FTBFS: segfaults in testsuite with perl 5.26.0-7

Bug #1717367 reported by Steve Langasek on 2017-09-14
Affects                     Status        Importance  Assigned to  Milestone
glibc (Debian)              Fix Released  Unknown
glibc (Ubuntu)              Invalid       Undecided   Unassigned
libanyevent-perl (Ubuntu)   Invalid       Undecided   Unassigned
perl (Ubuntu)               Fix Released  Undecided   Unassigned

Bug Description

The autopkgtests segfault against perl 5.26.0-7 in Ubuntu, and the new version of the package also fails to build in -proposed because the tests are segfaulting at package build time.

$ perl ./t/02_signals.t
1..5
ok 1
Segmentation fault (core dumped)
$ gdb --args perl ./t/02_signals.t
GNU gdb (Ubuntu 8.0.1-0ubuntu1) 8.0.1
Copyright (C) 2017 Free Software Foundation, Inc.
[...]
(gdb) run
Starting program: /usr/bin/perl ./t/02_signals.t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
1..5
ok 1

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff738811e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff738811e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff626591d in ?? ()
   from /usr/lib/x86_64-linux-gnu/perl5/5.26/auto/Async/Interrupt/Interrupt.so
#2 0x00007ffff62672a9 in ?? ()
   from /usr/lib/x86_64-linux-gnu/perl5/5.26/auto/Async/Interrupt/Interrupt.so
#3 0x000055555562fab1 in Perl_pp_entersub ()
#4 0x00005555556278e6 in Perl_runops_standard ()
#5 0x00005555555a8d87 in perl_run ()
#6 0x0000555555580332 in main ()
(gdb)

Steve Langasek (vorlon) wrote:

Backtrace with debugging symbols:

(gdb) bt
#0 __strcmp_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:32
#1 0x00007ffff626591d in s_signum (sig=sig@entry=0x555555b8e5b8)
    at schmorp.h:127
#2 0x00007ffff62672a9 in s_signum_croak (sig=0x555555b8e5b8) at schmorp.h:141
#3 XS_Async__Interrupt__alloc (my_perl=<optimized out>, cv=<optimized out>)
    at Interrupt.xs:313
#4 0x0000555555698fed in Perl_pp_entersub (my_perl=0x555555a94010)
    at pp_hot.c:4231
#5 0x000055555565419a in Perl_runops_debug (my_perl=0x555555a94010)
    at dump.c:2451
#6 0x00005555555bd236 in S_run_body (oldscope=1, my_perl=0x555555a94010)
    at perl.c:2524
#7 perl_run (my_perl=0x555555a94010) at perl.c:2447
#8 0x0000555555583f0e in main (argc=<optimized out>, argv=<optimized out>,
    env=<optimized out>) at perlmain.c:123
(gdb)

Steve Langasek (vorlon) wrote:

In perl 5.26.0-5:

(gdb) print PL_sig_name
$2 = {0x2fdbfe "ZERO", 0x2fdc03 "HUP", 0x291cb1 "INT", 0x2fdc07 "QUIT",
  0x2fdc1f "ILL", 0x2fdc0c "TRAP", 0x2fdc11 "ABRT", 0x2fdc16 "BUS",
  0x2fdc1a "FPE", 0x2fdc1e "KILL", 0x2fdc23 "USR1", 0x2fdc28 "SEGV",
  0x2fdc2d "USR2", 0x2fdc32 "PIPE", 0x2fdc62 "ALRM", 0x294ac5 "TERM",
  0x2fdc37 "STKFLT", 0x2ba573 "CHLD", 0x2fdc3e "CONT", 0x2b81b8 "STOP",
  0x2fdc43 "TSTP", 0x2fdc48 "TTIN", 0x2fdc4d "TTOU", 0x2fdc52 "URG",
  0x2fdc56 "XCPU", 0x2fdc5b "XFSZ", 0x2fdc60 "VTALRM", 0x2fdc67 "PROF",
  0x2fdc6c "WINCH", 0x2fdef1 "IO", 0x2fdc72 "PWR", 0x2fdc76 "SYS",
  0x2fdc7a "NUM32", 0x2fdc80 "NUM33", 0x2fdc86 "RTMIN", 0x2fdc8c "NUM35",
  0x2fdc92 "NUM36", 0x2fdc98 "NUM37", 0x2fdc9e "NUM38", 0x2fdca4 "NUM39",
  0x2fdcaa "NUM40", 0x2fdcb0 "NUM41", 0x2fdcb6 "NUM42", 0x2fdcbc "NUM43",
  0x2fdcc2 "NUM44", 0x2fdcc8 "NUM45", 0x2fdcce "NUM46", 0x2fdcd4 "NUM47",
  0x2fdcda "NUM48", 0x2fdce0 "NUM49", 0x2fdce6 "NUM50", 0x2fdcec "NUM51",
  0x2fdcf2 "NUM52", 0x2fdcf8 "NUM53", 0x2fdcfe "NUM54", 0x2fdd04 "NUM55",
  0x2fdd0a "NUM56", 0x2fdd10 "NUM57", 0x2fdd16 "NUM58", 0x2fdd1c "NUM59",
  0x2fdd22 "NUM60", 0x2fdd28 "NUM61", 0x2fdd2e "NUM62", 0x2fdd34 "NUM63",
  0x2fdd3a "RTMAX", 0x2fdd40 "IOT", 0x2ba578 "CLD", 0x2fdd44 "POLL",
  0x2fdd49 "UNUSED", 0x0}
(gdb) quit

In perl 5.26.0-7:

(gdb) print PL_sig_name
$6 = {0x55555585d37e "ZERO", 0x55555585d383 "HUP", 0x5555557e6da8 "INT",
  0x55555585d387 "QUIT", 0x55555585d39f "ILL", 0x55555585d38c "TRAP",
  0x55555585d391 "ABRT", 0x55555585d396 "BUS", 0x55555585d39a "FPE",
  0x55555585d39e "KILL", 0x55555585d3a3 "USR1", 0x55555585d3a8 "SEGV",
  0x55555585d3ad "USR2", 0x55555585d3b2 "PIPE", 0x55555585d3e7 "ALRM",
  0x5555557eb48a "TERM", 0x55555585d3b7 "STKFLT", 0x55555585d3be "CHLD",
  0x55555585d3c3 "CONT", 0x555555813492 "STOP", 0x55555585d3c8 "TSTP",
  0x55555585d3cd "TTIN", 0x55555585d3d2 "TTOU", 0x55555585d3d7 "URG",
  0x55555585d3db "XCPU", 0x55555585d3e0 "XFSZ", 0x55555585d3e5 "VTALRM",
  0x55555585d3ec "PROF", 0x55555585d3f1 "WINCH", 0x55555585d671 "IO",
  0x55555585d3f7 "PWR", 0x55555585d3fb "SYS", 0x55555585d3ff "NUM32",
  0x55555585d405 "NUM33", 0x55555585d40b "RTMIN", 0x55555585d411 "NUM35",
  0x55555585d417 "NUM36", 0x55555585d41d "NUM37", 0x55555585d423 "NUM38",
  0x55555585d429 "NUM39", 0x55555585d42f "NUM40", 0x55555585d435 "NUM41",
  0x55555585d43b "NUM42", 0x55555585d441 "NUM43", 0x55555585d447 "NUM44",
  0x55555585d44d "NUM45", 0x55555585d453 "NUM46", 0x55555585d459 "NUM47",
  0x55555585d45f "NUM48", 0x55555585d465 "NUM49", 0x55555585d46b "NUM50",
  0x55555585d471 "NUM51", 0x55555585d477 "NUM52", 0x55555585d47d "NUM53",
  0x55555585d483 "NUM54", 0x55555585d489 "NUM55", 0x55555585d48f "NUM56",
  0x55555585d495 "NUM57", 0x55555585d49b "NUM58", 0x55555585d4a1 "NUM59",
  0x55555585d4a7 "NUM60", 0x55555585d4ad "NUM61", 0x55555585d4b3 "NUM62",
  0x55555585d4b9 "NUM63", 0x55555585d4bf "RTMAX", 0x55555585d4c5 "IOT",
  0x5555558158a0 "CLD", 0x55555585d4c9 "POLL", 0x0}
(gdb)

I don't know why the table got one shorter, but since this wasn't a sourceful change in perl, I suspect it was a change induced by glibc 2.26.

Steve Langasek (vorlon) wrote:

I can confirm that rebuilding perl against libc6-dev from 2.26 is enough to trigger this change in the SIG_NAME list; and this is an ABI-breaking change in perl.
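Added example (not Async::Interrupt's code, and not part of the bug report): a small C model of the failure the two comments above describe. The backtrace shows s_signum() in schmorp.h crashing inside strcmp() while walking PL_sig_name, and the two gdb dumps show the table losing its last name ("UNUSED") but keeping its NULL terminator once perl was rebuilt against glibc 2.26. The assumption made here is that the lookup loop is bounded only by the SIG_SIZE constant baked in at the module's compile time (perl's Config documents sig_size as the number of names excluding the terminator); if the installed perl's table is one shorter, the loop's last iteration hands a NULL pointer to strcmp(). The tables below are constructed stand-ins, not the real 69-entry list.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for PL_sig_name. Like the real table in the gdb dumps
 * above, each ends with a NULL entry: the "old" build still has "UNUSED",
 * the "new" build (rebuilt against glibc 2.26) does not. */
static const char *const sig_name_old[] = { "ZERO", "HUP", "INT", "QUIT", "UNUSED", NULL };
static const char *const sig_name_new[] = { "ZERO", "HUP", "INT", "QUIT", NULL };

/* Lookup that trusts only a compile-time SIG_SIZE (names excluding the
 * terminator), the shape assumed for s_signum() from the backtrace. If the
 * table it is linked against at run time is shorter than that bound, names[i]
 * becomes the NULL terminator and strcmp() dereferences it. Returns -1 if
 * the name is not present. */
int signum_bound_only(const char *const *names, int sig_size, const char *sig)
{
    for (int i = 1; i < sig_size; i++)
        if (strcmp(sig, names[i]) == 0)
            return i;
    return -1;
}

/* Hardened lookup: honour the compile-time bound AND the run-time terminator,
 * so a shorter table produces "not found" instead of a NULL dereference. */
int signum_checked(const char *const *names, int sig_size, const char *sig)
{
    for (int i = 1; i < sig_size && names[i] != NULL; i++)
        if (strcmp(sig, names[i]) == 0)
            return i;
    return -1;
}

/* Number of names actually present at run time (terminator excluded). */
int sig_table_len(const char *const *names)
{
    int n = 0;
    while (names[n] != NULL)
        n++;
    return n;
}

/* 1 when the table the module was compiled against (compiled_sig_size names)
 * and the one it is linked to at run time disagree in length, i.e. the ABI
 * has drifted underneath the module. */
int sig_abi_mismatch(const char *const *names, int compiled_sig_size)
{
    return sig_table_len(names) != compiled_sig_size;
}

int main(void)
{
    const int compiled = 5;  /* SIG_SIZE the module was built with: old table, 5 names */

    printf("old table: %d names, abi mismatch=%d\n",
           sig_table_len(sig_name_old), sig_abi_mismatch(sig_name_old, compiled));
    printf("new table: %d names, abi mismatch=%d\n",
           sig_table_len(sig_name_new), sig_abi_mismatch(sig_name_new, compiled));
    printf("checked lookup of QUIT on new table:   %d\n",
           signum_checked(sig_name_new, compiled, "QUIT"));
    printf("checked lookup of UNUSED on new table: %d (not found)\n",
           signum_checked(sig_name_new, compiled, "UNUSED"));
    /* signum_bound_only(sig_name_new, compiled, "UNUSED") would reach names[4],
     * the NULL terminator, and crash in strcmp() exactly like the report. */
    return 0;
}
```

The practitioner's check this suggests: compare the `sig_size` the installed perl reports (`perl -V:sig_size`) with the one the XS module was built against; any difference means every module compiled against the old headers must be rebuilt, which is why the fix below pins the build-dependency and restores the missing entry rather than shipping a shorter table under the same perl ABI.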

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package perl - 5.26.0-8ubuntu1

---------------
perl (5.26.0-8ubuntu1) artful; urgency=medium

  * Build-depend on libc6-dev (>= 2.26).
  * Restore the SIGUNUSED signal. LP: #1717367.
  * Changes can be dropped with the next perl ABI bump, or with a perl
    upstream fix to restore ABI compatibility with glibc-2.26.

perl (5.26.0-8) unstable; urgency=high

  * [SECURITY] CVE-2017-12837: Fix a heap buffer overflow in regular
    expression compiler. (Closes: #875596)
  * [SECURITY] CVE-2017-12883: Fix a buffer over-read in regular
    expression parser. (Closes: #875597)

 -- Matthias Klose <email address hidden> Fri, 15 Sep 2017 18:13:42 +0200

Changed in perl (Ubuntu):
status: New → Fix Released
Matthias Klose (doko) on 2017-09-17
Changed in libanyevent-perl (Ubuntu):
status: New → Invalid
Changed in glibc (Ubuntu):
status: New → Invalid
Changed in glibc (Debian):
status: Unknown → Confirmed
Changed in glibc (Debian):
status: Confirmed → Fix Released