classification
Title: Use after free during json encoding a dict (3)
Type: crash
Stage: patch review
Components: Extension Modules
Versions: Python 3.4, Python 3.5
process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: Use after free during json encoding (PyType_IsSubtype) (issue24094)
Assigned To: serhiy.storchaka
Nosy List: Arfrever, benjamin.peterson, ezio.melotti, pitrou, pkt, rhettinger, serhiy.storchaka
Priority: normal
Keywords: patch

Created on 2015-05-01 14:19 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name                        Uploaded
poc_enc_dict3.py                 pkt, 2015-05-01 14:19
json_encode_mutated_dict.patch   serhiy.storchaka, 2015-05-02 10:19
Messages (8)
msg242322 - Author: paul (pkt) Date: 2015-05-01 14:19
# Program received signal SIGSEGV, Segmentation fault.
# 0x40036740 in encoder_listencode_dict (s=0x405b43fc, acc=0xbf86438c, dct=<D at remote 0x405b2fb4>, indent_level=0)
#     at /home/p/Python-3.4.1/Modules/_json.c:1557
# 1557                PyList_SET_ITEM(items, i, item);
# (gdb)  print *(PyListObject*)items
# $1 = {ob_base = {ob_base = {_ob_next = 0x405bcab4, _ob_prev = 0x40591184, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}, 
#     ob_size = 0}, ob_item = 0x0, allocated = 0}
# (gdb) print i
# $2 = 112233
# 
# "items" was cleared in __hash__, so we get a wild write at a controlled address.
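Added example (not the attached poc_enc_dict3.py, which is not reproduced on this page, and not the project's own code): a pure-Python model of the re-entrancy that msg242322 describes. HostileDict, ClearingKey and both encoder functions are made-up names for illustration. The vulnerable model assumes the 3.4.1 sort_keys code path in encoder_listencode_dict(), where the key list comes from dct.keys(), is sorted, and is then rewritten in place by index while PyDict_GetItem() calls key.__hash__(); in Python the out-of-range assignment raises IndexError where the C code writes through PyList_SET_ITEM into a list whose ob_item is gone. The hardened model is the general defensive pattern (iterate a private snapshot and tolerate mutation of the mapping), not a transcription of json_encode_mutated_dict.patch.

```python
"""Pure-Python model of the re-entrancy in msg242322 (added example; the
attached poc_enc_dict3.py is not on this page and this is not the
project's code).  Assumption: the 3.4.1 sort_keys path in
encoder_listencode_dict() obtained the key list via dct.keys(), sorted it,
then wrote (key, value) tuples back into it with PyList_SET_ITEM."""


class HostileDict(dict):
    """Hypothetical dict subclass whose keys() returns a list that the keys
    themselves can reach later.  For a subclass, PyMapping_Keys() hands the
    encoder this very list, so it ends up indexing into a buffer that user
    code controls."""

    def keys(self):
        self.exposed = list(dict.keys(self))
        return self.exposed


class ClearingKey:
    """Hypothetical key whose __hash__ runs user code inside the encoder
    loop.  It is benign until `armed` is set so the dict can be built
    normally first."""

    armed = False

    def __init__(self, owner, n):
        self.owner = owner
        self.n = n

    def __hash__(self):
        if ClearingKey.armed:
            # Reentrancy: empty the list the encoder is indexing into.
            self.owner.exposed.clear()
        return hash(self.n)

    def __eq__(self, other):
        return isinstance(other, ClearingKey) and self.n == other.n

    def __lt__(self, other):          # needed by sort()
        return self.n < other.n

    def __repr__(self):
        return "k%d" % self.n


def build_hostile_dict(n=3):
    """Constructed sample input: three ClearingKeys mapping to v0..v2."""
    d = HostileDict()
    for i in range(n):
        d[ClearingKey(d, i)] = "v%d" % i   # __hash__ runs unarmed here
    return d


def encode_dict_py341_model(dct):
    """Shape of the vulnerable loop: the length is read once and the loop
    writes back by index; between the read and the write, dct[key] calls
    key.__hash__(), which can shrink `items`."""
    items = dct.keys()              # PyMapping_Keys: user-reachable list
    items.sort()                    # PyList_Sort
    nitems = len(items)             # PyList_GET_SIZE, read once
    for i in range(nitems):
        key = items[i]              # PyList_GET_ITEM
        value = dct[key]            # PyDict_GetItem -> key.__hash__ -> user code
        items[i] = (key, value)     # PyList_SET_ITEM: IndexError here, wild write in C
    return "{" + ", ".join("%r: %r" % kv for kv in items) + "}"


def encode_dict_hardened_model(dct):
    """General defensive pattern (not a transcription of the patch): iterate
    a private snapshot no user code can reach, and treat every call that can
    run user code as a point where the mapping may have changed."""
    items = sorted(dct.keys())      # fresh list; keys() result is not our buffer
    pairs = []
    for key in items:
        try:
            value = dct[key]        # user code still runs here
        except KeyError:            # key removed by reentrant code: skip it
            continue
        pairs.append((key, value))
    return "{" + ", ".join("%r: %r" % kv for kv in pairs) + "}"


def run_under_attack(encoder):
    """Run `encoder` on a fresh, armed HostileDict.  Returns
    (result, exception_type); exactly one of the two is None."""
    d = build_hostile_dict()
    ClearingKey.armed = True
    try:
        return encoder(d), None
    except Exception as exc:        # the Python stand-in for the C crash
        return None, type(exc)
    finally:
        ClearingKey.armed = False


if __name__ == "__main__":
    print("3.4.1 model:   ", run_under_attack(encode_dict_py341_model))
    print("hardened model:", run_under_attack(encode_dict_hardened_model))
```

The point of the model is the control flow, not the crash: anything the C loop calls between reading the list size and writing by index (hash, compare, __lt__ during the sort, default()) is a place where user code can resize or free the buffer, and the fix has to either stop sharing the buffer with user code or re-validate after every such call.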
msg242377 - Author: Raymond Hettinger (rhettinger) * (Python committer) Date: 2015-05-02 05:08
Please don't file multiple tracker items for the same module.
msg242378 - Author: paul (pkt) Date: 2015-05-02 05:16
You want multiple bugs in the same module grouped in one issue?
msg242380 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-05-02 05:35
Yes, if they are related. I didn't look at the code closely, but at first glance all your recently opened issues look related (maybe I'm wrong).
msg242384 - Author: paul (pkt) Date: 2015-05-02 08:07
@Serhiy:
Not all of my bugs are in the same module.

Sure, I will group them by module in the future.
msg242387 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-05-02 10:19
Proposed patch fixes three related issues: issue24094, issue24095 and issue24105.
msg242480 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2015-05-03 14:34
I applied a very similar patch for #24094.
msg242484 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-05-03 14:41
Here is a disadvantage of opening several issues for similar bugs.
History
Date                 User               Action  Args
2022-04-11 14:58:16  admin              set     github: 68293
2015-05-03 14:41:33  serhiy.storchaka   set     messages: + msg242484
2015-05-03 14:34:31  benjamin.peterson  set     status: open -> closed; nosy: + benjamin.peterson; messages: + msg242480; superseder: Use after free during json encoding (PyType_IsSubtype); resolution: duplicate
2015-05-03 06:56:24  Arfrever           set     nosy: + Arfrever
2015-05-02 10:19:43  serhiy.storchaka   set     files: + json_encode_mutated_dict.patch; versions: + Python 3.5; messages: + msg242387; assignee: serhiy.storchaka; keywords: + patch; stage: patch review
2015-05-02 08:07:58  pkt                set     messages: + msg242384
2015-05-02 05:35:39  serhiy.storchaka   set     messages: + msg242380
2015-05-02 05:16:58  pkt                set     messages: + msg242378
2015-05-02 05:08:06  rhettinger         set     messages: + msg242377
2015-05-02 04:54:02  serhiy.storchaka   set     nosy: + rhettinger, pitrou, ezio.melotti, serhiy.storchaka; components: + Extension Modules
2015-05-01 14:19:50  pkt                create