➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2020-10-10 11:49 by brightest3379, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 22635 | merged | python-dev, 2020-10-10 11:53 | |
| PR 22660 | merged | python-dev, 2020-10-12 02:05 | |
| PR 22681 | merged | miss-islington, 2020-10-13 06:47 | |
| PR 24261 | merged | miss-islington, 2021-01-20 08:39 | |
| Messages (6) | |||
|---|---|---|---|
| msg378385 - (view) | Author: brightest star (brightest3379) * | Date: 2020-10-10 11:49 | |
Hello everyone,
I have found five Null Pointer Dereference bugs in recent master branch.
Although it's impact could be slightly, i think it is better to fix it.
Bug 1:
In the file ; ./Modules/_tracemalloc.c:
static int
tracemalloc_copy_trace(_Py_hashtable_t *traces,
const void *key, const void *value,
void *user_data)
{
_Py_hashtable_t *traces2 = (_Py_hashtable_t *)user_data;
trace_t *trace = (trace_t *)value;
1201: trace_t *trace2 = raw_malloc(sizeof(trace_t));
1202: if (traces2 == NULL) { <-----
return -1;
}
1205: *trace2 = *trace;
...
return 0;
}
At line 1201, we malloc a varible 'trace2' and then we should check whether the varible 'trace2' is NULL. But it checks 'traces2'(not 'trace2') in line 1202. The varible 'trace2' still could be NULL.I think it is a spelling mistake.
Bug 2 and 3:
In the file :Modules/_zoneinfo.c
static int
load_data(PyZoneInfo_ZoneInfo *self, PyObject *file_obj)
{
...
908: self->trans_list_utc =
PyMem_Malloc(self->num_transitions * sizeof(int64_t));
910: trans_idx = PyMem_Malloc(self->num_transitions * sizeof(Py_ssize_t));
...
}
Line 908 alloc a memory to 'self->trans_list_utc' and line 910 alloc a memory to 'trans_idx'. But the paramters passed to PyMem_Malloc are not fixed,it means that we possible could control the size to malloc. If we pass a big size to PyMem_Malloc, it will return NULL.
So,we should add some checks for 'self->trans_list_utc' and 'trans_idx',such as
if (self->trans_list_utc == NULL) {
goto error;
}
Bug 4 and 5:
In the file :Modules/_zoneinfo.c
The problem same to bug 3 and 4.
line 991: self->_ttinfos = PyMem_Malloc(self->num_ttinfos * sizeof(_ttinfo));
line 1005: self->trans_ttinfos =
PyMem_Calloc(self->num_transitions, sizeof(_ttinfo *));
We should add some checks below these lines.
|
|||
| msg378540 - (view) | Author: STINNER Victor (vstinner) *  |
Date: 2020-10-13 06:46 | |
New changeset 66c28f50c76e4f23af7146e0e580457c5fd6bde7 by Yunlongs in branch 'master': bpo-41995: Fix null ptr deref in tracemalloc_copy_trace() (GH-22660) https://github.com/python/cpython/commit/66c28f50c76e4f23af7146e0e580457c5fd6bde7 |
|||
| msg378542 - (view) | Author: miss-islington (miss-islington) | Date: 2020-10-13 07:09 | |
New changeset afe86066e748076f970ccd277fc64fc51bea189b by Miss Skeleton (bot) in branch '3.9': bpo-41995: Fix null ptr deref in tracemalloc_copy_trace() (GH-22660) https://github.com/python/cpython/commit/afe86066e748076f970ccd277fc64fc51bea189b |
|||
| msg385315 - (view) | Author: STINNER Victor (vstinner) * |
Date: 2021-01-20 08:38 | |
New changeset f1ff800db1f9fa5ff8f2fa2863796a46bfa9ee46 by Yunlongs in branch 'master': bpo-41995: Handle allocation failure in _tracemalloc and _zoneinfo (GH-22635) https://github.com/python/cpython/commit/f1ff800db1f9fa5ff8f2fa2863796a46bfa9ee46 |
|||
| msg385316 - (view) | Author: STINNER Victor (vstinner) * |
Date: 2021-01-20 08:42 | |
Thanks for the bug report brightest star, and thanks for the fix Yunlongs! |
|||
| msg385319 - (view) | Author: miss-islington (miss-islington) | Date: 2021-01-20 09:03 | |
New changeset 50938b63fbb0d4bed24dceccf188b8d0fe58463c by Miss Islington (bot) in branch '3.9': bpo-41995: Handle allocation failure in _tracemalloc and _zoneinfo (GH-22635) https://github.com/python/cpython/commit/50938b63fbb0d4bed24dceccf188b8d0fe58463c |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:36 | admin | set | github: 86161 |
| 2021-01-20 09:03:36 | miss-islington | set | messages: + msg385319 |
| 2021-01-20 08:42:42 | vstinner | set | status: open -> closed resolution: fixed messages: + msg385316 stage: patch review -> resolved |
| 2021-01-20 08:39:33 | miss-islington | set | pull_requests: + pull_request23086 |
| 2021-01-20 08:39:00 | vstinner | set | messages: + msg385315 |
| 2020-10-13 07:09:16 | miss-islington | set | messages: + msg378542 |
| 2020-10-13 06:47:43 | miss-islington | set | nosy:
+ miss-islington pull_requests: + pull_request21652 |
| 2020-10-13 06:46:47 | vstinner | set | messages: + msg378540 |
| 2020-10-12 02:05:45 | python-dev | set | pull_requests: + pull_request21637 |
| 2020-10-10 12:56:27 | serhiy.storchaka | set | nosy:
+ p-ganssle |
| 2020-10-10 12:54:00 | serhiy.storchaka | set | nosy:
+ vstinner versions: + Python 3.10, - Python 3.5, Python 3.6, Python 3.7 |
| 2020-10-10 11:53:08 | python-dev | set | keywords:
+ patch nosy: + python-dev pull_requests: + pull_request21610 stage: patch review |
| 2020-10-10 11:49:40 | brightest3379 | create | |