Use After Free in list_richcompare_impl #120298
Description
Crash report
Bisect
bisect from 65e1cea
Build
./configure --with-pydebug --with-address-sanitizer
Root Cause
The list_richcompare_impl function calls arbitrary code while comparing nested list structures. This can cause vl->ob_item[i] and wl->ob_item[i] to have their reference counts decreased, triggering a use-after-free issue. This issue arises when called from bisect, deque and heapq(#115706) indices with improper validation.
static PyObject *
list_richcompare_impl(PyObject *v, PyObject *w, int op)
{
PyListObject *vl, *wl;
Py_ssize_t i;
if (!PyList_Check(v) || !PyList_Check(w))
Py_RETURN_NOTIMPLEMENTED;
vl = (PyListObject *)v;
wl = (PyListObject *)w;
if (Py_SIZE(vl) != Py_SIZE(wl) && (op == Py_EQ || op == Py_NE)) {
/* Shortcut: if the lengths differ, the lists differ */
if (op == Py_EQ)
Py_RETURN_FALSE;
else
Py_RETURN_TRUE;
}
/* Search for the first index where items are different */
for (i = 0; i < Py_SIZE(vl) && i < Py_SIZE(wl); i++) {
PyObject *vitem = vl->ob_item[i];
PyObject *witem = wl->ob_item[i];
if (vitem == witem) {
continue;
}
Py_INCREF(vitem);
Py_INCREF(witem);
int k = PyObject_RichCompareBool(vitem, witem, Py_EQ);
Py_DECREF(vitem);
Py_DECREF(witem);
if (k < 0)
return NULL;
if (!k)
break;
}
if (i >= Py_SIZE(vl) || i >= Py_SIZE(wl)) {
/* No more items to compare -- compare sizes */
Py_RETURN_RICHCOMPARE(Py_SIZE(vl), Py_SIZE(wl), op);
}
/* We have an item that differs -- shortcuts for EQ/NE */
if (op == Py_EQ) {
Py_RETURN_FALSE;
}
if (op == Py_NE) {
Py_RETURN_TRUE;
}
/* Compare the final item again using the proper operator */
return PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op); // <-- call arbitrary code in python
}
POC
import _bisect
class evil(object):
def __lt__(self, other):
other.clear()
return NotImplemented
a = [ [ evil()]]
_bisect.insort_left( a ,a )import collections
class evil(object):
def __lt__(self, other):
other.pop()
return NotImplemented
a = [ [ [ evil() ] ] ]
collections.deque( a[0] ) < collections.deque( a )asan
bisect asan
=================================================================
==148257==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300001ff78 at pc 0x55564b4e5fe2 bp 0x7ffe8b09d4b0 sp 0x7ffe8b09d4a0
READ of size 8 at 0x61300001ff78 thread T0
#0 0x55564b4e5fe1 in Py_TYPE Include/object.h:249
#1 0x55564b4e5fe1 in list_richcompare_impl Objects/listobject.c:3338
#2 0x55564b4e6bcb in list_richcompare Objects/listobject.c:3393
#3 0x55564b561388 in do_richcompare Objects/object.c:933
#4 0x55564b561654 in PyObject_RichCompare Objects/object.c:976
#5 0x55564b4e66c9 in list_richcompare_impl Objects/listobject.c:3385
#6 0x55564b4e6bcb in list_richcompare Objects/listobject.c:3393
#7 0x7fd307a05a2b in internal_bisect_left Modules/_bisectmodule.c:288
#8 0x7fd307a063b6 in _bisect_insort_left_impl Modules/_bisectmodule.c:396
#9 0x7fd307a06a74 in _bisect_insort_left Modules/clinic/_bisectmodule.c.h:432
#10 0x55564b55224a in cfunction_vectorcall_FASTCALL_KEYWORDS Objects/methodobject.c:441
#11 0x55564b45bbb9 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168
#12 0x55564b45bd14 in PyObject_Vectorcall Objects/call.c:327
#13 0x55564b7988c4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:813
#14 0x55564b7d0a7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
#15 0x55564b7d0a7b in _PyEval_Vector Python/ceval.c:1819
#16 0x55564b7d0c9c in PyEval_EvalCode Python/ceval.c:599
