segfault in optimize_code() #43043

Closed
kristjanvalur mannequin opened this issue Mar 16, 2006 · 3 comments
kristjanvalur mannequin commented Mar 16, 2006

BPO 1451641
Nosy @mwhudson, @rhettinger, @kristjanvalur

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2006-03-16.23:27:44.000>
created_at = <Date 2006-03-16.20:43:41.000>
labels = ['interpreter-core', 'invalid']
title = 'segfault in optimize_code()'
updated_at = <Date 2006-03-16.23:27:44.000>
user = 'https://github.com/kristjanvalur'

bugs.python.org fields:

activity = <Date 2006-03-16.23:27:44.000>
actor = 'rhettinger'
assignee = 'none'
closed = True
closed_date = None
closer = None
components = ['Interpreter Core']
creation = <Date 2006-03-16.20:43:41.000>
creator = 'kristjan.jonsson'
dependencies = []
files = []
hgrepos = []
issue_num = 1451641
keywords = []
message_count = 3.0
messages = ['27805', '27806', '27807']
nosy_count = 3.0
nosy_names = ['mwh', 'rhettinger', 'kristjan.jonsson']
pr_nums = []
priority = 'normal'
resolution = 'not a bug'
stage = None
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue1451641'
versions = ['Python 2.4']


kristjanvalur mannequin commented Mar 16, 2006

The function optimize_code() is called, for example
when unpickling code objects. However, with corrupt
data it can cause segfaults.

This is because of code such as:
    tgt = GETJUMPTGT(codestr, (i+1));
    if (codestr[tgt])
        continue;

tgt can in this case easily be some nonsense and
cause an access violation when used as an index into
codestr. This behaviour has been observed.

My particular patch is this:
    #define CHECK_I(i) do {if ((i)<0 || (i)>=codelen) goto exitError;}while(0)
    #define CHECKARG(i) do {CHECK_I(i+1); CHECK_I(i+2);} while(0)
    #define CHECKJUMPTGT(i) do{CHECKARG(i); CHECK_I(i);} while(0)

then, adding tests such as
    CHECKJUMPTGT(j);
before code that looks like
    tgt = GETJUMPTGT(j);
and
    CHECK_I(tgt);
before
    codestr[tgt] = foo;

Also, this function needs to be able to raise an
exception. jcompile() must be able to deal with this
case.

Finally, this is also an issue in 2.3 (actually, I
discovered it there, but a quick look seems to
indicate it is a problem in 2.4 too).

@kristjanvalur kristjanvalur mannequin closed this as completed Mar 16, 2006
@kristjanvalur kristjanvalur mannequin added invalid interpreter-core (Objects, Python, Grammar, and Parser dirs) labels Mar 16, 2006
@mwhudson

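A runnable sketch of the bounds check the report asks for, added here as an example and not code from the issue or from CPython: a Python 2.4-style jump-target decode guarded the way the CHECK_I/CHECKJUMPTGT macros guard it. GETARG/GETJUMPTGT mirror the 2.4 peephole layout (3-byte instructions, little-endian 16-bit argument); the opcode subset, helper names and sample code strings are constructed assumptions.

```c
/* Added example (not from the issue or CPython): bounds-checked jump-target
 * decode for Python 2.4-style bytecode.  Opcode subset, helper names and
 * the sample code strings below are constructed for this demonstration. */
#include <stdio.h>

#define RETURN_VALUE   83
#define LOAD_CONST    100   /* opcodes >= 90 carry a 2-byte argument */
#define JUMP_FORWARD  110   /* relative: target = i + 3 + arg */
#define JUMP_ABSOLUTE 113   /* absolute: target = arg */

#define GETARG(arr, i) ((int)(((arr)[(i) + 2] << 8) + (arr)[(i) + 1]))
#define GETJUMPTGT(arr, i) \
    (GETARG(arr, i) + ((arr)[i] == JUMP_ABSOLUTE ? 0 : (i) + 3))

/* Constructed inputs: a well-formed string, and a corrupt one with a huge
 * relative offset, an absolute target past the end, and a truncated arg. */
const unsigned char good_code[] = {
    JUMP_FORWARD, 0x00, 0x00, LOAD_CONST, 0x00, 0x00, RETURN_VALUE };
const unsigned char corrupt_code[] = {
    JUMP_FORWARD, 0xff, 0xff, JUMP_ABSOLUTE, 0x10, 0x00, RETURN_VALUE,
    JUMP_FORWARD, 0x00 };

/* Decoded target of the jump at i, or -1 when its argument bytes or the
 * target itself would lie outside codestr (CHECKARG, then CHECK_I(tgt)). */
int checked_jump_target(const unsigned char *codestr, int codelen, int i)
{
    if (i < 0 || i + 2 >= codelen)      /* CHECKARG: arg bytes in range */
        return -1;
    int tgt = GETJUMPTGT(codestr, i);
    if (tgt < 0 || tgt >= codelen)      /* CHECK_I(tgt): target in range */
        return -1;
    return tgt;
}

/* Counts jumps that fail the check, i.e. the instructions where an
 * unguarded "if (codestr[tgt])" would read outside the buffer. */
int count_bad_jumps(const unsigned char *codestr, int codelen)
{
    int bad = 0;
    for (int i = 0; i < codelen; i++) {
        unsigned char op = codestr[i];
        if ((op == JUMP_FORWARD || op == JUMP_ABSOLUTE) &&
            checked_jump_target(codestr, codelen, i) < 0)
            bad++;
        if (op >= 90)
            i += 2;                     /* skip the argument bytes */
    }
    return bad;
}

int main(void)
{
    printf("good: %d bad jumps\n", count_bad_jumps(good_code, (int)sizeof good_code));
    printf("corrupt: %d bad jumps\n", count_bad_jumps(corrupt_code, (int)sizeof corrupt_code));
    return 0;
}
```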

I don't *think* optimize_code is called for unmarshalled code objects any more
(i.e. in 2.4 and 2.5/SVN HEAD). But I could be wrong.

If not, and so optimize_code is only called with code freshly generated from the
compiler, this isn't really an issue, is it?

@rhettinger


For 2.4, Michael is correct and the optimizer is only applied
to internally generated code.

Also, FWIW, in Py2.5, I'm planning to move the optimizer
to appear before the assembler instead of after -- this
will both speed it up and simplify it.

Also, discussions on python-dev have noted that there are
a number of ways to make bad things happen if you execute
corrupt byte-code. IIRC, there is a proposal for a Java
style byte-code verifier to be put in place someday.

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022