Bug 771303
| Summary: | Perl crashes on double free in void context when deleting hash entry that destroys value before | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Petr Pisar <ppisar> |
| Component: | perl | Assignee: | Petr Pisar <ppisar> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | cweyl, iarnell, kasal, lkundrak, mmaslano, ppisar, psabata, rc040203, tcallawa |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | https://rt.perl.org/rt3/Public/Bug/Display.html?id=100340 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-12-20 16:01:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
F17 is affected. perl-5.16.1 is clean. perl-5.14.2-214.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/perl-5.14.2-214.fc17 perl-5.14.2-200.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/perl-5.14.2-200.fc16 Package perl-5.14.2-214.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing perl-5.14.2-214.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-13829/perl-5.14.2-214.fc17 then log in and leave karma (feedback). perl-5.14.2-215.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/perl-5.14.2-215.fc17 perl-5.14.2-201.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/perl-5.14.2-201.fc16 perl-5.14.2-214.fc17 has been pushed to the Fedora 17 obsolete repository. If problems still persist, please make note of it in this bug report. |
Running: #!/usr/bin/env perl *guard::DESTROY = sub { ${$_[0]}->(); }; *guard = sub (&) { my $callback = shift; return bless \$callback, "guard" }; my %t; %t = ( stash => { guard => guard(sub{ print "Guard\n"; delete $t{stash}; }), foo => "bar", bar => "baz", }, ); delete $t{stash}{guard}; causes SIGABRT by glibc heap allocator: $ ./perl-doublefree_on_delete_hash_entry Guard *** glibc detected *** perl: munmap_chunk(): invalid pointer: 0x000000000222be38 *** ======= Backtrace: ========= /lib64/libc.so.6[0x3f5ec7c2d6] /usr/lib64/perl5/CORE/libperl.so(Perl_hv_free_ent+0x6c)[0x3f700a564c] /usr/lib64/perl5/CORE/libperl.so(Perl_hv_common+0xae2)[0x3f700a7e92] /usr/lib64/perl5/CORE/libperl.so(Perl_pp_delete+0x451)[0x3f700dcfb1] /usr/lib64/perl5/CORE/libperl.so(Perl_runops_standard+0x16)[0x3f700ac796] /usr/lib64/perl5/CORE/libperl.so(perl_run+0x3aa)[0x3f7004ddfa] perl[0x400cd9] /lib64/libc.so.6(__libc_start_main+0xed)[0x3f5ec2169d] perl[0x400d11] This issue has been reported to upstream as <https://rt.perl.org/rt3/Public/Bug/Display.html?id=100340> and fixed in development tree as commit: commit 3b2cd8095a6fc52afccf519205a3c5a92669b0c3 Author: Father Chrysostomos <sprout> Date: Sat Dec 31 18:54:14 2011 -0800 [perl #100340] Free hash entries before values on delete When a hash element is deleted in void context, if the value is freed before the hash entry, it is possible for a destructor to see the hash in an inconsistent state--inconsistent in that it contains entries that are about to be freed, with nothing to indicate that. So the destructor itself could free the very same hash entry (e.g., by freeing the hash), resulting in a double free, panic, or other unpleasantness.