Issue 35993: incorrect use of released memory in Python/pystate.c line 284

Created on 2019-02-14 06:21 by wjq-security, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked
PR 11852 merged matrixise, 2019-02-14 08:16
Messages (6)
msg335501 - (view) Author: wangjiangqiang (wjq-security) Date: 2019-02-14 06:38
The code is trying to visit a linked list in a loop; it tries to visit the next node in line 284 "interp = interp->next" while the current node is freed in line 296 "PyMem_RawFree(interp);".
msg335509 - (view) Author: Stéphane Wirtel (matrixise) * (Python committer) Date: 2019-02-14 08:16
What do you think of this solution?
msg335584 - (view) Author: wangjiangqiang (wjq-security) Date: 2019-02-15 05:24
Just create a temporary node that points to the next node before releasing the current node. Change the loop condition if necessary.
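The save-next-before-free pattern described in the message above, as an added example that is not part of the original thread and is not CPython's code. `struct node`, `push`, `delete_except` and `demo` are hypothetical names, and the list contents are constructed.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a node in an interpreter-state list. */
struct node { int id; struct node *next; };

/* Push a new node on the front of the list; returns the new head. */
static struct node *push(struct node *head, int id) {
    struct node *n = malloc(sizeof *n);
    if (n == NULL) abort();
    n->id = id;
    n->next = head;
    return n;
}

/* Unsafe shape reported in the issue (kept as a comment, never run):
 *     for (n = head; n != NULL; n = n->next)   // reads n->next ...
 *         if (n != keep) free(n);              // ... after n was freed
 */

/* Free every node except `keep`; returns the number of nodes freed.
 * On return *head is `keep`, the only node left in the list. */
static int delete_except(struct node **head, struct node *keep) {
    int freed = 0;
    struct node *n = *head;
    while (n != NULL) {
        struct node *next = n->next;  /* saved while n is still valid */
        if (n != keep) {
            free(n);
            freed++;
        }
        n = next;                     /* never touches freed memory */
    }
    if (keep != NULL) keep->next = NULL;
    *head = keep;
    return freed;
}

/* Constructed sample: list 4 -> 3 -> 2 -> 1, keeping node 2. */
static int demo(void) {
    struct node *head = NULL, *keep = NULL;
    for (int id = 1; id <= 4; id++) {
        head = push(head, id);
        if (id == 2) keep = head;
    }
    int freed = delete_except(&head, keep);
    int ok = (head == keep && keep->id == 2 && keep->next == NULL);
    free(keep);
    return ok ? freed : -1;
}

int main(void) { return demo() == 3 ? 0 : 1; }
```

Building this with `-fsanitize=address` and swapping in the commented loop is a quick way to see the heap-use-after-free report that the saved `next` pointer avoids.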
msg336083 - (view) Author: Stéphane Wirtel (matrixise) * (Python committer) Date: 2019-02-20 13:02
@eric Could you help me with the tests of my PR? Thank you
msg336088 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-20 14:27
New changeset b5409dacc4885146a27d06482b346e55fa12d2ec by Victor Stinner (Stéphane Wirtel) in branch 'master': bpo-35993: Fix _PyInterpreterState_DeleteExceptMain() (GH-11852) https://github.com/python/cpython/commit/b5409dacc4885146a27d06482b346e55fa12d2ec
msg336089 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-02-20 14:30
Thanks wangjiangqiang for the bug report and thanks Stéphane Wirtel for the fix!
History
Date User Action Args
2022-04-11 14:59:11 admin set github: 80174
2019-02-20 14:30:15 vstinner set status: open -> closed; versions: + Python 3.8; messages: +; components: + Interpreter Core; resolution: fixed; stage: resolved
2019-02-20 14:27:25 vstinner set messages: +
2019-02-20 13:02:38 matrixise set nosy: + eric.snow; messages: +
2019-02-15 05:24:31 wjq-security set messages: +
2019-02-14 13:28:51 eamanu set nosy: + eamanu
2019-02-14 08:16:51 matrixise set nosy: + vstinner; messages: +; stage: patch review -> (no value)
2019-02-14 08:16:01 matrixise set keywords: + patch; stage: patch review; pull_requests: + pull_request11884
2019-02-14 07:44:49 matrixise set assignee: matrixise; nosy: + matrixise
2019-02-14 06:38:01 wjq-security set messages: +
2019-02-14 06:21:26 wjq-security create