Fix leaking tied hashes

2013-04-10 14:55:00 +02:00 · 2013-04-10 14:55:00 +02:00 · c367bfcf00
commit c367bfcf00
parent b177230d9a
4 changed files with 262 additions and 1 deletions
--- a/perl-5.16.3-Don-t-leak-deleted-iterator-when-tying-hash.patch
+++ b/perl-5.16.3-Don-t-leak-deleted-iterator-when-tying-hash.patch
@ -0,0 +1,60 @@
+From 677ffc8fe97148750054b11e7fbd21c98f860ee1 Mon Sep 17 00:00:00 2001
+From: Father Chrysostomos <sprout@cpan.org>
+Date: Fri, 21 Sep 2012 18:23:20 -0700
+Subject: [PATCH] =?UTF-8?q?Don=E2=80=99t=20leak=20deleted=20iterator=20whe?=
+ =?UTF-8?q?n=20tying=20hash?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Petr Pisar: ported to 5.16.3
+---
+ pp_sys.c   |  7 +++++++
+ t/op/tie.t | 13 +++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/pp_sys.c b/pp_sys.c
+index 034a2d0..0e35d59 100644
+--- a/pp_sys.c
+++ b/pp_sys.c
+@@ -852,9 +852,16 @@ PP(pp_tie)
+ 
+     switch(SvTYPE(varsv)) {
+ 	case SVt_PVHV:
+	{
+	    HE *entry;
+ 	    methname = "TIEHASH";
+	    if (HvLAZYDEL(varsv) && (entry = HvEITER((HV *)varsv))) {
+		HvLAZYDEL_off(varsv);
+		hv_free_ent((HV *)varsv, entry);
+	    }
+ 	    HvEITER_set(MUTABLE_HV(varsv), 0);
+ 	    break;
+	}
+ 	case SVt_PVAV:
+ 	    methname = "TIEARRAY";
+ 	    if (!AvREAL(varsv)) {
+diff --git a/t/op/tie.t b/t/op/tie.t
+index 9301bb3..5a536b8 100644
+--- a/t/op/tie.t
+++ b/t/op/tie.t
+@@ -1259,3 +1259,16 @@ $h{i}{j} = 'k';
+ print $h{i}{j}, "\n";
+ EXPECT
+ k
+########
+
+# NAME Test that tying a hash does not leak a deleted iterator
+# This produced unbalanced string table warnings under
+# PERL_DESTRUCT_LEVEL=2.
+package l {
+    sub TIEHASH{bless[]}
+}
+$h = {foo=>0};
+each %$h;
+delete $$h{foo};
+tie %$h, 'l';
+EXPECT
+-- 
+1.8.1.4
+
--- a/perl-5.16.3-Don-t-leak-if-hh-copying-dies.patch
+++ b/perl-5.16.3-Don-t-leak-if-hh-copying-dies.patch
@ -0,0 +1,109 @@
+From f5488561bdaab57380bf07e8e66778503a41aca3 Mon Sep 17 00:00:00 2001
+From: Father Chrysostomos <sprout@cpan.org>
+Date: Sun, 23 Sep 2012 12:42:15 -0700
+Subject: [PATCH] =?UTF-8?q?Don=E2=80=99t=20leak=20if=20hh=20copying=20dies?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When %^H is copied on entering a new scope, if it happens to have been
+tied it can die.  This was resulting in leaks, because no protections
+were added to handle that case.
+
+The two things that were leaking were the new hash in hv_copy_hints_hv
+and the new value (for an element) in newSVsv.
+
+By fixing newSVsv itself, this also fixes any potential leaks when
+other pieces of code call newSVsv on explosive values.
+
+Petr Pisar: Ported to 5.16.3
+---
+ hv.c          |  6 ++++++
+ sv.c          |  7 ++++---
+ t/op/svleak.t | 22 +++++++++++++++++++++-
+ 3 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/hv.c b/hv.c
+index 3c35341..29d6352 100644
+--- a/hv.c
+++ b/hv.c
+@@ -1440,6 +1440,9 @@ Perl_hv_copy_hints_hv(pTHX_ HV *const ohv)
+ 	const I32 riter = HvRITER_get(ohv);
+ 	HE * const eiter = HvEITER_get(ohv);
+ 
+	ENTER;
+	SAVEFREESV(hv);
+
+ 	while (hv_max && hv_max + 1 >= hv_fill * 2)
+ 	    hv_max = hv_max / 2;
+ 	HvMAX(hv) = hv_max;
+@@ -1461,6 +1464,9 @@ Perl_hv_copy_hints_hv(pTHX_ HV *const ohv)
+ 	}
+ 	HvRITER_set(ohv, riter);
+ 	HvEITER_set(ohv, eiter);
+
+	SvREFCNT_inc_simple_void_NN(hv);
+	LEAVE;
+     }
+     hv_magic(hv, NULL, PERL_MAGIC_hints);
+     return hv;
+diff --git a/sv.c b/sv.c
+index a43feac..597d71b 100644
+--- a/sv.c
+++ b/sv.c
+@@ -8764,11 +8764,12 @@ Perl_newSVsv(pTHX_ register SV *const old)
+ 	Perl_ck_warner_d(aTHX_ packWARN(WARN_INTERNAL), "semi-panic: attempt to dup freed string");
+ 	return NULL;
+     }
+    /* Do this here, otherwise we leak the new SV if this croaks. */
+    SvGETMAGIC(old);
+     new_SV(sv);
+-    /* SV_GMAGIC is the default for sv_setv()
+-       SV_NOSTEAL prevents TEMP buffers being, well, stolen, and saves games
+    /* SV_NOSTEAL prevents TEMP buffers being, well, stolen, and saves games
+        with SvTEMP_off and SvTEMP_on round a call to sv_setsv.  */
+-    sv_setsv_flags(sv, old, SV_GMAGIC | SV_NOSTEAL);
+    sv_setsv_flags(sv, old, SV_NOSTEAL);
+     return sv;
+ }
+ 
+diff --git a/t/op/svleak.t b/t/op/svleak.t
