Issue 24098: Multiple use after frees in obj2ast_* methods

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/68286

classification

Title:	Multiple use after frees in obj2ast_* methods
Type:	crash	Stage:	resolved
Components:	Extension Modules	Versions:	Python 3.7, Python 3.6, Python 3.5, Python 2.7

process

Dependencies:	Superseder:
Status:	closed	Resolution:	fixed
Assigned To:	serhiy.storchaka	Nosy List:	Arfrever, benjamin.peterson, berker.peksag, christian.heimes, pkt, python-dev, serhiy.storchaka
Priority:	high	Keywords:	patch

Created on 2015年05月01日 14:10 by pkt, last changed 2022年04月11日 14:58 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
poc_obj2mod.py	pkt, 2015年05月01日 14:10
issue24098.patch	pkt, 2016年09月26日 13:40	patch
issue24098-check-size.patch	serhiy.storchaka, 2016年09月27日 08:19	review
issue24098-iterate-tuple.patch	serhiy.storchaka, 2016年09月27日 08:19	review

Pull Requests
URL	Status	Linked	Edit
PR 552	closed	dstufft, 2017年03月31日 16:36

Messages (9)
msg242315 - (view)	Author: paul (pkt)	Date: 2015年05月01日 14:10
# 3617 for (i = 0; i < len; i++) { # (gdb) print (PyListObject)tmp # 1ドル = {ob_base = {ob_base = {_ob_next = 0x4056f8f4, _ob_prev = 0x4057329c, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}, # ob_size = 1337}, ob_item = 0x8491ae0, allocated = 1432} # (gdb) n # 3619 res = obj2ast_stmt(PyList_GET_ITEM(tmp, i), &value, arena); # (gdb) n # 3620 if (res != 0) goto failed; # (gdb) print (PyListObject)tmp # 2ドル = {ob_base = {ob_base = {_ob_next = 0x4056f8f4, _ob_prev = 0x4057329c, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}, # ob_size = 1}, ob_item = 0x8491ae0, allocated = 4} # (gdb) c # Continuing. # # Program received signal SIGSEGV, Segmentation fault. # 0x080f2c17 in PyObject_GetAttr (v=<unknown at remote 0x405733b4>, name='lineno') at Objects/object.c:872 # 872 if (tp->tp_getattro != NULL) # # Objects freed in __getattr__ are used later in the loop above. There are two # bugs actually. One is the use-after-free and the second is using a stale size # variable "len" to control the for(...) loop. "body" can be mutated inside # obj2ast_stmt. This construct: for (i = 0; i < len; i++) { stmt_ty value; res = obj2ast_stmt(PyList_GET_ITEM(tmp, i), &value, arena); if (res != 0) goto failed; asdl_seq_SET(body, i, value); } is repeated multiple times in multiple obj2ast_ methods. It contains two bugs: 1. tmp[i] isn't protected from deletion inside python code (refcnt is not increased by GET_ITEM), 2. tmp's length can drop below "len" resulting in an OOB read, because the loop counter is static.
msg242750 - (view)	Author: paul (pkt)	Date: 2015年05月08日 08:14
ping
msg242980 - (view)	Author: paul (pkt)	Date: 2015年05月12日 15:42
ping
msg246066 - (view)	Author: paul (pkt)	Date: 2015年07月02日 10:26
ping
msg246147 - (view)	Author: paul (pkt)	Date: 2015年07月03日 07:46
ping
msg277419 - (view)	Author: paul (pkt)	Date: 2016年09月26日 13:40
Fix by replacing static 'len' in loops with a macro, so that mutations of size of the containter do not casue OOB reads.
msg277469 - (view)	Author: Berker Peksag (berker.peksag) * (Python committer)	Date: 2016年09月26日 20:53
Please note that Python/Python-ast.c is automatically generated by Parser/asdl_c.py.
msg277504 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer)	Date: 2016年09月27日 08:19
Bad things happen not only when a list shrinks, but also when it grows during iteration. The one solution is to check if the size is changed on every iteration. The other solution is to convert a list to a tuple for iterating.
msg278261 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2016年10月07日 18:57
New changeset 47d5bf5a846f by Serhiy Storchaka in branch '2.7': Issue #24098: Fixed possible crash when AST is changed in process of https://hg.python.org/cpython/rev/47d5bf5a846f New changeset f575710b5f56 by Serhiy Storchaka in branch '3.5': Issue #24098: Fixed possible crash when AST is changed in process of https://hg.python.org/cpython/rev/f575710b5f56 New changeset 7528154cadaa by Serhiy Storchaka in branch '3.6': Issue #24098: Fixed possible crash when AST is changed in process of https://hg.python.org/cpython/rev/7528154cadaa New changeset def217aaad2f by Serhiy Storchaka in branch 'default': Issue #24098: Fixed possible crash when AST is changed in process of https://hg.python.org/cpython/rev/def217aaad2f

History
Date	User	Action	Args
2022年04月11日 14:58:16	admin	set	github: 68286
2017年03月31日 16:36:27	dstufft	set	pull_requests: + pull_request1008
2016年10月07日 20:37:29	serhiy.storchaka	set	status: open -> closed resolution: fixed stage: patch review -> resolved
2016年10月07日 18:57:47	python-dev	set	nosy: + python-dev messages: + msg278261
2016年10月05日 08:05:05	serhiy.storchaka	set	assignee: serhiy.storchaka
2016年09月27日 08:19:21	serhiy.storchaka	set	files: + issue24098-iterate-tuple.patch
2016年09月27日 08:19:02	serhiy.storchaka	set	files: + issue24098-check-size.patch messages: + msg277504 versions: + Python 2.7, - Python 3.4
2016年09月26日 20:53:22	berker.peksag	set	nosy: + berker.peksag, benjamin.peterson messages: + msg277469
2016年09月26日 13:44:04	christian.heimes	set	priority: normal -> high stage: needs patch -> patch review versions: + Python 3.6, Python 3.7
2016年09月26日 13:40:22	pkt	set	files: + issue24098.patch keywords: + patch messages: + msg277419
2015年07月03日 07:46:07	pkt	set	messages: + msg246147
2015年07月02日 10:26:20	pkt	set	messages: + msg246066
2015年05月12日 15:42:17	pkt	set	messages: + msg242980
2015年05月08日 08:14:42	pkt	set	messages: + msg242750
2015年05月03日 06:48:04	Arfrever	set	nosy: + Arfrever
2015年05月02日 04:49:57	serhiy.storchaka	set	nosy: + serhiy.storchaka
2015年05月01日 14:13:35	christian.heimes	set	nosy: + christian.heimes
2015年05月01日 14:13:06	christian.heimes	set	stage: needs patch components: + Extension Modules versions: + Python 3.5
2015年05月01日 14:10:29	pkt	create

homepage