
ctypes: segfault with large POINTER type names #57305

Closed
meadori opened this issue Oct 4, 2011 · 11 comments
Assignees
Labels
extension-modules C modules in the Modules dir topic-ctypes type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@meadori
Member

meadori commented Oct 4, 2011

BPO 13096
Nosy @amauryfa, @abalkin, @vstinner, @bitdancer, @meadori, @stratakis
PRs
  • [2.7] bpo-13096: Fix partial backport of issue 13096. #12100
Files
  • issue13096.patch: Patch against tip (3.3.0a0)
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/meadori'
    closed_at = <Date 2014-10-12.18:27:40.933>
    created_at = <Date 2011-10-04.03:47:38.499>
    labels = ['extension-modules', 'ctypes', 'type-crash']
    title = 'ctypes: segfault with large POINTER type names'
    updated_at = <Date 2019-03-04.15:40:28.826>
    user = 'https://github.com/meadori'

    bugs.python.org fields:

    activity = <Date 2019-03-04.15:40:28.826>
    actor = 'vstinner'
    assignee = 'meador.inge'
    closed = True
    closed_date = <Date 2014-10-12.18:27:40.933>
    closer = 'r.david.murray'
    components = ['Extension Modules', 'ctypes']
    creation = <Date 2011-10-04.03:47:38.499>
    creator = 'meador.inge'
    dependencies = []
    files = ['23800']
    hgrepos = []
    issue_num = 13096
    keywords = ['patch', 'needs review']
    message_count = 11.0
    messages = ['144850', '144851', '145257', '145258', '148539', '217341', '217367', '229186', '229187', '336858', '337132']
    nosy_count = 9.0
    nosy_names = ['amaury.forgeotdarc', 'belopolsky', 'vstinner', 'r.david.murray', 'jesstess', 'meador.inge', 'bbrazil', 'python-dev', 'cstratak']
    pr_nums = ['12100']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue13096'
    versions = ['Python 2.7', 'Python 3.4', 'Python 3.5']

    @meadori
    Member Author

    meadori commented Oct 4, 2011

    Reproducible in 2.7 and tip:

    [meadori@motherbrain cpython]$ ./python 
    Python 3.3.0a0 (default:61de28fa5537+d05350c14e77+, Oct  3 2011, 21:47:04) 
    [GCC 4.6.0 20110603 (Red Hat 4.6.0-10)] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> from ctypes import *
    >>> T = type('x' * 2 ** 25, (Structure,), {})
    >>> p = POINTER(T)
    Segmentation fault (core dumped)

    @meadori meadori added extension-modules C modules in the Modules dir topic-ctypes type-crash A hard crash of the interpreter, possibly with a core dump labels Oct 4, 2011
    @meadori
    Member Author

    meadori commented Oct 4, 2011

There is a similar crasher to this one that can be reproduced like:

    [meadori@motherbrain cpython]$ ./python 
    Python 3.3.0a0 (default:61de28fa5537+d05350c14e77+, Oct  3 2011, 21:47:04) 
    [GCC 4.6.0 20110603 (Red Hat 4.6.0-10)] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> from ctypes import *
    >>> p = POINTER('x' * 2 ** 25)
    Segmentation fault (core dumped)

    It should be fixed as well.

    @bbrazil
    Mannequin

    bbrazil mannequin commented Oct 9, 2011

    The problem is around line 1734 of callproc.c in tip:

} else if (PyType_Check(cls)) {
    typ = (PyTypeObject *)cls;
    buf = alloca(strlen(typ->tp_name) + 3 + 1);
    sprintf(buf, "LP_%s", typ->tp_name);   /* <-- segfault is here */

    Replacing the alloca with a malloc fixes it, so I presume it's hitting the stack size limit as 2^25 is 32MB (my stack limit is 8MB).
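The diagnosis above (an unbounded `alloca` sized by an attacker- or caller-controlled type name overruns the stack) and the eventual fix (allocate on the heap and free it) can be shown in isolation. The following is an added example written for this page, not code from CPython's callproc.c: `make_pointer_type_name` is a stand-alone stand-in for the `"LP_%s"` construction that uses `malloc` instead of `alloca`, `exceeds_stack_budget` compares a requested size against an assumed 8 MiB stack limit (the constructed value from the comment above, not anything ctypes checks), and `make_huge_name` builds the same 2**25-byte name as the reproducer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stack budget: 8 MiB, the common default `ulimit -s` mentioned
   above. This is a constructed value for illustration only. */
#define ASSUMED_STACK_LIMIT ((size_t)8 * 1024 * 1024)

/* Returns 1 when an alloca() of `nbytes` would not fit in `budget`.
   Illustrates why a 32 MiB type name cannot live on an 8 MiB stack. */
int exceeds_stack_budget(size_t nbytes, size_t budget)
{
    return nbytes >= budget;
}

/* Heap-allocated replacement for the original
   `alloca(strlen(name) + 3 + 1); sprintf(buf, "LP_%s", name);` sequence.
   Returns NULL if the length computation would overflow or malloc fails.
   The caller owns the result and must free() it (the missing free is the
   leak the 2.7 backport later needed to fix). */
char *make_pointer_type_name(const char *name)
{
    size_t len = strlen(name);
    if (len > SIZE_MAX - 4)            /* room for "LP_" plus the NUL */
        return NULL;
    char *buf = malloc(len + 3 + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, "LP_", 3);
    memcpy(buf + 3, name, len + 1);    /* copies the terminating NUL too */
    return buf;
}

/* Builds a constructed name of `len` 'x' bytes, like 'x' * 2 ** 25 in the
   reproducer. The caller frees it. */
char *make_huge_name(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL)
        return NULL;
    memset(name, 'x', len);
    name[len] = '\0';
    return name;
}

int main(void)
{
    size_t len = (size_t)1 << 25;      /* 32 MiB, as in the report */
    char *name = make_huge_name(len);
    if (name == NULL)
        return 1;

    printf("alloca of %zu bytes against a %zu-byte stack: %s\n",
           len + 4, ASSUMED_STACK_LIMIT,
           exceeds_stack_budget(len + 4, ASSUMED_STACK_LIMIT)
               ? "would overflow" : "fits");

    char *lp = make_pointer_type_name(name);
    if (lp != NULL) {
        printf("heap build ok: prefix=%.3s length=%zu\n", lp, strlen(lp));
        free(lp);
    }
    free(name);
    return 0;
}
```

The size arithmetic is guarded because `strlen(name) + 4` is exactly the kind of expression that silently wraps on a pathological input; heap allocation turns the stack overrun into an ordinary allocation failure that the caller can report instead of crash on.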

    @meadori
    Member Author

    meadori commented Oct 9, 2011

Yup, it is the 'alloca' call. This issue and bpo-13097 are both 'alloca' related as mentioned in bpo-12881.

    @meadori meadori self-assigned this Nov 29, 2011
    @meadori
    Member Author

    meadori commented Nov 29, 2011

    Here is a small patch against tip. OK?

    @jesstess
    Member

    Thanks for the report and patch, meador.inge.

    I'd prefer not to add more globals that are only used in one place, but doing so is consistent with the existing style of test_pointers.py, and there's plenty in this file that could be cleaned up in another ticket.

    • The patch passes make patchcheck.
    • The full test suite passes with this patch.
    • The reproducers in this issue segfault for me without this patch and do not segfault with this patch.

    lgtm!

    => commit review

    @meadori
    Member Author

    meadori commented Apr 28, 2014

    Thanks for the review and reminder about this issue, jesstess. I will apply the patch later today.

    @python-dev
    Mannequin

    python-dev mannequin commented Oct 12, 2014

    New changeset e940bb13d010 by R David Murray in branch '3.4':
    bpo-13096: Fix segfault in CTypes POINTER handling of large values.
    https://hg.python.org/cpython/rev/e940bb13d010

    New changeset 02c9c3204a04 by R David Murray in branch 'default':
    Merge: bpo-13096: Fix segfault in CTypes POINTER handling of large values.
    https://hg.python.org/cpython/rev/02c9c3204a04

    New changeset ff59b0f9e142 by R David Murray in branch '2.7':
    bpo-13096: Fix segfault in CTypes POINTER handling of large values.
    https://hg.python.org/cpython/rev/ff59b0f9e142

    @bitdancer
    Member

    Committed.

    @stratakis
    Mannequin

    stratakis mannequin commented Feb 28, 2019

    It seems the python2 backport was incomplete as a PyMem_Free is missing, making buf leak.

    @vstinner
    Member

    vstinner commented Mar 4, 2019

    New changeset 710dcfd by Victor Stinner (stratakis) in branch '2.7':
    [2.7] bpo-13096: Fix memory leak in ctypes POINTER handling of large values (GH-12100)
    710dcfd

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022