python-cdb double free

Bug #157251 reported by Evan Klitzke
Affects: python-cdb (Ubuntu)
Status: Won't Fix
Importance: Medium
Assigned to: Daniel T Chen

Bug Description

Binary package hint: python-cdb

python 2.5.1-1ubuntu2
python-cdb 0.32-5.2ubuntu2

Python-cdb dies on a double free when looking up a key in a dictionary. Attaching a simple test case.

Tags: testcase
Evan Klitzke (eklitzke2) wrote :

I've attached a very minimal test case exhibiting the problem. The output when running the test case is as follows:

evan@thinkpad ~/Desktop $ python fail_cdb.py
bar
*** glibc detected *** python: free(): invalid pointer: 0xb7d847b8 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e6cd65]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7e70800]
/usr/lib/python2.5/site-packages/cdbmodule.so[0xb7d361cd]
python[0x80855f9]
python(PyDict_SetItem+0x6e)[0x8086f5e]
python(_PyModule_Clear+0x158)[0x8088bb8]
python(PyImport_Cleanup+0x153)[0x80dd0e3]
python(Py_Finalize+0xbf)[0x80e931f]
python(Py_Main+0x4d1)[0x8058ea1]
python(main+0x22)[0x80588c2]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7e19050]
python[0x8058831]
Aborted (core dumped)

Evan Klitzke (eklitzke2) wrote :

I am also seeing this bug on Feisty, using the previously attached test case.

Pulu Anau (panau) wrote :

Still occurs on Hardy, 64bit.

Found this link: http://www.notes.xythian.net/2007/10/24/python-cdb-032-52ubuntu2-with-python-25-causes-double-free-corruption-crash-on-dealloc/

His suggestion:
    Some other searching suggests that python-cdb’s use of PyMem_DEL is no longer recommended. I haven’t verified that this doesn’t cause other problems, but replacing cdbmodule.c’s use of PyMem_DEL with PyObject_Del (and the PyObject_NEW with _New, to use consistent naming) [seems to work].

I've done this with the source from upstream, fixes it perfectly, for me. Just FYI.
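
The allocator-family mismatch that the quoted suggestion points at, as an added example that is not part of the original thread and is not CPython or python-cdb code. It is a simplified model that assumes the object allocator serves blocks from its own arena while the raw deallocator is libc free(), so a pointer from one family is an address the other never issued; all names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model, not CPython or python-cdb code; every name is hypothetical.
   Object family: blocks carved from one arena. Raw family: malloc()/free(). */
#define BLOCK_SIZE 64
#define NBLOCKS 16
static unsigned char arena[BLOCK_SIZE * NBLOCKS];
static unsigned char in_use[NBLOCKS];
enum free_result { FREED = 0, WRONG_FAMILY = 1, NOT_ALLOCATED = 2 };

static int in_arena(const void *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)arena;
    return a >= base && a < base + sizeof arena;
}

void *obj_alloc(void) {
    for (size_t i = 0; i < NBLOCKS; i++)
        if (!in_use[i]) { in_use[i] = 1; return arena + i * BLOCK_SIZE; }
    return NULL; /* arena exhausted */
}

enum free_result obj_free(void *p) {
    if (!in_arena(p)) return WRONG_FAMILY; /* NULL or a malloc() pointer */
    size_t off = (size_t)((unsigned char *)p - arena);
    if (off % BLOCK_SIZE || !in_use[off / BLOCK_SIZE])
        return NOT_ALLOCATED; /* interior pointer or double free */
    in_use[off / BLOCK_SIZE] = 0;
    return FREED;
}

/* Checked stand-in for free(): refuses arena addresses, which malloc() never issued. */
enum free_result raw_free_checked(void *p) {
    if (in_arena(p)) return WRONG_FAMILY;
    free(p);
    return FREED;
}

/* Deallocator pattern from the report: object-family allocation, raw release. */
enum free_result dealloc_mismatched(void) {
    void *o = obj_alloc();
    enum free_result r = raw_free_checked(o); /* refused, block still live */
    obj_free(o); /* release it through the matching family */
    return r;
}

/* Pattern after the suggested change: both calls come from the object family. */
enum free_result dealloc_matched(void) { return obj_free(obj_alloc()); }

/* Exit status 0 when the mismatch is caught and the matched pair succeeds. */
int main(void) { return dealloc_mismatched() == WRONG_FAMILY && dealloc_matched() == FREED ? 0 : 1; }
```

Without the check in raw_free_checked, the arena pointer would reach free() directly, which is the situation glibc reports as "free(): invalid pointer" in the trace above.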

Chad Skeeters (goobsoft) wrote :

Occurs on Gutsy/32bit. Pulu's solution worked for me too.

Daniel T Chen (crimsun)
Changed in python-cdb:
assignee: nobody → crimsun
importance: Undecided → Medium
status: New → Confirmed
pilcrow (mjp) wrote :
Jackson Doak (noskcaj) wrote :

This package has been removed, therefore, won't fix

Changed in python-cdb (Ubuntu):
status: Confirmed → Won't Fix