panic: sv_setpvn called with negative strlen #16971

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
p5pRT opened this issue Apr 20, 2019 · 3 comments

Comments


p5pRT commented Apr 20, 2019

Migrated from rt.perl.org#134050 (status was 'open')

Searchable as RT134050$


p5pRT commented Apr 20, 2019

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.9-63-g2496d8f3f7 built with afl and run
under libdislocator, I found the following program

split(/00|0\G/, "000")

to emit 'panic: sv_setpvn called with negative strlen -1' diagnostics.
This is a regression between 5.18 and 5.20, bisect points to

commit 03c83e2
Author: David Mitchell <davem@iabyn.com>
Date: Sun Jun 23 13:30:59 2013 +0100

  regexec: handle \G ourself, rather than in callers

  Normally a /g match starts its processing at the previous pos() (or at
  char 0 if pos is not set); however in the case of something like /abc\G/
  we actually need to start 3 characters before pos. This has been handled
  by the *callers* of regexec() subtracting prog->gofs from the stringarg
  arg before calling it, or by setting stringarg to strbeg for floating,
  such as /\w+\G/.

  This is clearly wrong: the callers of regexec() shouldn't need to worry
  about the details of getting \G right: move this code into regexec()
  itself.

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0:
mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64
x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib
/usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined
dynamic_lookup -L/usr/local/lib -fstack-protector'

@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9

Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh


p5pRT commented Apr 23, 2019

From @tonycoz

On Sat, 20 Apr 2019 02:22:54 -0700, randir wrote:

While fuzzing perl v5.29.9-63-g2496d8f3f7 built with afl and run
under libdislocator, I found the following program

split(/00|0\G/, "000")

to emit 'panic: sv_setpvn called with negative strlen -1' diagnostics.
This is a regression between 5.18 and 5.20, bisect points to

commit 03c83e2
Author: David Mitchell <davem@iabyn.com>
Date: Sun Jun 23 13:30:59 2013 +0100

regexec: handle \G ourself, rather than in callers

Normally a /g match starts its processing at the previous pos() (or at
char 0 if pos is not set); however in the case of something like /abc\G/
we actually need to start 3 characters before pos. This has been handled
by the *callers* of regexec() subtracting prog->gofs from the stringarg
arg before calling it, or by setting stringarg to strbeg for floating,
such as /\w+\G/.

This is clearly wrong: the callers of regexec() shouldn't need to worry
about the details of getting \G right: move this code into regexec()
itself.

I'm not sure if this is a problem in pp_split or regular expression matching.

I don't expect the 00 to match after the first match, and I don't expect the 0\G to match at all (pos() isn't modified by split, and is 0 for the second match).

Breakpoint 1, Perl_regexec_flags (rx=0x555555d74cd8,
  stringarg=0x555555d78a62 "0", strend=0x555555d78a63 "",
  strbeg=0x555555d78a60 "000", minend=1, sv=0x555555d74e58, data=0x0,
  flags=0) at regexec.c:3267
3267 if (prog->intflags & PREGf_GPOS_SEEN) {
(gdb) n
3273 (flags & REXEC_IGNOREPOS)
(gdb)
3275 : ((mg = mg_find_mglob(sv)) && mg->mg_len >= 0)
(gdb)
3278 : strbeg; /* pos() not defined; use start of string */
(gdb)
3272 reginfo->ganch =
(gdb)
3280 DEBUG_GPOS_r(Perl_re_printf( aTHX_
(gdb) p mg
$1 = (MAGIC *) 0x0
(gdb) p reginfo->ganch
$2 = 0x555555d78a60 "000"
(gdb) watch -l reginfo->ganch
Hardware watchpoint 2: -location reginfo->ganch
(gdb) c
Continuing.
Matching stclass AHOCORASICK-EXACT[0] against "00" (2 bytes)
  0 <> <00> | 0| Charid: 1 CP: 30 State: 1, word=0 - legal
  1 <0> <0> | 0| Charid: 1 CP: 30 State: 2, word=2 - legal
State: 3, word=1 - accepting
Matches word #2 at position 0. Trying full pattern...
  1 <0> <00> | 0| 1:TRIE-EXACT[0](8)
  1 <0> <00> | 0| TRIE: State: 1 Accepted: N TRIE: Charid: 1 CP: 30 After State: 2
  2 <00> <0> | 0| TRIE: State: 2 Accepted: Y TRIE: Charid: 1 CP: 30 After State: 3
  3 <000> <> | 0| TRIE: State: 3 Accepted: Y TRIE: Charid: 0 CP: 0 After State: 0
  | 0| TRIE: got 2 possible matches
  | 0| TRIE matched word #1, continuing
  3 <000> <> | 1| 8:END(0)
Match successful!
panic: sv_setpvn called with negative strlen -1 at -e line 1.

Hardware watchpoint 2: -location reginfo->ganch

Old value = 0x555555d78a60 "000"
New value = 0x555555d67b60 "\200i\326UUU"
Perl_PerlIO_flush (f=0x555555d67b60) at perlio.c:1615
1615 if (f) {

The other issue is whether pp_split needs to handle a match that starts before stringarg.

Tony
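An added example, not from this issue or from perl's source: a C model of the split loop Tony's last point describes, in which the caller checks that the match the engine reports lies inside the segment it asked to be searched before it computes a piece length. `gpos_matcher` is a constructed stand-in that reproduces the offsets in the trace above (a match at offset 1 while stringarg is at offset 2) as a one-character rewind; it is not perl's regex engine, and `plain_matcher`, `checked_split`, `split_with` and `piece` are hypothetical names.

```c
#include <string.h>

/* A match as the engine reports it: offsets into the whole string
 * (the analogue of rx->offs[0].start / .end in perl's regexec). */
typedef struct { long start, end; } match_t;

/* Engine callback: search `str` (length `len`) starting at offset `from`. */
typedef int (*matcher_fn)(const char *str, long len, long from, match_t *m);

/* Well-behaved stand-in for /00/: never reports a match before `from`. */
static int plain_matcher(const char *str, long len, long from, match_t *m) {
    for (long i = from; i + 2 <= len; i++)
        if (str[i] == '0' && str[i + 1] == '0') { m->start = i; m->end = i + 2; return 1; }
    return 0;
}

/* Constructed stand-in for the \G behaviour in the report: the engine
 * rewinds one character before `from` (a simplification of gofs == 1 for
 * /0\G/), so on the second iteration it reports "00" at offset 1 although
 * the caller asked for offset 2.  A model of the reported offsets only. */
static int gpos_matcher(const char *str, long len, long from, match_t *m) {
    return plain_matcher(str, len, from > 0 ? from - 1 : 0, m);
}

/* Split `str` on `match`, writing up to `max` pieces into out[].  Returns
 * the piece count, or -1 if the engine reported a match starting before
 * the segment it was given: unchecked, that case becomes
 * sv_setpvn(dstr, s, m - s) with m - s == -1, the panic in the report. */
static int checked_split(const char *str, matcher_fn match, char out[][8], int max) {
    long len = (long)strlen(str), s = 0;
    int n = 0;
    match_t m;
    while (n < max - 1 && match(str, len, s, &m)) {
        if (m.start < s || m.end < m.start || m.end > len)
            return -1;                 /* engine violated its contract: refuse */
        if (m.end == m.start) break;   /* zero-length matches are not modelled */
        memcpy(out[n], str + s, (size_t)(m.start - s));
        out[n++][m.start - s] = '\0';  /* piece length m.start - s is now >= 0 */
        s = m.end;
    }
    memcpy(out[n], str + s, (size_t)(len - s));   /* trailing piece */
    out[n++][len - s] = '\0';
    return n;
}

/* Small wrappers so the results can be inspected by name. */
static char pieces[4][8];
static int split_with(const char *str, matcher_fn match) { return checked_split(str, match, pieces, 4); }
static const char *piece(int i) { return pieces[i]; }
```

With `plain_matcher` the input "000" splits into "" and "0", as perl's split(/00/, "000") does; with `gpos_matcher` the second iteration is rejected instead of producing a negative length.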


p5pRT commented Apr 23, 2019

The RT System itself - Status changed from 'new' to 'open'

@xenu xenu removed the affects-5.29 label Nov 19, 2021
@khwilliamson khwilliamson added BBC Blead Breaks CPAN - changes in blead broke a cpan module(s) panic type-regex-\G and removed BBC Blead Breaks CPAN - changes in blead broke a cpan module(s) labels Apr 17, 2022
tonycoz added a commit to tonycoz/perl5 that referenced this issue Sep 20, 2023
@tonycoz tonycoz self-assigned this Oct 28, 2023