+index 2f09af3..011c184 100644
+--- a/t/op/svleak.t
+++ b/t/op/svleak.t
+@@ -13,7 +13,7 @@ BEGIN {
+ 	or skip_all("XS::APItest not available");
+ }
+ 
+-plan tests => 23;
+plan tests => 24;
+ 
+ # run some code N times. If the number of SVs at the end of loop N is
+ # greater than (N-1)*delta at the end of loop 1, we've got a leak
+@@ -176,3 +176,23 @@ leak(2, 0, sub {
+     each %$h;
+     undef $h;
+ }, 'tied hash iteration does not leak');
+
+# [perl #107000]
+package hhtie {
+    sub TIEHASH { bless [] }
+    sub STORE    { $_[0][0]{$_[1]} = $_[2] }
+    sub FETCH    { die if $explosive; $_[0][0]{$_[1]} }
+    sub FIRSTKEY { keys %{$_[0][0]}; each %{$_[0][0]} }
+    sub NEXTKEY  { each %{$_[0][0]} }
+}
+leak(2,!!$Config{mad}, sub {
+    eval q`
+    	BEGIN {
+	    $hhtie::explosive = 0;
+	    tie %^H, hhtie;
+	    $^H{foo} = bar;
+	    $hhtie::explosive = 1;
+    	}
+	{ 1; }
+    `;
+}, 'hint-hash copying does not leak');
+-- 
+1.8.1.4
+
--- a/perl-5.16.3-Free-iterator-when-freeing-tied-hash.patch
+++ b/perl-5.16.3-Free-iterator-when-freeing-tied-hash.patch
@ -0,0 +1,78 @@
+From 316518b545904d368d703005f1622fde03349567 Mon Sep 17 00:00:00 2001
+From: Father Chrysostomos <sprout@cpan.org>
+Date: Fri, 21 Sep 2012 22:01:19 -0700
+Subject: [PATCH] Free iterator when freeing tied hash
+
+The current iterator was leaking when a tied hash was freed or
+undefined.
+
+Since we already have a mechanism, namely HvLAZYDEL, for freeing
+HvEITER when not referenced elsewhere, we can use that.
+
+Petr Pisar: Ported to 5.16.3.
+---
+ hv.c          |  3 +++
+ t/op/svleak.t | 15 ++++++++++++++-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/hv.c b/hv.c
+index a031703..3c35341 100644
+--- a/hv.c
+++ b/hv.c
+@@ -2346,6 +2346,7 @@ Perl_hv_iternext_flags(pTHX_ HV *hv, I32 flags)
+             if (entry) {
+                 sv_setsv(key, HeSVKEY_force(entry));
+                 SvREFCNT_dec(HeSVKEY(entry));       /* get rid of previous key */
+		HeSVKEY_set(entry, NULL);
+             }
+             else {
+                 char *k;
+@@ -2353,6 +2354,7 @@ Perl_hv_iternext_flags(pTHX_ HV *hv, I32 flags)
+ 
+                 /* one HE per MAGICAL hash */
+                 iter->xhv_eiter = entry = new_HE(); /* HvEITER(hv) = new_HE() */
+		HvLAZYDEL_on(hv); /* make sure entry gets freed */
+                 Zero(entry, 1, HE);
+                 Newxz(k, HEK_BASESIZE + sizeof(const SV *), char);
+                 hek = (HEK*)k;
+@@ -2369,6 +2371,7 @@ Perl_hv_iternext_flags(pTHX_ HV *hv, I32 flags)
+             Safefree(HeKEY_hek(entry));
+             del_HE(entry);
+             iter->xhv_eiter = NULL; /* HvEITER(hv) = NULL */
+	    HvLAZYDEL_off(hv);
+             return NULL;
+         }
+     }
+diff --git a/t/op/svleak.t b/t/op/svleak.t
+index 6cfee2e..2f09af3 100644
+--- a/t/op/svleak.t
+++ b/t/op/svleak.t
+@@ -13,7 +13,7 @@ BEGIN {
+ 	or skip_all("XS::APItest not available");
+ }
+ 
+-plan tests => 22;
+plan tests => 23;
+ 
+ # run some code N times. If the number of SVs at the end of loop N is
+ # greater than (N-1)*delta at the end of loop 1, we've got a leak
+@@ -163,3 +163,16 @@ leak(2,0,sub { !$^V }, '[perl #109762] version object in boolean context');
+ 
+ # [perl #114764] Attributes leak scalars
+ leak(2, 0, sub { eval 'my $x : shared' }, 'my $x :shared used to leak');
+
+# Tied hash iteration was leaking if the hash was freed before itera-
+# tion was over.
+package t {
+    sub TIEHASH { bless [] }
+    sub FIRSTKEY { 0 }
+}
+leak(2, 0, sub {
+    my $h = {};
+    tie %$h, t;
+    each %$h;
+    undef $h;
+}, 'tied hash iteration does not leak');
+-- 
+1.8.1.4
+
--- a/perl.spec
+++ b/perl.spec
@ -31,7 +31,7 @@
 Name:           perl
 Version:        %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release:        269%{?dist}
+Release:        270%{?dist}
 Epoch:          %{perl_epoch}
 Summary:        Practical Extraction and Report Language
 Group:          Development/Languages
@ -114,6 +114,11 @@ Patch20:        perl-5.17.6-Fix-misparsing-of-maketext-strings.patch
 # Add NAME heading into CPAN PODs, rhbz#908113, CPANRT#73396
 Patch21:        perl-5.16.2-cpan-CPAN-add-NAME-headings-in-modules-with-POD.patch

