From d76f7a7ba835789a1ca93e3c0db2fc17a9f11907 Mon Sep 17 00:00:00 2001
From: Petr Písař
Date: Feb 06 2017 14:28:42 +0000
Subject: Fix a memory leak of a class name from retrieve_hook() on an exception
---
diff --git a/Storable-2.56-prevent-leak-of-class-name-from-retrieve_hook-on-an-.patch b/Storable-2.56-prevent-leak-of-class-name-from-retrieve_hook-on-an-.patch
new file mode 100644
index 0000000..bcd9c65
--- /dev/null
+++ b/Storable-2.56-prevent-leak-of-class-name-from-retrieve_hook-on-an-.patch
@@ -0,0 +1,81 @@
+From 979ae704ddc9e6f19d8dbf7a83bea155065ef3cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Mon, 6 Feb 2017 15:26:09 +0100
+Subject: [PATCH] prevent leak of class name from retrieve_hook() on an
+ exception
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported from perl:
+
+commit da1ec2b1b9abdfd956d9c539abf39d908d046304
+Author: Tony Cook
+Date: Mon Feb 6 11:38:10 2017 +1100
+
+ prevent leak of class name from retrieve_hook() on an exception
+
+ If supplied with a large class name, retrieve_hook() allocates
+ buffer for the class name and Safefree()s it on exit path.
+
+ Unfortunately this memory leaks if load_module() (or a couple of other
+ code paths) throw an exception.
+
+ So use SAVEFREEPV() to release the memory instead.
+
+ ==20183== 193 bytes in 1 blocks are definitely lost in loss record 4 of 6
+ ==20183== at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==20183== by 0x55F85D: Perl_safesysmalloc (util.c:153)
+ ==20183== by 0x6ACA046: retrieve_hook (Storable.xs:4265)
+ ==20183== by 0x6AD6D19: retrieve (Storable.xs:6217)
+ ==20183== by 0x6AD8144: do_retrieve (Storable.xs:6401)
+ ==20183== by 0x6AD85B7: pretrieve (Storable.xs:6506)
+ ==20183== by 0x6AD8E14: XS_Storable_pretrieve (Storable.xs:6718)
+ ==20183== by 0x5C176D: Perl_pp_entersub (pp_hot.c:4227)
+ ==20183== by 0x55E1C6: Perl_runops_debug (dump.c:2450)
+ ==20183== by 0x461B79: S_run_body (perl.c:2528)
+ ==20183== by 0x46115C: perl_run (perl.c:2451)
+ ==20183== by 0x41F1CD: main (perlmain.c:123)
+
+Signed-off-by: Petr Písař
+---
+ Storable.xs | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/Storable.xs b/Storable.xs
+index 3cce3ed..75ce3df 100644
+--- a/Storable.xs
++++ b/Storable.xs
+@@ -4249,6 +4249,11 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
+ 
+ TRACEME(("class name: %s", classname));
+ 
++ if (!(flags & SHF_IDX_CLASSNAME) && classname != buf) {
++ /* some execution paths can throw an exception */
++ SAVEFREEPV(classname);
++ }
++
+ /*
+ * Decode user-frozen string length and read it in an SV.
+ *
+@@ -4367,8 +4372,6 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
+ SEEN0(sv, 0);
+ SvRV_set(attached, NULL);
+ SvREFCNT_dec(attached);
+- if (!(flags & SHF_IDX_CLASSNAME) && classname != buf)
+- Safefree(classname);
+ return sv;
+ }
+ CROAK(("STORABLE_attach did not return a %s object", classname));
+@@ -4449,8 +4452,6 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
+ SvREFCNT_dec(frozen);
+ av_undef(av);
+ sv_free((SV *) av);
+- if (!(flags & SHF_IDX_CLASSNAME) && classname != buf)
+- Safefree(classname);
+ 
+ /*
+ * If we had an type, then the object was not as simple, and
+-- 
+2.7.4
+
diff --git a/perl-Storable.spec b/perl-Storable.spec
index cc30228..2f12e0d 100644
--- a/perl-Storable.spec
+++ b/perl-Storable.spec
@@ -21,6 +21,9 @@ Patch3: perl-5.25.7-Fix-Storable-segfaults.patch
 # Fix a stack buffer overflow in deserialization of hooks, RT#130635,
 # fixed in perl after 5.25.9
 Patch4: Storable-2.56-Fix-stack-buffer-overflow-in-deserialization-of-hook.patch
+# Fix a memory leak of a class name from retrieve_hook() on an exception,
+# RT#130635, fixed in perl after 5.25.9
+Patch5: Storable-2.56-prevent-leak-of-class-name-from-retrieve_hook-on-an-.patch
 BuildRequires: coreutils
 BuildRequires: gcc
 BuildRequires: make
@@ -81,6 +84,7 @@ can be conveniently stored to disk and retrieved at a later time.
 %patch2 -p1
 %patch3 -p3
 %patch4 -p1
+%patch5 -p1
 # Remove bundled modules
 rm -rf t/compat
 sed -i -e '/^t\/compat\//d' MANIFEST
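Review bot: In the embedded Storable.xs patch, the guarded `SAVEFREEPV(classname);` in the `@@ -4249` hunk is registered only after the class name has already been read into the heap buffer and traced, so any early return between the allocation and this point (those lines are outside the hunk; if the read of the class name can bail out on truncated input, that path is not covered) still leaks the buffer. Moving the three-line `if (!(flags & SHF_IDX_CLASSNAME) && classname != buf) { SAVEFREEPV(classname); }` block to immediately after the allocation of `classname` would close that gap without further change. With SAVEFREEPV the buffer is now released when the enclosing Perl scope unwinds rather than at return from retrieve_hook(), so the two later hunks dropping `Safefree(classname)` are required, and any other `Safefree(classname)` left in the function (none is visible here, and the 5/4 diffstat suggests none remains) would now be a double free. That deferred release also means a deeply nested retrieve with many oversized class names holds all of its buffers until scope exit, which is a higher peak on malformed input than the old per-call free; a sentence in the patch header noting this trade-off would help the next backporter. retrieve_hook() begins and ends outside every hunk shown.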
@@ -109,6 +113,8 @@ make test
 %changelog
 * Mon Feb 06 2017 Petr Pisar - 1:2.56-368
 - Fix a stack buffer overflow in deserialization of hooks (RT#130635)
+- Fix a memory leak of a class name from retrieve_hook() on an exception
+ (RT#130635)
 
 * Tue Dec 20 2016 Petr Pisar - 1:2.56-367
 - Fix crash in Storable when deserializing malformed code reference