
Use-after-free in memoryview slicing via re-entrant __index__ #142665

Open

Assignees: picnixz
Labels: interpreter-core (Objects, Python, Grammar, and Parser dirs), type-crash (A hard crash of the interpreter, possibly with a core dump)

@jackfromeast

Description


What happened?

`memory_subscript()` creates a new view (`mbuf_add_view`) before parsing slice indices. If a slice bound's `__index__` releases/truncates the underlying buffer (e.g., `mv.release(); ftruncate()`), the newly created subview keeps a dangling pointer. Subsequent access (e.g., `sub[0]`) dereferences freed/invalid memory, crashing in `unpack_single`.

Proof of Concept:

```python
import mmap
import os
import tempfile

# Back a memoryview with an mmap so the buffer can be invalidated from
# outside the interpreter (ftruncate) while a view still points at it.
fd, path = tempfile.mkstemp()
os.write(fd, b"A" * 4096)
mm = mmap.mmap(fd, 4096, access=mmap.ACCESS_WRITE)
mv = memoryview(mm)


class Trigger:
    def __index__(self):
        # Runs while memory_subscript() is building the subview:
        # release the parent view and shrink the mapped file to zero.
        mv.release()
        os.ftruncate(fd, 0)
        return 0


try:
    sub = mv[slice(Trigger(), None, None)]  # slicing calls Trigger.__index__
    sub[0]  # dereferences the now-invalid mapping in unpack_single
finally:
    mm.close()
    os.close(fd)
    os.unlink(path)
```

Related Code Snippet

```c
static PyObject *
memory_subscript(PyObject *_self, PyObject *key)
{
    PyMemoryViewObject *self = (PyMemoryViewObject *)_self;
    Py_buffer *view;
    view = &(self->view);

    CHECK_RELEASED(self);

    if (view->ndim == 0) {
        if (PyTuple_Check(key) && PyTuple_GET_SIZE(key) == 0) {
            const char *fmt = adjust_fmt(view);
            if (fmt == NULL)
                return NULL;
            return unpack_single(self, view->buf, fmt);
        }
        else if (key == Py_Ellipsis) {
            return Py_NewRef(self);
        }
        else {
            PyErr_SetString(PyExc_TypeError,
                "invalid indexing of 0-dim memory");
            return NULL;
        }
    }

    if (_PyIndex_Check(key)) {
        Py_ssize_t index;
        index = PyNumber_AsSsize_t(key, PyExc_IndexError);
        if (index == -1 && PyErr_Occurred())
            return NULL;
        return memory_item((PyObject *)self, index);
    }
    else if (PySlice_Check(key)) {
        CHECK_RESTRICTED(self);
        PyMemoryViewObject *sliced;

        sliced = (PyMemoryViewObject *)mbuf_add_view(self->mbuf, view);
        if (sliced == NULL)
            return NULL;

        // Calls the __index__ method, which closes the mmap memory while sliced still holds its pointer
        if (init_slice(&sliced->view, key, 0) < 0) {
            Py_DECREF(sliced);
            return NULL;
        }
        init_len(&sliced->view);
        init_flags(sliced);

        return (PyObject *)sliced;
    }
    else if (is_multiindex(key)) {
        return memory_item_multi(self, key);
    }
    else if (is_multislice(key)) {
        PyErr_SetString(PyExc_NotImplementedError,
            "multi-dimensional slicing is not implemented");
        return NULL;
    }

    PyErr_SetString(PyExc_TypeError, "memoryview: invalid slice key");
    return NULL;
}
```

Affected Versions:

| Python Version | Status | Exit Code |
|---|---|---|
| Python 3.9.24+ (heads/3.9:9c4638d, Oct 17 2025, 11:19:30) | ASAN | 1 |
| Python 3.10.19+ (heads/3.10:0142619, Oct 17 2025, 11:20:05) [GCC 13.3.0] | ASAN | 1 |
| Python 3.11.14+ (heads/3.11:88f3f5b, Oct 17 2025, 11:20:44) [GCC 13.3.0] | ASAN | 1 |
| Python 3.12.12+ (heads/3.12:8cb2092, Oct 17 2025, 11:21:35) [GCC 13.3.0] | ASAN | 1 |
| Python 3.13.9+ (heads/3.13:0760a57, Oct 17 2025, 11:22:25) [GCC 13.3.0] | ASAN | 1 |
| Python 3.14.0+ (heads/3.14:889e918, Oct 17 2025, 11:23:02) [GCC 13.3.0] | ASAN | 1 |
| Python 3.15.0a1+ (heads/main:fbf0843, Oct 17 2025, 11:23:37) [GCC 13.3.0] | ASAN | 1 |

Sanitizer Output

```
=================================================================
==1532703==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5ae17c7bd8ce bp 0x7fffb3a81570 sp 0x7fffb3a814b0 T0)
==1532703==The signal is caused by a READ memory access.
==1532703==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x5ae17c7bd8ce in unpack_single Objects/memoryobject.c:1842
    #1 0x5ae17c7be2c2 in memory_item Objects/memoryobject.c:2474
    #2 0x5ae17c7c31d6 in memory_subscript Objects/memoryobject.c:2610
    #3 0x5ae17c6e5393 in PyObject_GetItem Objects/abstract.c:163
    #4 0x5ae17c98a8f8 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:62
    #5 0x5ae17c9d7e54 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:121
    #6 0x5ae17c9d8148 in _PyEval_Vector Python/ceval.c:2001
    #7 0x5ae17c9d83f8 in PyEval_EvalCode Python/ceval.c:884
    #8 0x5ae17cacf507 in run_eval_code_obj Python/pythonrun.c:1365
    #9 0x5ae17cacf723 in run_mod Python/pythonrun.c:1459
    #10 0x5ae17cad057a in pyrun_file Python/pythonrun.c:1293
    #11 0x5ae17cad3220 in _PyRun_SimpleFileObject Python/pythonrun.c:521
    #12 0x5ae17cad34f6 in _PyRun_AnyFileObject Python/pythonrun.c:81
    #13 0x5ae17cb2474d in pymain_run_file_obj Modules/main.c:410
    #14 0x5ae17cb249b4 in pymain_run_file Modules/main.c:429
    #15 0x5ae17cb261b2 in pymain_run_python Modules/main.c:691
    #16 0x5ae17cb26842 in Py_RunMain Modules/main.c:772
    #17 0x5ae17cb26a2e in pymain_main Modules/main.c:802
    #18 0x5ae17cb26db3 in Py_BytesMain Modules/main.c:826
    #19 0x5ae17c5aa645 in main Programs/python.c:15
    #20 0x715a34c2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #21 0x715a34c2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #22 0x5ae17c5aa574 in _start (/home/jackfromeast/Desktop/entropy/tasks/grammar-afl++-latest/targets/cpython/python+0x2dd574) (BuildId: ff3dc40ea460bd4beb2c3a72283cca525b319bf0)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS Objects/memoryobject.c:1842 in unpack_single
==1532703==ABORTING
```
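The ordering the report describes (subview created by `mbuf_add_view()` before `init_slice()` evaluates the bounds) can be observed without a crash by swapping the mmap for a `bytearray`, whose resize path refuses to move its buffer while any export is outstanding. The following is an added example, not code from the issue or from CPython; the function names `probe_direct_slice`, `safe_slice` and `demo_safe_slice` and the sample buffers are ours. `probe_direct_slice()` records what a re-entrant `__index__` can see, and `safe_slice()` shows the defensive ordering a caller wants: resolve every bound with `operator.index()` first, so a release triggered from `__index__` happens while no subview exists and is caught by memoryview's own released check.

```python
import operator


def probe_direct_slice():
    """Slice a bytearray-backed memoryview with a key whose __index__ first
    releases the parent view and then tries to resize the bytearray.

    Returns the events recorded inside __index__ and after the slice.  A
    BufferError on the resize, even though the parent view has already been
    released, means some other object is still exporting the buffer at that
    moment; in the code quoted above that object is the subview created by
    mbuf_add_view() before init_slice() evaluated the bounds.
    """
    events = []
    ba = bytearray(b"A" * 16)           # constructed sample buffer
    mv = memoryview(ba)

    class Probe:
        def __index__(self):
            mv.release()                # parent view is unusable from here on
            try:
                ba.append(0)            # resizing would move the buffer
                events.append("resize allowed")
            except BufferError:
                events.append("resize blocked: buffer still exported")
            return 0

    try:
        sub = mv[slice(Probe(), None, None)]
        events.append(f"subview created, len={len(sub)}")
        sub.release()
    except (ValueError, BufferError) as exc:
        events.append(f"slicing raised {type(exc).__name__}")
    return events


def safe_slice(mv, key):
    """Slice *mv* by *key* after resolving every bound to a plain int.

    Calling operator.index() up front means any re-entrant __index__ runs
    while no subview exists.  If it releases the view, the following mv[...]
    hits memoryview's released check and raises ValueError instead of
    handing back a view over a buffer that may be gone.
    """
    if not isinstance(key, slice):
        raise TypeError("safe_slice expects a slice key")

    def to_int(bound):
        return None if bound is None else operator.index(bound)

    resolved = slice(to_int(key.start), to_int(key.stop), to_int(key.step))
    return mv[resolved]


def demo_safe_slice():
    """Run safe_slice() with a bound whose __index__ releases the parent view.

    Returns the ValueError message, or None if slicing unexpectedly succeeded.
    """
    ba = bytearray(b"A" * 16)           # constructed sample buffer
    mv = memoryview(ba)

    class Trigger:
        def __index__(self):
            mv.release()                # same release as in the PoC, no ftruncate
            return 0

    try:
        safe_slice(mv, slice(Trigger(), None, None))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for event in probe_direct_slice():
        print("direct slice:", event)
    print("safe_slice  :", demo_safe_slice())
```

On a build with the ordering shown in the quoted `memory_subscript()`, the direct slice records that the resize is blocked even though the parent view was already released, which is the half-built subview holding the export; `safe_slice()` instead fails closed with `operation forbidden on released memoryview object`. The example does not reproduce the SIGBUS itself, since the `bytearray` path guards its buffer where the mmap/`ftruncate` path cannot.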
