Issue 35993: incorrect use of released memory in Python/pystate.c line 284

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/80174

classification

Title:	incorrect use of released memory in Python/pystate.c line 284
Type:	security	Stage:	resolved
Components:	Interpreter Core	Versions:	Python 3.8

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:	matrixise	Nosy List:	eamanu, eric.snow, matrixise, vstinner, wjq-security
Priority:	normal	Keywords:	patch

Created on 2019-02-14 06:21 by wjq-security, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL	Status	Linked	Edit
PR 11852	merged	matrixise, 2019-02-14 08:16

Messages (6)
msg335501 - (view)	Author: wangjiangqiang (wjq-security)	Date: 2019-02-14 06:38
the code is trying to visit a link list in a loop, it tries to visit the next node in line 284 "interp = interp->next" while the current node is freed in line 296 "PyMem_RawFree(interp);"
msg335509 - (view)	Author: Stéphane Wirtel (matrixise) *	Date: 2019-02-14 08:16
What do you think of this solution?
msg335584 - (view)	Author: wangjiangqiang (wjq-security)	Date: 2019-02-15 05:24
Just create a temporary node points to the next node before release the current node. change the loop condition if necessary.
msg336083 - (view)	Author: Stéphane Wirtel (matrixise) *	Date: 2019-02-20 13:02
@eric Could you help me for the tests of my PR? Thank you
msg336088 - (view)	Author: STINNER Victor (vstinner) *	Date: 2019-02-20 14:27
New changeset b5409dacc4885146a27d06482b346e55fa12d2ec by Victor Stinner (Stéphane Wirtel) in branch 'master': bpo-35993: Fix _PyInterpreterState_DeleteExceptMain() (GH-11852) https://github.com/python/cpython/commit/b5409dacc4885146a27d06482b346e55fa12d2ec
msg336089 - (view)	Author: STINNER Victor (vstinner) *	Date: 2019-02-20 14:30
Thanks wangjiangqiang for the bug report and thanks Stéphane Wirtel for the fix!

History
Date	User	Action	Args
2022-04-11 14:59:11	admin	set	github: 80174
2019-02-20 14:30:15	vstinner	set	status: open -> closed versions: + Python 3.8 messages: + msg336089 components: + Interpreter Core resolution: fixed stage: resolved
2019-02-20 14:27:25	vstinner	set	messages: + msg336088
2019-02-20 13:02:38	matrixise	set	nosy: + eric.snow messages: + msg336083
2019-02-15 05:24:31	wjq-security	set	messages: + msg335584
2019-02-14 13:28:51	eamanu	set	nosy: + eamanu
2019-02-14 08:16:51	matrixise	set	nosy: + vstinner messages: + msg335509 stage: patch review -> (no value)
2019-02-14 08:16:01	matrixise	set	keywords: + patch stage: patch review pull_requests: + pull_request11884
2019-02-14 07:44:49	matrixise	set	assignee: matrixise nosy: + matrixise
2019-02-14 06:38:01	wjq-security	set	messages: + msg335501
2019-02-14 06:21:26	wjq-security	create