-
-
Notifications
You must be signed in to change notification settings - Fork 31.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE-2022-48560] Use-after-free in heappushpop() of heapq module #83602
Comments
The variable cmp = PyObject_RichCompareBool(PyList_GET_ITEM(heap, 0), item, Py_LT);
if (cmp < 0)
return NULL;
if (cmp == 0) {
Py_INCREF(item);
return item;
} POC: import heapq
class h(int):
def __lt__(self, o):
list1.clear()
return NotImplemented
list1 = []
heapq.heappush(list1, h(0))
heapq.heappushpop(list1, 1) Crash detail with asan: ==62141==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000fd778 at pc 0x00000049cdce bp 0x7ffe9690f650 sp 0x7ffe9690f640 0x6060000fd778 is located 24 bytes inside of 56-byte region [0x6060000fd760,0x6060000fd798) previously allocated by thread T0 here: SUMMARY: AddressSanitizer: heap-use-after-free Objects/longobject.c:3047 long_richcompare |
To be honest, given how many ways this bug happens I think its time to consider msg359023. |
+1 to me also |
AS this discussion will take a while and likely will have deeper consequences, in the meantime I created PR18118 to specifically fix this. |
I agree with hotfix is needed and also for discussion. |
CVE-2022-48560 was assigned to this issue: GHSA-pvw5-cvp6-cv92 |
Security fix for CVE-2022-48560: python3: use after free in heappushpop() of heapq module Resolved upstream: python#83602 Backported from Python 3.6.11. Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> Co-authored-by: Lumír Balhar <lbalhar@redhat.com>
Security fix for CVE-2022-48560: python3: use after free in heappushpop() of heapq module Resolved upstream: python#83602 Backported from Python 3.6.11. Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> Co-authored-by: Lumír Balhar <lbalhar@redhat.com>
Security fix for CVE-2022-48560: python3: use after free in heappushpop() of heapq module Resolved upstream: python#83602 Backported from Python 3.6.11. Co-authored-by: Pablo Galindo <Pablogsal@gmail.com> Co-authored-by: Lumír Balhar <lbalhar@redhat.com>
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: