Bug#711206: [perl] double free in Digest::SHA

Dominic Hargreaves dom at earth.li
Fri Jun 21 20:36:27 UTC 2013


Control: tags -1 +patch

On Thu, Jun 20, 2013 at 11:07:47PM +0100, Dominic Hargreaves wrote:
> This appears on the face of it to be the same issue as #698174,
> or at least a variation of it. 
> 
> I also managed to reproduce this with perl 5.18, a few times:
> 
> dom at perltest2:~/vanityhash-1.1$ ./vanityhash -b 32 -w 6 -d sha1 08b5124c447f </dev/null
> Reading input data and adding to digest...done.
> Original data: 0 bytes, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
> Searching for 08b5124c447f at position 0 in a 32-bit space.
> Spawning 6 workers... done.
> ^CUser interrupt, cleaning up.
> *** Error in `/usr/bin/perl': double free or corruption (!prev): 0x09967830 ***
> ======= Backtrace: =========
> /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x75e42)[0xb7569e42]
> /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x76b80)[0xb756ab80]
> /usr/lib/perl/5.18/auto/Digest/SHA/SHA.so(+0x62bd)[0xb72802bd]
> /usr/lib/perl/5.18/auto/Digest/SHA/SHA.so(+0x7e2d)[0xb7281e2d]
> /usr/bin/perl(Perl_pp_entersub+0x5eb)[0x80f6e8b]
> /usr/bin/perl(Perl_runops_standard+0x18)[0x80ef0f8]
> /usr/bin/perl(Perl_call_sv+0x46c)[0x8078f0c]
> /usr/bin/perl[0x81005a0]
> /usr/bin/perl(Perl_sv_clear+0x41e)[0x8100b2e]
> /usr/bin/perl(Perl_sv_free2+0xe7)[0x8101177]
> /usr/bin/perl[0x81015d4]
> /usr/bin/perl[0x80f8164]
> /usr/bin/perl(Perl_sv_clean_objs+0x30)[0x8101860]
> /usr/bin/perl(perl_destruct+0x138)[0x807b598]
> /usr/bin/perl(main+0xfb)[0x805ed6b]
> /lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xf5)[0xb750d8c5]
> /usr/bin/perl[0x805ede1]

...

> Search finished in 00:00, 0 matches found in 0% of a 32-bit space.
> 
> The next thing to do is to reduce the test case, but it's not clear
> what to yet.
> 
> This is also reproducible with libdigest-sha-perl 5.84-1, so I'll forward
> this upstream in any case.

And there is a tentative fix upstream already[1], so tagging this +patch.
I guess we should commit this to a wheezy branch once released, but not sure
that we will want to make a point release just for this.

Dominic.

[1] <https://rt.cpan.org/Public/Bug/Display.html?id=86295#txn-1226433>



