classification
Title: Refcounting mistake in _ssl.c
Type: crash Stage: resolved
Components: SSL Versions: Python 3.7, Python 3.6, Python 3.5
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: Jim.Jewett, alex, christian.heimes, dstufft, janssen, njs, serhiy.storchaka
Priority: normal Keywords:

Created on 2017-06-08 06:13 by njs, last changed 2017-06-09 20:53 by serhiy.storchaka. This issue is now closed.

Files
File name Uploaded Description Edit
demo.py njs, 2017-06-08 06:13
Pull Requests
URL Status Linked Edit
PR 1992 merged njs, 2017-06-08 06:13
PR 1993 merged njs, 2017-06-08 09:50
PR 1994 merged njs, 2017-06-08 09:50
PR 1997 merged njs, 2017-06-08 11:14
Messages (8)
msg295380 - (view) Author: Nathaniel Smith (njs) * (Python committer) Date: 2017-06-08 06:13
If you pass a server_hostname= that fails IDNA decoding to SSLContext.wrap_socket or SSLContext.wrap_bio, then the SSLContext object has a spurious Py_DECREF called on it, eventually leading to segfaults.

Demo attached.
msg295381 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-06-08 06:30
New changeset 65ece7ca2366308fa91a39a8dfa255e6bdce3cca by Serhiy Storchaka (Nathaniel J. Smith) in branch 'master':
bpo-30594: Fixed refcounting in newPySSLSocket (#1992)
https://github.com/python/cpython/commit/65ece7ca2366308fa91a39a8dfa255e6bdce3cca
msg295382 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-06-08 06:33
Thank you for your report and patch Nathaniel.

Do you mind to create backporting PRs?
msg295388 - (view) Author: Nathaniel Smith (njs) * (Python committer) Date: 2017-06-08 09:51
posted backports for 3.5 and 3.6. It looks like 2.7 is actually unaffected, because it doesn't have IDNA support, so there's no failure path in between when the reference is stored and when its INCREFed.
msg295408 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-06-08 11:14
New changeset 854f7ba1d5cbb6a42511beae66c8dbe34f2cbcd3 by Serhiy Storchaka (Nathaniel J. Smith) in branch '3.6':
[3.6] bpo-30594: Fixed refcounting in newPySSLSocket (GH-1992) (#1994)
https://github.com/python/cpython/commit/854f7ba1d5cbb6a42511beae66c8dbe34f2cbcd3
msg295409 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-06-08 11:14
New changeset 54ba41ecc5711f89841342c5f9dd555ee13404b5 by Serhiy Storchaka (Nathaniel J. Smith) in branch '3.5':
[3.5] bpo-30594: Fixed refcounting in newPySSLSocket (GH-1992) (#1993)
https://github.com/python/cpython/commit/54ba41ecc5711f89841342c5f9dd555ee13404b5
msg295573 - (view) Author: Jim Jewett (Jim.Jewett) * (Python triager) Date: 2017-06-09 20:49
Serhiy -- do your last two messages mean that this is now resolved?
msg295574 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-06-09 20:53
Yes, this is now resolved, thanks to Nathaniel.
History
Date User Action Args
2019-06-11 06:25:50gregory.p.smithlinkissue37217 superseder
2017-06-09 20:53:34serhiy.storchakasetstatus: open -> closed
resolution: fixed
messages: + msg295574

stage: backport needed -> resolved
2017-06-09 20:49:31Jim.Jewettsetnosy: + Jim.Jewett
messages: + msg295573
2017-06-08 11:14:46serhiy.storchakasetmessages: + msg295409
2017-06-08 11:14:42serhiy.storchakasetmessages: + msg295408
2017-06-08 11:14:07njssetpull_requests: + pull_request2065
2017-06-08 09:51:35njssetmessages: + msg295388
versions: - Python 2.7
2017-06-08 09:50:18njssetpull_requests: + pull_request2058
2017-06-08 09:50:17njssetpull_requests: + pull_request2057
2017-06-08 06:33:17serhiy.storchakasetmessages: + msg295382
stage: backport needed
2017-06-08 06:30:45serhiy.storchakasetnosy: + serhiy.storchaka
messages: + msg295381
2017-06-08 06:13:45njssetpull_requests: + pull_request2056
2017-06-08 06:13:35njscreate