Closed as duplicate of #140634
Labels
extension-modules (C modules in the Modules dir), type-crash (A hard crash of the interpreter, possibly with a core dump)
Description
Crash report
What happened?
```python
import pickle
import posix
param = posix.sched_param(9223372036854775807)
for proto in range(pickle.HIGHEST_PROTOCOL + 1):
    newparam = pickle.loads(pickle.dumps(param, proto))
```

=================================================================
==1834045==ERROR: AddressSanitizer: heap-use-after-free on address 0x50400004ff98 at pc 0x7d7f93f59597 bp 0x7ffd817a7cb0 sp 0x7ffd817a7ca0
READ of size 8 at 0x50400004ff98 thread T0
#0 0x7d7f93f59596 in _Py_TYPE ../Include/object.h:277
#1 0x7d7f93f59596 in save ../Modules/_pickle.c:4368
#2 0x7d7f93f65b8a in store_tuple_elements ../Modules/_pickle.c:2785
#3 0x7d7f93f65b8a in save_tuple ../Modules/_pickle.c:2838
#4 0x7d7f93f59210 in save ../Modules/_pickle.c:4427
#5 0x7d7f93f5b66c in save_reduce ../Modules/_pickle.c:4266
#6 0x7d7f93f58990 in save ../Modules/_pickle.c:4548
#7 0x7d7f93f639f6 in dump ../Modules/_pickle.c:4611
#8 0x7d7f93f6505a in _pickle_dumps_impl ../Modules/_pickle.c:7807
#9 0x7d7f93f6505a in _pickle_dumps ../Modules/clinic/_pickle.c.h:829
#10 0x5755f19c1e79 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:2361
#11 0x5755f1e7f386 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121
#12 0x5755f1e7f386 in _PyEval_Vector ../Python/ceval.c:2001
#13 0x5755f1e7f386 in PyEval_EvalCode ../Python/ceval.c:884
#14 0x5755f203df0e in run_eval_code_obj ../Python/pythonrun.c:1365
#15 0x5755f203df0e in run_mod ../Python/pythonrun.c:1459
#16 0x5755f2042bb7 in pyrun_file ../Python/pythonrun.c:1293
#17 0x5755f2042bb7 in _PyRun_SimpleFileObject ../Python/pythonrun.c:521
#18 0x5755f20436dc in _PyRun_AnyFileObject ../Python/pythonrun.c:81
#19 0x5755f20b6afc in pymain_run_file_obj ../Modules/main.c:410
#20 0x5755f20b6afc in pymain_run_file ../Modules/main.c:429
#21 0x5755f20b6afc in pymain_run_python ../Modules/main.c:691
#22 0x5755f20b83de in Py_RunMain ../Modules/main.c:772
#23 0x5755f20b83de in pymain_main ../Modules/main.c:802
#24 0x5755f20b83de in Py_BytesMain ../Modules/main.c:826
#25 0x7d7f94aab1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)
#26 0x7d7f94aab28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)
0x50400004ff98 is located 8 bytes inside of 36-byte region [0x50400004ff90,0x50400004ffb4)
freed by thread T0 here:
#0 0x7d7f94e784d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x5755f1c1bd51 in _Py_Dealloc ../Objects/object.c:3200
#2 0x5755f1c8628d in Py_DECREF ../Include/refcount.h:420
#3 0x5755f1c8628d in Py_XDECREF ../Include/refcount.h:513
#4 0x5755f1c8628d in tuple_dealloc ../Objects/tupleobject.c:231
#5 0x5755f1c1bd51 in _Py_Dealloc ../Objects/object.c:3200
#6 0x7d7f93f3f1bc in Py_DECREF ../Include/refcount.h:420
#7 0x7d7f93f3f1bc in Py_XDECREF ../Include/refcount.h:513
#8 0x7d7f93f3f1bc in PyMemoTable_Clear ../Modules/_pickle.c:780
#9 0x7d7f93f3f1bc in PyMemoTable_Del ../Modules/_pickle.c:792
#10 0x7d7f93f3f1bc in PyMemoTable_Del ../Modules/_pickle.c:788
#11 0x7d7f93f3f1bc in Pickler_clear ../Modules/_pickle.c:4745
#12 0x7d7f93f3f385 in Pickler_dealloc ../Modules/_pickle.c:4755
#13 0x5755f1c1bd51 in _Py_Dealloc ../Objects/object.c:3200
#14 0x7d7f93f654a7 in Py_DECREF ../Include/refcount.h:420
#15 0x7d7f93f654a7 in _pickle_dumps_impl ../Modules/_pickle.c:7811
#16 0x7d7f93f654a7 in _pickle_dumps ../Modules/clinic/_pickle.c.h:829
#17 0x5755f19c1e79 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:2361
#18 0x5755f1e7f386 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121
#19 0x5755f1e7f386 in _PyEval_Vector ../Python/ceval.c:2001
#20 0x5755f1e7f386 in PyEval_EvalCode ../Python/ceval.c:884
#21 0x5755f203df0e in run_eval_code_obj ../Python/pythonrun.c:1365
#22 0x5755f203df0e in run_mod ../Python/pythonrun.c:1459
#23 0x5755f2042bb7 in pyrun_file ../Python/pythonrun.c:1293
#24 0x5755f2042bb7 in _PyRun_SimpleFileObject ../Python/pythonrun.c:521
#25 0x5755f20436dc in _PyRun_AnyFileObject ../Python/pythonrun.c:81
#26 0x5755f20b6afc in pymain_run_file_obj ../Modules/main.c:410
#27 0x5755f20b6afc in pymain_run_file ../Modules/main.c:429
#28 0x5755f20b6afc in pymain_run_python ../Modules/main.c:691
