classification
Title: five possible Null Pointer Dereference bugs.
Type: behavior
Stage: patch review
Components: Extension Modules
Versions: Python 3.10, Python 3.9, Python 3.8
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: brightest3379, miss-islington, p-ganssle, python-dev, vstinner
Priority: normal
Keywords: patch

Created on 2020-10-10 11:49 by brightest3379, last changed 2020-10-13 07:09 by miss-islington.

Pull Requests
URL        Status   Linked by, date
PR 22635   open     python-dev, 2020-10-10 11:53
PR 22660   merged   python-dev, 2020-10-12 02:05
PR 22681   merged   miss-islington, 2020-10-13 06:47
Messages (3)
msg378385 - Author: brightest star (brightest3379) Date: 2020-10-10 11:49
Hello everyone,

I have found five Null Pointer Dereference bugs in the recent master branch.
Although its impact could be slight, I think it is better to fix them.

Bug 1:
In the file ./Modules/_tracemalloc.c:
static int
tracemalloc_copy_trace(_Py_hashtable_t *traces,
                       const void *key, const void *value,
                       void *user_data)
{
    _Py_hashtable_t *traces2 = (_Py_hashtable_t *)user_data;

    trace_t *trace = (trace_t *)value;

1201:    trace_t *trace2 = raw_malloc(sizeof(trace_t));
1202:    if (traces2 == NULL) {  <-----
             return -1;
         }
1205:    *trace2 = *trace;
    ...
    return 0;
}
At line 1201, we malloc a variable 'trace2' and then we should check whether the variable 'trace2' is NULL. But it checks 'traces2' (not 'trace2') in line 1202. The variable 'trace2' could still be NULL. I think it is a spelling mistake.

Bug 2 and 3:
In the file Modules/_zoneinfo.c:

static int
load_data(PyZoneInfo_ZoneInfo *self, PyObject *file_obj)
{
        ...
908:    self->trans_list_utc =
            PyMem_Malloc(self->num_transitions * sizeof(int64_t));
910:    trans_idx = PyMem_Malloc(self->num_transitions * sizeof(Py_ssize_t));
        ...
}
Line 908 allocates memory for 'self->trans_list_utc' and line 910 allocates memory for 'trans_idx'. But the parameters passed to PyMem_Malloc are not fixed, which means we could possibly control the size to malloc. If we pass a big size to PyMem_Malloc, it will return NULL.
So we should add some checks for 'self->trans_list_utc' and 'trans_idx', such as:
    if (self->trans_list_utc == NULL) {
        goto error;
    }

Bug 4 and 5:
In the file Modules/_zoneinfo.c:

The problem is the same as in bugs 3 and 4.
line 991:    self->_ttinfos = PyMem_Malloc(self->num_ttinfos * sizeof(_ttinfo));
line 1005:   self->trans_ttinfos =
                 PyMem_Calloc(self->num_transitions, sizeof(_ttinfo *));

We should add some checks below these lines.
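The five bugs above share one shape: an allocation whose size or pointer depends on the input is used without its result being tested (or, in bug 1, with the wrong variable tested). The C below is an added example, not CPython's code and not the reporter's patch. It assumes plain malloc as a stand-in for raw_malloc and PyMem_Malloc, simplified trace_t and zone-state structs in place of the real ones, and a constructed fault-injecting allocator (set_alloc_failure / clear_alloc_failure) so the error paths can actually be exercised rather than only read.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not CPython's code. Assumptions: plain malloc stands in for
 * raw_malloc/PyMem_Malloc; trace_t and zone_state are simplified stand-ins. */

/* Allocator indirection so a test can inject an allocation failure. */
typedef void *(*alloc_fn)(size_t);
static int calls_until_fail = -1;   /* -1 means "never fail" */

static void *fault_malloc(size_t n)
{
    if (calls_until_fail == 0) {
        return NULL;                /* simulate an exhausted allocator */
    }
    if (calls_until_fail > 0) {
        calls_until_fail--;
    }
    return malloc(n);
}

static alloc_fn example_malloc = fault_malloc;

/* Make the (nth+1)-th allocation fail; nth = 0 fails the very next call. */
static void set_alloc_failure(int nth) { calls_until_fail = nth; }
static void clear_alloc_failure(void) { calls_until_fail = -1; }

/* Simplified trace record (constructed stand-in for tracemalloc's trace_t). */
typedef struct {
    size_t size;
    uintptr_t traceback;
} trace_t;

/* Bug 1, corrected: the NULL check must test the pointer that was just
 * allocated (trace2), not the destination table the caller passed in. */
static int copy_trace(const trace_t *trace, trace_t **out)
{
    trace_t *trace2 = example_malloc(sizeof(trace_t));
    if (trace2 == NULL) {
        *out = NULL;
        return -1;
    }
    *trace2 = *trace;               /* safe: trace2 is known non-NULL here */
    *out = trace2;
    return 0;
}

/* Simplified zoneinfo state (constructed stand-in for PyZoneInfo_ZoneInfo). */
typedef struct {
    size_t num_transitions;
    int64_t *trans_list_utc;
} zone_state;

/* Bugs 2-5, corrected: every allocation whose size comes from the input is
 * checked, the size multiplication is guarded against overflow, and the
 * error path releases whatever was allocated before the failure. */
static int load_transitions(zone_state *self, size_t num_transitions,
                            const int64_t *utc_src)
{
    size_t *trans_idx = NULL;
    self->num_transitions = num_transitions;
    self->trans_list_utc = NULL;

    /* An overflowed size would allocate too little rather than return NULL,
     * so reject counts that cannot be multiplied by the element size. */
    if (num_transitions > SIZE_MAX / sizeof(int64_t)) {
        goto error;
    }
    self->trans_list_utc = example_malloc(num_transitions * sizeof(int64_t));
    if (self->trans_list_utc == NULL) {
        goto error;
    }
    trans_idx = example_malloc(num_transitions * sizeof(size_t));
    if (trans_idx == NULL) {
        goto error;
    }
    for (size_t i = 0; i < num_transitions; i++) {
        self->trans_list_utc[i] = utc_src[i];
        trans_idx[i] = i;           /* placeholder for the real index mapping */
    }
    free(trans_idx);
    return 0;

error:
    free(trans_idx);                /* free(NULL) is a no-op */
    free(self->trans_list_utc);
    self->trans_list_utc = NULL;
    self->num_transitions = 0;
    return -1;
}
```

The injectable allocator is the point of the example as a review aid: a NULL return from malloc almost never happens in an ordinary test run, so a check like the one missing at line 1202 only gets exercised if the failure can be forced. The `goto error` ladder mirrors the `goto error` the reporter proposes, and also clears the fields on the object so a later cleanup does not free a dangling pointer.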
msg378540 - Author: STINNER Victor (vstinner) (Python committer) Date: 2020-10-13 06:46
New changeset 66c28f50c76e4f23af7146e0e580457c5fd6bde7 by Yunlongs in branch 'master':
bpo-41995: Fix null ptr deref in tracemalloc_copy_trace() (GH-22660)
https://github.com/python/cpython/commit/66c28f50c76e4f23af7146e0e580457c5fd6bde7
msg378542 - Author: miss-islington (miss-islington) Date: 2020-10-13 07:09
New changeset afe86066e748076f970ccd277fc64fc51bea189b by Miss Skeleton (bot) in branch '3.9':
bpo-41995: Fix null ptr deref in tracemalloc_copy_trace() (GH-22660)
https://github.com/python/cpython/commit/afe86066e748076f970ccd277fc64fc51bea189b
History
Date                 User               Action   Args
2020-10-13 07:09:16  miss-islington     set      messages: + msg378542
2020-10-13 06:47:43  miss-islington     set      nosy: + miss-islington; pull_requests: + pull_request21652
2020-10-13 06:46:47  vstinner           set      messages: + msg378540
2020-10-12 02:05:45  python-dev         set      pull_requests: + pull_request21637
2020-10-10 12:56:27  serhiy.storchaka   set      nosy: + p-ganssle
2020-10-10 12:54:00  serhiy.storchaka   set      nosy: + vstinner; versions: + Python 3.10, - Python 3.5, Python 3.6, Python 3.7
2020-10-10 11:53:08  python-dev         set      keywords: + patch; nosy: + python-dev; pull_requests: + pull_request21610; stage: patch review
2020-10-10 11:49:40  brightest3379      create