Bug 771303

Summary: Perl crashes on double free in void context when deleting hash entry that destroys value before
Product: [Fedora] Fedora Reporter: Petr Pisar <ppisar>
Component: perlAssignee: Petr Pisar <ppisar>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: cweyl, iarnell, kasal, lkundrak, mmaslano, ppisar, psabata, rc040203, tcallawa
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://rt.perl.org/rt3/Public/Bug/Display.html?id=100340
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-20 16:01:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Petr Pisar 2012-01-03 09:18:39 UTC

#!/usr/bin/env perl

*guard::DESTROY = sub {

*guard = sub (&) {
   my $callback = shift;
   return bless \$callback, "guard"

my %t; %t = (
    stash => {
        guard => guard(sub{
            print "Guard\n";
            delete $t{stash};
        foo => "bar",
        bar => "baz",

delete $t{stash}{guard};

causes SIGABRT by glibc heap allocator:

$ ./perl-doublefree_on_delete_hash_entry 
*** glibc detected *** perl: munmap_chunk(): invalid pointer: 0x000000000222be38 ***
======= Backtrace: =========

This issue has been reported to upstream as <https://rt.perl.org/rt3/Public/Bug/Display.html?id=100340> and fixed in development tree as commit:

commit 3b2cd8095a6fc52afccf519205a3c5a92669b0c3
Author: Father Chrysostomos <sprout@cpan.org>
Date:   Sat Dec 31 18:54:14 2011 -0800

    [perl #100340] Free hash entries before values on delete
    When a hash element is deleted in void context, if the value is freed
    before the hash entry, it is possible for a destructor to see the hash
    in an inconsistent state--inconsistent in that it contains entries
    that are about to be freed, with nothing to indicate that.  So the
    destructor itself could free the very same hash entry (e.g., by
    freeing the hash), resulting in a double free, panic, or other

Comment 1 Petr Pisar 2012-09-11 12:24:32 UTC
F17 is affected. perl-5.16.1 is clean.

Comment 2 Fedora Update System 2012-09-11 16:53:46 UTC
perl-5.14.2-214.fc17 has been submitted as an update for Fedora 17.

Comment 3 Fedora Update System 2012-09-11 17:03:23 UTC
perl-5.14.2-200.fc16 has been submitted as an update for Fedora 16.

Comment 4 Fedora Update System 2012-09-12 00:27:37 UTC
Package perl-5.14.2-214.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-5.14.2-214.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2012-09-14 12:17:35 UTC
perl-5.14.2-215.fc17 has been submitted as an update for Fedora 17.

Comment 6 Fedora Update System 2012-09-14 12:18:51 UTC
perl-5.14.2-201.fc16 has been submitted as an update for Fedora 16.

Comment 7 Fedora Update System 2012-12-20 16:02:01 UTC
perl-5.14.2-214.fc17 has been pushed to the Fedora 17 obsolete repository.  If problems still persist, please make note of it in this bug report.