
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on 2015-05-01 14:10 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | | | | |
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| poc_obj2mod.py | pkt, 2015-05-01 14:10 | | | |
| issue24098.patch | pkt, 2016-09-26 13:40 | patch | | |
| issue24098-check-size.patch | serhiy.storchaka, 2016-09-27 08:19 | review | | |
| issue24098-iterate-tuple.patch | serhiy.storchaka, 2016-09-27 08:19 | review | | |
| Pull Requests | | | |
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 552 | closed | dstufft, 2017-03-31 16:36 | |
| Messages (9) | | | |
|---|---|---|---|
| msg242315 | Author: paul (pkt) | Date: 2015-05-01 14:10 | |
```
# 3617 for (i = 0; i < len; i++) {
# (gdb) print *(PyListObject*)tmp
# $1 = {ob_base = {ob_base = {_ob_next = 0x4056f8f4, _ob_prev = 0x4057329c, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}, ob_size = 1337}, ob_item = 0x8491ae0, allocated = 1432}
# (gdb) n
# 3619 res = obj2ast_stmt(PyList_GET_ITEM(tmp, i), &value, arena);
# (gdb) n
# 3620 if (res != 0) goto failed;
# (gdb) print *(PyListObject*)tmp
# $2 = {ob_base = {ob_base = {_ob_next = 0x4056f8f4, _ob_prev = 0x4057329c, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}, ob_size = 1}, ob_item = 0x8491ae0, allocated = 4}
# (gdb) c
# Continuing.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x080f2c17 in PyObject_GetAttr (v=<unknown at remote 0x405733b4>, name='lineno') at Objects/object.c:872
# 872 if (tp->tp_getattro != NULL)
#
# Objects freed in __getattr__ are used later in the loop above. There are two
# bugs actually. One is the use-after-free and the second is using a stale size
# variable "len" to control the for(...) loop. "body" can be mutated inside
# obj2ast_stmt.
```

This construct:

```c
for (i = 0; i < len; i++) {
    stmt_ty value;
    res = obj2ast_stmt(PyList_GET_ITEM(tmp, i), &value, arena);
    if (res != 0) goto failed;
    asdl_seq_SET(body, i, value);
}
```

is repeated multiple times in multiple obj2ast_ methods. It contains two bugs:

1. tmp[i] isn't protected from deletion inside python code (refcnt is not increased by GET_ITEM),
2. tmp's length can drop below "len" resulting in an OOB read, because the loop counter is static. | |||
| msg242750 | Author: paul (pkt) | Date: 2015-05-08 08:14 | |
ping | |||
| msg242980 | Author: paul (pkt) | Date: 2015-05-12 15:42 | |
ping | |||
| msg246066 | Author: paul (pkt) | Date: 2015-07-02 10:26 | |
ping | |||
| msg246147 | Author: paul (pkt) | Date: 2015-07-03 07:46 | |
ping | |||
| msg277419 | Author: paul (pkt) | Date: 2016-09-26 13:40 | |
Fix by replacing static 'len' in loops with a macro, so that mutations of size of the container do not cause OOB reads. | |||
| msg277469 | Author: Berker Peksag (berker.peksag) * | Date: 2016-09-26 20:53 | |
Please note that Python/Python-ast.c is automatically generated by Parser/asdl_c.py. | |||
| msg277504 | Author: Serhiy Storchaka (serhiy.storchaka) * | Date: 2016-09-27 08:19 | |
Bad things happen not only when a list shrinks, but also when it grows during iteration. The one solution is to check if the size is changed on every iteration. The other solution is to convert a list to a tuple for iterating. | |||
| msg278261 | Author: Roundup Robot (python-dev) | Date: 2016-10-07 18:57 | |
New changeset 47d5bf5a846f by Serhiy Storchaka in branch '2.7':
Issue #24098: Fixed possible crash when AST is changed in process of
https://hg.python.org/cpython/rev/47d5bf5a846f

New changeset f575710b5f56 by Serhiy Storchaka in branch '3.5':
Issue #24098: Fixed possible crash when AST is changed in process of
https://hg.python.org/cpython/rev/f575710b5f56

New changeset 7528154cadaa by Serhiy Storchaka in branch '3.6':
Issue #24098: Fixed possible crash when AST is changed in process of
https://hg.python.org/cpython/rev/7528154cadaa

New changeset def217aaad2f by Serhiy Storchaka in branch 'default':
Issue #24098: Fixed possible crash when AST is changed in process of
https://hg.python.org/cpython/rev/def217aaad2f | |||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:16 | admin | set | github: 68286 |
| 2017-03-31 16:36:27 | dstufft | set | pull_requests: +pull_request1008 |
| 2016-10-07 20:37:29 | serhiy.storchaka | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
| 2016-10-07 18:57:47 | python-dev | set | nosy: +python-dev messages: +msg278261 |
| 2016-10-05 08:05:05 | serhiy.storchaka | set | assignee: serhiy.storchaka |
| 2016-09-27 08:19:21 | serhiy.storchaka | set | files: +issue24098-iterate-tuple.patch |
| 2016-09-27 08:19:02 | serhiy.storchaka | set | files: +issue24098-check-size.patch messages: +msg277504 versions: + Python 2.7, - Python 3.4 |
| 2016-09-26 20:53:22 | berker.peksag | set | nosy: +berker.peksag,benjamin.peterson messages: +msg277469 |
| 2016-09-26 13:44:04 | christian.heimes | set | priority: normal -> high stage: needs patch -> patch review versions: + Python 3.6, Python 3.7 |
| 2016-09-26 13:40:22 | pkt | set | files: +issue24098.patch keywords: +patch messages: +msg277419 |
| 2015-07-03 07:46:07 | pkt | set | messages: +msg246147 |
| 2015-07-02 10:26:20 | pkt | set | messages: +msg246066 |
| 2015-05-12 15:42:17 | pkt | set | messages: +msg242980 |
| 2015-05-08 08:14:42 | pkt | set | messages: +msg242750 |
| 2015-05-03 06:48:04 | Arfrever | set | nosy: +Arfrever |
| 2015-05-02 04:49:57 | serhiy.storchaka | set | nosy: +serhiy.storchaka |
| 2015-05-01 14:13:35 | christian.heimes | set | nosy: +christian.heimes |
| 2015-05-01 14:13:06 | christian.heimes | set | stage: needs patch components: + Extension Modules versions: + Python 3.5 |
| 2015-05-01 14:10:29 | pkt | create | |