Bug 771303 - Perl crashes on double free in void context when deleting hash entry that destroys value before
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: perl
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
URL: https://rt.perl.org/rt3/Public/Bug/Di...
 
Reported: 2012-01-03 09:18 UTC by Petr Pisar
Modified: 2012-12-20 16:02 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-12-20 16:01:59 UTC



Description Petr Pisar 2012-01-03 09:18:39 UTC
Running:

#!/usr/bin/env perl

# Destructor of a "guard" object: runs the stored callback when the object is freed.
*guard::DESTROY = sub {
   ${$_[0]}->();
};

# guard(BLOCK) wraps a callback in a blessed scalar reference.
*guard = sub (&) {
   my $callback = shift;
   return bless \$callback, "guard"
};

my %t; %t = (
    stash => {
        # The guard's destructor deletes the enclosing hash $t{stash},
        # which still contains the very entry being deleted below.
        guard => guard(sub{
            print "Guard\n";
            delete $t{stash};
        }),
        foo => "bar",
        bar => "baz",
    },
);

# In void context the value is freed (running DESTROY) before the hash
# entry is unlinked, so the entry ends up being freed twice.
delete $t{stash}{guard};


causes a SIGABRT from the glibc heap allocator:

$ ./perl-doublefree_on_delete_hash_entry 
Guard
*** glibc detected *** perl: munmap_chunk(): invalid pointer: 0x000000000222be38 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3f5ec7c2d6]
/usr/lib64/perl5/CORE/libperl.so(Perl_hv_free_ent+0x6c)[0x3f700a564c]
/usr/lib64/perl5/CORE/libperl.so(Perl_hv_common+0xae2)[0x3f700a7e92]
/usr/lib64/perl5/CORE/libperl.so(Perl_pp_delete+0x451)[0x3f700dcfb1]
/usr/lib64/perl5/CORE/libperl.so(Perl_runops_standard+0x16)[0x3f700ac796]
/usr/lib64/perl5/CORE/libperl.so(perl_run+0x3aa)[0x3f7004ddfa]
perl[0x400cd9]
/lib64/libc.so.6(__libc_start_main+0xed)[0x3f5ec2169d]
perl[0x400d11]

This issue has been reported upstream as <https://rt.perl.org/rt3/Public/Bug/Display.html?id=100340> and fixed in the development tree as commit:

commit 3b2cd8095a6fc52afccf519205a3c5a92669b0c3
Author: Father Chrysostomos <sprout@cpan.org>
Date:   Sat Dec 31 18:54:14 2011 -0800

    [perl #100340] Free hash entries before values on delete
    
    When a hash element is deleted in void context, if the value is freed
    before the hash entry, it is possible for a destructor to see the hash
    in an inconsistent state--inconsistent in that it contains entries
    that are about to be freed, with nothing to indicate that.  So the
    destructor itself could free the very same hash entry (e.g., by
    freeing the hash), resulting in a double free, panic, or other
    unpleasantness.
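
A version check added here (not from the bug report or from upstream perl) that tells a fixed perl from a vulnerable one without triggering the crash: the guard's destructor only asks whether the entry being deleted is still visible in the hash, which the upstream fix guarantees it is not. The `Guard` package and the script's output are my own; the expectation that an unfixed perl still shows the entry is taken from the commit message above.

```perl
#!/usr/bin/env perl
# Added check, not part of the bug report: when the value's destructor runs,
# has the hash entry already been unlinked?  Upstream's fix ("free hash
# entries before values on delete") makes that true.  The destructor below
# only reads the hash and never deletes from it, so it does not trip the
# double free on an unpatched perl; it merely observes the ordering.
use strict;
use warnings;

my %t;
my $entry_visible;    # set inside DESTROY: 1 if the entry was still there

{
    package Guard;

    sub new {
        my ($class, $cb) = @_;
        return bless \$cb, $class;
    }

    sub DESTROY {
        # Is the key whose value is being destroyed still present in %t?
        # Patched perl: the entry is already gone.  Unpatched (assumed from
        # the commit message): the entry is still chained in the hash.
        $entry_visible = (exists $t{stash}{guard}) ? 1 : 0;
        ${ $_[0] }->();
    }
}

%t = (
    stash => {
        guard => Guard->new(sub { print "Guard destructor ran\n" }),
        foo   => "bar",
    },
);

delete $t{stash}{guard};    # void context, same as the reproducer

if ($entry_visible) {
    print "UNPATCHED: destructor still saw the entry in the hash (perl ", $], ")\n";
    exit 1;
}
print "OK: entry was unlinked before its value was freed (perl ", $], ")\n";
exit 0;
```

The exit status makes the script usable from a packaging test suite: non-zero means the running interpreter still frees the value before the entry.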

Comment 1 Petr Pisar 2012-09-11 12:24:32 UTC
F17 is affected. perl-5.16.1 is clean.

Comment 2 Fedora Update System 2012-09-11 16:53:46 UTC
perl-5.14.2-214.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/perl-5.14.2-214.fc17

Comment 3 Fedora Update System 2012-09-11 17:03:23 UTC
perl-5.14.2-200.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/perl-5.14.2-200.fc16

Comment 4 Fedora Update System 2012-09-12 00:27:37 UTC
Package perl-5.14.2-214.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-5.14.2-214.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-13829/perl-5.14.2-214.fc17
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2012-09-14 12:17:35 UTC
perl-5.14.2-215.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/perl-5.14.2-215.fc17

Comment 6 Fedora Update System 2012-09-14 12:18:51 UTC
perl-5.14.2-201.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/perl-5.14.2-201.fc16

Comment 7 Fedora Update System 2012-12-20 16:02:01 UTC
perl-5.14.2-214.fc17 has been pushed to the Fedora 17 obsolete repository.  If problems still persist, please make note of it in this bug report.

