Crash when try to disassemble bogus code object #86905

Closed
serhiy-storchaka opened this issue Dec 25, 2020 · 5 comments
Labels: 3.10 (only security fixes), interpreter-core (Objects, Python, Grammar, and Parser dirs), type-crash (A hard crash of the interpreter, possibly with a core dump)

Comments

@serhiy-storchaka
Member

BPO 42739
Nosy @markshannon, @serhiy-storchaka, @ammaraskar
PRs
  • bpo-42739: Don't use sentinels to mark end of line table. #25657
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/markshannon'
    closed_at = <Date 2021-04-29.13:16:18.425>
    created_at = <Date 2020-12-25.11:55:58.959>
    labels = ['interpreter-core', '3.10', 'type-crash']
    title = 'Crash when try to disassemble bogus code object'
    updated_at = <Date 2021-04-29.13:16:18.424>
    user = 'https://github.com/serhiy-storchaka'

    bugs.python.org fields:

    activity = <Date 2021-04-29.13:16:18.424>
    actor = 'Mark.Shannon'
    assignee = 'Mark.Shannon'
    closed = True
    closed_date = <Date 2021-04-29.13:16:18.425>
    closer = 'Mark.Shannon'
    components = ['Interpreter Core']
    creation = <Date 2020-12-25.11:55:58.959>
    creator = 'serhiy.storchaka'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 42739
    keywords = ['patch']
    message_count = 5.0
    messages = ['383741', '383929', '384325', '392051', '392302']
    nosy_count = 3.0
    nosy_names = ['Mark.Shannon', 'serhiy.storchaka', 'ammar2']
    pr_nums = ['25657']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue42739'
    versions = ['Python 3.10']

    @serhiy-storchaka
    Member Author

    >>> def f(): pass
    ... 
    >>> co = f.__code__.replace(co_linetable=b'')
    >>> import dis
    >>> dis.dis(co)
    python: Objects/codeobject.c:1185: PyLineTable_NextAddressRange: Assertion `!at_end(range)' failed.
    Aborted (core dumped)

    It is expected that executing a bogus code object can crash (or cause any other effect). But it is surprising that just inspecting it causes a crash.

    @serhiy-storchaka added the labels 3.10 (only security fixes), interpreter-core (Objects, Python, Grammar, and Parser dirs), and type-crash (A hard crash of the interpreter, possibly with a core dump) on Dec 25, 2020
    @ammaraskar
    Member

    This seems to be part 2 of the problems Mark mentioned in bpo-42562. Namely in this case the co_lnotab accessor uses PyLineTable_NextAddressRange which has that assertion.

    @markshannon
    Member

    dis is able to handle code with no line numbers.

    >>> def f(): pass
    ... 
    >>> co = f.__code__.replace(co_linetable=b'\xff')
    >>> list(co.co_lines())
    []
    >>> import dis
    >>> dis.dis(co)
              0 LOAD_CONST               0 (None)
              2 RETURN_VALUE

    The problem with the example Serhiy gives is that the line number table does not end in a sentinel value.

    You shouldn't be creating code objects unless you really know what you are doing. I.e. never.

    For manually created code objects that don't respect the invariants, any behavior is acceptable IMO.

    @markshannon
    Member

    Using sentinels as a marker to terminate the line number table might be a problem if we want to use a different format. So I'm fixing this for 3.10.

    @markshannon
    Member

    New changeset c76da79 by Mark Shannon in branch 'master':
    bpo-42739: Don't use sentinels to mark end of line table. (GH-25657)

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
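
A regression probe for the reproducer in this thread, as an added example that is not part of the original issue or of CPython's own tests: it runs the reported snippet in a child interpreter, so a failed C assertion cannot take down the caller, and it separates a hard crash (death by signal) from an ordinary Python exception. The names `REPRODUCER`, `classify` and `probe`, the verdict labels, and the POSIX convention of a negative return code for a signal are assumptions of this example.

```python
import signal
import subprocess
import sys

# The report's snippet, verbatim apart from silencing the dis output.
REPRODUCER = """
import contextlib, dis, io
def f(): pass
co = f.__code__.replace(co_linetable=b'')
list(co.co_lines())
with contextlib.redirect_stdout(io.StringIO()):
    dis.dis(co)
"""

def classify(returncode):
    """Turn a child exit status into a verdict (labels are this example's own)."""
    if returncode == 0:
        return "ok"        # the empty table was inspected without incident
    if returncode < 0:
        return "crash"     # POSIX: killed by a signal, e.g. -6 for SIGABRT
    return "error"         # ordinary Python exception, interpreter survived

def probe(timeout=30):
    """Run the reproducer in an isolated child interpreter and report the outcome."""
    child = subprocess.run(
        [sys.executable, "-I", "-c", REPRODUCER],
        capture_output=True, text=True, timeout=timeout,
    )
    rc = child.returncode
    sig = None
    if rc < 0:
        try:
            sig = signal.Signals(-rc).name
        except ValueError:
            sig = "signal %d" % -rc
    stderr_lines = child.stderr.strip().splitlines()
    return {
        "verdict": classify(rc),
        "returncode": rc,
        "signal": sig,
        "detail": stderr_lines[-1] if stderr_lines else "",
    }

if __name__ == "__main__":
    print(sys.version.split()[0], probe())
```

On interpreters whose `replace()` has no `co_linetable` parameter the child raises `TypeError`, which the probe reports as `error` rather than `crash`.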