Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bad free in py_sha3_new_impl function #87528

Closed
alexhenrie mannequin opened this issue Mar 2, 2021 · 4 comments
Closed

Bad free in py_sha3_new_impl function #87528

alexhenrie mannequin opened this issue Mar 2, 2021 · 4 comments
Assignees
@tiran
Labels
3.10 only security fixes stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

@alexhenrie
Copy link
Mannequin

alexhenrie mannequin commented Mar 2, 2021

BPO 43362
Nosy @tiran, @alexhenrie
PRs
  • bpo-43362: Fix bad free in py_sha3_new_impl function #24702
  • bpo-43362: Fix invalid free and return check in _sha3 module (GH-25463) #25463
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/tiran'
closed_at = <Date 2021-04-18.06:40:39.074>
created_at = <Date 2021-03-02.02:49:55.671>
labels = ['type-bug', 'library', '3.10']
title = 'Bad free in py_sha3_new_impl function'
updated_at = <Date 2021-04-18.06:40:39.073>
user = 'https://github.com/alexhenrie'

    bugs.python.org fields:

    activity = <Date 2021-04-18.06:40:39.073>
actor = 'christian.heimes'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2021-04-18.06:40:39.074>
closer = 'christian.heimes'
components = ['Library (Lib)']
creation = <Date 2021-03-02.02:49:55.671>
creator = 'alex.henrie'
dependencies = []
files = []
hgrepos = []
issue_num = 43362
keywords = ['patch']
message_count = 4.0
messages = ['387898', '391315', '391326', '391327']
nosy_count = 2.0
nosy_names = ['christian.heimes', 'alex.henrie']
pr_nums = ['24702', '25463']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue43362'
versions = ['Python 3.10']
    @alexhenrie
    Copy link
    Mannequin Author

    alexhenrie mannequin commented Mar 2, 2021

    The py_sha3_new_impl function in sha3module.c has error handling code that looks like this:

        error:
      if (self) {
          Py_DECREF(self);
      }
      if (data && buf.obj) {
          PyBuffer_Release(&buf);
      }

    However, there is a goto error before the variable buf is initialized. If that error path is triggered, the function will attempt to free an invalid object, possibly leading to a program crash.

    @alexhenrie alexhenrie mannequin added type-crash A hard crash of the interpreter, possibly with a core dump 3.10 only security fixes stdlib Python modules in the Lib dir labels Mar 2, 2021
    @tiran tiran added 3.8 only security fixes 3.9 only security fixes labels Apr 17, 2021
    @tiran tiran self-assigned this Apr 17, 2021
    @tiran tiran added type-bug An unexpected behavior, bug, or error 3.8 only security fixes 3.9 only security fixes and removed type-crash A hard crash of the interpreter, possibly with a core dump labels Apr 17, 2021
    @tiran tiran self-assigned this Apr 17, 2021
    @tiran tiran added type-bug An unexpected behavior, bug, or error and removed type-crash A hard crash of the interpreter, possibly with a core dump labels Apr 17, 2021
    @tiran
    Copy link
    Member

    tiran commented Apr 17, 2021

    Excellent finding! The issue was introduced in commit 93d50a6 as part of bpo-1635741

    @tiran
    Copy link
    Member

    tiran commented Apr 18, 2021

    New changeset aa6da32 by Christian Heimes in branch 'master':
    bpo-43362: Fix invalid free and return check in _sha3 module (GH-25463)
    aa6da32

    @tiran
    Copy link
    Member

    tiran commented Apr 18, 2021

    The issue affected Python 3.10a1 to latest alpha. 3.9 and earlier are not affected.

    Thanks!

    @tiran tiran removed 3.8 only security fixes 3.9 only security fixes labels Apr 18, 2021
    @tiran tiran closed this as completed Apr 18, 2021
    @tiran tiran removed 3.8 only security fixes 3.9 only security fixes labels Apr 18, 2021
    @tiran tiran closed this as completed Apr 18, 2021
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees

    @tiran tiran

    Labels
    3.10 only security fixes stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    1 participant
    @tiran