Bug 493497

Summary: Perl segfaults in S_regmatch after many recursions
Product: Red Hat Enterprise Linux 5
Reporter: Bryan Mason <bmason>
Component: perl
Assignee: perl-maint-list
Status: CLOSED WONTFIX
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Docs Contact:
Priority: low
Version: 5.3
CC: cww, tao
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-05 18:01:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
    Test script that segfaults (flags: none)

Description Bryan Mason 2009-04-01 23:54:01 UTC
Created attachment 337691
Test script that segfaults

Description of problem:

    Perl segfaults when processing very long strings.  The root
    problem is that S_regmatch is recursive and will eventually
    exhaust stack space after many recursions.

    The stack trace after the segfault looks like:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 48002166805024 (LWP 32224)]
    0x0000003957cde875 in S_regmatch (my_perl=0xdf97010, prog=0xfeae84)
       at regexec.c:2305
    2305   {

    (gdb) bt
    #0  0x0000003957cde875 in S_regmatch (my_perl=0xdf97010, prog=0xfeae84)
        at regexec.c:2305
    #1  0x0000003957cdea87 in S_regmatch (my_perl=0xdf97010,
        prog=<value optimized out>) at regexec.c:3908
    #2  0x0000003957ce16ce in S_regmatch (my_perl=0xdf97010,
        prog=<value optimized out>) at regexec.c:3332
    #3  0x0000003957ce16ce in S_regmatch (my_perl=0xdf97010,
        prog=<value optimized out>) at regexec.c:3332
    #4  0x0000003957ce16ce in S_regmatch (my_perl=0xdf97010,
        prog=<value optimized out>) at regexec.c:3332

    [...]

    #22456 0x0000003957cdfe41 in S_regmatch (my_perl=0xdf97010,
        prog=<value optimized out>) at regexec.c:3160
    #22457 0x0000003957cdfe41 in S_regmatch (my_perl=0xdf97010,
        prog=<value optimized out>) at regexec.c:3160
    #22458 0x0000003957cdfe41 in S_regmatch (my_perl=0xdf97010,
        prog=<value optimized out>) at regexec.c:3160
    #22459 0x0000003957ce2908 in S_regtry (my_perl=0xdf97010,
        prog=0xdfbfdb0, startpos=0xe033b09 "\" word word word word
        word word word word word word word word word word word word
        word word word word word word word word word word word word
        word word word word word word word word word word word
        wor"...) at regexec.c:2204
    #22460 0x0000003957ce6c20 in Perl_regexec_flags (my_perl=0xdf97010,
       prog=0xdfbfdb0, stringarg=<value optimized out>, strend=0xe039cb3 "",
       strbeg=0xe033b09 "\" word word word word word word word word
       word word word word word word word word word word word word
       word word word word word word word word word word word word
       word word word word word word word wor"...,
       minend=<value optimized out>, sv=0xdfe2da0, data=0x0,
       flags=<value optimized out>) at regexec.c:2031
    #22461 0x0000003957c91fdc in Perl_pp_subst (my_perl=0xdf97010) at 
       pp_hot.c:2107
    #22462 0x0000003957c8a0ae in Perl_runops_standard (my_perl=0xdf97010) at
       run.c:37
    #22463 0x0000003957c37f1a in perl_run (my_perl=0xdf97010) at perl.c:2372
    #22464 0x000000000040179c in main (argc=3, argv=0x7fff7927aca8,
       env=<value optimized out>) at perlmain.c:99

Version-Release number of selected component (if applicable):

    perl-5.8.8-40

How reproducible:

    100%

Steps to Reproduce:

    1. run attached sample script: "perl test-it281146.pl 5000"
  
Actual results:

    Segfault

Expected results:

    No segfault

Additional info:

    This issue has been documented in Debian bug 320727[1], and has
    been fixed upstream[2].  This problem does not occur with
    perl-5.10.0-56 in Fedora 10.

    I've been attempting to backport the upstream patch, but would
    like some guidance on whether or not this would be considered too
    invasive a change for a RHEL update.

[1]http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320727
[2]http://perl5.git.perl.org/perl.git/commit/95b244405438253236d34c3edcbd0892a86c2dd1
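
A worked illustration of the failure mode described in this report, added here as an example; it is not the attached test-it281146.pl, whose contents are not shown on this page. It builds a long input of the same shape as the string in the backtrace, runs a substitution over it inside a forked child, and reports whether the child was killed by a signal instead of returning a result. The regex (a quantified group with a variable-length body, chosen on the assumption that the 5.8.8 matcher recurses in S_regmatch while iterating such a group, which is consistent with the thousands of nested frames in the trace) and the default word count are assumptions.

```perl
#!/usr/bin/perl
# Added example; not the attached test-it281146.pl (its contents are not on
# this page). Builds a long input like the one in the backtrace, runs a
# substitution over it in a forked child, and reports whether the child was
# killed by a signal instead of returning a result.
use strict;
use warnings;
use POSIX qw(WIFSIGNALED WTERMSIG WEXITSTATUS);

# Constructed input: a leading double quote followed by N copies of " word",
# the same shape as the startpos string in the report's backtrace.
sub build_input {
    my ($n) = @_;
    return '"' . (' word' x $n);
}

# Substitution under test. The pattern is an assumption: a quantified group
# with a variable-length body, chosen because the trace shows the 5.8.8
# matcher nesting S_regmatch frames while iterating. \s+ and \w+ are
# disjoint, so there is no backtracking blow-up to confuse the result with.
sub strip_trailing_words {
    my ($text) = @_;
    my $matched = ($text =~ s/(?:\s+\w+)+\z//) ? 1 : 0;
    return ($matched, $text);
}

# Run the substitution in a child so that a crash inside the regex engine
# cannot take the caller down. Returns { ok => 1, matched => 0|1 } when the
# child exits normally, or { ok => 0, signal => N } when a signal killed it.
sub guarded_strip {
    my ($text) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        my ($matched) = strip_trailing_words($text);
        exit($matched ? 0 : 2);
    }
    waitpid($pid, 0);
    my $status = $?;
    return { ok => 0, signal => WTERMSIG($status) } if WIFSIGNALED($status);
    return { ok => 1, matched => (WEXITSTATUS($status) == 0 ? 1 : 0) };
}

# 5000 is the word count from the report's reproduction step.
my $n = @ARGV ? $ARGV[0] : 5000;
my $r = guarded_strip(build_input($n));
if ($r->{ok}) {
    printf "%d words: substitution %s, parent still alive\n",
        $n, ($r->{matched} ? 'matched' : 'did not match');
} else {
    printf "%d words: regex child killed by signal %d (11 = SIGSEGV)\n",
        $n, $r->{signal};
    exit 1;
}
```

Two checks worth running alongside it: raising the stack limit in the invoking shell (ulimit -s) should move the word count at which a 5.8.8 perl dies, which confirms stack exhaustion rather than some other memory error; and on a perl that carries the upstream change (the report names perl-5.10.0-56 in Fedora 10) the child should exit normally for the same input. Forking per match is a blunt containment that suits a batch job over untrusted input; a long-running service would rather bound or split the input before matching.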

Comment 1 Marcela Mašláňová 2009-04-14 14:36:08 UTC
I'm sorry for such a long response time.

Does it impact our customers or our servers?

This is an invasive change because you can easily overlook some consequence. I haven't looked at the differences between the upstream version and our version of this file yet, but there would probably be many. The main problem is that you usually also need to backport other preceding patches, and you can easily miss something important or change something else unintentionally.

Comment 2 Bryan Mason 2009-04-14 20:28:12 UTC
This is impacting one of our customers.  I've requested additional details.

Comment 7 RHEL Program Management 2010-08-09 19:07:52 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.