >>wheezy (so this is a regression for jessie).

> >>I bisected this using something like:
> >>
> >>cat ../test_prog.sh
> >>#!/bin/sh
> >>
> >>./perl -e 's{foo}{$h->X({->aaa=>"b"},$d)}ge;'
> >>
> >>if [ $? = 255 ]; then
> >> exit 0
> >>fi
> >>
> >>../perl/Porting/bisect.pl --expect-fail --start v5.20.0 --end v5.22.0 
> >>--timeout 2 -- ../test_prog.sh
> >>
> >>This was fixed upstream by f8a7ccebba5637bf0cf5a23cea563b2ccd62312d[1],
> >>which as you observed was first included in 5.22.0. It may be a candidate
> >>for backporting to jessie / maint-5.20 upstream, but the patch doesn't
> >>apply as-is.
> >
> >Just to add to this: since perl 5.20 is out of support upstream, and
> >this isn't a critical issue, I suspect not much more will happen on
> >this bug from me. If someone else wants to backport the patch, I'd
> >happily consider it for inclusion in a future stable update.
> 
> Something like attached? (only complication: lack of op_sibling_splice in
> 5.20).
> Compiled with pbuilder (BTW, needed USENETWORK=yes; otherwise it failed two
> tests for IO::Socket::IP; looks like #759799?), minimally tested, seems to
> work.
> Disclaimer: use with care/review carefully/IANAPH.

Thanks for the backporting! I've forwarded this upstream for review.

Best wishes,
Dominic.



Bug#825378: perl: freeze on parsing (broken) code

2016-05-28 Thread Yuriy M. Kaminskiy

Control: tags -1 patch
thanks

On 28.05.2016 17:50, Dominic Hargreaves wrote:
> On Thu, May 26, 2016 at 04:47:07PM +0100, Dominic Hargreaves wrote:
>> On Thu, May 26, 2016 at 04:22:45PM +0300, Yuriy M. Kaminskiy wrote:
>>> Dear Maintainer,
>>>
>>> I've made a typo in code, and found that it freezes perl on attempt to parse:
>>>  perl -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
>>> ( it was meant to be 's{foo}{$h->X({-aaa=>"b"},$d)}ge' )
>>
>> Thanks for the report!
>>
>> [snip backtrace]
>>
>>> (Theoretically, this can be called "potential DoS on parsing untrusted
>>> code", but I'm pretty sure parsing untrusted perl code is not safe anyway).
>>>
>>> It seems only the jessie version is affected; perl binaries extracted from
>>> perl-base packages from wheezy and squeeze seem to correctly report an error:
>>
>> Just to note that I can confirm that we get a syntax error on
>> wheezy (so this is a regression for jessie).
>>
>>> $ ./perl5.22.2 -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
>>> syntax error at -e line 1, near "{->aaa"
>>> syntax error at -e line 1, near ")}"
>>> -e had compilation errors.
>>>
>>> It seems there are no changes in 5.20.2-3+deb8u5 (from jessie-proposed-updates) (also
>>> freezes).
>>
>> Thanks for the report!
>>
>> I bisected this using something like:
>>
>> cat ../test_prog.sh
>> #!/bin/sh
>>
>> ./perl -e 's{foo}{$h->X({->aaa=>"b"},$d)}ge;'
>>
>> if [ $? = 255 ]; then
>>  exit 0
>> fi
>>
>> ../perl/Porting/bisect.pl --expect-fail --start v5.20.0 --end v5.22.0 --timeout 2 -- ../test_prog.sh
>>
>> This was fixed upstream by f8a7ccebba5637bf0cf5a23cea563b2ccd62312d[1],
>> which as you observed was first included in 5.22.0. It may be a candidate
>> for backporting to jessie / maint-5.20 upstream, but the patch doesn't
>> apply as-is.
>
> Just to add to this: since perl 5.20 is out of support upstream, and
> this isn't a critical issue, I suspect not much more will happen on
> this bug from me. If someone else wants to backport the patch, I'd
> happily consider it for inclusion in a future stable update.


Something like attached? (only complication: lack of op_sibling_splice 
in 5.20).
Compiled with pbuilder (BTW, needed USENETWORK=yes; otherwise it failed 
two tests for IO::Socket::IP; looks like #759799?), minimally tested, 
seems to work.

Disclaimer: use with care/review carefully/IANAPH.
diff -Nru perl-5.20.2/debian/changelog perl-5.20.2/debian/changelog
--- perl-5.20.2/debian/changelog2016-05-24 01:42:25.0 +0300
+++ perl-5.20.2/debian/changelog2016-05-28 18:04:59.0 +0300
@@ -1,3 +1,10 @@
+perl (5.20.2-3+deb8u5.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Backported fix for freeze on parsing invalid code (Closes: #825378)
+
+ -- Yuriy M. Kaminskiy   Sat, 28 May 2016 18:04:02 
+0300
+
 perl (5.20.2-3+deb8u5) jessie; urgency=medium
 
   * Apply patch from Niko Tyni fixing debugperl crashes with XS
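Review bot: the new entry `+perl (5.20.2-3+deb8u5.1) UNRELEASED` still carries the placeholder distribution; a jessie stable update needs `jessie` there before it can be uploaded, and the entry text should name the upstream commit being carried (f8a7ccebba5637bf0cf5a23cea563b2ccd62312d, which already appears in the patch filename) so provenance is visible from the changelog alone, e.g. `* Backport upstream commit f8a7cceb fixing a parser hang on invalid code (Closes: #825378)`. Also, the trailer line is split here into `Sat, 28 May 2016 18:04:02` and a separate `+0300` line; if that split is in the file rather than mail wrapping, dpkg-parsechangelog will reject the entry.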
diff -Nru 
perl-5.20.2/debian/patches/fixes/perl.git-f8a7ccebba5637bf0cf5a23cea563b2ccd62312d.patch
 
perl-5.20.2/debian/patches/fixes/perl.git-f8a7ccebba5637bf0cf5a23cea563b2ccd62312d.patch
--- 
perl-5.20.2/debian/patches/fixes/perl.git-f8a7ccebba5637bf0cf5a23cea563b2ccd62312d.patch
1970-01-01 03:00:00.0 +0300
+++ 
perl-5.20.2/debian/patches/fixes/perl.git-f8a7ccebba5637bf0cf5a23cea563b2ccd62312d.patch
2016-05-28 18:33:37.0 +0300
@@ -0,0 +1,70 @@
+From f8a7ccebba5637bf0cf5a23cea563b2ccd62312d Mon Sep 17 00:00:00 2001
+From: Father Chrysostomos 
+Date: Fri, 3 Oct 2014 22:40:36 -0700
+Subject: [PATCH] Fix assertion failure/hang with / (?{(^{})/
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+When this invalid construct is parsed, the resulting op tree for the
+pattern has a code block with no constant item following it, breaking
+the assumptions made by pmruntime.
+
+Fixing this was not so easy.
+
+You can’t just adjust the assertions, because the hang that non-debug-
+ging builds exhibited is still there.
+
+You can’t just return NULL from pmruntime when encounting the bad op
+tree, because the parser will crash on the null pointer.
+
+You can’t just return the empty pmop, because the wrong pad is
+active, and other functions in op.c will try to access nonexistent
+pad entries.
+
+You can’t just LEAVE_SCOPE and return the pmop, because then PL_parser
+will be null in yyerror.  Changing yyerror to account is not suffi-
+cient, because then you get double-freed SVs.  At that point I gave up
+with that approach.
+
+The easiest solution turned out to be to fake up the op that we were
+expecting to see.
+---
+ op.c  | 10 +-
+ t/re/re_tests |  1 +
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+Bug-Debian: https://bugs.debian.org/825378
+
+Index: perl-5.20.2/op.c
+===
+--- perl-5.20.2.orig/op.c
 perl-5.20.2/op.c
+@@ -4846,7 +4846,14 @@ Perl_pmruntime(pTHX_ OP *o, OP *expr, bo
+   for (o = cLISTOPx(expr)->op_first; o; o = o->op_sibling) {
+   if (o->op_type == OP_NULL && (o->op_flags 
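Review bot: the quoted backport ends in the middle of the first op.c hunk's leading context (`if (o->op_type == OP_NULL && (o->op_flags`), so the replacement for op_sibling_splice that the cover mail describes is not visible in this message and cannot be reviewed from it; please send the complete op.c hunk. The copied diffstat (`t/re/re_tests |  1 +`, `2 files changed, 10 insertions(+), 1 deletion(-)`) promises the upstream regression test, but only `Index: perl-5.20.2/op.c` appears in the backport, so either carry the re_tests addition as well (and say whether `make test` passes with it) or drop the stat lines from the description so it matches what the patch changes. Minor: `Bug-Debian:` is placed after the `---` separator rather than with the other headers at the top, where DEP-3 tooling expects it.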

Bug#825378: perl: freeze on parsing (broken) code

2016-05-28 Thread Dominic Hargreaves
On Thu, May 26, 2016 at 04:47:07PM +0100, Dominic Hargreaves wrote:
> On Thu, May 26, 2016 at 04:22:45PM +0300, Yuriy M. Kaminskiy wrote:
> > Dear Maintainer,
> > 
> > I've made a typo in code, and found that it freezes perl on attempt to parse:
> > perl -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
> > ( it was meant to be 's{foo}{$h->X({-aaa=>"b"},$d)}ge' )
> 
> Thanks for the report!
> 
> [snip backtrace]
> 
> > (Theoretically, this can be called "potential DoS on parsing untrusted
> > code", but I'm pretty sure parsing untrusted perl code is not safe anyway).
> > 
> > It seems only the jessie version is affected; perl binaries extracted from
> > perl-base packages from wheezy and squeeze seem to correctly report an error:
> 
> Just to note that I can confirm that we get a syntax error on
> wheezy (so this is a regression for jessie).
> 
> > $ ./perl5.22.2 -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
> > syntax error at -e line 1, near "{->aaa"
> > syntax error at -e line 1, near ")}"
> > -e had compilation errors.
> > 
> > It seems there are no changes in 5.20.2-3+deb8u5 (from jessie-proposed-updates) (also
> > freezes).
> 
> Thanks for the report!
> 
> I bisected this using something like:
> 
> cat ../test_prog.sh 
> #!/bin/sh
> 
> ./perl -e 's{foo}{$h->X({->aaa=>"b"},$d)}ge;'
> 
> if [ $? = 255 ]; then
> exit 0
> fi
> 
> ../perl/Porting/bisect.pl --expect-fail --start v5.20.0 --end v5.22.0 
> --timeout 2 -- ../test_prog.sh
> 
> This was fixed upstream by f8a7ccebba5637bf0cf5a23cea563b2ccd62312d[1],
> which as you observed was first included in 5.22.0. It may be a candidate
> for backporting to jessie / maint-5.20 upstream, but the patch doesn't
> apply as-is.

Just to add to this: since perl 5.20 is out of support upstream, and
this isn't a critical issue, I suspect not much more will happen on
this bug from me. If someone else wants to backport the patch, I'd
happily consider it for inclusion in a future stable update.

Cheers,
Dominic.



Bug#825378: perl: freeze on parsing (broken) code

2016-05-26 Thread Dominic Hargreaves
Control: fixed -1 5.22.0~rc2-1
Control: tags -1 + confirmed upstream patch fixed-upstream

On Thu, May 26, 2016 at 04:22:45PM +0300, Yuriy M. Kaminskiy wrote:
> Dear Maintainer,
> 
> I've made a typo in code, and found that it freezes perl on attempt to parse:
> perl -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
> ( it was meant to be 's{foo}{$h->X({-aaa=>"b"},$d)}ge' )

Thanks for the report!

[snip backtrace]

> (Theoretically, this can be called "potential DoS on parsing untrusted
> code", but I'm pretty sure parsing untrusted perl code is not safe anyway).
> 
> It seems only the jessie version is affected; perl binaries extracted from
> perl-base packages from wheezy and squeeze seem to correctly report an error:

Just to note that I can confirm that we get a syntax error on
wheezy (so this is a regression for jessie).

> $ ./perl5.22.2 -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
> syntax error at -e line 1, near "{->aaa"
> syntax error at -e line 1, near ")}"
> -e had compilation errors.
> 
> It seems there are no changes in 5.20.2-3+deb8u5 (from jessie-proposed-updates) (also
> freezes).

Thanks for the report!

I bisected this using something like:

cat ../test_prog.sh 
#!/bin/sh

./perl -e 's{foo}{$h->X({->aaa=>"b"},$d)}ge;'

if [ $? = 255 ]; then
exit 0
fi

../perl/Porting/bisect.pl --expect-fail --start v5.20.0 --end v5.22.0 --timeout 2 -- ../test_prog.sh

This was fixed upstream by f8a7ccebba5637bf0cf5a23cea563b2ccd62312d[1],
which as you observed was first included in 5.22.0. It may be a candidate
for backporting to jessie / maint-5.20 upstream, but the patch doesn't
apply as-is.

Cheers,
Dominic.

[1] 
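As an added example (not part of the bug report, the Debian package or perl's own Porting tools): a small POSIX sh harness around the reproducer above that tells the three outcomes a bisect step can see apart, namely a parser hang (the process has to be killed by a timeout), the syntax error that wheezy and 5.22 produce, or a clean compile of the line the reporter meant to write. It assumes coreutils `timeout` and a `perl` on PATH; the function names `classify` and `probe`, the script name `probe_825378.sh` and the default 5-second limit are mine.

```shell
#!/bin/sh
# Added example for #825378 (not the bug report's own test_prog.sh).
# Assumes coreutils `timeout` and a `perl` on PATH.

# The invalid snippet from the report, unchanged.
REPRO='s{foo}{$h->X({->aaa=>"b"},$d)}ge;'
# The line the reporter meant to write, for comparison.
INTENDED='s{foo}{$h->X({-aaa=>"b"},$d)}ge;'

# classify STATUS: map the exit status of `timeout ... perl -c -e` to a label.
#   124 -> timeout killed perl           => hang          (the jessie behaviour)
#   255 -> perl -c reported errors       => syntax-error  (wheezy, 5.22 and later)
#   0   -> "-e syntax OK"                => compiled
#   any other status (signal, missing binary, ...) is passed through as other:N
classify() {
    case "$1" in
        124) echo hang ;;
        255) echo syntax-error ;;
        0)   echo compiled ;;
        *)   echo "other:$1" ;;
    esac
}

# probe PERL SNIPPET [SECONDS]: compile-check SNIPPET with PERL under a
# timeout (default 5 s, my choice) and print the classification.
# The `|| status=$?` form keeps this correct under `set -e`, where a
# non-zero exit from timeout would otherwise abort the function.
probe() {
    perl_bin=$1; snippet=$2; secs=${3:-5}
    if ! command -v timeout >/dev/null 2>&1; then
        echo "other:no-timeout"; return 0
    fi
    status=0
    timeout "$secs" "$perl_bin" -c -e "$snippet" >/dev/null 2>&1 || status=$?
    classify "$status"
}

# When run directly as probe_825378.sh, report both snippets for the perl
# on PATH (or for the interpreter given as the first argument).
case "${0##*/}" in
    probe_825378.sh)
        perl_bin=${1:-perl}
        echo "typo:     $(probe "$perl_bin" "$REPRO")"
        echo "intended: $(probe "$perl_bin" "$INTENDED")"
        ;;
esac
```

On an affected jessie perl the first line prints `hang` and the second `compiled`; on wheezy or 5.22 the first prints `syntax-error`. The report's test_prog.sh keys only on exit status 255 and leaves the hang to bisect.pl's `--timeout`; making the timeout explicit here lets the same check run against an installed interpreter outside a bisect, which is how you would confirm a stable update actually fixes the freeze.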




Bug#825378: perl: freeze on parsing (broken) code

2016-05-26 Thread Yuriy M. Kaminskiy

Package: perl
Version: 5.20.2-3+deb8u4
Severity: normal
Tags: jessie

Dear Maintainer,

I've made a typo in code, and found that it freezes perl on attempt to parse:
perl -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
( it was meant to be 's{foo}{$h->X({-aaa=>"b"},$d)}ge' )

gdb backtrace (manually interrupted with ^C):
Program received signal SIGINT, Interrupt.
0x0806c60a in Perl_rpeep (my_perl=0x8215008, o=0x8238074) at op.c:11333
11333   op.c: No such file or directory.
(gdb) bt
#0  0x0806c60a in Perl_rpeep (my_perl=0x8215008, o=0x8238074) at op.c:11333
#1  0x08073509 in Perl_pmruntime (my_perl=0x8215008, o=0x82380f4, expr=0x8238474, isreg=true, floor=0) at op.c:4903
#2  0x080a3ae8 in Perl_yyparse (my_perl=0x8215008, gramtype=1536) at perly.y:1385
#3  0x0807e836 in S_parse_body (xsinit=<optimized out>, env=<optimized out>, my_perl=<optimized out>) at perl.c:2298
#4  perl_parse (my_perl=0x8215008, xsinit=0x805ef80 , argc=136400904, argv=0x8215008, env=0x0) at perl.c:1607
#5  0x0805ede8 in main (argc=3, argv=0xd674, env=0xd684) at perlmain.c:112

(Theoretically, this can be called "potential DoS on parsing untrusted 
code", but I'm pretty sure parsing untrusted perl code is not safe anyway).


It seems only the jessie version is affected; perl binaries extracted from 
perl-base packages from wheezy and squeeze seem to correctly report an error:

$ ./perl5.22.2 -ce 's{foo}{$h->X({->aaa=>"b"},$d)}ge'
syntax error at -e line 1, near "{->aaa"
syntax error at -e line 1, near ")}"
-e had compilation errors.

It seems there are no changes in 5.20.2-3+deb8u5 (from jessie-proposed-updates) 
(also freezes).


-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 
'proposed-updates')

Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages perl depends on:
ii  dpkg  1.17.26
ii  libbz2-1.01.0.6-7+b3
ii  libc6 2.19-18+deb8u4
ii  libdb5.3  5.3.28-9
ii  libgdbm3  1.8.3-13.1
ii  perl-base 5.20.2-3+deb8u4
ii  perl-modules  5.20.2-3+deb8u4
ii  zlib1g1:1.2.8.dfsg-2+b1

Versions of packages perl recommends:
ii  netbase  5.3
ii  rename   0.20-3

Versions of packages perl suggests:
ii  libterm-readline-gnu-perl   1.24-2+b1
ii  libterm-readline-perl-perl  1.0303-1
ii  make4.0-8.1
ii  perl-doc5.20.2-3+deb8u4

-- no debconf information