Message 88181 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	billm
Recipients	billm
Date	2009-05-22.08:18:49
SpamBayes Score	5.551115e-17
Marked as misclassified	No
Message-id	<1242980336.93.0.332167282409.issue6083@psf.upfronthosting.co.za>
In-reply-to

Content
The code for resource_setrlimit in Modules/resource.c does not handle reference counting properly. The following Python code segfaults for me on Ubuntu 8.10 in Python 2.5.2 and also a custom-built 2.6.1. -- import resource l = [0, 0] class MyNum: def __int__(self): l[1] = 20 return 10 def __del__(self): print 'byebye', self l[0] = MyNum() l[1] = MyNum() resource.setrlimit(resource.RLIMIT_CPU, l) -- The problem is that setrlimit gets its arguments by calling: PyArg_ParseTuple(args, "i(OO):setrlimit", &resource, &curobj, &maxobj) The references curobj and maxobj are borrowed. The second argument can be passed as a mutable list rather than a tuple, so it's possible to update the list in the middle of setrlimit, causing maxobj to be destroyed before setrlimit is done with it. I've attached a patch that INCREFs both variables immediately after parsing them to avoid this problem. In my opinion it seems dangerous to allow format strings with the 'O' specifier appearing in parentheses. You normally expect that objects returned from PyArg_ParseTuple are pretty safe, but the fact that the inner sequence may be mutable violates this assumption. Might it make sense to ban this use case? I only found one other instance of it in the Python source tree, inside ctypes. This one may also be a crashing bug--I didn't look at it carefully enough.

The code for resource_setrlimit in Modules/resource.c does not handle
reference counting properly. The following Python code segfaults for me
on Ubuntu 8.10 in Python 2.5.2 and also a custom-built 2.6.1.

--
import resource

l = [0, 0]

class MyNum:
    def __int__(self):
        l[1] = 20
        return 10

    def __del__(self):
        print 'byebye', self

l[0] = MyNum()
l[1] = MyNum()
resource.setrlimit(resource.RLIMIT_CPU, l)
--

The problem is that setrlimit gets its arguments by calling:
   PyArg_ParseTuple(args, "i(OO):setrlimit", 
                    &resource, &curobj, &maxobj)
The references curobj and maxobj are borrowed. The second argument can
be passed as a mutable list rather than a tuple, so it's possible to
update the list in the middle of setrlimit, causing maxobj to be
destroyed before setrlimit is done with it.

I've attached a patch that INCREFs both variables immediately after
parsing them to avoid this problem.

In my opinion it seems dangerous to allow format strings with the 'O'
specifier appearing in parentheses. You normally expect that objects
returned from PyArg_ParseTuple are pretty safe, but the fact that the
inner sequence may be mutable violates this assumption. Might it make
sense to ban this use case? I only found one other instance of it in the
Python source tree, inside ctypes. This one may also be a crashing
bug--I didn't look at it carefully enough.

History
Date	User	Action	Args
2009-05-22 08:18:57	billm	set	recipients: + billm
2009-05-22 08:18:56	billm	set	messageid: <1242980336.93.0.332167282409.issue6083@psf.upfronthosting.co.za>
2009-05-22 08:18:54	billm	link	issue6083 messages
2009-05-22 08:18:51	billm	create