Author billm
Recipients billm
Date 2009-05-22.08:18:49
SpamBayes Score 5.55112e-17
Marked as misclassified No
Message-id <1242980336.93.0.332167282409.issue6083@psf.upfronthosting.co.za>
In-reply-to
Content
The code for resource_setrlimit in Modules/resource.c does not handle
reference counting properly. The following Python code segfaults for me
on Ubuntu 8.10 in Python 2.5.2 and also a custom-built 2.6.1.

--
import resource

l = [0, 0]

class MyNum:
    # Called by setrlimit when it converts the limit to an integer;
    # the side effect rebinds l[1], dropping the list's reference to it.
    def __int__(self):
        l[1] = 20
        return 10

    def __del__(self):
        print 'byebye', self

l[0] = MyNum()
l[1] = MyNum()
# The second argument is a mutable list, not a tuple.
resource.setrlimit(resource.RLIMIT_CPU, l)
--

The problem is that setrlimit gets its arguments by calling:
   PyArg_ParseTuple(args, "i(OO):setrlimit", 
                    &resource, &curobj, &maxobj)
The references curobj and maxobj are borrowed. The second argument can
be passed as a mutable list rather than a tuple, so it's possible to
update the list in the middle of setrlimit, causing maxobj to be
destroyed before setrlimit is done with it.

I've attached a patch that INCREFs both variables immediately after
parsing them to avoid this problem.

In my opinion it seems dangerous to allow format strings with the 'O'
specifier appearing in parentheses. You normally expect that objects
returned from PyArg_ParseTuple are pretty safe, but the fact that the
inner sequence may be mutable violates this assumption. Might it make
sense to ban this use case? I only found one other instance of it in the
Python source tree, inside ctypes. This one may also be a crashing
bug--I didn't look at it carefully enough.
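A self-contained C model of the hazard described above and of the INCREF fix, added here as an example; it is not CPython's code and uses a constructed Obj struct and a global array in place of PyObject and the Python list:

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a refcounted object (not CPython's PyObject). */
typedef struct Obj {
    int refcnt;
    int value;
    int freed;   /* set instead of calling free() so a use-after-free is observable */
} Obj;

static Obj *g_list[2];   /* models the Python list l = [0, 0] passed to setrlimit */

static Obj *obj_new(int value) {
    Obj *o = malloc(sizeof *o);
    o->refcnt = 1; o->value = value; o->freed = 0;
    return o;
}
static void incref(Obj *o) { o->refcnt++; }
static void decref(Obj *o) { if (--o->refcnt == 0) o->freed = 1; }

/* Models MyNum.__int__: the conversion has a side effect that rebinds l[1],
 * releasing the list's reference to the old object. */
static int to_int(Obj *o) {
    Obj *old = g_list[1];
    g_list[1] = obj_new(20);
    decref(old);
    return o->value;
}

/* Models resource_setrlimit. Returns 1 if maxobj was used after being freed
 * (the reported bug), 0 otherwise. hold_refs=1 is the patched behaviour:
 * take owned references before anything that can run Python-level code. */
static int setrlimit_model(int hold_refs) {
    Obj *curobj = g_list[0];   /* borrowed, as from PyArg_ParseTuple "i(OO)" */
    Obj *maxobj = g_list[1];
    if (hold_refs) { incref(curobj); incref(maxobj); }
    int cur = to_int(curobj);  /* reentrant call: may mutate the list */
    int uaf = maxobj->freed;   /* without owned refs, maxobj is already gone here */
    int max = maxobj->value;
    (void)cur; (void)max;
    if (hold_refs) { decref(curobj); decref(maxobj); }
    return uaf;
}

static void reset_list(void) { g_list[0] = obj_new(10); g_list[1] = obj_new(10); }

int main(void) {
    reset_list(); printf("borrowed refs: use-after-free=%d\n", setrlimit_model(0));
    reset_list(); printf("owned refs:    use-after-free=%d\n", setrlimit_model(1));
    return 0;
}
```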