This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Use after free in Element.remove
Type: crash Stage: resolved
Components: Extension Modules Versions: Python 3.4, Python 3.5
process
Status: closed Resolution: duplicate
Dependencies: Superseder: Use after free in Element.extend (1)
View: 24091
Assigned To: Nosy List: Arfrever, christian.heimes, eli.bendersky, pkt, scoder, serhiy.storchaka
Priority: normal Keywords:

Created on 2015-05-01 13:58 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
poc_elt_remove.py pkt, 2015-05-01 13:58
Messages (2)
msg242307 - (view) Author: paul (pkt) Date: 2015-05-01 13:58 
# Program received signal SIGABRT, Aborted.
# 0x40022424 in __kernel_vsyscall ()
# (gdb) bt
# #0  0x40022424 in __kernel_vsyscall ()
# #1  0x400bb1df in raise () from /lib/i386-linux-gnu/libc.so.6
# #2  0x400be825 in abort () from /lib/i386-linux-gnu/libc.so.6
# #3  0x08067030 in Py_FatalError (
#     msg=0xbfed7a20 "/home/p/Python-3.4.1/Modules/_elementtree.c:1436 object at 0x405743ec has negative ref count -606348326")
#     at Python/pythonrun.c:2633
# #4  0x080f1374 in _Py_NegativeRefcount (fname=0x40646100 "/home/p/Python-3.4.1/Modules/_elementtree.c", lineno=1436, 
#     op=<unknown at remote 0x405743ec>) at Objects/object.c:203
# #5  0x4063dfa6 in element_remove (self=0x40583c34, args=(<xml.etree.ElementTree.Element at remote 0x40583bb4>,))
#     at /home/p/Python-3.4.1/Modules/_elementtree.c:1436
# (gdb) frame 5
# #5  0x4063dfa6 in element_remove (self=0x40583c34, args=(<xml.etree.ElementTree.Element at remote 0x40583bb4>,))
#     at /home/p/Python-3.4.1/Modules/_elementtree.c:1436
# 1436        Py_DECREF(self->extra->children[i]);
# (gdb) print i
# $1 = 1
# (gdb) print *(PyObject*)self->extra->children
# $3 = {_ob_next = 0x4057437c, _ob_prev = 0x405743ec, ob_refcnt = 1079461180, ob_type = 0x4057461c}
# 
# Fatal Python error: /home/p/Python-3.4.1/Modules/_elementtree.c:1436 object at 0x405743ec has negative ref count -606348326
# 
# "self->extra->children" is cleared in custom __eq__ method. Py_DECREF handles
# stale pointer. Use after free.
#
msg242432 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-05-02 20:36 
The patch for issue24091 fixes this issue.
History
Date User Action Args
2022-04-11 14:58:16adminsetgithub: 68281
2015-05-03 06:44:43Arfreversetnosy: + Arfrever
2015-05-02 20:36:29serhiy.storchakasetstatus: open -> closed
superseder: Use after free in Element.extend (1)
messages: + msg242432

resolution: duplicate
stage: resolved
2015-05-02 04:46:44serhiy.storchakasetnosy: + scoder, eli.bendersky, serhiy.storchaka
2015-05-01 14:11:38christian.heimessetnosy: + christian.heimes

components: + Extension Modules
versions: + Python 3.5
2015-05-01 13:58:08pktcreate