Message 381527 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	sbz
Recipients	sbz
Date	2020-11-21.07:20:05
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1605943207.33.0.904447657295.issue42422@roundup.psfhosted.org>
In-reply-to

Content
This PoC is causing a local crash of python interpreters version 2.7,3.6,3.7,3.8 and 3.9. By creating a code object of size 0 with a POP_TOP opcode, in Python/ceval.c the call to Py_DECREF(value) on a NULL pointer lead to a segmentation fault of the python interpreter. It was tested on all python3.x versions against a fresh compilation of a git clone github.com/python/cpython.git on branches and master. You need to adapt the code() constructor because the parameters are different across versions but crash remains. I'm just covering the version 3.7 in following text $ git clone --depth 1 https://github.com/python/cpython.git $ git checkout -b 3.7 origin/3.7 $ export CFLAGS+="-g -O0" $ ./configure $ make $ ./python -V Python 3.7.9+ $ ./python -c 'import sys; print(sys.version)' 3.7.9+ (heads/3.7-dirty:08ba61dade, Nov 21 2020, 04:57:20) [Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611a $ ./python crash.py Running the python3.7 execution into gdb, helped me to locate the crash for python3.7 https://github.com/python/cpython/blob/3.7/Python/ceval.c#L1104 $ gdb --batch --silent ./python -ex 'r crash.py' Program received signal SIGSEGV, Segmentation fault. 0x000000000033873a in _PyEval_EvalFrameDefault (f=0x800bdda00, throwflag=0) at Python/ceval.c:1104 1104 Py_DECREF(value); Also I have executed the PoC on different platforms Linux, FreeBSD and MacOSX. The behaviour is the same and SIGSEGV the interpreter. I have located the issue in the source code but I'm wondering what will be the best solution to fix it? Python developers should know better, I am open to your advices and suggestions. I have noticed that one assertion handle this case (in master) https://github.com/python/cpython/blob/master/Python/ceval.c#L1430 but most of the interpreters are built without --with-assertions enabled, so the crash will still persist. More details on this gist https://gist.github.com/sbz/267d35de5766c53835c5c4ef45b18705 I think the python interpreter shouldn't crash and handle properly this edge case.

This PoC is causing a local crash of python interpreters version 2.7,3.6,3.7,3.8 and 3.9.

By creating a code object of size 0 with a POP_TOP opcode, in Python/ceval.c the call to Py_DECREF(value) on a NULL pointer lead to a segmentation fault of the python interpreter.

It was tested on all python3.x versions against a fresh compilation of a git clone github.com/python/cpython.git on branches and master. You need to adapt the code() constructor because the parameters are different across versions but crash remains.

I'm just covering the version 3.7 in following text

$ git clone --depth 1 https://github.com/python/cpython.git
$ git checkout -b 3.7 origin/3.7
$ export CFLAGS+="-g -O0"
$ ./configure
$ make
$ ./python -V
Python 3.7.9+
$ ./python -c 'import sys; print(sys.version)'
3.7.9+ (heads/3.7-dirty:08ba61dade, Nov 21 2020, 04:57:20) 
[Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611a
$ ./python crash.py

Running the python3.7 execution into gdb, helped me to locate the crash for python3.7 https://github.com/python/cpython/blob/3.7/Python/ceval.c#L1104

$ gdb --batch --silent ./python -ex 'r crash.py'
Program received signal SIGSEGV, Segmentation fault.
0x000000000033873a in _PyEval_EvalFrameDefault (f=0x800bdda00, throwflag=0) at Python/ceval.c:1104
1104                Py_DECREF(value);

Also I have executed the PoC on different platforms Linux, FreeBSD and MacOSX. The behaviour is the same and SIGSEGV the interpreter.

I have located the issue in the source code but I'm wondering what will be the best solution to fix it? Python developers should know better, I am open to your advices and suggestions.

I have noticed that one assertion handle this case (in master) https://github.com/python/cpython/blob/master/Python/ceval.c#L1430 but most of the interpreters are built without --with-assertions enabled, so the crash will still persist.

More details on this gist https://gist.github.com/sbz/267d35de5766c53835c5c4ef45b18705

I think the python interpreter shouldn't crash and handle properly this edge case.

History
Date	User	Action	Args
2020-11-21 07:20:07	sbz	set	recipients: + sbz
2020-11-21 07:20:07	sbz	set	messageid: <1605943207.33.0.904447657295.issue42422@roundup.psfhosted.org>
2020-11-21 07:20:07	sbz	link	issue42422 messages
2020-11-21 07:20:05	sbz	create