#17 0x55564b8e8c51 in run_eval_code_obj Python/pythonrun.c:1292
#18 0x55564b8ebb96 in run_mod Python/pythonrun.c:1377
#19 0x55564b8ec976 in pyrun_file Python/pythonrun.c:1210
#20 0x55564b8eee55 in _PyRun_SimpleFileObject Python/pythonrun.c:459
#21 0x55564b8ef349 in _PyRun_AnyFileObject Python/pythonrun.c:77
#22 0x55564b950718 in pymain_run_file_obj Modules/main.c:357
#23 0x55564b952fea in pymain_run_file Modules/main.c:376
#24 0x55564b953bfb in pymain_run_python Modules/main.c:639
#25 0x55564b953d8b in Py_RunMain Modules/main.c:718
#26 0x55564b953f72 in pymain_main Modules/main.c:748
#27 0x55564b9542ea in Py_BytesMain Modules/main.c:772
#28 0x55564b2bdb15 in main Programs/python.c:15
#29 0x7fd30a683d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#30 0x7fd30a683e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#31 0x55564b2bda44 in _start (/home/kcats/cpython/python+0x282a44)
0x61300001ff78 is located 56 bytes inside of 352-byte region [0x61300001ff40,0x6130000200a0)
freed by thread T0 here:
#0 0x7fd30aa1e537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x55564b5689c5 in _PyMem_RawFree Objects/obmalloc.c:90
#2 0x55564b56ac2f in _PyMem_DebugRawFree Objects/obmalloc.c:2754
#3 0x55564b56b55d in _PyMem_DebugFree Objects/obmalloc.c:2891
#4 0x55564b59f467 in PyObject_Free Objects/obmalloc.c:1323
#5 0x55564b848285 in PyObject_GC_Del Python/gc.c:2123
#6 0x55564b5c4af8 in object_dealloc Objects/typeobject.c:6324
#7 0x55564b5ec8e4 in subtype_dealloc Objects/typeobject.c:2534
#8 0x55564b55f3b1 in _Py_Dealloc Objects/object.c:2854
#9 0x55564b83f056 in Py_DECREF Include/refcount.h:351
#10 0x55564b83f056 in Py_XDECREF Include/refcount.h:459
#11 0x55564b83f056 in _PyFrame_ClearLocals Python/frame.c:104
#12 0x55564b83f21c in _PyFrame_ClearExceptCode Python/frame.c:129
#13 0x55564b7819a6 in clear_thread_frame Python/ceval.c:1681
#14 0x55564b78a486 in _PyEval_FrameClearAndPop Python/ceval.c:1708
#15 0x55564b7c3ea5 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:5279
#16 0x55564b7d0a7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
#17 0x55564b7d0a7b in _PyEval_Vector Python/ceval.c:1819
#18 0x55564b45b20d in _PyFunction_Vectorcall Objects/call.c:413
#19 0x55564b60196b in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168
#20 0x55564b60196b in vectorcall_unbound Objects/typeobject.c:2716
#21 0x55564b60196b in slot_tp_richcompare Objects/typeobject.c:9812
#22 0x55564b561280 in do_richcompare Objects/object.c:927
#23 0x55564b561654 in PyObject_RichCompare Objects/object.c:976
#24 0x55564b4e66c9 in list_richcompare_impl Objects/listobject.c:3385
#25 0x55564b4e6bcb in list_richcompare Objects/listobject.c:3393
#26 0x7fd307a05a2b in internal_bisect_left Modules/_bisectmodule.c:288
#27 0x7fd307a063b6 in _bisect_insort_left_impl Modules/_bisectmodule.c:396
#28 0x7fd307a06a74 in _bisect_insort_left Modules/clinic/_bisectmodule.c.h:432
#29 0x55564b55224a in cfunction_vectorcall_FASTCALL_KEYWORDS Objects/methodobject.c:441
#30 0x55564b45bbb9 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168
#31 0x55564b45bd14 in PyObject_Vectorcall Objects/call.c:327
#32 0x55564b7988c4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:813
#33 0x55564b7d0a7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
#34 0x55564b7d0a7b in _PyEval_Vector Python/ceval.c:1819
#35 0x55564b7d0c9c in PyEval_EvalCode Python/ceval.c:599
previously allocated by thread T0 here:
