classification
Title: Use after free during json encoding (PyType_IsSubtype)
Type: crash Stage: resolved
Components: Extension Modules Versions: Python 3.5, Python 3.4
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: Arfrever, christian.heimes, ezio.melotti, pitrou, pkt, python-dev, rhettinger, serhiy.storchaka
Priority: normal Keywords:

Created on 2015-05-01 14:00 by pkt, last changed 2015-05-03 06:45 by Arfrever. This issue is now closed.

Files
File name Uploaded Description Edit
poc_enc_dict1.py pkt, 2015-05-01 14:00
Messages (2)
msg242308 - (view) Author: paul (pkt) Date: 2015-05-01 14:00
# Breakpoint 1, encoder_listencode_dict (s=0x405b23fc, acc=0xbfc4038c, dct=<D at remote 0x405c8b34>, indent_level=0)
#     at /home/p/Python-3.4.1/Modules/_json.c:1540
# 1540            items = PyMapping_Keys(dct);
# (gdb) n
# 1541            if (items == NULL)
# (gdb) print *items
# $1 = {_ob_next = 0x405c8af4, _ob_prev = 0x4059006c, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}
# (gdb) n
# 1543            if (!PyList_Check(items)) {
# (gdb) n
# 1547            if (PyList_Sort(items) < 0)
# (gdb) n
# 1549            nitems = PyList_GET_SIZE(items);
# (gdb) n
# 1550            for (i = 0; i < nitems; i++) {
# (gdb) print nitems
# $2 = 1122
# (gdb) n
# 1552                key = PyList_GET_ITEM(items, i);
# (gdb) n
# 1553                value = PyDict_GetItem(dct, key);
# (gdb) print *key
# $3 = {_ob_next = 0x4058eedc, _ob_prev = 0x40590d1c, ob_refcnt = 1, ob_type = 0x405afd1c}
# (gdb) n
# 
# Program received signal SIGSEGV, Segmentation fault.
# 0x08108825 in PyType_IsSubtype (a=0xdbdbdbdb, b=0x830f1a0 <PyLong_Type>) at Objects/typeobject.c:1292
# 1292        mro = a->tp_mro;
# (gdb) bt
# #0  0x08108825 in PyType_IsSubtype (a=0xdbdbdbdb, b=0x830f1a0 <PyLong_Type>) at Objects/typeobject.c:1292
# #1  0x080f22d6 in do_richcompare (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:643
# #2  0x080f263d in PyObject_RichCompare (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:701
# #3  0x080f26ce in PyObject_RichCompareBool (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:723
# #4  0x080df7b5 in lookdict (mp=0x405c8b34, key=<unknown at remote 0x4059006c>, hash=1337, value_addr=0xbfc40200)
#     at Objects/dictobject.c:485
# #5  0x080e145d in PyDict_GetItem (op=<D at remote 0x405c8b34>, key=<unknown at remote 0x4059006c>) at Objects/dictobject.c:1095
# #6  0x405bf6f9 in encoder_listencode_dict (s=0x405b23fc, acc=0xbfc4038c, dct=<D at remote 0x405c8b34>, indent_level=0)
# 
# Deleting the object in the __hash__() method triggers a use-after-free in PyType_IsSubtype.
msg242448 - (view) Author: Roundup Robot (python-dev) Date: 2015-05-03 02:37
New changeset 0e8c9cf1fede by Benjamin Peterson in branch '3.3':
just sort the items tuple directly (closes #24094)
https://hg.python.org/cpython/rev/0e8c9cf1fede

New changeset f9027b10b3c4 by Benjamin Peterson in branch '3.4':
merge 3.3 (#24094)
https://hg.python.org/cpython/rev/f9027b10b3c4

New changeset 3bdf1816f561 by Benjamin Peterson in branch 'default':
merge 3.4 (#24094)
https://hg.python.org/cpython/rev/3bdf1816f561
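The following pure-Python model of the two strategies discussed on this page is an added example; it is neither the reporter's poc_enc_dict1.py nor code from CPython. It contrasts the pre-fix loop visible in the gdb trace of msg242308 (keys(), sort, then PyDict_GetItem per key) with the post-fix approach named in the msg242448 changesets (sort the items directly). Python cannot reproduce the memory corruption, so the model only shows the control-flow hazard the fix removes: the old loop re-enters user code (__hash__/__eq__) through the per-key lookup after it has snapshotted the key list and cached its length, so that code can invalidate the snapshot the loop is still walking. The SharedKeysDict and DroppingKey classes, and the assumption that the PoC obtains a key referenced only by the keys list through a dict subclass's keys() override, are this example's own reconstruction; the page shows only that the key had ob_refcnt = 1 and was freed from inside __hash__.

```python
"""Pure-Python model of the two key-sorting strategies in encoder_listencode_dict.

Added example for this issue, not the reporter's PoC and not CPython code.
"""


class SharedKeysDict(dict):
    """dict subclass whose keys() returns a list the caller also retains.

    Assumption (the PoC is not shown on the page): a dict subclass can hand the
    encoder a list it controls, which is one way a key ends up referenced only
    by that list (the gdb dump shows the key with ob_refcnt = 1).
    """

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.key_list = None
        self.hash_calls = 0

    def keys(self):
        self.key_list = list(super().keys())
        return self.key_list


class DroppingKey:
    """Key whose __hash__ empties the shared key list it was handed out in."""

    def __init__(self, n, owner):
        self.n = n
        self.owner = owner

    def __lt__(self, other):            # needed by list.sort()
        return self.n < other.n

    def __eq__(self, other):
        return isinstance(other, DroppingKey) and self.n == other.n

    def __hash__(self):
        self.owner.hash_calls += 1
        if self.owner.key_list is not None:
            # In the C encoder this drops the last reference to the key that
            # PyDict_GetItem is in the middle of using.
            self.owner.key_list.clear()
        return self.n


def encode_sorted_old(dct):
    """Pre-fix strategy: keys(), sort, then look each key up again in dct."""
    items = dct.keys()                  # PyMapping_Keys: user code, user-owned list
    if not isinstance(items, list):
        raise ValueError("keys must return list")
    items.sort()                        # PyList_Sort: runs __lt__
    nitems = len(items)                 # cached, exactly as the C loop does
    out = []
    for i in range(nitems):
        key = items[i]                  # PyList_GET_ITEM (unchecked in C)
        value = dct[key]                # PyDict_GetItem: runs __hash__ / __eq__
        out.append((key, value))
    return out


def encode_sorted_new(dct):
    """Post-fix strategy: pair keys with values first, then sort the pairs."""
    items = list(dct.items())           # PyMapping_Items: no per-key re-lookup
    items.sort()                        # compares (key, value) tuples via __lt__
    return items


def run_model():
    """Run both strategies on the same hostile mapping and report what happened."""
    dct = SharedKeysDict()
    for n in (2, 1):                    # constructed sample input
        dct[DroppingKey(n, dct)] = "value%d" % n

    dct.hash_calls = 0
    try:
        old = [k.n for k, _ in encode_sorted_old(dct)]
    except IndexError:
        # The snapshot was emptied under the loop while nitems was still 2;
        # the C loop has no bounds check here and keeps reading.
        old = "IndexError"
    hash_calls_old = dct.hash_calls

    dct.key_list = None
    dct.hash_calls = 0
    new = [(k.n, v) for k, v in encode_sorted_new(dct)]
    hash_calls_new = dct.hash_calls

    return {"old": old, "hash_calls_old": hash_calls_old,
            "new": new, "hash_calls_new": hash_calls_new}
```

Running run_model() shows the old strategy invoking __hash__ from inside the encoding loop and then failing on its own stale snapshot, while the new strategy never re-hashes a key at all: the (key, value) tuples own their references, so no user-controlled __hash__ runs between the snapshot and its use. That is the property a reviewer should check for in any C code that iterates a user-supplied container and then re-queries a user-supplied mapping.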
History
Date User Action Args
2015-05-03 14:34:58 benjamin.peterson link issue24095 superseder
2015-05-03 14:34:31 benjamin.peterson link issue24105 superseder
2015-05-03 06:45:58 Arfrever set nosy: + Arfrever
2015-05-03 02:37:22 python-dev set status: open -> closed; nosy: + python-dev; messages: + msg242448; resolution: fixed; stage: needs patch -> resolved
2015-05-02 04:47:20 serhiy.storchaka set nosy: + rhettinger, pitrou, ezio.melotti, serhiy.storchaka
2015-05-01 14:12:33 christian.heimes set nosy: + christian.heimes; stage: needs patch; components: + Extension Modules; versions: + Python 3.5
2015-05-01 14:00:58 pkt create