incorrect use of released memory in Python/pystate.c line 284 #80174

wjq-security · 2019-02-14T06:21:26Z

BPO	35993
Nosy	@vstinner, @ericsnowcurrently, @matrixise, @eamanu
PRs	bpo-35993: Fix an incorrect use of released memory #11852

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/matrixise'
closed_at = <Date 2019-02-20.14:30:15.802>
created_at = <Date 2019-02-14.06:21:26.451>
labels = ['type-security', 'interpreter-core', '3.8']
title = 'incorrect use of released memory in Python/pystate.c line 284'
updated_at = <Date 2019-02-20.14:30:15.801>
user = 'https://bugs.python.org/wjq-security'

bugs.python.org fields:

activity = <Date 2019-02-20.14:30:15.801>
actor = 'vstinner'
assignee = 'matrixise'
closed = True
closed_date = <Date 2019-02-20.14:30:15.802>
closer = 'vstinner'
components = ['Interpreter Core']
creation = <Date 2019-02-14.06:21:26.451>
creator = 'wjq-security'
dependencies = []
files = []
hgrepos = []
issue_num = 35993
keywords = ['patch']
message_count = 6.0
messages = ['335501', '335509', '335584', '336083', '336088', '336089']
nosy_count = 5.0
nosy_names = ['vstinner', 'eric.snow', 'matrixise', 'eamanu', 'wjq-security']
pr_nums = ['11852']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue35993'
versions = ['Python 3.8']

wjq-security · 2019-02-14T06:38:01Z

the code is trying to visit a link list in a loop, it tries to visit the next node in line 284 "interp = interp->next" while the current node is freed in line 296 "PyMem_RawFree(interp);"

matrixise · 2019-02-14T08:16:51Z

What do you think of this solution?

wjq-security · 2019-02-15T05:24:31Z

Just create a temporary node points to the next node before release the current node. change the loop condition if necessary.

matrixise · 2019-02-20T13:02:39Z

@eric Could you help me for the tests of my PR?

Thank you

vstinner · 2019-02-20T14:27:25Z

New changeset b5409da by Victor Stinner (Stéphane Wirtel) in branch 'master':
bpo-35993: Fix _PyInterpreterState_DeleteExceptMain() (GH-11852)
b5409da

vstinner · 2019-02-20T14:30:16Z

Thanks wangjiangqiang for the bug report and thanks Stéphane Wirtel for the fix!

wjq-security mannequin added the type-security A security issue label Feb 14, 2019

matrixise self-assigned this Feb 14, 2019

vstinner added interpreter-core (Objects, Python, Grammar, and Parser dirs) 3.8 only security fixes labels Feb 20, 2019

vstinner closed this as completed Feb 20, 2019

ezio-melotti transferred this issue from another repository Apr 10, 2022

incorrect use of released memory in Python/pystate.c line 284 #80174

incorrect use of released memory in Python/pystate.c line 284 #80174

wjq-security mannequin commented Feb 14, 2019

wjq-security mannequin commented Feb 14, 2019

matrixise commented Feb 14, 2019

wjq-security mannequin commented Feb 15, 2019

matrixise commented Feb 20, 2019

vstinner commented Feb 20, 2019

vstinner commented Feb 20, 2019

incorrect use of released memory in Python/pystate.c line 284 #80174

incorrect use of released memory in Python/pystate.c line 284 #80174

Comments

wjq-security mannequin commented Feb 14, 2019

wjq-security mannequin commented Feb 14, 2019

matrixise commented Feb 14, 2019

wjq-security mannequin commented Feb 15, 2019

matrixise commented Feb 20, 2019

vstinner commented Feb 20, 2019

vstinner commented Feb 20, 2019