Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

LOAD_ATTR_SLOT andSTORE_ATTR_SLOT don't check the owner's type #99257

Closed
Assignees
brandtbucher
Labels
3.11only security fixes3.12only security fixesinterpreter-core(Objects, Python, Grammar, and Parser dirs)release-blockertype-crashA hard crash of the interpreter, possibly with a core dump
@brandtbucher

Description

@brandtbucher

When specializingLOAD_ATTR_SLOT, we don't check whether the given member descriptor is valid for the type we got it from.

Here is a problematic example, where one class "borrows" a slot from another:

>>>classClass:...__slots__= ("slot",)...>>>classSneaky:...borrowed=Class.slot...>>>deff(o):...returno.borrowed...>>>o=Sneaky()

The unspecialized code behaves correctly:

>>>f(o)Traceback (mostrecentcalllast):File"<stdin>",line1,in<module>File"<stdin>",line2,infTypeError:descriptor'slot'for'Class'objectsdoesn't apply to a 'Sneaky'object

However, the specialized code crashes, since it is accessing memory past the end of the object:

>>>f(o)Segmentationfault

We can fix this by performing the same check that the member descriptor performs (PyObject_TypeCheck(obj, descr->d_type)) when specializing.

CC@markshannon

Metadata

Metadata

Assignees

Labels

3.11only security fixes3.12only security fixesinterpreter-core(Objects, Python, Grammar, and Parser dirs)release-blockertype-crashA hard crash of the interpreter, possibly with a core dump

Projects

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions

    [8]ページ先頭
    ©2009-2025 Movatter.jp