Subject: Segfault when using return value from auth_list()
I found a reproducible segmentation fault (attached). A quick guess is
that the strings from the return value of auth_list() are being freed twice.
I'm seeing this in Debian (sid), Ubuntu (natty), and Fedora 13, with
perl v.5.10.1.
$ perl ssh2-segfault.pl
Done.
*** glibc detected *** perl: double free or corruption (!prev): 0x08861d50 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6(+0x6b281)[0xb77b7281]
/lib/i686/cmov/libc.so.6(+0x6cad8)[0xb77b8ad8]
/lib/i686/cmov/libc.so.6(cfree+0x6d)[0xb77bbbbd]
/usr/lib/perl5/auto/Net/SSH2/SSH2.so(local_free+0x1d)[0xb757f80d]
/usr/lib/libssh2.so.1(libssh2_session_free+0x27e)[0xb755d42e]
/usr/lib/perl5/auto/Net/SSH2/SSH2.so(XS_Net__SSH2_DESTROY+0x1bf)[0xb759867f]
perl(Perl_pp_entersub+0x50b)[0x80db94b]
perl(Perl_call_sv+0x598)[0x8078cc8]
perl(Perl_sv_clear+0xa0)[0x80e2f40]
perl(Perl_sv_free2+0x4a)[0x80e367a]
perl(Perl_leave_scope+0xc1b)[0x8103fbb]
perl(Perl_pop_scope+0x2c)[0x810405c]
perl(Perl_pp_leave+0xc9)[0x80d8d19]
perl(Perl_runops_standard+0x22)[0x80d36d2]
perl(perl_run+0x32e)[0x807ea9e]
perl(main+0xed)[0x806432d]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7762c76]
perl[0x8064171]
Aborted
Subject: ssh2-segfault.pl
#!/usr/bin/perl
use Net::SSH2;
use Readonly;
use threads;
my $ssh = Net::SSH2->new();
$ssh->connect("localhost");
my %allowed = map {$_ => 1} $ssh->auth_list(); # causes a segfault
print "Done.\n";
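
A toy model of the double-free pattern the report guesses at, added here as an example (not Net::SSH2 or libssh2 code): a session owns its auth-list buffer, and a caller frees the same pointer before session teardown frees it again. The names session, track_free and count_methods are hypothetical, and whether this is the actual cause of the crash above is an assumption the report does not confirm.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed toy model: not libssh2 or Net::SSH2 source. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];   /* pointers currently allocated */
static int double_frees;       /* frees of a pointer that is not live */

static void *track_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

/* Stands in for the free callback the session was given (hypothetical). */
static void track_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;            /* already released: record it, skip free() */
}

struct session { char *auth_list; };   /* the session owns this buffer */

/* Returns a pointer into session-owned storage; the caller must not free it. */
static const char *session_auth_list(struct session *s) {
    if (!s->auth_list) {
        s->auth_list = track_alloc(32);
        strcpy(s->auth_list, "publickey,password");   /* constructed sample */
    }
    return s->auth_list;
}

static void session_free(struct session *s) {
    track_free(s->auth_list);  /* teardown releases what the session owns */
    s->auth_list = NULL;
}

/* Counts methods in the list; free_result=1 models a caller that also frees it. */
static int count_methods(struct session *s, int free_result) {
    const char *list = session_auth_list(s);
    int n = 1;
    for (const char *c = list; *c; c++) n += (*c == ',');
    if (free_result) track_free((void *)list);   /* ownership violation */
    return n;
}

/* Runs one session lifetime and returns the number of double frees seen. */
static int run(int free_result) {
    struct session s = {0};
    double_frees = 0;
    count_methods(&s, free_result);
    session_free(&s);
    return double_frees;
}
```

run(1) reports one double free at teardown, the same point where the backtrace shows local_free being reached from libssh2_session_free; run(0), where the caller leaves the buffer to the session, reports none.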