
Title: incorrect use of released memory in Python/pystate.c line 284
Type: security
Stage: resolved
Components: Interpreter Core
Versions: Python 3.8
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: matrixise
Nosy List: eamanu, eric.snow, matrixise, vstinner, wjq-security
Priority: normal
Keywords: patch

Created on 2019-02-14 06:21 by wjq-security, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL       Status  Linked
PR 11852  merged  matrixise, 2019-02-14 08:16
Messages (6)
msg335501 - (view) Author: wangjiangqiang (wjq-security) Date: 2019-02-14 06:38
The code is trying to visit a linked list in a loop; it tries to visit the next node in line 284 "interp = interp->next" while the current node is freed in line 296 "PyMem_RawFree(interp);"
msg335509 - (view) Author: Stéphane Wirtel (matrixise) * (Python committer) Date: 2019-02-14 08:16
What do you think of this solution?
msg335584 - (view) Author: wangjiangqiang (wjq-security) Date: 2019-02-15 05:24
Just create a temporary node that points to the next node before releasing the current node. Change the loop condition if necessary.
msg336083 - (view) Author: Stéphane Wirtel (matrixise) * (Python committer) Date: 2019-02-20 13:02
@eric Could you help me with the tests of my PR?

Thank you
msg336088 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-20 14:27
New changeset b5409dacc4885146a27d06482b346e55fa12d2ec by Victor Stinner (Stéphane Wirtel) in branch 'master':
bpo-35993: Fix _PyInterpreterState_DeleteExceptMain() (GH-11852)
msg336089 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-20 14:30
Thanks wangjiangqiang for the bug report and thanks Stéphane Wirtel for the fix!
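
The approach suggested in msg335584 (save the pointer to the next node before releasing the current one), as an added example that is not CPython's code and not part of the original thread. `struct node`, `delete_except` and `make_list` are hypothetical names, and the list is constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-in for one node of the interpreter list. */
struct node { int id; struct node *next; };

/* Pattern from the report, kept as a comment (undefined behaviour):
 *     for (cur = head; cur != NULL; cur = cur->next)
 *         free(cur);    // the loop step then reads freed memory */

/* Free every node except `keep`; the successor is saved before each
 * free. Returns the number of nodes freed. */
size_t delete_except(struct node **head, struct node *keep) {
    size_t freed = 0;
    struct node *cur = *head;
    *head = NULL;
    while (cur != NULL) {
        struct node *next = cur->next;  /* read while cur is still valid */
        if (cur == keep) {
            cur->next = NULL;           /* kept node becomes the whole list */
            *head = cur;
        } else {
            free(cur);
            freed++;
        }
        cur = next;
    }
    return freed;
}

/* Build a constructed list with ids 0..n-1 and return its head. */
struct node *make_list(int n) {
    struct node *head = NULL;
    for (int i = n - 1; i >= 0; i--) {
        struct node *nd = malloc(sizeof *nd);
        if (nd == NULL) abort();
        nd->id = i;
        nd->next = head;
        head = nd;
    }
    return head;
}

int main(void) {
    struct node *head = make_list(4), *keep = head->next;
    size_t freed = delete_except(&head, keep);
    printf("freed=%zu kept id=%d\n", freed, head->id);
    free(head);
    return 0;
}
```

Building this with AddressSanitizer (`-fsanitize=address`) is a quick way to confirm that no freed node is read during the walk.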
Date                 User          Action  Args
2022-04-11 14:59:11  admin         set     github: 80174
2019-02-20 14:30:15  vstinner      set     status: open -> closed; versions: + Python 3.8; messages: + msg336089; components: + Interpreter Core; resolution: fixed; stage: resolved
2019-02-20 14:27:25  vstinner      set     messages: + msg336088
2019-02-20 13:02:38  matrixise     set     nosy: + eric.snow; messages: + msg336083
2019-02-15 05:24:31  wjq-security  set     messages: + msg335584
2019-02-14 13:28:51  eamanu        set     nosy: + eamanu
2019-02-14 08:16:51  matrixise     set     nosy: + vstinner; messages: + msg335509; stage: patch review -> (no value)
2019-02-14 08:16:01  matrixise     set     keywords: + patch; stage: patch review; pull_requests: + pull_request11884
2019-02-14 07:44:49  matrixise     set     assignee: matrixise; nosy: + matrixise
2019-02-14 06:38:01  wjq-security  set     messages: + msg335501
2019-02-14 06:21:26  wjq-security  create