Double DECREF in TextIOWrapper

[thatch]

BPO	22849
Nosy	@ncoghlan, @benjaminp, @thatch, @serhiy-storchaka
Files	segv.py: Reproduction for crasher

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2014-11-12.15:24:13.152>
created_at = <Date 2014-11-11.22:55:26.016>
labels = ['library', 'type-crash']
title = 'Double DECREF in TextIOWrapper'
updated_at = <Date 2014-11-12.15:24:13.150>
user = 'https://github.com/thatch'

bugs.python.org fields:

activity = <Date 2014-11-12.15:24:13.150>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2014-11-12.15:24:13.152>
closer = 'python-dev'
components = ['Library (Lib)']
creation = <Date 2014-11-11.22:55:26.016>
creator = 'thatch'
dependencies = []
files = ['37183']
hgrepos = []
issue_num = 22849
keywords = []
message_count = 3.0
messages = ['231054', '231081', '231082']
nosy_count = 5.0
nosy_names = ['ncoghlan', 'benjamin.peterson', 'thatch', 'python-dev', 'serhiy.storchaka']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue22849'
versions = ['Python 3.3', 'Python 3.4', 'Python 3.5']

[thatch]

There's a reproducible bug in textio.c that causes a double DECREF on codecs. The conditions to trigger are probably rare in real life, so not remotely exploitable (sandbox escape is the worst I can think of on its own, and I'm not aware of any on 3.x):

• You need to create a TextIOWrapper wrapping a file-like object that only partially supports the protocol. For example, supporting readable(), writable(), and seekable() but not tell().

The crash I experience most of the time appears to be that the memory being reused, such that the PyObject ob_type field is no longer a valid pointer.

Affected:
Source 3.5.0a0 (latest default branch yesterday, 524a004e93dd)
Archlinux: 3.3.5 and 3.4.2
Ubuntu: 3.4.0
Unaffected:
Centos: 3.3.2
All 2.7 branch (doesn't contain the faulty commit)

Here's where it's introduced -- https://hg.python.org/cpython/rev/f3ec00d2b75e/#l5.76

/* Modules/_io/textio.c line 1064 */

Py_DECREF(codec_info); 
/* does not set codec_info = NULL; */
...
if(...) goto error;
...
error:
  Py_XDECREF(codec_info);

The attached script is close to minimal -- I think at most you can reduce by one TextIOWrapper instantiation. Sample stacktrace follows (which is after the corruption occurs, on subsequent access to v->ob_type (which is invalid).

#0  0x00000000004c8829 in PyObject_GetAttr (v=<unknown at remote 0x7ffff7eb9688>, 
    name='_is_text_encoding') at Objects/object.c:872
#1  0x00000000004c871d in _PyObject_GetAttrId (v=<unknown at remote 0x7ffff7eb9688>, 
    name=0x945d50 <PyId__is_text_encoding.10143>) at Objects/object.c:835
#2  0x00000000005c6674 in _PyCodec_LookupTextEncoding (
    encoding=0x7ffff6f40220 "utf-8", alternate_command=0x6c2fcd "codecs.open()")
    at Python/codecs.c:541
#3  0x000000000064286e in textiowrapper_init (self=0x7ffff7f9ecb8, 
    args=(<F at remote 0x7ffff6f40a18>,), kwds={'encoding': 'utf-8'})
    at ./Modules/_io/textio.c:965

[benjaminp]

Thanks for the excellent bug report!

[python-dev]

New changeset ec1948191461 by Benjamin Peterson in branch '3.4':
fix possible double free in TextIOWrapper.__init__ (closes bpo-22849)
https://hg.python.org/cpython/rev/ec1948191461

New changeset a664b150b6c2 by Benjamin Peterson in branch 'default':
merge 3.4 (bpo-22849)
https://hg.python.org/cpython/rev/a664b150b6c2