Message 306887 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	davin, larry, serhiy.storchaka, skrah, vstinner, xdegaye
Date	2017-11-24.11:08:20
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1511521700.94.0.213398074469.issue31626@psf.upfronthosting.co.za>
In-reply-to

Content
Ok, let me summarize: * 2.7: memset() before realloc() if shrinking a memory block, but crash when Py_FatalError() if realloc() fails on shrinking --> cannot corrupt memory, but can crash if realloc() fails on shrinking * master (3.7): memset() before realloc() if shrinking a memory block, but save erased bytes, and restore erased bytes if realloc() fails --> always correct * 3.6: don't memset() --> correct, but don't detect "use after free" bug when a memory block is skrinked Python 3.6 release manager, Ned Deily, rejected the proposal to backport the complex fix from master to 3.6. Victor (me): > Serhiy: I added a Py_FatalError() to Python 2.7 if the case that must not happen does happen. Are you ok to apply the same change for Python 3.6 (...) Sorry, when I asked the question, I expected that Python 3.6 still erased bytes before realloc(). But it's not the case. I agree that Py_FatalError() would be a bad idea for Python 3.6. Serhiy: Thank you for fixing Python 3.6 (don't memset() after realloc, which crashed on OpenBSD) and "fix" the feature in master (restore erased bytes if realloc fails)! I close the issue. I don't think that Python 2.7 or 3.6 need further changes.

Ok, let me summarize:

* 2.7: memset() *before* realloc() if shrinking a memory block, but crash when Py_FatalError() if realloc() fails on shrinking --> cannot corrupt memory, but can crash if realloc() fails on shrinking

* master (3.7): memset() *before* realloc() if shrinking a memory block, but save erased bytes, and restore erased bytes if realloc() fails --> always correct

* 3.6: don't memset() --> correct, but don't detect "use after free" bug when a memory block is skrinked

Python 3.6 release manager, Ned Deily, rejected the proposal to backport the complex fix from master to 3.6.


Victor (me):
> Serhiy: I added a Py_FatalError() to Python 2.7 if the case that must not happen does happen. Are you ok to apply the same change for Python 3.6 (...)

Sorry, when I asked the question, I expected that Python 3.6 still erased bytes before realloc(). But it's not the case. I agree that Py_FatalError() would be a bad idea for Python 3.6.


Serhiy: Thank you for fixing Python 3.6 (don't memset() *after* realloc, which crashed on OpenBSD) and "fix" the feature in master (restore erased bytes if realloc fails)!


I close the issue. I don't think that Python 2.7 or 3.6 need further changes.

History
Date	User	Action	Args
2017-11-24 11:08:20	vstinner	set	recipients: + vstinner, larry, skrah, xdegaye, serhiy.storchaka, davin
2017-11-24 11:08:20	vstinner	set	messageid: <1511521700.94.0.213398074469.issue31626@psf.upfronthosting.co.za>
2017-11-24 11:08:20	vstinner	link	issue31626 messages
2017-11-24 11:08:20	vstinner	create