Use after free in PyObject_GetState #68285

pkt · 2015-05-01T14:05:36Z

BPO	24097
Nosy	@pitrou, @avassalotti, @benjaminp, @serhiy-storchaka
Files	poc_getstate.py getstate_borrowed_ref.patch test_issue24097.patch getstate_borrowed_ref_with_test-2.7.patch getstate_borrowed_ref_with_test-3.4.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/pitrou'
closed_at = <Date 2015-11-25.16:37:39.506>
created_at = <Date 2015-05-01.14:05:35.520>
labels = ['extension-modules', 'type-crash']
title = 'Use after free in PyObject_GetState'
updated_at = <Date 2015-11-25.16:37:39.505>
user = 'https://bugs.python.org/pkt'

bugs.python.org fields:

activity = <Date 2015-11-25.16:37:39.505>
actor = 'serhiy.storchaka'
assignee = 'pitrou'
closed = True
closed_date = <Date 2015-11-25.16:37:39.506>
closer = 'serhiy.storchaka'
components = ['Extension Modules']
creation = <Date 2015-05-01.14:05:35.520>
creator = 'pkt'
dependencies = []
files = ['39248', '39842', '39953', '40936', '40937']
hgrepos = []
issue_num = 24097
keywords = ['patch']
message_count = 9.0
messages = ['242313', '246069', '246070', '246102', '246122', '246949', '254001', '254002', '255366']
nosy_count = 7.0
nosy_names = ['pitrou', 'alexandre.vassalotti', 'benjamin.peterson', 'Arfrever', 'python-dev', 'serhiy.storchaka', 'pkt']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue24097'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5', 'Python 3.6']

pkt · 2015-05-01T14:05:35Z

# Program received signal SIGSEGV, Segmentation fault.
# 0x080f27b2 in PyObject_Hash (v=<unknown at remote 0x405720e4>) at Objects/object.c:746
# 746 if (tp->tp_hash != NULL)
# (gdb) bt
# #0 0x080f27b2 in PyObject_Hash (v=<unknown at remote 0x405720e4>) at Objects/object.c:746
# #1 0x080e1717 in PyDict_SetItem (op={}, key=<unknown at remote 0x405720e4>, value=None) at Objects/dictobject.c:1201
# #2 0x0810e8a0 in _PyObject_GetState (obj=<Y at remote 0x405731bc>) at Objects/typeobject.c:3657
# #3 0x081100e9 in reduce_2 (obj=<Y at remote 0x405731bc>) at Objects/typeobject.c:3949
# #4 0x08110551 in _common_reduce (self=<Y at remote 0x405731bc>, proto=2) at Objects/typeobject.c:4012
# #5 0x08110641 in object_reduce (self=<Y at remote 0x405731bc>, args=(2,)) at Objects/typeobject.c:4032
#
# (gdb) frame 2
# #2 0x0810e8a0 in _PyObject_GetState (obj=<Y at remote 0x405731bc>) at Objects/typeobject.c:3657
\bpo-3657 int err = PyDict_SetItem(slots, name, value);
# (gdb) print *name
# $1 = {ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb}
#
# "name" is freed inside __getattr_ and is later used by PyDict_SetItem.

pkt · 2015-07-02T10:26:50Z

ping

pitrou · 2015-07-02T10:48:49Z

Thanks for the report. Here is a patch.

benjaminp · 2015-07-02T22:05:25Z

lgtm

serhiy-storchaka · 2015-07-03T03:15:36Z

The fix LGTM.

It would be nice to add a test.

serhiy-storchaka · 2015-07-19T21:12:24Z

Here is a test for this issue.

serhiy-storchaka · 2015-11-03T16:49:21Z

In 2.7 the test doesn't crash, but __reduce__ produces invalid recursive structure.

serhiy-storchaka · 2015-11-03T16:51:46Z

Here is backported to 2.7 patch with test. Can you review the test and commit the patch Antoine?

python-dev · 2015-11-25T16:36:16Z

New changeset eed36e19f8b8 by Serhiy Storchaka in branch '3.4':
Issue bpo-24097: Fixed crash in object.__reduce__() if slot name is freed inside
https://hg.python.org/cpython/rev/eed36e19f8b8

New changeset 99839a1c9c6d by Serhiy Storchaka in branch '3.5':
Issue bpo-24097: Fixed crash in object.__reduce__() if slot name is freed inside
https://hg.python.org/cpython/rev/99839a1c9c6d

New changeset 502465d22522 by Serhiy Storchaka in branch 'default':
Issue bpo-24097: Fixed crash in object.__reduce__() if slot name is freed inside
https://hg.python.org/cpython/rev/502465d22522

New changeset 4a201d0d4d1e by Serhiy Storchaka in branch '2.7':
Issue bpo-24097: Fixed crash in object.__reduce__() if slot name is freed inside
https://hg.python.org/cpython/rev/4a201d0d4d1e

pkt mannequin added the type-crash A hard crash of the interpreter, possibly with a core dump label May 1, 2015

tiran added the extension-modules C modules in the Modules dir label May 1, 2015

serhiy-storchaka self-assigned this Jul 2, 2015

serhiy-storchaka assigned pitrou and unassigned serhiy-storchaka Jul 3, 2015

serhiy-storchaka assigned serhiy-storchaka and unassigned pitrou Nov 3, 2015

serhiy-storchaka assigned pitrou and unassigned serhiy-storchaka Nov 3, 2015

serhiy-storchaka closed this as completed Nov 25, 2015

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use after free in PyObject_GetState #68285

Use after free in PyObject_GetState #68285

pkt mannequin commented May 1, 2015

pkt mannequin commented May 1, 2015

pkt mannequin commented Jul 2, 2015

pitrou commented Jul 2, 2015

benjaminp commented Jul 2, 2015

serhiy-storchaka commented Jul 3, 2015

serhiy-storchaka commented Jul 19, 2015

serhiy-storchaka commented Nov 3, 2015

serhiy-storchaka commented Nov 3, 2015

python-dev mannequin commented Nov 25, 2015

Use after free in PyObject_GetState #68285

Use after free in PyObject_GetState #68285

Comments

pkt mannequin commented May 1, 2015

pkt mannequin commented May 1, 2015

pkt mannequin commented Jul 2, 2015

pitrou commented Jul 2, 2015

benjaminp commented Jul 2, 2015

serhiy-storchaka commented Jul 3, 2015

serhiy-storchaka commented Jul 19, 2015

serhiy-storchaka commented Nov 3, 2015

serhiy-storchaka commented Nov 3, 2015

python-dev mannequin commented Nov 25, 2015