
Double DECREF in TextIOWrapper #67038

Closed
thatch mannequin opened this issue Nov 11, 2014 · 3 comments
Labels
stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump

Comments

thatch mannequin commented Nov 11, 2014

BPO 22849
Nosy @ncoghlan, @benjaminp, @thatch, @serhiy-storchaka
Files
  • segv.py: Reproduction for crasher
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2014-11-12.15:24:13.152>
created_at = <Date 2014-11-11.22:55:26.016>
labels = ['library', 'type-crash']
title = 'Double DECREF in TextIOWrapper'
updated_at = <Date 2014-11-12.15:24:13.150>
user = 'https://github.com/thatch'

bugs.python.org fields:

activity = <Date 2014-11-12.15:24:13.150>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2014-11-12.15:24:13.152>
closer = 'python-dev'
components = ['Library (Lib)']
creation = <Date 2014-11-11.22:55:26.016>
creator = 'thatch'
dependencies = []
files = ['37183']
hgrepos = []
issue_num = 22849
keywords = []
message_count = 3.0
messages = ['231054', '231081', '231082']
nosy_count = 5.0
nosy_names = ['ncoghlan', 'benjamin.peterson', 'thatch', 'python-dev', 'serhiy.storchaka']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue22849'
versions = ['Python 3.3', 'Python 3.4', 'Python 3.5']


There's a reproducible bug in textio.c that causes a double DECREF on codecs. The conditions to trigger are probably rare in real life, so not remotely exploitable (sandbox escape is the worst I can think of on its own, and I'm not aware of any on 3.x):

• You need to create a TextIOWrapper wrapping a file-like object that only partially supports the protocol. For example, supporting readable(), writable(), and seekable() but not tell().

The crash I experience most of the time appears to be that the memory is being reused, such that the PyObject ob_type field is no longer a valid pointer.

Affected:
• Source 3.5.0a0 (latest default branch yesterday, 524a004e93dd)
• Archlinux: 3.3.5 and 3.4.2
• Ubuntu: 3.4.0

Unaffected:
• Centos: 3.3.2
• All 2.7 branch (doesn't contain the faulty commit)

Here's where it's introduced -- https://hg.python.org/cpython/rev/f3ec00d2b75e/#l5.76

```c
/* Modules/_io/textio.c line 1064 */

Py_DECREF(codec_info);
/* does not set codec_info = NULL; */
...
if(...) goto error;
...
error:
  Py_XDECREF(codec_info);
```

The attached script is close to minimal -- I think at most you can reduce by one TextIOWrapper instantiation. Sample stacktrace follows (which is after the corruption occurs, on subsequent access to v->ob_type, which is invalid):

```
#0  0x00000000004c8829 in PyObject_GetAttr (v=<unknown at remote 0x7ffff7eb9688>,
    name='_is_text_encoding') at Objects/object.c:872
#1  0x00000000004c871d in _PyObject_GetAttrId (v=<unknown at remote 0x7ffff7eb9688>,
    name=0x945d50 <PyId__is_text_encoding.10143>) at Objects/object.c:835
#2  0x00000000005c6674 in _PyCodec_LookupTextEncoding (
    encoding=0x7ffff6f40220 "utf-8", alternate_command=0x6c2fcd "codecs.open()")
    at Python/codecs.c:541
#3  0x000000000064286e in textiowrapper_init (self=0x7ffff7f9ecb8,
    args=(<F at remote 0x7ffff6f40a18>,), kwds={'encoding': 'utf-8'})
    at ./Modules/_io/textio.c:965
```

    @thatch thatch mannequin added stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump labels Nov 11, 2014
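The report above describes a classic error-path double release: a reference is dropped after use, the local pointer is left dangling, and a later `goto error` drops it again through `Py_XDECREF`. The following is an added example, not CPython code and not the fix that was committed for this issue: it models the pattern with a hypothetical stand-in object (`Obj`, `obj_decref`, `XDECREF`, `CLEAR`) so it compiles without Python headers, and shows the buggy flow beside the usual remedy of clearing the pointer at the moment the reference is released. The "owner" is a second holder of the object, as the codec registry is for the real codec info, so the double release shows up as the owner's count being driven to zero and the object freed underneath it.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a PyObject: a reference count plus a "freed" flag.
   In CPython the freed memory would be recycled, which is why the reporter
   sees a bogus ob_type; here the state is only recorded so it can be inspected. */
typedef struct {
    long refcnt;
    int freed;
} Obj;

static void obj_decref(Obj *o) {
    if (o->freed) return;                 /* already freed: real code would corrupt memory here */
    if (--o->refcnt == 0) o->freed = 1;   /* would run the deallocator in CPython */
}

/* Mirror of Py_XDECREF: drop the reference only if the pointer is non-NULL. */
#define XDECREF(o) do { if ((o) != NULL) obj_decref(o); } while (0)

/* Mirror of Py_CLEAR: null the variable first, then drop the reference, so a
   later cleanup path cannot release the same reference twice. */
#define CLEAR(o) do { Obj *_tmp = (o); (o) = NULL; if (_tmp != NULL) obj_decref(_tmp); } while (0)

/* Shape of the bug in the report: the codec_info reference is released once
   the object has been used, the local is not nulled, and when a later step
   fails and jumps to `error`, XDECREF releases it a second time.
   Returns 0 on success, -1 on failure. */
static int init_buggy(Obj *codec_info, int later_step_fails) {
    codec_info->refcnt++;                 /* the lookup hands back a new reference */
    /* ... codec_info is used here ... */
    obj_decref(codec_info);               /* reference released, pointer left dangling */
    if (later_step_fails)                 /* e.g. the wrapped object lacks tell() */
        goto error;
    return 0;
error:
    XDECREF(codec_info);                  /* second release of the same reference */
    return -1;
}

/* Same flow with the reference cleared in one step; the error path is then a no-op. */
static int init_fixed(Obj *codec_info, int later_step_fails) {
    codec_info->refcnt++;
    /* ... codec_info is used here ... */
    CLEAR(codec_info);
    if (later_step_fails)
        goto error;
    return 0;
error:
    XDECREF(codec_info);                  /* codec_info is NULL: nothing happens */
    return -1;
}

/* Runs one scenario against a fresh object that the caller owns (refcnt 1)
   and returns the owner's reference count afterwards. A correct init leaves
   it at 1; a double release drives it to 0. */
static long owner_refcnt_after(int (*init)(Obj *, int), int later_step_fails) {
    Obj o = { 1, 0 };
    (void)init(&o, later_step_fails);
    return o.refcnt;
}

/* Same scenario, reporting whether the object was freed under its owner. */
static int was_freed_after(int (*init)(Obj *, int), int later_step_fails) {
    Obj o = { 1, 0 };
    (void)init(&o, later_step_fails);
    return o.freed;
}

int main(void) {
    printf("buggy, error path: owner refcnt=%ld freed=%d\n",
           owner_refcnt_after(init_buggy, 1), was_freed_after(init_buggy, 1));
    printf("fixed, error path: owner refcnt=%ld freed=%d\n",
           owner_refcnt_after(init_fixed, 1), was_freed_after(init_fixed, 1));
    printf("buggy, happy path: owner refcnt=%ld freed=%d\n",
           owner_refcnt_after(init_buggy, 0), was_freed_after(init_buggy, 0));
    return 0;
}
```

The happy path looks identical for both versions, which is why such bugs survive testing until an unusual input (here, a file-like object without `tell()`) takes the error path. Reviewing every `goto error` cleanup against the point where each reference is last released, and nulling the local there, is the check that catches this class of defect; running the test suite under AddressSanitizer or a debug build with reference-count checks makes the premature free visible instead of a later, unrelated-looking crash in `PyObject_GetAttr`.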
@benjaminp Contributor

Thanks for the excellent bug report!


python-dev mannequin commented Nov 12, 2014

New changeset ec1948191461 by Benjamin Peterson in branch '3.4':
fix possible double free in TextIOWrapper.__init__ (closes bpo-22849)
https://hg.python.org/cpython/rev/ec1948191461

New changeset a664b150b6c2 by Benjamin Peterson in branch 'default':
merge 3.4 (bpo-22849)
https://hg.python.org/cpython/rev/a664b150b6c2

@python-dev python-dev mannequin closed this as completed Nov 12, 2014
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022