Issue 24097: Use after free in PyObject_GetState

Created on 2015-05-01 14:05 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name                                   Uploaded by        Date
poc_getstate.py                             pkt                2015-05-01 14:05
getstate_borrowed_ref.patch                 pitrou             2015-07-02 10:49
test_issue24097.patch                       serhiy.storchaka   2015-07-19 21:12
getstate_borrowed_ref_with_test-2.7.patch   serhiy.storchaka   2015-11-03 16:51
getstate_borrowed_ref_with_test-3.4.patch   serhiy.storchaka   2015-11-03 16:52
Messages (9)
msg242313 - Author: paul (pkt) Date: 2015-05-01 14:05
# Program received signal SIGSEGV, Segmentation fault.
# 0x080f27b2 in PyObject_Hash (v=<unknown at remote 0x405720e4>) at Objects/object.c:746
# 746 if (tp->tp_hash != NULL)
# (gdb) bt
# #0 0x080f27b2 in PyObject_Hash (v=<unknown at remote 0x405720e4>) at Objects/object.c:746
# #1 0x080e1717 in PyDict_SetItem (op={}, key=<unknown at remote 0x405720e4>, value=None) at Objects/dictobject.c:1201
# #2 0x0810e8a0 in _PyObject_GetState (obj=<Y at remote 0x405731bc>) at Objects/typeobject.c:3657
# #3 0x081100e9 in reduce_2 (obj=<Y at remote 0x405731bc>) at Objects/typeobject.c:3949
# #4 0x08110551 in _common_reduce (self=<Y at remote 0x405731bc>, proto=2) at Objects/typeobject.c:4012
# #5 0x08110641 in object_reduce (self=<Y at remote 0x405731bc>, args=(2,)) at Objects/typeobject.c:4032
#
# (gdb) frame 2
# #2 0x0810e8a0 in _PyObject_GetState (obj=<Y at remote 0x405731bc>) at Objects/typeobject.c:3657
# 3657 int err = PyDict_SetItem(slots, name, value);
# (gdb) print *name
# $1 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb}
#
# "name" is freed inside __getattr__ and is later used by PyDict_SetItem.
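The mechanism the reporter describes can be driven from pure Python: _PyObject_GetState walks the list of slot names cached on the class as __slotnames__ (copyreg._slotnames() stores it there), looks each one up on the instance, and that lookup can run a user-defined __getattr__. If the hook replaces the list entries, the only reference to the current name object is gone while the C code still holds a borrowed pointer to it and hands it to PyDict_SetItem. The script below is an added illustration written for this page; it is not the attached poc_getstate.py and not the committed test, and the names SlotName, Victim and the helper functions are mine. A str subclass is used for the name so that it is not an interned string and is actually freed. On an interpreter carrying the fix it returns the ordinary reduce tuple; on an unfixed build this is the path that ends in the PyDict_SetItem crash shown in the backtrace above.

```python
import copyreg


class SlotName(str):
    """A str subclass so the slot name is not interned.

    Interned strings are kept alive by the interpreter; a plain str
    subclass instance whose only reference is the __slotnames__ entry
    really is deallocated when that entry is replaced.
    """


class Victim:
    # copyreg._slotnames() caches computed slot names in cls.__slotnames__;
    # _PyObject_GetState reads that cached list directly, so we seed it.
    __slotnames__ = [SlotName('spam')]

    def __getattr__(self, attr):
        if attr == 'spam':
            # Runs while _PyObject_GetState is looking up the slot value.
            # Replacing the list contents drops the last reference to the
            # old 'spam' object; an unfixed interpreter still holds a
            # borrowed pointer to it and passes it to PyDict_SetItem.
            Victim.__slotnames__[:] = [SlotName('spam')]
            return 42
        # Every other probe (__getnewargs__, __getstate__, ...) must fail
        # normally so object.__reduce_ex__ takes its default path.
        raise AttributeError(attr)


def reduce_with_slot_name_freed():
    """Drive object.__reduce_ex__(2) through the vulnerable code path."""
    return Victim().__reduce_ex__(2)


def expected_reduce():
    """What a correct interpreter returns: empty __dict__ (None) plus the slot mapping."""
    return (copyreg.__newobj__, (Victim,), (None, {'spam': 42}), None, None)


def check():
    """True when the interpreter survives the freed slot name and reduces correctly."""
    return reduce_with_slot_name_freed() == expected_reduce()


if __name__ == '__main__':
    print(reduce_with_slot_name_freed())
    print('ok' if check() else 'MISMATCH')
```

The dict key in the returned state is the original SlotName object, so on a fixed interpreter it compares equal to 'spam' and the state is (None, {'spam': 42}); a debug build without the fix shows the 0xdbdbdbdb fill pattern on that object instead, exactly as in the gdb output.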
msg246069 - Author: paul (pkt) Date: 2015-07-02 10:26
ping
msg246070 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2015-07-02 10:48
Thanks for the report. Here is a patch.
msg246102 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2015-07-02 22:05
lgtm
msg246122 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-07-03 03:15
The fix LGTM. It would be nice to add a test.
msg246949 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-07-19 21:12
Here is a test for this issue.
msg254001 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-11-03 16:49
In 2.7 the test doesn't crash, but __reduce__ produces invalid recursive structure.
msg254002 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-11-03 16:51
Here is backported to 2.7 patch with test. Can you review the test and commit the patch Antoine?
msg255366 - Author: Roundup Robot (python-dev) (Python triager) Date: 2015-11-25 16:36
New changeset eed36e19f8b8 by Serhiy Storchaka in branch '3.4':
Issue #24097: Fixed crash in object.__reduce__() if slot name is freed inside
https://hg.python.org/cpython/rev/eed36e19f8b8

New changeset 99839a1c9c6d by Serhiy Storchaka in branch '3.5':
Issue #24097: Fixed crash in object.__reduce__() if slot name is freed inside
https://hg.python.org/cpython/rev/99839a1c9c6d

New changeset 502465d22522 by Serhiy Storchaka in branch 'default':
Issue #24097: Fixed crash in object.__reduce__() if slot name is freed inside
https://hg.python.org/cpython/rev/502465d22522

New changeset 4a201d0d4d1e by Serhiy Storchaka in branch '2.7':
Issue #24097: Fixed crash in object.__reduce__() if slot name is freed inside
https://hg.python.org/cpython/rev/4a201d0d4d1e
History
Date                 User                Action   Args
2022-04-11 14:58:16  admin               set      github: 68285
2015-11-25 16:37:39  serhiy.storchaka    set      status: open -> closed; resolution: fixed; stage: patch review -> resolved
2015-11-25 16:36:16  python-dev          set      nosy: + python-dev; messages: +
2015-11-03 16:52:04  serhiy.storchaka    set      files: + getstate_borrowed_ref_with_test-3.4.patch
2015-11-03 16:51:47  serhiy.storchaka    set      files: + getstate_borrowed_ref_with_test-2.7.patch; assignee: serhiy.storchaka -> pitrou; messages: +
2015-11-03 16:49:21  serhiy.storchaka    set      messages: +; versions: + Python 2.7
2015-11-03 16:37:59  serhiy.storchaka    set      assignee: pitrou -> serhiy.storchaka
2015-07-19 21:12:23  serhiy.storchaka    set      files: + test_issue24097.patch; messages: +; stage: test needed -> patch review
2015-07-03 03:15:35  serhiy.storchaka    set      assignee: serhiy.storchaka -> pitrou; messages: +; stage: patch review -> test needed
2015-07-02 22:05:25  benjamin.peterson   set      nosy: + benjamin.peterson; messages: +
2015-07-02 10:49:41  pitrou              set      files: + getstate_borrowed_ref.patch; keywords: + patch
2015-07-02 10:49:03  pitrou              set      stage: needs patch -> patch review; versions: + Python 3.6
2015-07-02 10:48:49  pitrou              set      messages: +
2015-07-02 10:47:16  serhiy.storchaka    set      assignee: serhiy.storchaka
2015-07-02 10:26:50  pkt                 set      messages: +
2015-05-03 06:47:42  Arfrever            set      nosy: + Arfrever
2015-05-02 04:49:13  serhiy.storchaka    set      nosy: + pitrou, alexandre.vassalotti, serhiy.storchaka
2015-05-01 14:12:55  christian.heimes    set      stage: needs patch; components: + Extension Modules; versions: + Python 3.5
2015-05-01 14:05:35  pkt                 create