Segfault with nonsensical random state #68808

Closed
skrah mannequin opened this issue Jul 12, 2015 · 6 comments

@skrah

skrah mannequin commented Jul 12, 2015

BPO 24620
Nosy @rhettinger, @mdickinson, @skrah, @serhiy-storchaka
Files
  • random_setstate_index.patch
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/serhiy-storchaka'
    closed_at = <Date 2015-07-24.06:12:27.397>
    created_at = <Date 2015-07-12.19:19:24.248>
    labels = ['extension-modules', 'type-crash']
    title = 'Segfault with nonsensical random state'
    updated_at = <Date 2015-07-24.06:12:27.396>
    user = 'https://github.com/skrah'

    bugs.python.org fields:

    activity = <Date 2015-07-24.06:12:27.396>
    actor = 'serhiy.storchaka'
    assignee = 'serhiy.storchaka'
    closed = True
    closed_date = <Date 2015-07-24.06:12:27.397>
    closer = 'serhiy.storchaka'
    components = ['Extension Modules']
    creation = <Date 2015-07-12.19:19:24.248>
    creator = 'skrah'
    dependencies = []
    files = ['39917']
    hgrepos = []
    issue_num = 24620
    keywords = ['patch']
    message_count = 6.0
    messages = ['246661', '246666', '246667', '246669', '247259', '247261']
    nosy_count = 5.0
    nosy_names = ['rhettinger', 'mark.dickinson', 'skrah', 'python-dev', 'serhiy.storchaka']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue24620'
    versions = ['Python 2.7', 'Python 3.4', 'Python 3.5', 'Python 3.6']

    @skrah

    skrah mannequin commented Jul 12, 2015

    While trying to find a possible cause for bpo-24546, I came across this
    glitch:

    Python 3.6.0a0 (default:02b81a82a57d, Jul 12 2015, 20:33:44) 
    [GCC 4.8.4] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import random
    >>> s = (3, (999999999999999,)*625, None)
    >>> random.setstate(s)
    >>> random.choice([1,2,3,4,5])
    Segmentation fault (core dumped)

    @serhiy-storchaka

    Can't reproduce on 32-bit.

    @serhiy-storchaka serhiy-storchaka added extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump labels Jul 12, 2015
    @skrah

    skrah mannequin commented Jul 12, 2015

    I think it's just a matter of checking for self->index <= N in setstate().

    @serhiy-storchaka

    But I can reproduce the crash with another example.

    import random
    random.setstate((3, (1,)*624+(-10**9,), None))
    random.random()

    The index attribute can be set to a negative value, and this causes reading out of the buffer.

    Here is a patch that fixes this.

    @rhettinger rhettinger self-assigned this Jul 13, 2015
    @rhettinger

    This is ready to apply.

    @python-dev

    python-dev mannequin commented Jul 24, 2015

    New changeset 0933c00c2765 by Serhiy Storchaka in branch '3.4':
    Issue bpo-24620: Random.setstate() now validates the value of state last element.
    https://hg.python.org/cpython/rev/0933c00c2765

    New changeset 84070c1225c5 by Serhiy Storchaka in branch '2.7':
    Issue bpo-24620: Random.setstate() now validates the value of state last element.
    https://hg.python.org/cpython/rev/84070c1225c5

    New changeset d8229c26dd92 by Serhiy Storchaka in branch '3.5':
    Issue bpo-24620: Random.setstate() now validates the value of state last element.
    https://hg.python.org/cpython/rev/d8229c26dd92

    New changeset f6e399ae670f by Serhiy Storchaka in branch 'default':
    Issue bpo-24620: Random.setstate() now validates the value of state last element.
    https://hg.python.org/cpython/rev/f6e399ae670f
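
A way to check whether a given interpreter carries this fix without taking down the calling process, as an added example that is not part of the original thread or the CPython patch: each state posted in the thread is loaded in a child interpreter and the outcome is classified. The names `probe` and `check_interpreter`, the exit code 3 convention and the "valid index" control state are assumptions of this example.

```python
import subprocess
import sys

# The two states posted in the thread, kept as source text so that they are
# only ever evaluated inside a child interpreter.
STATES = {
    "huge index": "(3, (999999999999999,) * 625, None)",
    "negative index": "(3, (1,) * 624 + (-10**9,), None)",
    # Constructed control case: 624 state words followed by an in-range index.
    "valid index": "(3, (1,) * 624 + (624,), None)",
}

# Child script: exit 3 if setstate() refuses the state, exit 0 if the state is
# accepted and the generator can be used afterwards.
CHILD = """
import random, sys
try:
    random.setstate({state})
except (ValueError, OverflowError, TypeError):
    sys.exit(3)
random.random()   # on a build without the fix, the bad index is used here
sys.exit(0)
"""


def probe(state_src):
    """Load one state in a child process and classify what happened."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD.format(state=state_src)],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        timeout=60,
    )
    if proc.returncode == 3:
        return "rejected"
    if proc.returncode == 0:
        return "accepted"
    # Killed by a signal (negative return code on POSIX) or another abnormal exit.
    return "crashed"


def check_interpreter():
    """Return {state name: outcome} for the interpreter running this script."""
    return {name: probe(src) for name, src in STATES.items()}


if __name__ == "__main__":
    for name, outcome in check_interpreter().items():
        print(f"{name:15} {outcome}")
```

On a build that includes the changesets above, both states from the thread come back as "rejected" and the control as "accepted"; "crashed" for either thread state means the interpreter predates the fix.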

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022