#0 0x7fd30aa1e887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55564b56956c in _PyMem_RawMalloc Objects/obmalloc.c:62
#2 0x55564b56889f in _PyMem_DebugRawAlloc Objects/obmalloc.c:2686
#3 0x55564b568907 in _PyMem_DebugRawMalloc Objects/obmalloc.c:2719
#4 0x55564b56b59f in _PyMem_DebugMalloc Objects/obmalloc.c:2876
#5 0x55564b59f323 in PyObject_Malloc Objects/obmalloc.c:1294
#6 0x55564b5e16bc in _PyObject_MallocWithType Include/internal/pycore_object_alloc.h:46
#7 0x55564b5e16bc in _PyType_AllocNoTrack Objects/typeobject.c:2187
#8 0x55564b5e1b9b in PyType_GenericAlloc Objects/typeobject.c:2216
#9 0x55564b5da5bf in object_new Objects/typeobject.c:6314
#10 0x55564b5e8851 in type_call Objects/typeobject.c:2131
#11 0x55564b45b5e7 in _PyObject_MakeTpCall Objects/call.c:242
#12 0x55564b45bce8 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:166
#13 0x55564b45bd14 in PyObject_Vectorcall Objects/call.c:327
#14 0x55564b7988c4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:813
#15 0x55564b7d0a7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
#16 0x55564b7d0a7b in _PyEval_Vector Python/ceval.c:1819
#17 0x55564b7d0c9c in PyEval_EvalCode Python/ceval.c:599
#18 0x55564b8e8c51 in run_eval_code_obj Python/pythonrun.c:1292
#19 0x55564b8ebb96 in run_mod Python/pythonrun.c:1377
#20 0x55564b8ec976 in pyrun_file Python/pythonrun.c:1210
#21 0x55564b8eee55 in _PyRun_SimpleFileObject Python/pythonrun.c:459
#22 0x55564b8ef349 in _PyRun_AnyFileObject Python/pythonrun.c:77
#23 0x55564b950718 in pymain_run_file_obj Modules/main.c:357
#24 0x55564b952fea in pymain_run_file Modules/main.c:376
#25 0x55564b953bfb in pymain_run_python Modules/main.c:639
#26 0x55564b953d8b in Py_RunMain Modules/main.c:718
#27 0x55564b953f72 in pymain_main Modules/main.c:748
#28 0x55564b9542ea in Py_BytesMain Modules/main.c:772
#29 0x55564b2bdb15 in main Programs/python.c:15
#30 0x7fd30a683d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
SUMMARY: AddressSanitizer: heap-use-after-free Include/object.h:249 in Py_TYPE
Shadow bytes around the buggy address:
0x0c267fffbf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fffbfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fffbfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fffbfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fffbfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c267fffbfe0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd]
0x0c267fffbff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fffc000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fffc010: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fffc020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fffc030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==148257==ABORTING
deque asan
=================================================================
==144863==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000290b8 at pc 0x55ced2414fe2 bp 0x7ffd0b9be680 sp 0x7ffd0b9be670
READ of size 8 at 0x6130000290b8 thread T0
#0 0x55ced2414fe1 in Py_TYPE Include/object.h:249
#1 0x55ced2414fe1 in list_richcompare_impl Objects/listobject.c:3338
#2 0x55ced2415bcb in list_richcompare Objects/listobject.c:3393
#3 0x55ced2490388 in do_richcompare Objects/object.c:933
#4 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
#5 0x55ced24156c9 in list_richcompare_impl Objects/listobject.c:3385
#6 0x55ced2415bcb in list_richcompare Objects/listobject.c:3393
