Classification
Title: Incorrect arguments in function select() cause segfault
Type: crash
Stage:
Components: Interpreter Core
Versions: Python 3.11, Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6

Process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: ronaldoussoren, xxm
Priority: normal
Keywords:

Created on 2021-07-23 04:25 by xxm, last changed 2021-07-23 08:48 by ronaldoussoren.

Messages (2)
msg398027 - Author: Xinmeng Xia (xxm) Date: 2021-07-23 04:25
The following program can trigger a segfault on all releases of Python. I think it may be caused by incorrect arguments.

Version of Python: 3.6 - master(3.11.0a0)
system: ubuntu 16.04

test.py
================================
import select
import sys   # used by F.fileno(); the import was missing from the original listing

def test_select_mutated():
    a = []

    class F:
        # fileno() is invoked from inside select.select (C code). It re-enters
        # test_select_mutated before returning, so the call chain
        # select.select -> F.fileno -> test_select_mutated -> select.select ...
        # never unwinds; the del and the return are never reached.
        def fileno(a):
            del test_select_mutated()[-1]
            return sys.__stdout__.fileno()
    a[:] = [F()] * 10
    # The trailing tuple ([], a[:5], []) is never used; the crash comes from
    # the select.select call alone.
    select.select([], a, []), ([], a[:5], [])

test_select_mutated()
================================

output:
---------------------------------------------------------------------
xxm@xxm:~$ '/home/xxm/Desktop/compiler/cpython-main/python'  test.py 
Segmentation fault (core dumped)
---------------------------------------------------------------------
msg398036 - Author: Ronald Oussoren (ronaldoussoren) (Python committer) Date: 2021-07-23 08:48
The problem is related to recursion: the code basically ends up with an unlimited number of iterations of select.select and test_select_mutated on the call stack, and this doesn't trigger the stack depth checker.

The following definition of class F triggers the same error:

    class F:
        # Drop-in replacement for F in test.py above: re-enters
        # test_select_mutated from inside select.select, so the return
        # statement is never reached.
        def fileno(self):
            test_select_mutated()
            return self.fileno()

The call stack behaviour can be observed by using the fault handler (``python3.9 -Xfaulthandler crash.py``), although you won't see select.select in the traceback due to it being a C extension function.

Fixing this would basically require adding a stack depth check to the PyObject_Call family of functions. I don't know if a PR for that would be accepted due to the possible performance impact.
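Editor's added example (not code from this tracker issue or from CPython): the crash above is reached through the duck-typed fileno() protocol, which lets any object handed to select.select() run arbitrary Python, mutate the sequences being walked, and re-enter the caller. Application code that accepts file-like objects from untrusted callers can refuse that re-entry itself rather than depend on the interpreter's recursion limit. The helper below resolves every fileno() up front from a snapshot of the input lists, validates the results, and raises RuntimeError when a fileno() call re-enters it. The names resolve_fds, guarded_select, Mutating and Hostile, the per-thread busy flag, and the assumption that nested resolution from inside a fileno() is never legitimate are this example's own. It does not change select.select itself: an object whose fileno() calls select.select directly can still hit the interpreter crash described in the messages above.

```python
import os
import select
import threading

# Per-thread flag, set while fileno() values are being resolved, so that a
# fileno() implementation that re-enters us is detected. Assumption of this
# example: nested resolution from inside a fileno() call is never legitimate.
_state = threading.local()


def resolve_fds(objs):
    """Return integer descriptors for objs (ints or objects with fileno()).

    Works on a snapshot of objs, so a fileno() that mutates the original list
    cannot change what is iterated, and refuses re-entrant calls.
    """
    if getattr(_state, "busy", False):
        raise RuntimeError("reentrant fileno() resolution refused")
    _state.busy = True
    try:
        snapshot = list(objs)          # hostile fileno() may shrink objs
        fds = []
        for obj in snapshot:
            fd = obj if isinstance(obj, int) else obj.fileno()
            if not isinstance(fd, int) or fd < 0:
                raise ValueError(f"fileno() returned an invalid descriptor: {fd!r}")
            fds.append(fd)
        return fds
    finally:
        _state.busy = False


def guarded_select(rlist, wlist, xlist, timeout=0):
    """select.select() on pre-resolved integer descriptors only."""
    r = resolve_fds(rlist)
    w = resolve_fds(wlist)
    x = resolve_fds(xlist)
    return select.select(r, w, x, timeout)


class Mutating:
    """fileno() that shrinks the list it was handed in, like F in test.py.

    The fd value is only resolved by these demos, never passed to select().
    """

    def __init__(self, owner, fd):
        self.owner = owner
        self.fd = fd

    def fileno(self):
        if self.owner:
            del self.owner[-1]
        return self.fd


class Hostile(Mutating):
    """fileno() that also re-enters guarded_select, as F re-enters
    test_select_mutated in the reproducer."""

    def fileno(self):
        super().fileno()
        guarded_select([], [self], [])   # would recurse without the guard
        return self.fd


def mutation_is_tolerated():
    """All three references resolve even though the list empties itself."""
    lst = []
    lst[:] = [Mutating(lst, 7)] * 3
    return resolve_fds(lst) == [7, 7, 7] and lst == []


def hostile_is_refused():
    """A re-entering fileno() gets RuntimeError instead of unbounded recursion."""
    lst = []
    lst[:] = [Hostile(lst, 7)] * 3
    try:
        guarded_select([], lst, [])
    except RuntimeError:
        return True
    return False


def pipe_write_end_is_ready():
    """Benign use: the write end of a fresh pipe is immediately writable."""
    r_fd, w_fd = os.pipe()
    try:
        return guarded_select([], [w_fd], [], 0) == ([], [w_fd], [])
    finally:
        os.close(r_fd)
        os.close(w_fd)


if __name__ == "__main__":
    print("mutation tolerated:", mutation_is_tolerated())
    print("hostile refused:   ", hostile_is_refused())
    print("pipe writable:     ", pipe_write_end_is_ready())
```

The guard is deliberately coarse: it rejects any nested use from within a fileno(), benign or not, because the caller owns this code path and nothing in it needs nesting. Where nesting is legitimate, replace the flag with a small bounded depth counter; the point is that the bound is enforced before the C stack is consumed, not after.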
History
Date | User | Action | Args
2021-07-23 08:48:04 | ronaldoussoren | set | nosy: + ronaldoussoren; messages: + msg398036
2021-07-23 04:25:27 | xxm | create |