+# Fix leaking tied hashes, rhbz#859910, RT#107000, fixed after 5.17.4
+Patch22:        perl-5.16.3-Don-t-leak-deleted-iterator-when-tying-hash.patch
+Patch23:        perl-5.16.3-Free-iterator-when-freeing-tied-hash.patch
+Patch24:        perl-5.16.3-Don-t-leak-if-hh-copying-dies.patch
+
 # Update some of the bundled modules
 # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions

@ -1822,6 +1827,9 @@ tarball from perl.org.
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1

 #copy the example script
 cp -a %{SOURCE5} .
@ -2033,6 +2041,9 @@ pushd %{build_archlib}/CORE/
    'Fedora Patch19: Do not crash when vivifying $|' \
    'Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329)' \
    'Fedora Patch21: Add NAME headings to CPAN modules (CPANRT#73396)' \
+    'Fedora Patch22: Fix leaking tied hashes (RT#107000) [1]' \
+    'Fedora Patch23: Fix leaking tied hashes (RT#107000) [2]' \
+    'Fedora Patch24: Fix leaking tied hashes (RT#107000) [3]' \
    %{nil}

 rm patchlevel.bak
@ -3472,6 +3483,9 @@ sed \

 # Old changelog entries are preserved in CVS.
 %changelog
+* Wed Apr 10 2013 Petr Pisar <ppisar@redhat.com> - 4:5.16.3-270
+- Fix leaking tied hashes (bug #859910)
+
 * Tue Apr 09 2013 Petr Pisar <ppisar@redhat.com> - 4:5.16.3-269
 - Sub-package Sys-Syslog (bug #950057)