➜
This issue trackerhas been migrated toGitHub, and is currentlyread-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on2014-11-11 22:55 bythatch, last changed2022-04-11 14:58 byadmin. This issue is nowclosed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| segv.py | thatch,2014-11-11 22:55 | Reproduction for crasher | ||
| Messages (3) | |||
|---|---|---|---|
| msg231054 -(view) | Author: Tim Hatch (thatch)* | Date: 2014-11-11 22:55 | |
There's a reproducible bug in textio.c that causes a double DECREF on codecs. The conditions to trigger are probably rare in real life, so not remotely exploitable (sandbox escape is the worst I can think of on its own, and I'm not aware of any on 3.x):* You need to create a TextIOWrapper wrapping a file-like object that only partially supports the protocol. For example, supporting readable(), writable(), and seekable() but not tell().The crash I experience most of the time appears to be that the memory being reused, such that the PyObject ob_type field is no longer a valid pointer.Affected: Source 3.5.0a0 (latest default branch yesterday,524a004e93dd) Archlinux: 3.3.5 and 3.4.2 Ubuntu: 3.4.0Unaffected: Centos: 3.3.2 All 2.7 branch (doesn't contain the faulty commit)Here's where it's introduced --https://hg.python.org/cpython/rev/f3ec00d2b75e/#l5.76/*Modules/_io/textio.c line 1064 */Py_DECREF(codec_info); /* does not set codec_info = NULL; */...if(...) goto error;...error: Py_XDECREF(codec_info);The attached script is close to minimal -- I think at most you can reduce by one TextIOWrapper instantiation. Sample stacktrace follows (which is after the corruption occurs, on subsequent access to v->ob_type (which is invalid).#0 0x00000000004c8829 in PyObject_GetAttr (v=<unknown at remote 0x7ffff7eb9688>, name='_is_text_encoding') atObjects/object.c:872#1 0x00000000004c871d in _PyObject_GetAttrId (v=<unknown at remote 0x7ffff7eb9688>, name=0x945d50 <PyId__is_text_encoding.10143>) atObjects/object.c:835#2 0x00000000005c6674 in _PyCodec_LookupTextEncoding ( encoding=0x7ffff6f40220 "utf-8", alternate_command=0x6c2fcd "codecs.open()") atPython/codecs.c:541#3 0x000000000064286e in textiowrapper_init (self=0x7ffff7f9ecb8, args=(<F at remote 0x7ffff6f40a18>,), kwds={'encoding': 'utf-8'}) at ./Modules/_io/textio.c:965 | |||
| msg231081 -(view) | Author: Benjamin Peterson (benjamin.peterson)* | Date: 2014-11-12 15:24 | |
Thanks for the excellent bug report! | |||
| msg231082 -(view) | Author: Roundup Robot (python-dev) | Date: 2014-11-12 15:24 | |
New changesetec1948191461 by Benjamin Peterson in branch '3.4':fix possible double free in TextIOWrapper.__init__ (closes#22849)https://hg.python.org/cpython/rev/ec1948191461New changeseta664b150b6c2 by Benjamin Peterson in branch 'default':merge 3.4 (#22849)https://hg.python.org/cpython/rev/a664b150b6c2 | |||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:10 | admin | set | github: 67038 |
| 2014-11-12 15:24:13 | python-dev | set | status: open -> closed nosy: +python-dev messages: +msg231082 resolution: fixed stage: resolved |
| 2014-11-12 15:24:01 | benjamin.peterson | set | nosy: +benjamin.peterson messages: +msg231081 |
| 2014-11-12 01:52:24 | berker.peksag | set | nosy: +ncoghlan,serhiy.storchaka |
| 2014-11-11 22:55:26 | thatch | create | |