#7 0x55ced2490280 in do_richcompare Objects/object.c:927
#8 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
#9 0x55ced2490782 in PyObject_RichCompareBool Objects/object.c:998
#10 0x55ced28eeca2 in deque_richcompare Modules/_collectionsmodule.c:1678
#11 0x55ced2490280 in do_richcompare Objects/object.c:927
#12 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
#13 0x55ced26d50e9 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:2218
#14 0x55ced26ffa7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
#15 0x55ced26ffa7b in _PyEval_Vector Python/ceval.c:1819
#16 0x55ced26ffc9c in PyEval_EvalCode Python/ceval.c:599
#17 0x55ced2817c51 in run_eval_code_obj Python/pythonrun.c:1292
#18 0x55ced281ab96 in run_mod Python/pythonrun.c:1377
#19 0x55ced281b976 in pyrun_file Python/pythonrun.c:1210
#20 0x55ced281de55 in _PyRun_SimpleFileObject Python/pythonrun.c:459
#21 0x55ced281e349 in _PyRun_AnyFileObject Python/pythonrun.c:77
#22 0x55ced287f718 in pymain_run_file_obj Modules/main.c:357
#23 0x55ced2881fea in pymain_run_file Modules/main.c:376
#24 0x55ced2882bfb in pymain_run_python Modules/main.c:639
#25 0x55ced2882d8b in Py_RunMain Modules/main.c:718
#26 0x55ced2882f72 in pymain_main Modules/main.c:748
#27 0x55ced28832ea in Py_BytesMain Modules/main.c:772
#28 0x55ced21ecb15 in main Programs/python.c:15
#29 0x7f384351dd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#30 0x7f384351de3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#31 0x55ced21eca44 in _start (/home/kcats/cpython/python+0x282a44)
0x6130000290b8 is located 56 bytes inside of 352-byte region [0x613000029080,0x6130000291e0)
freed by thread T0 here:
#0 0x7f38438b8537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x55ced24979c5 in _PyMem_RawFree Objects/obmalloc.c:90
#2 0x55ced2499c2f in _PyMem_DebugRawFree Objects/obmalloc.c:2754
#3 0x55ced249a55d in _PyMem_DebugFree Objects/obmalloc.c:2891
#4 0x55ced24ce467 in PyObject_Free Objects/obmalloc.c:1323
#5 0x55ced2777285 in PyObject_GC_Del Python/gc.c:2123
#6 0x55ced24f3af8 in object_dealloc Objects/typeobject.c:6324
#7 0x55ced251b8e4 in subtype_dealloc Objects/typeobject.c:2534
#8 0x55ced248e3b1 in _Py_Dealloc Objects/object.c:2854
#9 0x55ced276e056 in Py_DECREF Include/refcount.h:351
#10 0x55ced276e056 in Py_XDECREF Include/refcount.h:459
#11 0x55ced276e056 in _PyFrame_ClearLocals Python/frame.c:104
#12 0x55ced276e21c in _PyFrame_ClearExceptCode Python/frame.c:129
#13 0x55ced26b09a6 in clear_thread_frame Python/ceval.c:1681
#14 0x55ced26b9486 in _PyEval_FrameClearAndPop Python/ceval.c:1708
#15 0x55ced26f2ea5 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:5279
#16 0x55ced26ffa7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
#17 0x55ced26ffa7b in _PyEval_Vector Python/ceval.c:1819
#18 0x55ced238a20d in _PyFunction_Vectorcall Objects/call.c:413
#19 0x55ced253096b in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168
#20 0x55ced253096b in vectorcall_unbound Objects/typeobject.c:2716
#21 0x55ced253096b in slot_tp_richcompare Objects/typeobject.c:9812
#22 0x55ced2490280 in do_richcompare Objects/object.c:927
#23 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
#24 0x55ced24156c9 in list_richcompare_impl Objects/listobject.c:3385
#25 0x55ced2415bcb in list_richcompare Objects/listobject.c:3393
#26 0x55ced2490280 in do_richcompare Objects/object.c:927
#27 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
