Uninitialized value usage of localspluskinds in assemble.c's makecode function #119666

Closed
Assignees
carljm
Labels
type-bug (An unexpected behavior, bug, or error), type-crash (A hard crash of the interpreter, possibly with a core dump), type-security (A security issue)
@ammaraskar

Description

Bug report

Bug description:

Recreator

```
./python -c "class i:[super for()in d]*[__class__*4for()in d]"
<string>:1: SyntaxWarning: invalid decimal literal
[1]    23793 segmentation fault  ./python -c "class i:[super for()in d]*[__class__*4for()in d]"
```

Details

This issue was found through the oss-fuzz compilation fuzzer. Here is the MSAN stack trace:

```
==691==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x5661f67ca290 in get_localsplus_counts cpython3/Objects/codeobject.c:344:13
    #1 0x5661f67c95a7 in _PyCode_Validate cpython3/Objects/codeobject.c:433:5
    #2 0x5661f6a17be2 in makecode cpython3/Python/assemble.c:614:8
    #3 0x5661f6a17be2 in _PyAssemble_MakeCodeObject cpython3/Python/assemble.c:754:14
    #4 0x5661f612aa99 in optimize_and_assemble_code_unit cpython3/Python/compile.c:7655:10
    ...

  Uninitialized value was created by a heap allocation
    #0 0x5661f5b307b2 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1007:3
    #1 0x5661f675e32c in _PyBytes_FromSize cpython3/Objects/bytesobject.c:96:31
    #2 0x5661f675e00a in PyBytes_FromStringAndSize cpython3/Objects/bytesobject.c:129:27
    #3 0x5661f6a15d32 in makecode cpython3/Python/assemble.c:580:23
    #4 0x5661f6a15d32 in _PyAssemble_MakeCodeObject cpython3/Python/assemble.c:754:14
    ...
```

I haven't done any debugging yet but my hunch is that this code is hitting a path in `compute_localsplus_info`

```c
compute_localsplus_info(_PyCompile_CodeUnitMetadata *umd, int nlocalsplus,
```

that ends up not setting the `localspluskinds` made here

```c
localspluskinds = PyBytes_FromStringAndSize(NULL, nlocalsplus);
if (localspluskinds == NULL) {
    goto error;
}
if (compute_localsplus_info(umd, nlocalsplus,
                            localsplusnames, localspluskinds) == ERROR) {
    goto error;
}
```

and when this eventually gets to `_PyCode_Validate` it causes it to read uninitialized memory.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux
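
The pattern suspected in the report (a kinds buffer allocated without initialization, then a fill step that skips a slot) and one defensive way to catch it before a consumer reads the table. This is an added example, not CPython's code and not the fix for this issue; `build_kinds`, `fill_kinds` and the `KIND_*` values are hypothetical stand-ins, and the input in `main` is constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for per-slot kind flags; 0 means "never written". */
enum { KIND_UNSET = 0x00, KIND_LOCAL = 0x20, KIND_CELL = 0x40 };

/* Model of the fill step: writes kinds[offsets[i]] for each entry and nothing
 * else. A slot with no entry keeps whatever the allocator left there. */
static int fill_kinds(unsigned char *kinds, size_t n, const size_t *offsets,
                      const unsigned char *vals, size_t nentries) {
    for (size_t i = 0; i < nentries; i++) {
        if (offsets[i] >= n)
            return -1;                  /* entry points outside the table */
        kinds[offsets[i]] = vals[i];
    }
    return 0;
}

/* Hardened builder: zeroed allocation plus a completeness check. Returns NULL
 * and sets *missing to the first unwritten slot (-1 for other failures). */
unsigned char *build_kinds(size_t n, const size_t *offsets,
                           const unsigned char *vals, size_t nentries,
                           long *missing) {
    *missing = -1;
    unsigned char *kinds = calloc(n ? n : 1, 1);  /* no stale heap bytes */
    if (kinds == NULL || fill_kinds(kinds, n, offsets, vals, nentries) < 0) {
        free(kinds);
        return NULL;
    }
    for (size_t i = 0; i < n; i++) {
        if (kinds[i] == KIND_UNSET) {   /* the fill step skipped this slot */
            *missing = (long)i;
            free(kinds);
            return NULL;
        }
    }
    return kinds;
}

int main(void) {
    /* Constructed input: three slots, but entries only for slots 0 and 2. */
    const size_t offsets[] = {0, 2};
    const unsigned char vals[] = {KIND_LOCAL, KIND_CELL};
    long missing;
    unsigned char *k = build_kinds(3, offsets, vals, 2, &missing);
    printf("table=%s missing=%ld\n", k ? "ok" : "rejected", missing);
    free(k);
}
```

With a plain `malloc` the skipped slot would hold arbitrary heap bytes and the check could not be relied on; the zero fill is what makes the unwritten slot detectable.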
