This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author zephyrus00jp
Recipients zephyrus00jp
Date 2019-09-04.23:27:04
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1567639624.78.0.948902616905.issue38033@roundup.psfhosted.org>
In-reply-to
Content
Hi,
I am new to the Python bug tracker, so my setting of the fields may be inadequate. If so, apologies in advance.
I think a Use After Free bug is a potential security issue and so wanted to report it ASAP.

First, my environment: I am using Debian GNU/Linux, and its kernel version (uname -a output) is:
SMP Debian 4.19.37-6 (2019-07-18) x86_64 GNU/Linux

Python version is:
# python3 --version
Python 3.7.4

The Mozilla Thunderbird mail client's testing framework uses Python as a test driver, and when I was checking the local build of Thunderbird under a test suite invoked from |make mozmill| under valgrind (a memory usage checker), the first thing I noticed was the following message from valgrind.
PyObject_Free seems to access a memory location (4 octets) in an already freed block. This happened many times during the test.

I have not bothered to look into the source code of Python, but a seasoned developer should be able to figure out where such a reference is made.

From valgrind log:

==30354== Invalid read of size 4
==30354==    at 0x5A29FE: PyObject_Free (in /usr/bin/python3.7)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==  Address 0x4c8b020 is 16 bytes after a block of size 576 free'd
==30354==    at 0x4833FC0: free (vg_replace_malloc.c:538)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==  Block was alloc'd at
==30354==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
==30354==    by 0x5A4B16: PyObject_Malloc (in /usr/bin/python3.7)
==30354==    by 0x5B72BD: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==
TIA
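As an added example, not part of the bug report, here is a small Python parser for the memcheck block format quoted above: it separates the faulting stack from the stack that freed the block and classifies the access as inside a freed block (a true use-after-free) or outside it, the latter being the shape that CPython's pymalloc produces when PyObject_Free probes a pool header with its address_in_range check (documented in Misc/README.valgrind and suppressed by Misc/valgrind-python.supp). The KNOWN_PROBES allowlist and the trimmed log excerpt are constructed for this example.

```python
import re

# Constructed excerpt, trimmed to the shape of the memcheck block quoted in the report above.
SAMPLE_LOG = """\
==30354== Invalid read of size 4
==30354==    at 0x5A29FE: PyObject_Free (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==  Address 0x4c8b020 is 16 bytes after a block of size 576 free'd
==30354==    at 0x4833FC0: free (vg_replace_malloc.c:538)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==  Block was alloc'd at
==30354==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
"""

HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
ADDR = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes "
                  r"(inside|before|after) a block of size (\d+) (free'd|alloc'd)")
# Allocator entry points that deliberately read outside the block being freed
# (pymalloc's address_in_range check). Assumption: allowlist defined by this example.
KNOWN_PROBES = {"PyObject_Free", "PyObject_Realloc"}

def parse_memcheck(text):
    """Split memcheck 'Invalid read/write' reports into dicts carrying both stacks."""
    errors, err, stack = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            err = {"kind": m.group(1), "size": int(m.group(2)), "relation": None,
                   "access_stack": [], "free_stack": []}
            errors.append(err)
            stack = err["access_stack"]          # frames up to the 'Address ... is' line
        elif err and (m := ADDR.match(line)):
            err.update(offset=int(m.group(1)), relation=m.group(2),
                       block_size=int(m.group(3)), block_state=m.group(4))
            stack = err["free_stack"] if m.group(4) == "free'd" else None
        elif "Block was alloc'd" in line:
            stack = None                         # allocation stack is not needed for triage
        elif stack is not None and (m := FRAME.match(line)):
            stack.append(m.group(1))
    return errors

def triage(err):
    """Name the failure class a reviewer should investigate first."""
    top = err["access_stack"][0] if err["access_stack"] else "?"
    if err.get("relation") == "inside" and err.get("block_state") == "free'd":
        return f"use-after-free: {top} {err['kind']}s {err['size']} bytes inside a freed block"
    if top in KNOWN_PROBES and err.get("relation") in ("after", "before"):
        return (f"allocator probe: {top} {err['kind']}s {err['size']} bytes at {err['offset']} bytes "
                f"{err['relation']} a freed block; check the allocator's suppression file")
    return f"out-of-bounds {err['kind']} by {top}: {err.get('offset')} bytes {err.get('relation')} a block"
```

Running `triage` over each record from `parse_memcheck(SAMPLE_LOG)` separates reads that land inside a freed block from the out-of-block probe pattern before anyone spends time chasing the latter as a use-after-free.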
History
Date | User | Action | Args
2019-09-04 23:27:05 | zephyrus00jp | set | recipients: + zephyrus00jp
2019-09-04 23:27:04 | zephyrus00jp | set | messageid: <1567639624.78.0.948902616905.issue38033@roundup.psfhosted.org>
2019-09-04 23:27:04 | zephyrus00jp | link | issue38033 messages
2019-09-04 23:27:04 | zephyrus00jp | create |