
Use after free during json encoding (PyType_IsSubtype) #68282

Closed
pkt mannequin opened this issue May 1, 2015 · 2 comments
Labels
  • extension-modules: C modules in the Modules dir
  • type-crash: A hard crash of the interpreter, possibly with a core dump

Comments

pkt mannequin commented May 1, 2015

BPO 24094
Nosy @rhettinger, @pitrou, @tiran, @ezio-melotti, @serhiy-storchaka
Files
  • poc_enc_dict1.py
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = <Date 2015-05-03.02:37:22.193>
    created_at = <Date 2015-05-01.14:00:58.881>
    labels = ['extension-modules', 'type-crash']
    title = 'Use after free during json encoding (PyType_IsSubtype)'
    updated_at = <Date 2015-05-03.06:45:58.964>
    user = 'https://bugs.python.org/pkt'

    bugs.python.org fields:

    activity = <Date 2015-05-03.06:45:58.964>
    actor = 'Arfrever'
    assignee = 'none'
    closed = True
    closed_date = <Date 2015-05-03.02:37:22.193>
    closer = 'python-dev'
    components = ['Extension Modules']
    creation = <Date 2015-05-01.14:00:58.881>
    creator = 'pkt'
    dependencies = []
    files = ['39243']
    hgrepos = []
    issue_num = 24094
    keywords = []
    message_count = 2.0
    messages = ['242308', '242448']
    nosy_count = 8.0
    nosy_names = ['rhettinger', 'pitrou', 'christian.heimes', 'ezio.melotti', 'Arfrever', 'python-dev', 'serhiy.storchaka', 'pkt']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue24094'
    versions = ['Python 3.4', 'Python 3.5']

    pkt mannequin commented May 1, 2015

    # Breakpoint 1, encoder_listencode_dict (s=0x405b23fc, acc=0xbfc4038c, dct=<D at remote 0x405c8b34>, indent_level=0)
    # at /home/p/Python-3.4.1/Modules/_json.c:1540
    # 1540    items = PyMapping_Keys(dct);
    # (gdb) n
    # 1541    if (items == NULL)
    # (gdb) print *items
    # $1 = {ob_next = 0x405c8af4, _ob_prev = 0x4059006c, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}
    # (gdb) n
    # 1543    if (!PyList_Check(items)) {
    # (gdb) n
    # 1547    if (PyList_Sort(items) < 0)
    # (gdb) n
    # 1549    nitems = PyList_GET_SIZE(items);
    # (gdb) n
    # 1550    for (i = 0; i < nitems; i++) {
    # (gdb) print nitems
    # $2 = 1122
    # (gdb) n
    # 1552    key = PyList_GET_ITEM(items, i);
    # (gdb) n
    # 1553    value = PyDict_GetItem(dct, key);
    # (gdb) print *key
    # $3 = {ob_next = 0x4058eedc, _ob_prev = 0x40590d1c, ob_refcnt = 1, ob_type = 0x405afd1c}
    # (gdb) n
    #
    # Program received signal SIGSEGV, Segmentation fault.
    # 0x08108825 in PyType_IsSubtype (a=0xdbdbdbdb, b=0x830f1a0 <PyLong_Type>) at Objects/typeobject.c:1292
    # 1292    mro = a->tp_mro;
    # (gdb) bt
    # #0 0x08108825 in PyType_IsSubtype (a=0xdbdbdbdb, b=0x830f1a0 <PyLong_Type>) at Objects/typeobject.c:1292
    # #1 0x080f22d6 in do_richcompare (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:643
    # #2 0x080f263d in PyObject_RichCompare (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:701
    # #3 0x080f26ce in PyObject_RichCompareBool (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:723
    # #4 0x080df7b5 in lookdict (mp=0x405c8b34, key=<unknown at remote 0x4059006c>, hash=1337, value_addr=0xbfc40200)
    # at Objects/dictobject.c:485
    # #5 0x080e145d in PyDict_GetItem (op=<D at remote 0x405c8b34>, key=<unknown at remote 0x4059006c>) at Objects/dictobject.c:1095
    # #6 0x405bf6f9 in encoder_listencode_dict (s=0x405b23fc, acc=0xbfc4038c, dct=<D at remote 0x405c8b34>, indent_level=0)
    #
    # Deleting the object in the __hash__() method triggers a use after free in PyType_IsSubtype.

    @pkt pkt mannequin added the type-crash A hard crash of the interpreter, possibly with a core dump label May 1, 2015
    @tiran tiran added the extension-modules C modules in the Modules dir label May 1, 2015
    python-dev mannequin commented May 3, 2015

    New changeset 0e8c9cf1fede by Benjamin Peterson in branch '3.3':
    just sort the items tuple directly (closes bpo-24094)
    https://hg.python.org/cpython/rev/0e8c9cf1fede

    New changeset f9027b10b3c4 by Benjamin Peterson in branch '3.4':
    merge 3.3 (bpo-24094)
    https://hg.python.org/cpython/rev/f9027b10b3c4

    New changeset 3bdf1816f561 by Benjamin Peterson in branch 'default':
    merge 3.4 (bpo-24094)
    https://hg.python.org/cpython/rev/3bdf1816f561
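    The trace above shows the hazard: `key` is a borrowed pointer into the list that `PyMapping_Keys(dct)` returned (for a dict subclass that list comes from an overridable `keys()`), and `PyDict_GetItem(dct, key)` then runs the key's `__hash__`, i.e. user code, while that list is the key's only reference (`ob_refcnt = 1`). Once the list drops the key, the pointer dangles and the comparison inside `lookdict` dereferences freed memory (`a=0xdbdbdbdb`). The following is an added pure-Python example, not the reporter's poc_enc_dict1.py and not CPython's `_json.c`; `Key`, `RetainingMapping`, `build_hostile_mapping` and the two `encode_*` functions are constructed here. It contrasts the pre-fix loop shape (keys list, then a lookup per key) with the shape the commit message describes (sort the items directly, no second lookup). Python holds a strong reference to `key` for the loop variable, so here the defect shows up as silently truncated output rather than a crash, which is the same loss of loop invariant seen in the C code.

```python
# Added example (not the reporter's poc_enc_dict1.py and not CPython's
# _json.c): the reentrancy hazard behind bpo-24094, shown in pure Python.
# Key, RetainingMapping, build_hostile_mapping and the two encode_*
# functions are constructed for this demonstration.


class Key:
    """A dict key whose __hash__ runs a callback, i.e. arbitrary user code,
    every time the mapping is queried with it."""

    def __init__(self, name, on_hash=None):
        self.name = name
        self.on_hash = on_hash

    def __hash__(self):
        if self.on_hash is not None:
            self.on_hash()          # user code runs inside the lookup
        return hash(self.name)

    def __eq__(self, other):
        return isinstance(other, Key) and other.name == self.name

    def __lt__(self, other):        # needed for sort_keys-style sorting
        return self.name < other.name


class RetainingMapping(dict):
    """dict subclass whose keys() returns a list it keeps a handle on.
    In the report the encoder's borrowed key pointer pointed into such a
    list, and that list held the only reference to the key."""

    def keys(self):
        self.retained = list(super().keys())
        return self.retained


def build_hostile_mapping():
    """Constructed input: three keys, where hashing key "b" empties the
    list that keys() handed out."""
    m = RetainingMapping()
    for name, value in (("c", 3), ("a", 1), ("b", 2)):
        m[Key(name)] = value        # on_hash is still None here
    for key in m:                   # iterating does not hash, so no callback yet
        if key.name == "b":
            key.on_hash = lambda: m.retained.clear()
    return m


def encode_keys_then_lookup(mapping):
    """Pre-fix loop shape: fetch the keys list, sort it, then look every key
    up again in the mapping.  Each lookup hashes the key, so user code runs
    while the loop still depends on the keys list."""
    keys = mapping.keys()
    keys.sort()
    out = []
    for key in keys:                # in C: borrowed pointer from PyList_GET_ITEM
        out.append((key.name, mapping[key]))   # __hash__ fires inside this lookup
    return out


def encode_items_snapshot(mapping):
    """Post-fix loop shape: take the (key, value) pairs once and sort those.
    No further lookups into the mapping, so nothing user-controlled runs
    between taking the snapshot and using it."""
    items = list(mapping.items())
    items.sort(key=lambda kv: kv[0])
    return [(key.name, value) for key, value in items]


if __name__ == "__main__":
    print(encode_keys_then_lookup(build_hostile_mapping()))   # key "c" is silently lost
    print(encode_items_snapshot(build_hostile_mapping()))     # all three keys present
```

    The general rule this illustrates for C extensions is the one the fix applies: never run user-reachable code (`PyDict_GetItem`, rich comparison, `PyObject_Hash`) while holding a borrowed reference whose owner that code can reach; either take a strong reference (`Py_INCREF`) around the call or restructure so the data is captured once and no further callbacks are needed.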

    @python-dev python-dev mannequin closed this as completed May 3, 2015
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022