This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Segfault with nonsensical random state
Type: crash Stage: resolved
Components: Extension Modules Versions: Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: serhiy.storchaka Nosy List: mark.dickinson, python-dev, rhettinger, serhiy.storchaka, skrah
Priority: normal Keywords: patch

Created on 2015-07-12 19:19 by skrah, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
random_setstate_index.patch serhiy.storchaka, 2015-07-12 20:03 review
Messages (6)
msg246661 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2015-07-12 19:19 
While trying to find a possible cause for #24546, I came across this
glitch:

Python 3.6.0a0 (default:02b81a82a57d, Jul 12 2015, 20:33:44) 
[GCC 4.8.4] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import random
>>> s = (3, (999999999999999,)*625, None)
>>> random.setstate(s)
>>> random.choice([1,2,3,4,5])
Segmentation fault (core dumped)
msg246666 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-07-12 19:44 
Can't reproduce on 32-bit.
msg246667 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2015-07-12 19:48 
I think it's just a matter of checking for self->index <= N in setstate().
msg246669 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-07-12 20:03 
But I can reproduce the crash with other example.

import random
random.setstate((3, (1,)*624+(-10**9,), None))
random.random()

The index attribute can be set to negative value and this causes reading out of the buffer.

Here is a patch that fixes this.
msg247259 - (view) Author: Raymond Hettinger (rhettinger) * (Python committer) Date: 2015-07-24 05:31 
This is ready to apply.
msg247261 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2015-07-24 06:10 
New changeset 0933c00c2765 by Serhiy Storchaka in branch '3.4':
Issue #24620: Random.setstate() now validates the value of state last element.
https://hg.python.org/cpython/rev/0933c00c2765

New changeset 84070c1225c5 by Serhiy Storchaka in branch '2.7':
Issue #24620: Random.setstate() now validates the value of state last element.
https://hg.python.org/cpython/rev/84070c1225c5

New changeset d8229c26dd92 by Serhiy Storchaka in branch '3.5':
Issue #24620: Random.setstate() now validates the value of state last element.
https://hg.python.org/cpython/rev/d8229c26dd92

New changeset f6e399ae670f by Serhiy Storchaka in branch 'default':
Issue #24620: Random.setstate() now validates the value of state last element.
https://hg.python.org/cpython/rev/f6e399ae670f
History
Date User Action Args
2022-04-11 14:58:18adminsetgithub: 68808
2015-07-24 06:12:27serhiy.storchakasetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2015-07-24 06:10:28python-devsetnosy: + python-dev
messages: + msg247261
2015-07-24 05:31:45rhettingersetassignee: rhettinger -> serhiy.storchaka
messages: + msg247259
2015-07-13 05:11:10rhettingersetassignee: rhettinger
2015-07-12 20:03:39serhiy.storchakasetfiles: + random_setstate_index.patch
versions: + Python 2.7, Python 3.4, Python 3.5, Python 3.6
messages: + msg246669

keywords: + patch
stage: needs patch -> patch review
2015-07-12 19:48:18skrahsetmessages: + msg246667
2015-07-12 19:44:09serhiy.storchakasetnosy: + serhiy.storchaka
messages: + msg246666

components: + Extension Modules
type: crash
stage: needs patch
2015-07-12 19:19:24skrahcreate