This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Bad free in py_sha3_new_impl function
Type: behavior Stage: resolved
Components: Library (Lib) Versions: Python 3.10
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: alex.henrie, christian.heimes
Priority: normal Keywords: patch

Created on 2021-03-02 02:49 by alex.henrie, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 24702 closed alex.henrie, 2021-03-02 02:52
PR 25463 merged christian.heimes, 2021-04-17 22:57
Messages (4)
msg387898 - (view) Author: Alex Henrie (alex.henrie) * Date: 2021-03-02 02:49
The py_sha3_new_impl function in sha3module.c has error handling code that looks like this:

    error:
      if (self) {
          Py_DECREF(self);
      }
      if (data && buf.obj) {
          PyBuffer_Release(&buf);
      }

However, there is a `goto error` before the variable buf is initialized. If that error path is triggered, the function will attempt to free an invalid object, possibly leading to a program crash.
msg391315 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-17 22:04
Excellent finding! The issue was introduced in commit 93d50a6a8d0c5d332c11aef267e66573a09765ac as part of bpo-1635741
msg391326 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-18 06:39
New changeset aa6da32edc3c6ddfda5e849561e20273b8d82771 by Christian Heimes in branch 'master':
bpo-43362: Fix invalid free and return check in _sha3 module (GH-25463)
https://github.com/python/cpython/commit/aa6da32edc3c6ddfda5e849561e20273b8d82771
msg391327 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-18 06:40
The issue affected Python 3.10a1 to latest alpha. 3.9 and earlier are not affected.

Thanks!
History
Date User Action Args
2022-04-11 14:59:42adminsetgithub: 87528
2021-04-18 06:40:39christian.heimessetstatus: open -> closed
versions: - Python 3.8, Python 3.9
messages: + msg391327

resolution: fixed
stage: patch review -> resolved
2021-04-18 06:39:47christian.heimessetmessages: + msg391326
2021-04-17 22:57:30christian.heimessetpull_requests: + pull_request24189
2021-04-17 22:04:25christian.heimessetmessages: + msg391315
2021-04-17 21:20:15christian.heimessetassignee: christian.heimes

type: crash -> behavior
nosy: + christian.heimes
versions: + Python 3.8, Python 3.9
2021-03-02 02:52:09alex.henriesetkeywords: + patch
stage: patch review
pull_requests: + pull_request23479
2021-03-02 02:49:55alex.henriecreate