classification
Title: incorrect use of released memory in Python/pystate.c line 284
Type: security
Stage: resolved
Components: Interpreter Core
Versions: Python 3.8

process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: matrixise
Nosy List: eamanu, eric.snow, matrixise, vstinner, wjq-security
Priority: normal
Keywords: patch

Created on 2019-02-14 06:21 by wjq-security, last changed 2019-02-20 14:30 by vstinner. This issue is now closed.

Pull Requests
URL: PR 11852; Status: merged; Linked: matrixise, 2019-02-14 08:16
Messages (6)
msg335501 - Author: wangjiangqiang (wjq-security) Date: 2019-02-14 06:38
The code is trying to visit a linked list in a loop; it tries to visit the next node in line 284 "interp = interp->next" while the current node is freed in line 296 "PyMem_RawFree(interp);"
msg335509 - Author: Stéphane Wirtel (matrixise) * (Python triager) Date: 2019-02-14 08:16
What do you think of this solution?
msg335584 - Author: wangjiangqiang (wjq-security) Date: 2019-02-15 05:24
Just create a temporary node that points to the next node before releasing the current node. Change the loop condition if necessary.
msg336083 - Author: Stéphane Wirtel (matrixise) * (Python triager) Date: 2019-02-20 13:02
@eric Could you help me with the tests for my PR?

Thank you
msg336088 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-20 14:27
New changeset b5409dacc4885146a27d06482b346e55fa12d2ec by Victor Stinner (Stéphane Wirtel) in branch 'master':
bpo-35993: Fix _PyInterpreterState_DeleteExceptMain() (GH-11852)
https://github.com/python/cpython/commit/b5409dacc4885146a27d06482b346e55fa12d2ec
msg336089 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-20 14:30
Thanks wangjiangqiang for the bug report and thanks Stéphane Wirtel for the fix!
History
Date User Action Args
2019-02-20 14:30:15 vstinner set status: open -> closed; versions: + Python 3.8; messages: + msg336089; components: + Interpreter Core; resolution: fixed; stage: resolved
2019-02-20 14:27:25 vstinner set messages: + msg336088
2019-02-20 13:02:38 matrixise set nosy: + eric.snow; messages: + msg336083
2019-02-15 05:24:31 wjq-security set messages: + msg335584
2019-02-14 13:28:51 eamanu set nosy: + eamanu
2019-02-14 08:16:51 matrixise set nosy: + vstinner; messages: + msg335509; stage: patch review -> (no value)
2019-02-14 08:16:01 matrixise set keywords: + patch; stage: patch review; pull_requests: + pull_request11884
2019-02-14 07:44:49 matrixise set assignee: matrixise; nosy: + matrixise
2019-02-14 06:38:01 wjq-security set messages: + msg335501
2019-02-14 06:21:26 wjq-security create