
classification
Title: Instance of _multiprocessing.PipeConnection-subtype crash on deletion
Type: crash
Stage: resolved
Components: Library (Lib), Windows
Versions: Python 2.7
process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To:
Nosy List: hakril, iritkatriel, matrixise, paul.moore, steve.dower, tim.golden, zach.ware
Priority: normal
Keywords:

Created on 2018-01-30 10:13 by hakril, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name: poc.py
Uploaded: hakril, 2018-01-30 10:13
Description: simple proof of crash
Messages (4)
msg311260 - Author: Clement Rouault (hakril) Date: 2018-01-30 10:13
While playing with '_multiprocessing.PipeConnection' I found out that instantiating an object with a subtype of '_multiprocessing.PipeConnection' will crash the interpreter when the object is deleted.

My guess is that some connection methods do not check/handle the fact that the object is a subtype and not a 'pure' PipeConnection.

I don't know if the exploitability aspect of this crash is important, but it allows rewriting an arbitrary address easily with some heap pointer (leading to CPython trying to execute the heap).

I attached a simple program that crashes CPython using this bug.
msg311269 - Author: Stéphane Wirtel (matrixise) (Python committer) Date: 2018-01-30 12:22
The test is executed under Windows.
msg376266 - Author: Irit Katriel (iritkatriel) (Python committer) Date: 2020-09-02 22:50
I was able to reproduce the crash in Python 2.7, but in Python 3.10 (after I changed to import PipeConnection from multiprocessing.connection instead of _multiprocessing), it doesn't crash but raises an exception that makes sense when the handle is 0:

Running Release|Win32 interpreter...
Exception ignored in: <function _ConnectionBase.__del__ at 0x0228CC40>
Traceback (most recent call last):
  File "C:\Users\User\src\cpython\lib\multiprocessing\connection.py", line 137, in __del__
    self._close()
  File "C:\Users\User\src\cpython\lib\multiprocessing\connection.py", line 282, in _close
    _CloseHandle(self._handle)
OSError: [WinError 6] The handle is invalid
msg393271 - Author: Irit Katriel (iritkatriel) (Python committer) Date: 2021-05-08 17:46
2.7 is past EOL.
History
Date, User, Action, Args
2022-04-11 14:58:57, admin, set, github: 76906
2021-05-08 17:46:14, iritkatriel, set, status: open -> closed; resolution: out of date; messages: + msg393271; stage: resolved
2020-09-02 22:50:10, iritkatriel, set, nosy: + iritkatriel; messages: + msg376266
2018-01-30 12:22:46, matrixise, set, nosy: + paul.moore, tim.golden, matrixise, zach.ware, steve.dower; messages: + msg311269; components: + Windows
2018-01-30 10:13:55, hakril, create