Issue40705
Created on 2020-05-21 05:22 by ammar2, last changed 2022-04-11 14:59 by admin. This issue is now closed.
Pull Requests

URL | Status | Linked
---|---|---
PR 20280 | merged | ammar2, 2020-05-21 05:37
PR 20319 | merged | miss-islington, 2020-05-22 16:11
Messages (3)

msg369494 | Author: Ammar Askar (ammar2) | Date: 2020-05-21 05:22 |
This was caught on oss-fuzz's ASAN builder:

Step #4: ==7656==ERROR: AddressSanitizer: heap-use-after-free on address 0x604001568ea0 at pc 0x7f603e4b974b bp 0x7ffe4f7e8f90 sp 0x7ffe4f7e8f88
Step #4: READ of size 8 at 0x604001568ea0 thread T0
Step #4: #0 0x7f603e4b974a in module_free /src/cpython3/Modules/_zoneinfo.c:2610:10
Step #4: #1 0x570311 in module_dealloc /src/cpython3/Objects/moduleobject.c:675:9
Step #4: #2 0x57b7fc in _Py_Dealloc /src/cpython3/Objects/object.c:2209:5
Step #4: #3 0x54ce60 in _Py_DECREF /src/cpython3/./Include/object.h:430:9
Step #4: #4 0x551cdc in _Py_XDECREF /src/cpython3/./Include/object.h:497:9
Step #4: #5 0x54e1b2 in insertdict /src/cpython3/Objects/dictobject.c:1129:5
Step #4: #6 0x54d2fe in PyDict_SetItem /src/cpython3/Objects/dictobject.c:1579:12
Step #4: #7 0x55b5dc in dict_ass_sub /src/cpython3/Objects/dictobject.c:2179:16
Step #4: #8 0x87520f in PyObject_SetItem /src/cpython3/Objects/abstract.c:210:16
Step #4: #9 0x6c1e89 in _PyImport_Cleanup /src/cpython3/Python/import.c:523:13
Step #4: #10 0x6fc40a in Py_FinalizeEx /src/cpython3/Python/pylifecycle.c:1422:5
Step #4: #11 0x4dd17a in Py_RunMain /src/cpython3/Modules/main.c:634:9
Step #4: #12 0x4ddbea in pymain_main /src/cpython3/Modules/main.c:662:12
Step #4: #13 0x4dde34 in Py_BytesMain /src/cpython3/Modules/main.c:686:12
Step #4: #14 0x4dd030 in main /src/cpython3/./Programs/python.c:15:12
Step #4: #15 0x7f60440bc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Step #4: #16 0x434ce8 in _start (/src/cpython3/python+0x434ce8)
Step #4:
Step #4: 0x604001568ea0 is located 16 bytes inside of 48-byte region [0x604001568e90,0x604001568ec0)
Step #4: freed by thread T0 here:
Step #4: #0 0x4ad20d in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
Step #4: #1 0x57c493 in _PyMem_RawFree /src/cpython3/Objects/obmalloc.c:127:5
Step #4: #2 0x57dbc2 in PyObject_Free /src/cpython3/Objects/obmalloc.c:709:5
Step #4: #3 0x75e81a in PyObject_GC_Del /src/cpython3/Modules/gcmodule.c:2325:5
Step #4: #4 0x5a12cd in object_dealloc /src/cpython3/Objects/typeobject.c:4008:5
Step #4: #5 0x59abbb in subtype_dealloc /src/cpython3/Objects/typeobject.c:1371:5
Step #4: #6 0x57b7fc in _Py_Dealloc /src/cpython3/Objects/object.c:2209:5
Step #4: #7 0x7f603e4b0700 in _Py_DECREF /src/cpython3/./Include/object.h:430:9
Step #4: #8 0x7f603e4b05dc in _Py_XDECREF /src/cpython3/./Include/object.h:497:9
Step #4: #9 0x7f603e4b96de in module_free /src/cpython3/Modules/_zoneinfo.c:2609:5
Step #4: #10 0x570311 in module_dealloc /src/cpython3/Objects/moduleobject.c:675:9
Step #4: #11 0x57b7fc in _Py_Dealloc /src/cpython3/Objects/object.c:2209:5
Step #4: #12 0x54ce60 in _Py_DECREF /src/cpython3/./Include/object.h:430:9
Step #4: #13 0x551cdc in _Py_XDECREF /src/cpython3/./Include/object.h:497:9
Step #4: #14 0x54e1b2 in insertdict /src/cpython3/Objects/dictobject.c:1129:5
Step #4: #15 0x54d2fe in PyDict_SetItem /src/cpython3/Objects/dictobject.c:1579:12
Step #4: #16 0x55b5dc in dict_ass_sub /src/cpython3/Objects/dictobject.c:2179:16
Step #4: #17 0x87520f in PyObject_SetItem /src/cpython3/Objects/abstract.c:210:16
Step #4: #18 0x6c1e89 in _PyImport_Cleanup /src/cpython3/Python/import.c:523:13
Step #4: #19 0x6fc40a in Py_FinalizeEx /src/cpython3/Python/pylifecycle.c:1422:5
Step #4: #20 0x4dd17a in Py_RunMain /src/cpython3/Modules/main.c:634:9
Step #4: #21 0x4ddbea in pymain_main /src/cpython3/Modules/main.c:662:12
Step #4: #22 0x4dde34 in Py_BytesMain /src/cpython3/Modules/main.c:686:12
Step #4: #23 0x4dd030 in main /src/cpython3/./Programs/python.c:15:12
Step #4: #24 0x7f60440bc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Step #4:
Step #4: previously allocated by thread T0 here:
Step #4: #0 0x4ad48d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
Step #4: #1 0x57c37c in _PyMem_RawMalloc /src/cpython3/Objects/obmalloc.c:99:12
Step #4: #2 0x57da49 in PyObject_Malloc /src/cpython3/Objects/obmalloc.c:685:12
Step #4: #3 0x75e17c in _PyObject_GC_Alloc /src/cpython3/Modules/gcmodule.c:2233:26
Step #4: #4 0x75e0c5 in _PyObject_GC_Malloc /src/cpython3/Modules/gcmodule.c:2260:12
Step #4: #5 0x598619 in PyType_GenericAlloc /src/cpython3/Objects/typeobject.c:1086:15
Step #4: #6 0x5a1922 in object_new /src/cpython3/Objects/typeobject.c:4002:12
Step #4: #7 0x59d2c7 in type_call /src/cpython3/Objects/typeobject.c:1017:11
Step #4: #8 0x4fbb0b in _PyObject_MakeTpCall /src/cpython3/Objects/call.c:191:18
Step #4: #9 0x4feefa in _PyObject_VectorcallTstate /src/cpython3/./Include/cpython/abstract.h:116:16
Step #4: #10 0x4fb5e7 in _PyObject_CallNoArgTstate /src/cpython3/./Include/internal/pycore_call.h:33:12
Step #4: #11 0x4fdaa6 in _PyObject_CallFunctionVa /src/cpython3/Objects/call.c:515:16
Step #4: #12 0x4fe32a in callmethod /src/cpython3/Objects/call.c:614:12
Step #4: #13 0x4fe193 in PyObject_CallMethod /src/cpython3/Objects/call.c:634:24
Step #4: #14 0x7f603e4b91b1 in new_weak_cache /src/cpython3/Modules/_zoneinfo.c:2483:9
Step #4: #15 0x7f603e4b95ec in initialize_caches /src/cpython3/Modules/_zoneinfo.c:2503:31
Step #4: #16 0x7f603e4b0905 in zoneinfomodule_exec /src/cpython3/Modules/_zoneinfo.c:2669:9
Step #4: #17 0x56ea8a in PyModule_ExecDef /src/cpython3/Objects/moduleobject.c:399:23
Step #4: #18 0x6c8e0d in exec_builtin_or_dynamic /src/cpython3/Python/import.c:2242:12
Step #4: #19 0x6c8d30 in _imp_exec_dynamic_impl /src/cpython3/Python/import.c:2316:12
Step #4: #20 0x6c7c15 in _imp_exec_dynamic /src/cpython3/Python/clinic/import.c.h:358:21
Step #4: #21 0x8cca28 in cfunction_vectorcall_O /src/cpython3/Objects/methodobject.c:510:24
Step #4: #22 0x4fc8b4 in PyVectorcall_Call /src/cpython3/Objects/call.c:230:16
Step #4: #23 0x4fc9b3 in _PyObject_Call /src/cpython3/Objects/call.c:265:16
Step #4: #24 0x4fcb20 in PyObject_Call /src/cpython3/Objects/call.c:292:12
Step #4: #25 0x679ff0 in do_call_core /src/cpython3/Python/ceval.c
Step #4: #26 0x66942a in _PyEval_EvalFrameDefault /src/cpython3/Python/ceval.c:3607:22
Step #4: #27 0x661fce in _PyEval_EvalFrame /src/cpython3/./Include/internal/pycore_ceval.h:40:12
Step #4: #28 0x67b5a7 in _PyEval_EvalCode /src/cpython3/Python/ceval.c:4354:14
Step #4: #29 0x4fce97 in _PyFunction_Vectorcall /src/cpython3/Objects/call.c:395:12

https://oss-fuzz-build-logs.storage.googleapis.com/log-42158c8c-476d-482a-ab04-75ea905e483c.txt

Sending out a patch shortly. |
|||
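The ordering the trace points at (a release in `module_free` at `_zoneinfo.c:2609` followed by a read of the same object at line 2610), modelled as an added example that is not CPython's code or the merged patch. It uses a toy refcounted pool in which a `live` flag stands in for ASAN's check; all names (`obj_t`, `cache`, `teardown_buggy`, `teardown_fixed`) are hypothetical.

```c
#include <stdio.h>
/* Toy refcounted objects from a fixed pool, so "freed" is an observable flag
   rather than undefined behaviour. Every name here is hypothetical. */
typedef struct { long refcnt; int live; } obj_t;
static obj_t pool[4];
static int stale_reads;               /* reads of a slot after its release */
static obj_t *cache;                  /* module-global owned by the module */

static obj_t *obj_new(void) {
    for (int i = 0; i < 4; i++)
        if (!pool[i].live) { pool[i] = (obj_t){1, 1}; return &pool[i]; }
    return NULL;
}
static void obj_decref(obj_t *o) {
    if (o != NULL && --o->refcnt == 0) o->live = 0;   /* last ref: "free" */
}
/* Checked read of the refcount: stands in for the sanitizer's check. */
static long obj_refcnt(const obj_t *o) {
    if (!o->live) stale_reads++;
    return o->refcnt;
}

/* Ordering seen in the trace: release first, then read the same object. */
static void teardown_buggy(void) {
    obj_decref(cache);
    if (cache != NULL && obj_refcnt(cache) == 0) cache = NULL;
}

/* One safe ordering: inspect while the reference is still held, and null
   the global before dropping the last reference. */
static void teardown_fixed(void) {
    if (cache != NULL && obj_refcnt(cache) > 1) { obj_decref(cache); return; }
    obj_t *last = cache;
    cache = NULL;
    obj_decref(last);
}

/* Run one teardown on a fresh single-reference cache; return stale reads. */
static int stale_reads_after(void (*teardown)(void)) {
    stale_reads = 0;
    cache = obj_new();
    teardown();
    return stale_reads;
}

int main(void) {
    printf("buggy: %d stale read(s)\n", stale_reads_after(teardown_buggy));
    printf("fixed: %d stale read(s)\n", stale_reads_after(teardown_fixed));
    return 0;
}
```

In a real build the stale read is undefined behaviour and often goes unnoticed without a sanitizer, because the freed memory usually still holds the old refcount.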
msg369615 | Author: Paul Ganssle (p-ganssle) | Date: 2020-05-22 16:11 |
New changeset 06a1b8915d6674e40f0dccc422ca2c06212392d8 by Ammar Askar in branch 'master': bpo-40705: Fix use-after-free in _zoneinfo's module_free (GH-20280) https://github.com/python/cpython/commit/06a1b8915d6674e40f0dccc422ca2c06212392d8 |
|||
msg369806 | Author: miss-islington (miss-islington) | Date: 2020-05-24 14:43 |
New changeset ebf650532b41f5e64a5620b8e47acc3a99555e14 by Miss Islington (bot) in branch '3.9': bpo-40705: Fix use-after-free in _zoneinfo's module_free (GH-20280) https://github.com/python/cpython/commit/ebf650532b41f5e64a5620b8e47acc3a99555e14 |
History

Date | User | Action | Args
---|---|---|---
2022-04-11 14:59:31 | admin | set | github: 84882
2021-04-02 15:57:53 | ammar2 | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved
2020-05-24 14:43:09 | miss-islington | set | messages: + msg369806
2020-05-22 16:11:14 | p-ganssle | set | messages: + msg369615
2020-05-22 16:11:10 | miss-islington | set | nosy: + miss-islington; pull_requests: + pull_request19588
2020-05-21 11:56:52 | p-ganssle | set | versions: + Python 3.9
2020-05-21 05:37:08 | ammar2 | set | keywords: + patch; stage: patch review; pull_requests: + pull_request19557
2020-05-21 05:22:11 | ammar2 | create |