Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork33.7k
gh-101765: Fix SystemError / segmentation fault in iter__reduce__ when internal access ofbuiltins.__dict__ exhausts the iterator#101769
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
…o potential side effects
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
- Added some comments for dict del usages- Switched to `__builtin__` instead of conditional `__dict__` access- Use kwargs for improved readability
…ist conditional branch
JelleZijlstra commentedFeb 24, 2023
Since this could cause a segfault, it should perhaps be considered a security issue to be backported to the security branches. However, the way to trigger it is so obscure that I'm not sure it's worth backporting.@ambv what do you think? |
miss-islington commentedFeb 24, 2023
Thanks@ionite34 for the PR, and@JelleZijlstra for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11. |
miss-islington commentedFeb 24, 2023
Sorry,@ionite34 and@JelleZijlstra, I could not cleanly backport this to |
miss-islington commentedFeb 24, 2023
Sorry@ionite34 and@JelleZijlstra, I had trouble checking out the |
JelleZijlstra commentedFeb 24, 2023
@ionite34 are you interested in doing the 3.10/3.11 backports (and potentially 3.7-3.9 if we decide this is important enough)? It's probably a matter of installing cherry-picker locally and fixing a few conflicts. |
ionite34 commentedFeb 25, 2023
Yeah I could try 👀, though uh, I don't think I saw anything on the dev guide regarding backports. Am I essentially doing the stuff mentioned here?https://pypi.org/project/cherry_picker/#example |
JelleZijlstra commentedFeb 25, 2023
Thanks! Yes, cherrry-picker will do most of the work of actually creating the PR, you just have to do the manual work to fix the merge. Just as general background, we develop every 3.x version in a separate branch. PRs are usually first against the main branch (which will be 3.12). If the PR fixes a bug (as opposed to a new feature), we'll backport the change into the bugfix branches, which are currently for 3.10 and 3.11. |
…`__reduce__` when internal access of `builtins.__dict__` exhausts the iterator (pythonGH-101769).(cherry picked from commit54dfa14)Co-authored-by: Ionite <dev@ionite.io>
…`__reduce__` when internal access of `builtins.__dict__` exhausts the iterator (pythonGH-101769).(cherry picked from commit54dfa14)Co-authored-by: Ionite <dev@ionite.io>
bedevere-bot commentedFeb 25, 2023
GH-102228 is a backport of this pull request to the3.11 branch. |
…`__reduce__` when internal access of `builtins.__dict__` exhausts the iterator (pythonGH-101769).(cherry picked from commit54dfa14)Co-authored-by: Ionite <dev@ionite.io>
bedevere-bot commentedFeb 25, 2023
GH-102229 is a backport of this pull request to the3.10 branch. |
| }else { | ||
| PyObject*reversed=_PyEval_GetBuiltin(&_Py_ID(reversed)); | ||
| listreviterobject*it= (listreviterobject*)_it; | ||
| if (it->it_seq) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Ifit_seq is NULL then reversed is leaked here,_PyEval_GetBuiltin returns a strong reference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Good point, but doesn't that mean the old code also leaked references? I'll prepare a PR to fix this now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Oh wait, the N code to Py_BuildValue steals a reference, so the previous code was right in terms of refcounting.
…ing (pythonGH-102265)Followup frompythonGH-101769..(cherry picked from commitd71edbd)Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
…ing (pythonGH-102265)Followup frompythonGH-101769..(cherry picked from commitd71edbd)Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
…ce__` when internal access of `builtins.__dict__` exhausts the iterator (python#101769)
Uh oh!
There was an error while loading.Please reload this page.
Summary
__reduce__is called oniterobjects when the key of the hash of"iter"within__builtins__.__dict__is a custom object that executes arbitrary code within__eq__, mutating theiterobject and causing illegal memory access or SystemError (based on C argument evaluation order, which is undefined behavior).Affected methods
iterobject.citer_reducecalliter_reducelistobject.clistiter_reduce_generalbytearrayobject.cbytearrayiter_reducebytesobject.cstriter_reducetupleobject.ctupleiter_reducegenericaliasobject.cga_iter_reduceThis PR also fixes a compounded issue where currently
genericaliasobject.ga_iter_reducedoes not handle empty iterators at all and has no NULL checkAlong with moving the evaluation of
_PyEval_GetBuiltinfor potential side effects, this also adds handling of the NULL case (like the otheriter_reducefunctions have:Linked Issue
__reduce__can segfault if accessing__builtins__.__dict__['iter']mutates the iter object #101765