Bug#711206: [perl] double free in Digest::SHA

Dominic Hargreaves dom at earth.li
Thu Jun 20 22:07:47 UTC 2013


Control: tags -1 +confirmed
Control: found -1 5.18.0-1

On Wed, Jun 05, 2013 at 03:37:55PM +0300, Török Edwin wrote:
> I noticed perl crashing when pressing Ctrl-C on the vanityhash script.
> It is hard to reproduce; apparently it depends a lot on timing. I managed
> to reproduce it only 3 times while writing this bug report (out of ~30).
> 
> $ ./vanityhash -b 32 -w 6 -d sha1 08b5124c447f </dev/null
> 
> Eventually I get a crash like below.
> vanityhash is not in Debian, so I attached the script.
> 
> Reading input data and adding to digest...done.
> Original data: 0 bytes, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
> Searching for 08b5124c447f at position 0 in a 32-bit space.
> Spawning 6 workers... done.
>   0% searched, ~87:15 remaining...
>   0% searched, ~85:04 remaining...
> ^CUser interrupt, cleaning up.
> *** Error in `/usr/bin/perl': double free or corruption (!prev):
> 0x00000000019fbda0 ***
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6[0x3ee9c7aac6]
> /lib/x86_64-linux-gnu/libc.so.6[0x3ee9c7b843]
> /usr/lib/perl/5.14/auto/Digest/SHA/SHA.so(shaclose+0x55)[0x7f14e157a1e5]
> /usr/lib/perl/5.14/auto/Digest/SHA/SHA.so(XS_Digest__SHA_shaclose+0x110)[0x7f14e157a620]
> /usr/lib/libperl.so.5.14(Perl_pp_entersub+0x58c)[0x3eef0b864c]
> /usr/lib/libperl.so.5.14(Perl_runops_standard+0x16)[0x3eef0afc26]
> /usr/lib/libperl.so.5.14(Perl_call_sv+0x45b)[0x3eef04b91b]
> /usr/lib/libperl.so.5.14(Perl_sv_clear+0x559)[0x3eef0beb19]
> /usr/lib/libperl.so.5.14(Perl_sv_free2+0x52)[0x3eef0bf1d2]
> /usr/lib/libperl.so.5.14[0x3eef0b9b17]
> /usr/lib/libperl.so.5.14(Perl_sv_clean_objs+0x26)[0x3eef0bf946]
> /usr/lib/libperl.so.5.14(perl_destruct+0x15f7)[0x3eef04d807]
> /usr/bin/perl(main+0x111)[0x400f51]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x3ee9c21a55]
> /usr/bin/perl[0x400fc1]

This appears on the face of it to be the same issue as #698174,
or at least a variation of it. 

I also managed to reproduce this with perl 5.18, a few times:

dom@perltest2:~/vanityhash-1.1$ ./vanityhash -b 32 -w 6 -d sha1 08b5124c447f </dev/null
Reading input data and adding to digest...done.
Original data: 0 bytes, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
Searching for 08b5124c447f at position 0 in a 32-bit space.
Spawning 6 workers... done.
^CUser interrupt, cleaning up.
*** Error in `/usr/bin/perl': double free or corruption (!prev): 0x09967830 ***
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x75e42)[0xb7569e42]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x76b80)[0xb756ab80]
/usr/lib/perl/5.18/auto/Digest/SHA/SHA.so(+0x62bd)[0xb72802bd]
/usr/lib/perl/5.18/auto/Digest/SHA/SHA.so(+0x7e2d)[0xb7281e2d]
/usr/bin/perl(Perl_pp_entersub+0x5eb)[0x80f6e8b]
/usr/bin/perl(Perl_runops_standard+0x18)[0x80ef0f8]
/usr/bin/perl(Perl_call_sv+0x46c)[0x8078f0c]
/usr/bin/perl[0x81005a0]
/usr/bin/perl(Perl_sv_clear+0x41e)[0x8100b2e]
/usr/bin/perl(Perl_sv_free2+0xe7)[0x8101177]
/usr/bin/perl[0x81015d4]
/usr/bin/perl[0x80f8164]
/usr/bin/perl(Perl_sv_clean_objs+0x30)[0x8101860]
/usr/bin/perl(perl_destruct+0x138)[0x807b598]
/usr/bin/perl(main+0xfb)[0x805ed6b]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xf5)[0xb750d8c5]
/usr/bin/perl[0x805ede1]
Search finished in 00:00, 0 matches found in 0% of a 32-bit space.

The next thing to do is to reduce the test case, but it's not clear
what to yet.

This is also reproducible with libdigest-sha-perl 5.84-1, so I'll forward
this upstream in any case.



