Date: Mon, 29 Dec 2008 19:38:15 GMT
From: kevin brintnall <kbrint@rufus.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/130033: ports/lang/perl5.8: sv_dup() bug causes memory corruption in threaded perl
Message-ID: <200812291938.mBTJcFh0021342@www.freebsd.org>
Resent-Message-ID: <200812291940.mBTJe1dU084478@freefall.freebsd.org>
>Number:         130033
>Category:       ports
>Synopsis:       ports/lang/perl5.8: sv_dup() bug causes memory corruption in threaded perl
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 29 19:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     kevin brintnall
>Release:        7.0-RELEASE
>Organization:
>Environment:
FreeBSD hamachi.rufus.net 7.0-RELEASE-p6 FreeBSD 7.0-RELEASE-p6 #6: Mon Nov 24 14:35:54 CST 2008 root@hamachi.rufus.net:/usr/obj/usr/src/sys/RUFUS i386
>Description:
A bug in Perl's sv_dup() causes potential memory corruption when new threads are spawned. The nature of the bug is exacerbated by FreeBSD 7's malloc() implementation, which packs like-sized allocations tightly together.

A full description of the bug can be found at:

http://marc.info/?l=perl5-porters&m=123018610517259&w=2
>How-To-Repeat:
>Fix:
The fix has already been integrated into Perl's official development branch ("blead"):

http://perl5.git.perl.org/perl.git/commitdiff/2779b694b3fbb69a13c300a6e239e050151abf6d?hp=f08e0584288c021de71ecd212ba86a45c8f96a5b

That patch does not apply cleanly to Perl 5.8 due to some context changes. Please consider adding the attached patch to ports/lang/perl5.8 until a version of Perl 5.8 is released with the fix.

Patch attached with submission follows:

--- sv.c.orig +++ sv.c @@ -10233,7 +10233,8 @@ Perl_sv_dup(pTHX_ SV *sstr, CLONE_PARAMS* param) SvSTASH_set(dstr, hv_dup_inc(SvSTASH(sstr), param)); AvARYLEN((AV*)dstr) = sv_dup_inc(AvARYLEN((AV*)sstr), param); AvFLAGS((AV*)dstr) = AvFLAGS((AV*)sstr); - if (AvARRAY((AV*)sstr)) { + /* avoid cloning an empty array */ + if (AvARRAY((AV*)sstr) && AvFILLp((AV*)sstr) >= 0) { SV **dst_ary, **src_ary; SSize_t items = AvFILLp((AV*)sstr) + 1;
@@ -10258,6 +10259,8 @@ Perl_sv_dup(pTHX_ SV *sstr, CLONE_PARAMS* param) else { SvPV_set(dstr, Nullch); AvALLOC((AV*)dstr) = (SV**)NULL; + AvMAX( (AV*)dstr) = -1; + AvFILLp((AV*)dstr) = -1; } break; case SVt_PVHV:
>Release-Note:
>Audit-Trail:
>Unformatted:
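Review bot: the new guard in the first hunk (`@@ -10233,7 +10233,8 @@`), `if (AvARRAY((AV*)sstr) && AvFILLp((AV*)sstr) >= 0)`, sends an array that owns a buffer but holds no elements down the `else` path, and the comment `/* avoid cloning an empty array */` does not say why that is safe or necessary. The quantity that matters is on the very next surviving line, `SSize_t items = AvFILLp((AV*)sstr) + 1;`, which is 0 for an empty array, so the comment should name the invariant rather than the symptom, e.g. `/* AvFILLp == -1: nothing to copy, so give the clone no buffer at all */`. Worth a line in the port's patch description as well: a clone of an empty array now comes back with no storage regardless of any spare capacity the source had, which is a deliberate behaviour change and not just a crash fix.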
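Review bot: in the second hunk (`@@ -10258,6 +10259,8 @@`) the two added assignments are the substance of the fix, and they deserve a comment: once `SvPV_set(dstr, Nullch)` and `AvALLOC((AV*)dstr) = (SV**)NULL` have given the clone no storage, a max or fill index left at any value other than -1 would make the clone claim capacity it does not own, so `AvMAX` and `AvFILLp` must be reset in the same place; something like `/* no storage, so max and fill must both be -1 */` keeps that invariant visible and makes clear that the `if` branch, which is outside this hunk, is still responsible for setting them when a buffer is copied. Minor style point: `AvMAX( (AV*)dstr) = -1;` has a stray space after the opening paren, inconsistent with `AvFILLp((AV*)dstr) = -1;` on the next line and with the surrounding sv.c code.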
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200812291938.mBTJcFh0021342>