
classification
Title: Use after free in siftdown (1)
Type: crash
Stage: needs patch
Components: Extension Modules
Versions: Python 3.4, Python 3.5
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: rhettinger
Nosy List: Arfrever, christian.heimes, pkt, python-dev, rhettinger, serhiy.storchaka
Priority: normal
Keywords:

Created on 2015-05-01 14:11 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
poc_siftdown1.py, uploaded by pkt, 2015-05-01 14:11
Messages (3)
msg242316 - (view) Author: paul (pkt) Date: 2015-05-01 14:11
# _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
#     ...
#     newitem = PyList_GET_ITEM(heap, pos);
#     Py_INCREF(newitem);
#     /* Follow the path to the root, moving parents down until finding
#        a place newitem fits. */
#     while (pos > startpos){
#         parentpos = (pos - 1) >> 1;
# 1       parent = PyList_GET_ITEM(heap, parentpos);
# 2       cmp = PyObject_RichCompareBool(newitem, parent, Py_LT);
#         if (cmp == -1) {
#             Py_DECREF(newitem);
#             return -1;
#         }
# 3       if (size != PyList_GET_SIZE(heap)) {
#             Py_DECREF(newitem);
#             PyErr_SetString(PyExc_RuntimeError,
#                             "list changed size during iteration");
#             return -1;
#         }
#         if (cmp == 0)
#             break;
# 4       Py_INCREF(parent);
#         ...
# 
# 1. parent isn't protected (refcnt==1)
# 2. custom compare function deletes all objects in "heap" and repopulates it with
#    fresh instances. "parent" is freed
# 3. check is ineffective. Heap was mutated while preserving its size
# 4. use after free. Crash will manifest itself later.
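A constructed regression check for the pattern paul describes (added here; it is neither the attached poc_siftdown1.py nor CPython's own test code): a pushed item whose __lt__ swaps every heap element for a fresh instance without changing the length, so the size check passes while the list drops its reference to the parent. The class names and probe_siftdown are my own; it assumes CPython with the C _heapq accelerator and an interpreter that carries the fix.

```python
import heapq
import weakref

class Fresh:
    """Replacement items; nothing ever compares them, so no ordering is defined."""
    def __init__(self, tag):
        self.tag = tag

class Parent:
    """The heap[0] item that _siftdown reads as `parent` before the compare."""
    def __init__(self, log):
        self.log = log
    def __del__(self):
        self.log.append("parent freed")   # records the moment the parent dies

class Mutator:
    """The pushed item; its __lt__ re-enters the heap while the compare is running."""
    def __init__(self, heap, log):
        self.heap = heap
        self.log = log
    def __lt__(self, other):
        # Replace every element with a fresh instance WITHOUT changing the length:
        # the "list changed size" check (step 3) still passes, but the list no
        # longer references `other`, the parent (step 2).
        self.heap[:] = [Fresh(i) for i in range(len(self.heap))]
        self.log.append("compared")
        return True  # take the swap path, where the old code used parent (step 4)

def probe_siftdown():
    """Push a mutating item onto a one-element heap and report what survived."""
    log = []
    heap = [Parent(log)]
    parent_ref = weakref.ref(heap[0])
    heapq.heappush(heap, Mutator(heap, log))  # runs _siftdown(heap, 0, 1) in C
    return {
        "log": log,
        "parent_released": parent_ref() is None,   # list dropped it mid-compare
        "heap_len": len(heap),
        # A fixed interpreter stores only the re-read Fresh objects; the 2015
        # code would have written its stale `parent` pointer back into the list.
        "all_fresh": all(type(x) is Fresh for x in heap),
    }

if __name__ == "__main__":
    print(probe_siftdown())
```

On a fixed CPython the probe returns parent_released True and all_fresh True: the parent really was released during the compare, yet nothing stale ended up in the heap and the push completes normally.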
msg242408 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2015-05-02 17:07
New changeset 813854f49f9d by Raymond Hettinger in branch '3.4':
Issues #24099, #24100, and #24101: Fix free-after-use bug in heapq.
https://hg.python.org/cpython/rev/813854f49f9d
msg242416 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2015-05-02 17:27
New changeset d356e68de236 by Raymond Hettinger in branch '2.7':
Issues #24099, #24100, and #24101: Fix free-after-use bug in heapq.
https://hg.python.org/cpython/rev/d356e68de236
History
Date | User | Action | Args
2022-04-11 14:58:16 | admin | set | github: 68287
2015-05-04 11:21:46 | rhettinger | set | status: open -> closed; resolution: fixed
2015-05-03 06:50:22 | Arfrever | set | nosy: + Arfrever
2015-05-02 17:27:07 | python-dev | set | messages: + msg242416
2015-05-02 17:07:44 | python-dev | set | nosy: + python-dev; messages: + msg242408
2015-05-02 04:50:28 | serhiy.storchaka | set | nosy: + serhiy.storchaka
2015-05-01 17:02:18 | rhettinger | set | assignee: rhettinger; nosy: + rhettinger
2015-05-01 14:13:30 | christian.heimes | set | nosy: + christian.heimes
2015-05-01 14:13:14 | christian.heimes | set | stage: needs patch; components: + Extension Modules; versions: + Python 3.5
2015-05-01 14:11:20 | pkt | create |