#29 0x5755f20b83de in Py_RunMain ../Modules/main.c:772
#30 0x5755f20b83de in pymain_main ../Modules/main.c:802
#31 0x5755f20b83de in Py_BytesMain ../Modules/main.c:826
#32 0x7d7f94aab1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)
#33 0x7d7f94aab28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)
previously allocated by thread T0 here:
#0 0x7d7f94e799c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x5755f1ba306b in long_alloc ../Objects/longobject.c:180
#2 0x5755f1ba306b in PyLong_FromLong ../Objects/longobject.c:403
#3 0x5755f19d373d in parsenumber_raw ../Parser/pegen.c:640
#4 0x5755f19d71f9 in parsenumber ../Parser/pegen.c:668
#5 0x5755f19d71f9 in _PyPegen_number_token ../Parser/pegen.c:707
#6 0x5755f19f4749 in atom_rule ../Parser/parser.c:15160
#7 0x5755f19f9f2f in primary_raw ../Parser/parser.c:14779
#8 0x5755f19f9f2f in primary_rule ../Parser/parser.c:14577
#9 0x5755f19fae89 in await_primary_rule ../Parser/parser.c:14531
#10 0x5755f19fbde7 in power_rule ../Parser/parser.c:14407
#11 0x5755f19fbde7 in factor_rule ../Parser/parser.c:14357
#12 0x5755f19fd55f in term_raw ../Parser/parser.c:14198
#13 0x5755f19fd55f in term_rule ../Parser/parser.c:13941
#14 0x5755f19ff044 in sum_raw ../Parser/parser.c:13894
#15 0x5755f19ff044 in sum_rule ../Parser/parser.c:13773
#16 0x5755f1a00307 in shift_expr_raw ../Parser/parser.c:13733
#17 0x5755f1a00307 in shift_expr_rule ../Parser/parser.c:13593
#18 0x5755f1a01964 in bitwise_and_raw ../Parser/parser.c:13553
#19 0x5755f1a01964 in bitwise_and_rule ../Parser/parser.c:13471
#20 0x5755f1a02594 in bitwise_xor_raw ../Parser/parser.c:13431
#21 0x5755f1a02594 in bitwise_xor_rule ../Parser/parser.c:13349
#22 0x5755f1a031c4 in bitwise_or_raw ../Parser/parser.c:13309
#23 0x5755f1a031c4 in bitwise_or_rule ../Parser/parser.c:13227
#24 0x5755f1a03e90 in comparison_rule ../Parser/parser.c:12467
#25 0x5755f1a03e90 in inversion_rule ../Parser/parser.c:12418
#26 0x5755f1a07125 in conjunction_rule ../Parser/parser.c:12295
#27 0x5755f1a08125 in disjunction_rule ../Parser/parser.c:12207
#28 0x5755f1a1b084 in expression_rule ../Parser/parser.c:11495
#29 0x5755f1a1eb6c in _tmp_87_rule ../Parser/parser.c:33082
#30 0x5755f1a29712 in genexp_rule ../Parser/parser.c:18127
#31 0x5755f1a0e679 in t_primary_raw ../Parser/parser.c:19845
#32 0x5755f1a0e679 in t_primary_rule ../Parser/parser.c:19714
#33 0x5755f1a2c38d in target_with_star_atom_rule ../Parser/parser.c:19214
#34 0x5755f1a2f229 in star_target_rule ../Parser/parser.c:19157
#35 0x5755f1a2f944 in star_targets_rule ../Parser/parser.c:18899
#36 0x5755f1a3fa99 in _tmp_156_rule ../Parser/parser.c:37289
#37 0x5755f1a3fa99 in _loop1_12_rule ../Parser/parser.c:28298
#38 0x5755f1a3fa99 in assignment_rule ../Parser/parser.c:2209
#39 0x5755f1a11bbc in simple_stmt_rule ../Parser/parser.c:1592
#40 0x5755f1a1a4c2 in simple_stmts_rule ../Parser/parser.c:1487
#41 0x5755f1a73786 in statement_rule ../Parser/parser.c:1269
#42 0x5755f1a73786 in _loop1_2_rule ../Parser/parser.c:27691
#43 0x5755f1a73786 in statements_rule ../Parser/parser.c:1202
#44 0x5755f1a7fb3a in file_rule ../Parser/parser.c:1004
#45 0x5755f1a7fb3a in _PyPegen_parse ../Parser/parser.c:38324
#46 0x5755f19d809c in _PyPegen_run_parser ../Parser/pegen.c:942
SUMMARY: AddressSanitizer: heap-use-after-free ../Include/object.h:277 in _Py_TYPE
Shadow bytes around the buggy address:
0x50400004fd00: fa fa 00 00 00 00 06 fa fa fa fd fd fd fd fd fd
0x50400004fd80: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 06 fa
0x50400004fe00: fa fa 00 00 00 00 00 06 fa fa fd fd fd fd fd fd
0x50400004fe80: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 06 fa
0x50400004ff00: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 04
=>0x50400004ff80: fa fa fd[fd]fd fd fd fa fa fa 00 00 00 00 04 fa
0x504000050000: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x504000050080: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x504000050100: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 06 fa
0x504000050180: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 03 fa
0x504000050200: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 06 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1834045==ABORTING
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
No response