Use-After-Free in PyString_FromStringAndSize() of stringobject.c #73214
Comments
Recently I started doing some research related to language interpreters. Repro file looks like this:
If you have an ASAN build then you'll see this:
The proposed patch fixes this, not sure if a regression test is appropriate here. Here's a more minimal example that demonstrates the exact problem:
The problem doesn't show up when doing buffer[x:Index()] or [Index():x] because this syntax calls the sq_slice method implemented by buffer object which is passed the indexes as numbers. However when using slice notation with three arguments, the equivalent of these lines of code is executed:
During the I took a quick look at listobject, stringobject, unicodeobject, tupleobject and bytearrayobject's subscript methods and it seems they all only access their members after the call to PySlice_GetIndices, so I think they should be fine. memoryview objects cause a
LGTM
Updated patch based on Rietveld review
There is a problem with PySlice_GetIndicesEx() (see bpo-27867). Buffer length shouldn't be evaluated before PySlice_GetIndicesEx() since it can call user code that can change buffer length. This issue can't be solved without first solving bpo-27867. get_buf() is called twice. First for getting the size, and later in buffer_item() or after PySlice_GetIndicesEx() for getting a pointer. I think it can be called once. Ammar, please write a unittest for this issue. It should also cover bugs in the first two versions of the patch.
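The mechanism described in the two comments above (three-argument slice notation runs user `__index__` code while the object is mid-slice, so any length or pointer read before PySlice_GetIndicesEx() is stale) is easy to reproduce from Python without the 2.7 `buffer` type. The following is an added example, not the issue's repro file or any of the posted patches; it assumes a current CPython 3 where bytearray reads its length only after the slice indices are resolved and where memoryview holds a buffer export on its target. The `ShrinkingIndex` class is a constructed stand-in for the reporter's `Index` object.

```python
"""
Demonstrates the time-of-check/time-of-use pattern behind the buffer UAF:
a user-defined __index__ is invoked while slice bounds are being resolved and
uses that window to resize the very object being sliced. On current CPython 3
this is handled defensively in two different ways, both checked below.
Constructed example; ShrinkingIndex is a hypothetical stand-in for the
reporter's Index object.
"""


class ShrinkingIndex:
    """Slice bound whose __index__ resizes the sliced object before returning."""

    def __init__(self, target, value):
        self.target = target      # the bytearray that is being sliced
        self.value = value        # the index value to hand back to the slice
        self.called = False

    def __index__(self):
        self.called = True
        # Resize the target while the interpreter is between "read the
        # slice bounds" and "copy the bytes": this is exactly the window
        # the buffer object left open.
        self.target.clear()
        return self.value


def slice_bytearray_with_hostile_index():
    """bytearray resolves indices first, then reads its (now zero) length,
    so the stale bound is clamped and an empty result comes back."""
    ba = bytearray(b"abcdefgh")
    idx = ShrinkingIndex(ba, 8)
    result = ba[0:idx:1]          # three-argument form: goes through mp_subscript
    return bytes(result), len(ba), idx.called


def slice_memoryview_with_hostile_index():
    """memoryview pins its exporter, so the resize attempted inside
    __index__ fails with BufferError and the backing bytes are untouched."""
    ba = bytearray(b"abcdefgh")
    mv = memoryview(ba)
    idx = ShrinkingIndex(ba, 8)
    try:
        mv[0:idx:1]
    except BufferError as exc:
        return type(exc).__name__, bytes(ba), idx.called
    finally:
        mv.release()
    return "no error", bytes(ba), idx.called


if __name__ == "__main__":
    print(slice_bytearray_with_hostile_index())
    print(slice_memoryview_with_hostile_index())
```

The first function is the pattern the comments recommend for the fix: query the length only after PySlice_GetIndicesEx() has returned. The second shows the other viable defence, refusing the resize while a view exists, which is what the memoryview remark in the thread is getting at.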
Proposed patch fixes the issue. But it is hard to write a reliable patch.
New changeset 8cfa6d3065b3 by Serhiy Storchaka in branch '2.7':
Did you forget to close this or is this not fixed, Serhiy?
I wanted first to finish bpo-27867 (expose new API as public). But this is not needed for this issue.