Message351154
Hi,
I am new to the Python bug tracker, so my setting of the fields may be inadequate. If so, apologies in advance.
I think a use-after-free bug is a potential security issue, so I wanted to report it ASAP.
First, my environment: I am using Debian GNU/Linux, and its kernel version (uname -a output) is:
SMP Debian 4.19.37-6 (2019-07-18) x86_64 GNU/Linux
Python version is:
# python3 --version
Python 3.7.4
The Mozilla Thunderbird mail client testing framework uses Python as a test driver, and when I was checking the local build of Thunderbird under a test suite invoked from |make mozmill| under valgrind (a memory usage checker), the first thing I noticed was the following message from valgrind.
PyObject_Free seems to access a memory location (4 octets) in an already freed block. This happened many times during the test.
I have not bothered to look into the source code of Python, but a seasoned developer should be able to figure out where such a reference is made.
From valgrind log:
==30354== Invalid read of size 4
==30354== at 0x5A29FE: PyObject_Free (in /usr/bin/python3.7)
==30354== by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354== by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354== by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354== by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354== by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354== by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354== by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354== by 0x653D88: ??? (in /usr/bin/python3.7)
==30354== by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354== by 0x4ACB09A: (below main) (libc-start.c:308)
==30354== Address 0x4c8b020 is 16 bytes after a block of size 576 free'd
==30354== at 0x4833FC0: free (vg_replace_malloc.c:538)
==30354== by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354== by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354== by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354== by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354== by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354== by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354== by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354== by 0x653D88: ??? (in /usr/bin/python3.7)
==30354== by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354== by 0x4ACB09A: (below main) (libc-start.c:308)
==30354== Block was alloc'd at
==30354== at 0x4832E13: malloc (vg_replace_malloc.c:307)
==30354== by 0x5A4B16: PyObject_Malloc (in /usr/bin/python3.7)
==30354== by 0x5B72BD: ??? (in /usr/bin/python3.7)
==30354== by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354== by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354== by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354== by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354== by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354== by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354== by 0x653D88: ??? (in /usr/bin/python3.7)
==30354== by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354== by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==
TIA

Date | User | Action | Args
2019-09-04 23:27:05 | zephyrus00jp | set | recipients: + zephyrus00jp
2019-09-04 23:27:04 | zephyrus00jp | set | messageid: <1567639624.78.0.948902616905.issue38033@roundup.psfhosted.org>
2019-09-04 23:27:04 | zephyrus00jp | link | issue38033 messages
2019-09-04 23:27:04 | zephyrus00jp | create |
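
Added example, not part of the original report or of CPython: a small parser for the memcheck record quoted above that extracts the facts a reviewer checks first, namely where the flagged address sits relative to the freed block and whether the read and the free share a call site. The names parse_record and triage are hypothetical, and LOG is an excerpt of the log above with the stack tails trimmed.

```python
import re

# Excerpt of the memcheck record from the report above (stack tails trimmed).
LOG = """\
==30354== Invalid read of size 4
==30354== at 0x5A29FE: PyObject_Free (in /usr/bin/python3.7)
==30354== by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354== Address 0x4c8b020 is 16 bytes after a block of size 576 free'd
==30354== at 0x4833FC0: free (vg_replace_malloc.c:538)
==30354== by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354== by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354== Block was alloc'd at
==30354== at 0x4832E13: malloc (vg_replace_malloc.c:307)
==30354== by 0x5A4B16: PyObject_Malloc (in /usr/bin/python3.7)
==30354== by 0x5B72BD: ??? (in /usr/bin/python3.7)
==30354== by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
"""

ERROR = re.compile(r"Invalid (read|write) of size (\d+)")
ADDR = re.compile(r"Address (0x[0-9a-fA-F]+) is (\d+) bytes (inside|after|before)"
                  r" a block of size (\d+) (free'd|alloc'd)")
FRAME = re.compile(r"(?:at|by) (0x[0-9A-Fa-f]+): (.+?) \(.*\)$")

def parse_record(text):
    """Split one invalid-access record into access/free/alloc stacks plus block facts."""
    section, rec = "access", {"access": [], "free": [], "alloc": []}
    for raw in text.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw).strip()   # drop the ==pid== prefix
        if m := ERROR.match(line):
            rec["kind"], rec["size"] = m.group(1), int(m.group(2))
        elif m := ADDR.match(line):
            rec["addr"], rec["offset"] = int(m.group(1), 16), int(m.group(2))
            rec["where"], rec["block_size"] = m.group(3), int(m.group(4))
            section = "free" if m.group(5) == "free'd" else "alloc"
        elif line.startswith("Block was alloc'd"):
            section = "alloc"
        elif m := FRAME.match(line):
            rec[section].append((int(m.group(1), 16), m.group(2)))
    return rec

def triage(rec):
    """Derive block bounds and stack overlap from a parsed record."""
    addr, off, size = rec["addr"], rec["offset"], rec["block_size"]
    start = {"inside": addr - off, "after": addr - off - size, "before": addr + off}[rec["where"]]
    named = lambda stack: [fn for _, fn in stack if fn != "???"]
    shared = next((fn for fn in named(rec["free"]) if fn in named(rec["alloc"])), None)
    return {"block_start": start, "within_block": rec["where"] == "inside",
            "same_call_site": rec["access"][1][0] == rec["free"][1][0],  # frame 1 = caller
            "first_shared_caller": shared}
```

For this record, triage(parse_record(LOG)) reports a block starting at 0x4c8add0, an address that lies 16 bytes past the end of the freed 576-byte block rather than inside it, a read and a free that share the return address 0x5B7337, and PyDict_SetItem as the first named caller common to the free and allocation stacks.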