
heap-use-after-free in find_maxchar_surrogates #67211

Closed
sys mannequin opened this issue Dec 10, 2014 · 2 comments
sys mannequin commented Dec 10, 2014

BPO 23022
Nosy @pitrou, @vstinner

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2014-12-11.11:36:40.440>
created_at = <Date 2014-12-10.09:43:38.285>
labels = ['type-security', 'ctypes', 'invalid']
title = 'heap-use-after-free in find_maxchar_surrogates'
updated_at = <Date 2014-12-11.11:57:06.563>
user = 'https://bugs.python.org/sys'

bugs.python.org fields:

activity = <Date 2014-12-11.11:57:06.563>
actor = 'sys'
assignee = 'none'
closed = True
closed_date = <Date 2014-12-11.11:36:40.440>
closer = 'vstinner'
components = ['ctypes']
creation = <Date 2014-12-10.09:43:38.285>
creator = 'sys'
dependencies = []
files = []
hgrepos = []
issue_num = 23022
keywords = []
message_count = 2.0
messages = ['232417', '232470']
nosy_count = 3.0
nosy_names = ['pitrou', 'vstinner', 'sys']
pr_nums = []
priority = 'normal'
resolution = 'not a bug'
stage = None
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue23022'
versions = ['Python 3.5']

sys mannequin commented Dec 10, 2014

Lines 27-29 trigger a use-after-free.

=================================================================
==18203== ERROR: AddressSanitizer: heap-use-after-free on address 0x60080003b2e0 at pc 0x5e844f bp 0x7ffff5351750 sp 0x7ffff5351748
READ of size 4 at 0x60080003b2e0 thread T0
#0 0x5e844e in find_maxchar_surrogates ./cpython/Objects/unicodeobject.c:1428
#1 0x5ed62e in PyUnicode_FromUnicode ./cpython/Objects/unicodeobject.c:1822
#2 0x5f57cd in PyUnicode_FromWideChar ./cpython/Objects/unicodeobject.c:2311
#3 0x7f4ebbd00976 in Z_get /media/truecrypt1/bounty/cpython/Modules/_ctypes/cfield.c:1429
#4 0x7f4ebbcde48b in PyCData_get /media/truecrypt1/bounty/cpython/Modules/_ctypes/_ctypes.c:2756
#5 0x7f4ebbcf90b8 in PyCField_get /media/truecrypt1/bounty/cpython/Modules/_ctypes/cfield.c:230
#6 0x56ff34 in _PyObject_GenericGetAttrWithDict ./cpython/Objects/object.c:1059
#7 0x5704ee in PyObject_GenericGetAttr ./cpython/Objects/object.c:1119
#8 0x56f169 in PyObject_GetAttr ./cpython/Objects/object.c:889
#9 0x70ef2d in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2442
#10 0x723c20 in fast_function ./cpython/Python/ceval.c:4368
#11 0x7234ea in call_function ./cpython/Python/ceval.c:4294
#12 0x715433 in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2860
#13 0x71e164 in _PyEval_EvalCodeWithName ./cpython/Python/ceval.c:3610
#14 0x71e354 in PyEval_EvalCodeEx ./cpython/Python/ceval.c:3631
#15 0x6f7af3 in PyEval_EvalCode ./cpython/Python/ceval.c:773
#16 0x42ea99 in run_mod ./cpython/Python/pythonrun.c:968
#17 0x42e69f in PyRun_FileExFlags ./cpython/Python/pythonrun.c:921
#18 0x42b456 in PyRun_SimpleFileExFlags ./cpython/Python/pythonrun.c:394
#19 0x429ac3 in PyRun_AnyFileExFlags ./cpython/Python/pythonrun.c:80
#20 0x45624b in run_file ./cpython/Modules/main.c:318
#21 0x457717 in Py_Main ./cpython/Modules/main.c:767
#22 0x41b845 in main ./cpython/./Programs/python.c:69
#23 0x7f4ebc741ed4 in __libc_start_main ??:?
#24 0x41b438 in _start /glibc-tmp-c47113ea580c02d806fd2bb53621c6f5/glibc-2.20/csu/../sysdeps/x86_64/start.S:122
0x60080003b2e0 is located 16 bytes inside of 37-byte region [0x60080003b2d0,0x60080003b2f5)
freed by thread T0 here:
#0 0x7f4ebd41d34a in __interceptor_free ??:?
#1 0x41b9b5 in _PyMem_RawFree ./cpython/Objects/obmalloc.c:90
#2 0x41f4aa in _PyMem_DebugFree ./cpython/Objects/obmalloc.c:1892
#3 0x41c3db in PyMem_Free ./cpython/Objects/obmalloc.c:349
#4 0x502f7a in float_repr ./cpython/Objects/floatobject.c:275
#5 0x56d68a in PyObject_Str ./cpython/Objects/object.c:535
#6 0x500926 in PyFile_WriteObject ./cpython/Objects/fileobject.c:141
#7 0x6efe19 in builtin_print ./cpython/Python/bltinmodule.c:2243
#8 0x564fb5 in PyCFunction_Call ./cpython/Objects/methodobject.c:100
#9 0x72310c in call_function ./cpython/Python/ceval.c:4269 (discriminator 2)
#10 0x715433 in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2860
#11 0x723c20 in fast_function ./cpython/Python/ceval.c:4368
#12 0x7234ea in call_function ./cpython/Python/ceval.c:4294
#13 0x715433 in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2860
#14 0x71e164 in _PyEval_EvalCodeWithName ./cpython/Python/ceval.c:3610
#15 0x71e354 in PyEval_EvalCodeEx ./cpython/Python/ceval.c:3631
#16 0x6f7af3 in PyEval_EvalCode ./cpython/Python/ceval.c:773
#17 0x42ea99 in run_mod ./cpython/Python/pythonrun.c:968
#18 0x42e69f in PyRun_FileExFlags ./cpython/Python/pythonrun.c:921
#19 0x42b456 in PyRun_SimpleFileExFlags ./cpython/Python/pythonrun.c:394
#20 0x429ac3 in PyRun_AnyFileExFlags ./cpython/Python/pythonrun.c:80
#21 0x45624b in run_file ./cpython/Modules/main.c:318
#22 0x457717 in Py_Main ./cpython/Modules/main.c:767
#23 0x41b845 in main ./cpython/./Programs/python.c:69
#24 0x7f4ebc741ed4 in __libc_start_main ??:?
previously allocated by thread T0 here:
#0 0x7f4ebd41d42a in malloc ??:?
#1 0x41b918 in _PyMem_RawMalloc ./cpython/Objects/obmalloc.c:62
#2 0x41efe9 in _PyMem_DebugAlloc ./cpython/Objects/obmalloc.c:1838
#3 0x41f29e in _PyMem_DebugMalloc ./cpython/Objects/obmalloc.c:1861
#4 0x41c256 in PyMem_Malloc ./cpython/Objects/obmalloc.c:325
#5 0x78b7c0 in format_float_short ./cpython/Python/pystrtod.c:1094
#6 0x78c224 in PyOS_double_to_string ./cpython/Python/pystrtod.c:1231
#7 0x502ecb in float_repr ./cpython/Objects/floatobject.c:268
#8 0x56d68a in PyObject_Str ./cpython/Objects/object.c:535
#9 0x500926 in PyFile_WriteObject ./cpython/Objects/fileobject.c:141
#10 0x6efe19 in builtin_print ./cpython/Python/bltinmodule.c:2243
#11 0x564fb5 in PyCFunction_Call ./cpython/Objects/methodobject.c:100
#12 0x72310c in call_function ./cpython/Python/ceval.c:4269 (discriminator 2)
#13 0x715433 in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2860
#14 0x723c20 in fast_function ./cpython/Python/ceval.c:4368
#15 0x7234ea in call_function ./cpython/Python/ceval.c:4294
#16 0x715433 in PyEval_EvalFrameEx ./cpython/Python/ceval.c:2860
#17 0x71e164 in _PyEval_EvalCodeWithName ./cpython/Python/ceval.c:3610
#18 0x71e354 in PyEval_EvalCodeEx ./cpython/Python/ceval.c:3631
#19 0x6f7af3 in PyEval_EvalCode ./cpython/Python/ceval.c:773
#20 0x42ea99 in run_mod ./cpython/Python/pythonrun.c:968
#21 0x42e69f in PyRun_FileExFlags ./cpython/Python/pythonrun.c:921
#22 0x42b456 in PyRun_SimpleFileExFlags ./cpython/Python/pythonrun.c:394
#23 0x429ac3 in PyRun_AnyFileExFlags ./cpython/Python/pythonrun.c:80
#24 0x45624b in run_file ./cpython/Modules/main.c:318
#25 0x457717 in Py_Main ./cpython/Modules/main.c:767
#26 0x41b845 in main ./cpython/./Programs/python.c:69
#27 0x7f4ebc741ed4 in __libc_start_main ??:?
Shadow bytes around the buggy address:
0x0c017ffff600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c017ffff610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c017ffff620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c017ffff630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c017ffff640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c017ffff650: fa fa fa fa fa fa fa fa fa fa fd fd[fd]fd fd fa
0x0c017ffff660: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c017ffff670: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c017ffff680: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
0x0c017ffff690: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 04
0x0c017ffff6a0: fa fa 00 00 00 00 00 04 fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==18203== ABORTING

sys mannequin added the topic-ctypes and type-security (A security issue) labels Dec 10, 2014

@vstinner (Member) commented:
Your code is strange. It exchanges pointers between processes, if I understand correctly:

  import ctypes
  import multiprocessing

  class Berbagi(ctypes.Structure):
    _fields_ = [('a', ctypes.c_wchar_p), ('b', ctypes.c_double) ]
  nilai = multiprocessing.Array(Berbagi, [Berbagi() for x in range(9)] )

You must not do that. Instead, Berbagi.a must be an array of c_wchar characters with a fixed size. Try, for example:

  import ctypes

  class Berbagi(ctypes.Structure):
    _fields_ = [('a', ctypes.c_wchar * 10), ('b', ctypes.c_double) ]

Note: I'm not sure that ctypes is the most efficient module to serialize data, but maybe you have to use ctypes for a reason not explained in your issue.

The bug is in your code, not in Python.

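The fixed-size layout from the reply, as an added example that is not part of the issue or of CPython: it puts the report's c_wchar_p layout (renamed BerbagiPtr here so both can coexist) beside the c_wchar * 10 layout and checks what each record's own bytes contain, since those bytes are all that a second process ever sees in the shared array. The pointer layout reserves only an address into memory owned by whichever process assigned the string; the ASan report above shows such a read landing in a buffer that float_repr had already freed. TEXT_LEN, the helper names and the 'rec-%d' contents are assumptions made for the example.

```python
import ctypes
import multiprocessing
import sys

# Assumed capacity for the inline text field; not a value taken from the issue.
TEXT_LEN = 10


class Berbagi(ctypes.Structure):
    """Layout recommended in the reply: the characters are stored inline in the record."""
    _fields_ = [('a', ctypes.c_wchar * TEXT_LEN), ('b', ctypes.c_double)]


class BerbagiPtr(ctypes.Structure):
    """Layout from the report (renamed for this example): 'a' holds only a pointer
    to a wchar_t buffer owned by the process that assigned the string."""
    _fields_ = [('a', ctypes.c_wchar_p), ('b', ctypes.c_double)]


def layout_summary():
    """How many characters fit inline, and whether the pointer layout reserves
    nothing but an address inside the record."""
    return {
        'inline_chars': Berbagi.a.size // ctypes.sizeof(ctypes.c_wchar),
        'ptr_is_address_only': BerbagiPtr.a.size == ctypes.sizeof(ctypes.c_void_p),
    }


def wchar_bytes(text):
    """Encode text the way this platform's wchar_t stores it (UTF-16 or UTF-32, native order)."""
    width = ctypes.sizeof(ctypes.c_wchar)
    codec = {2: 'utf-16', 4: 'utf-32'}[width] + ('-le' if sys.byteorder == 'little' else '-be')
    return text.encode(codec)


def record_carries_text(struct_type, text):
    """Fill one record and report whether its raw bytes, which is what the shared
    segment would hold, actually contain the characters rather than an address."""
    rec = struct_type()
    rec.a = text
    rec.b = 1.5
    return wchar_bytes(text) in bytes(rec)


def reread_from_raw_bytes(text):
    """Push a Berbagi record through a plain byte string and read it back from the
    copy, the way a second process reads it out of the shared segment."""
    src = Berbagi()
    src.a = text
    src.b = 2.0
    raw = bytes(src)
    dst = Berbagi.from_buffer_copy(raw)
    return dst.a, dst.b


def store(text):
    """Assign text to the inline field; None means ctypes rejected it as too long,
    so the fixed capacity is enforced at assignment instead of overrunning the field."""
    rec = Berbagi()
    try:
        rec.a = text
    except ValueError:  # "string too long"
        return None
    return rec.a


def fill_records(arr):
    """Child-process side: write into the shared records while holding the array's lock."""
    with arr.get_lock():
        for i in range(len(arr)):
            rec = arr[i]  # a view onto the shared memory, not a copy
            rec.a = 'rec-%d' % i
            rec.b = i / 2


if __name__ == '__main__':
    # Same construction as in the report, but with the inline-text layout.
    nilai = multiprocessing.Array(Berbagi, [Berbagi() for _ in range(9)])
    child = multiprocessing.Process(target=fill_records, args=(nilai,))
    child.start()
    child.join()
    with nilai.get_lock():
        for rec in nilai:
            print(rec.a, rec.b)
```

Run as a script, it repeats the report's multiprocessing.Array construction with the inline layout, fills the records from a child process and reads them back in the parent; no field holds an address, so nothing in the segment can dangle. Assigning a string longer than the capacity raises ValueError rather than writing past the field, which is the bound a fixed-size c_wchar array gives you that c_wchar_p never did.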
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022