[pcre-dev] [Bug 1749] PCRE-JITted code should be executed fr…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
Madmin at ->
Delete this message
Author: admin
Date:  
To: pcre-dev
Old-Topics: [pcre-dev] [Bug 1749] New: PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction
Subject: [pcre-dev] [Bug 1749] PCRE-JITted code should be executed from non-writable memory to obey execmem SELinux restriction
https://bugs.exim.org/show_bug.cgi?id=1749

--- Comment #45 from Petr Pisar <ppisar@???> ---
This code is now in PCRE2-10.30-RC1 and I found following bug in the
deallocator when an application does a fork after some JIT operation. I have
only a Perl reproducer using re-engine-PCRE2 PCRE2 binding
<http://search.cpan.org/dist/re-engine-PCRE2/> now:

If I configure PCRE2 with --enable-jit-sealloc and run re-engine-PCRE2 PCRE2
tests, t/1-basic.t test segfaults at the end of its run: 

#0  0xb7f336fb in sljit_free_exec (ptr=0xb775fca0)
    at src/sljit/sljitProtExecAllocator.c:367
#1  0xb7f33b0d in sljit_free_code (code=0xb775fca0) at src/sljit/sljitLir.c:486
#2  0xb7f5973c in _pcre2_jit_free_8 (executable_jit=0x80030540,
memctl=0x80293b90)
    at src/pcre2_jit_misc.c:92
#3  0xb7f199f8 in pcre2_code_free_8 (code=0x80293b90) at
src/pcre2_compile.c:1183
#4  0xb7771609 in PCRE2_free (my_perl=0x80004160, rx=0x80024e64) at
PCRE2.xs:520
#5  0xb7d84e95 in Perl_pregfree2 () from /lib/libperl.so.5.26
#6  0xb7de4640 in Perl_sv_clear () from /lib/libperl.so.5.26
#7  0xb7de4d40 in Perl_sv_free2 () from /lib/libperl.so.5.26
#8  0xb7d149e4 in Perl_op_clear () from /lib/libperl.so.5.26
#9  0xb7d14b20 in Perl_op_free () from /lib/libperl.so.5.26
#10 0xb7d3adb8 in perl_destruct () from /lib/libperl.so.5.26
#11 0x800009ce in main ()


This is because sljit_free_exec() does this assignment: 

    if (SLJIT_UNLIKELY(!free_block->header.size)) {
        free_block->size += header->size;
        header = AS_BLOCK_HEADER(free_block, free_block->size);
→       header->prev_size = free_block->size;
    }


and the memory pointed by header is read-only at that moment.

A minimal reproducer is saving this code into t/test.t file and executing "perl
-Iblib/{lib,arch} t/test.t" from the directory with built re-engine-PCRE2
sources (perl Makefile.PL && make):

use Test::More tests => 1;
use re::engine::PCRE2;

"Hello, world" !~ /(?<=Moose|Mo), (world)/;
"Hello, world" =~ /(?<=Hello|Hi), (world)/;
fork;

ok(1);

Removing any line (fork(), use Test::More; etc.) mitigates the crash. It's
probably some kind of a race condition when the two processes deallocates the
memory regions backed by the same file. But I don't understand how that could
be possible.

I reported it also to the re-engine-PCRE2 author
<https://github.com/rurban/re-engine-PCRE2/issues/29>.

--
You are receiving this mail because:
You are on the CC list for the bug.
This message was posted to the following mailing lists:
Pcre-dev
Mailing List Info | Nearby Messages		<-[pcre-dev] [Bug 2154] sljitNativeMIPS_common.c:506:3: error: a label can only be part of a statement and a declaration is not a statement[pcre-dev] [Bug 2155] New: link without mkostemp, secure_getenv->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)