Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

incorrect use of released memory in Python/pystate.c line 284 #80174

Closed
wjq-security mannequin opened this issue Feb 14, 2019 · 6 comments
Closed

incorrect use of released memory in Python/pystate.c line 284 #80174

wjq-security mannequin opened this issue Feb 14, 2019 · 6 comments
Assignees
Labels
3.8 (EOL) end of life interpreter-core (Objects, Python, Grammar, and Parser dirs) type-security A security issue

Comments

@wjq-security
Copy link
Mannequin

wjq-security mannequin commented Feb 14, 2019

BPO 35993
Nosy @vstinner, @ericsnowcurrently, @matrixise, @eamanu
PRs
  • bpo-35993: Fix an incorrect use of released memory #11852
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/matrixise'
    closed_at = <Date 2019-02-20.14:30:15.802>
    created_at = <Date 2019-02-14.06:21:26.451>
    labels = ['type-security', 'interpreter-core', '3.8']
    title = 'incorrect use of released memory in Python/pystate.c line 284'
    updated_at = <Date 2019-02-20.14:30:15.801>
    user = 'https://bugs.python.org/wjq-security'

    bugs.python.org fields:

    activity = <Date 2019-02-20.14:30:15.801>
    actor = 'vstinner'
    assignee = 'matrixise'
    closed = True
    closed_date = <Date 2019-02-20.14:30:15.802>
    closer = 'vstinner'
    components = ['Interpreter Core']
    creation = <Date 2019-02-14.06:21:26.451>
    creator = 'wjq-security'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 35993
    keywords = ['patch']
    message_count = 6.0
    messages = ['335501', '335509', '335584', '336083', '336088', '336089']
    nosy_count = 5.0
    nosy_names = ['vstinner', 'eric.snow', 'matrixise', 'eamanu', 'wjq-security']
    pr_nums = ['11852']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue35993'
    versions = ['Python 3.8']

    @wjq-security wjq-security mannequin added the type-security A security issue label Feb 14, 2019
    @wjq-security
    Copy link
    Mannequin Author

    wjq-security mannequin commented Feb 14, 2019

    the code is trying to visit a link list in a loop, it tries to visit the next node in line 284 "interp = interp->next" while the current node is freed in line 296 "PyMem_RawFree(interp);"

    @matrixise matrixise self-assigned this Feb 14, 2019
    @matrixise
    Copy link
    Member

    What do you think of this solution?

    @wjq-security
    Copy link
    Mannequin Author

    wjq-security mannequin commented Feb 15, 2019

    Just create a temporary node points to the next node before release the current node. change the loop condition if necessary.

    @matrixise
    Copy link
    Member

    @eric Could you help me for the tests of my PR?

    Thank you

    @vstinner
    Copy link
    Member

    New changeset b5409da by Victor Stinner (Stéphane Wirtel) in branch 'master':
    bpo-35993: Fix _PyInterpreterState_DeleteExceptMain() (GH-11852)
    b5409da

    @vstinner
    Copy link
    Member

    Thanks wangjiangqiang for the bug report and thanks Stéphane Wirtel for the fix!

    @vstinner vstinner added interpreter-core (Objects, Python, Grammar, and Parser dirs) 3.8 (EOL) end of life labels Feb 20, 2019
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.8 (EOL) end of life interpreter-core (Objects, Python, Grammar, and Parser dirs) type-security A security issue
    Projects
    None yet
    Development

    No branches or pull requests

    2 participants