homepage

# _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
# ...
# while (pos > startpos){
# parentpos = (pos - 1) >> 1;
# parent = PyList_GET_ITEM(heap, parentpos);
# 1 cmp = PyObject_RichCompareBool(newitem, parent, Py_LT);
# ...
# 2 if (size != PyList_GET_SIZE(heap)) {
# Py_DECREF(newitem);
# PyErr_SetString(PyExc_RuntimeError,
# "list changed size during iteration");
# return -1;
# }
# if (cmp == 0)
# 3 break;
# ...
# }
# 4 Py_DECREF(PyList_GET_ITEM(heap, pos));
# 5 PyList_SET_ITEM(heap, pos, newitem);
# 
# 1. custom compare function replaces object at index "pos" with a fresh 
# instance with refcnt==1
# 2. check is ineffective, since mutation was done without altering size
# 3. break out of the loop
# 4. refcnt drops to 0 and __del__ method is called. Destructed clears the heap
# 5. SET_ITEM doesn't do any bounds checking and does a wild write. 
#
# "pos" is under our control and is restricted only by the amount of free 
# memory. pos==X requires heap of size X-1.
# 
# gX global var is necessary. Without it, python crashes in debug checks inside
# Py_ForgetReference. Seems like clearing L puts objects in a bad state.
#
# GDB
# ---
# Program received signal SIGSEGV, Segmentation fault.
# 0x4002ed73 in _siftdown (heap=0x4058edfc, startpos=0, pos=112233) at /home/p/Python-3.4.1/Modules/_heapqmodule.c:58
# 58 PyList_SET_ITEM(heap, pos, newitem);
# (gdb) print *heap
# 1ドル = {ob_base = {ob_base = {_ob_next = 0x405913f4, _ob_prev = 0x4058ee6c, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}, 
# ob_size = 0}, ob_item = 0x0, allocated = 0}
# (gdb) print pos
# 2ドル = 112233

Paul, this was nice work. Thanks.
Attaching a patch to make 3.4 match the Python 3.5 version of the code which rearranges the object pointers without changing their reference counts.
With that patch, your crasher no longer seg-faults, but gives this instead:
len(L): 112234
__del__
__del__
Exception ignored in: <bound method X.__del__ of <__main__.X object at 0x10efc9080>>
Traceback (most recent call last):
 File "heap_crasher.py", line 18, in __del__
IndexError: list index out of range

New changeset 813854f49f9d by Raymond Hettinger in branch '3.4':
Issues #24099, #24100, and #24101: Fix free-after-use bug in heapq.
https://hg.python.org/cpython/rev/813854f49f9d 

It would be nice to add tests based on provided demo scripts.

New changeset d356e68de236 by Raymond Hettinger in branch '2.7':
Issues #24099, #24100, and #24101: Fix free-after-use bug in heapq.
https://hg.python.org/cpython/rev/d356e68de236 

Go ahead and add tests if you like. I don't see the point.
The fix was to simply backport code that was already in Py3.5.
and the code exercised by the exploit scripts is no longer there.

I should add that the crasher scripts share common features and could perhaps be built into a unified test tool. Also, some care should be taken to make the tool mostly independent of non-guaranteed "del" behavior or CPython specific ref-counting logic to trigger a particular sequence of events. For example, pypy gives a different result than CPython 3.5 for for the various poc_sift* scripts. The reason is that the "__del__" method isn't reliably triggered in a gc-only environment.