#28 0x55ced2490782 in PyObject_RichCompareBool Objects/object.c:998
#29 0x55ced28eeca2 in deque_richcompare Modules/_collectionsmodule.c:1678
#30 0x55ced2490280 in do_richcompare Objects/object.c:927
#31 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
#32 0x55ced26d50e9 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:2218
#33 0x55ced26ffa7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
#34 0x55ced26ffa7b in _PyEval_Vector Python/ceval.c:1819
#35 0x55ced26ffc9c in PyEval_EvalCode Python/ceval.c:599
previously allocated by thread T0 here:
#0 0x7f38438b8887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55ced249856c in _PyMem_RawMalloc Objects/obmalloc.c:62
#2 0x55ced249789f in _PyMem_DebugRawAlloc Objects/obmalloc.c:2686
#3 0x55ced2497907 in _PyMem_DebugRawMalloc Objects/obmalloc.c:2719
#4 0x55ced249a59f in _PyMem_DebugMalloc Objects/obmalloc.c:2876
#5 0x55ced24ce323 in PyObject_Malloc Objects/obmalloc.c:1294
#6 0x55ced25106bc in _PyObject_MallocWithType Include/internal/pycore_object_alloc.h:46
#7 0x55ced25106bc in _PyType_AllocNoTrack Objects/typeobject.c:2187
#8 0x55ced2510b9b in PyType_GenericAlloc Objects/typeobject.c:2216
#9 0x55ced25095bf in object_new Objects/typeobject.c:6314
#10 0x55ced2517851 in type_call Objects/typeobject.c:2131
#11 0x55ced238a5e7 in _PyObject_MakeTpCall Objects/call.c:242
#12 0x55ced238ace8 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:166
#13 0x55ced238ad14 in PyObject_Vectorcall Objects/call.c:327
#14 0x55ced26c78c4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:813
#15 0x55ced26ffa7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
#16 0x55ced26ffa7b in _PyEval_Vector Python/ceval.c:1819
#17 0x55ced26ffc9c in PyEval_EvalCode Python/ceval.c:599
#18 0x55ced2817c51 in run_eval_code_obj Python/pythonrun.c:1292
#19 0x55ced281ab96 in run_mod Python/pythonrun.c:1377
#20 0x55ced281b976 in pyrun_file Python/pythonrun.c:1210
#21 0x55ced281de55 in _PyRun_SimpleFileObject Python/pythonrun.c:459
#22 0x55ced281e349 in _PyRun_AnyFileObject Python/pythonrun.c:77
#23 0x55ced287f718 in pymain_run_file_obj Modules/main.c:357
#24 0x55ced2881fea in pymain_run_file Modules/main.c:376
#25 0x55ced2882bfb in pymain_run_python Modules/main.c:639
#26 0x55ced2882d8b in Py_RunMain Modules/main.c:718
#27 0x55ced2882f72 in pymain_main Modules/main.c:748
#28 0x55ced28832ea in Py_BytesMain Modules/main.c:772
#29 0x55ced21ecb15 in main Programs/python.c:15
#30 0x7f384351dd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
SUMMARY: AddressSanitizer: heap-use-after-free Include/object.h:249 in Py_TYPE
Shadow bytes around the buggy address:
0x0c267fffd1c0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c267fffd1d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c267fffd1e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fffd1f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fffd200: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c267fffd210: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
0x0c267fffd220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c267fffd230: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c267fffd240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fffd250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fffd260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==144863==ABORTING
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.14.0a0 (heads/main:34f5ae69fe, Jun 9 2024, 21:27:54) [GCC 11.4.0]