Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Result of multiprocessing.heap.BufferWrapper.create_memoryview can point to freed memory #85839

Open
EricWieser mannequin opened this issue Aug 31, 2020 · 2 comments
Open

Result of multiprocessing.heap.BufferWrapper.create_memoryview can point to freed memory #85839

EricWieser mannequin opened this issue Aug 31, 2020 · 2 comments
Labels
3.9 only security fixes 3.10 only security fixes stdlib Python modules in the Lib dir topic-ctypes topic-multiprocessing

Comments

@EricWieser
Copy link
Mannequin

EricWieser mannequin commented Aug 31, 2020

BPO 41673

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2020-08-31.12:56:22.474>
labels = ['ctypes', 'library', '3.9', '3.10']
title = 'Result of multiprocessing.heap.BufferWrapper.create_memoryview can point to freed memory'
updated_at = <Date 2020-08-31.12:57:18.235>
user = 'https://bugs.python.org/EricWieser'

bugs.python.org fields:

activity = <Date 2020-08-31.12:57:18.235>
actor = 'Eric Wieser'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)', 'ctypes']
creation = <Date 2020-08-31.12:56:22.474>
creator = 'Eric Wieser'
dependencies = []
files = []
hgrepos = []
issue_num = 41673
keywords = []
message_count = 2.0
messages = ['376149', '376150']
nosy_count = 1.0
nosy_names = ['Eric Wieser']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = None
url = 'https://bugs.python.org/issue41673'
versions = ['Python 3.9', 'Python 3.10']
@EricWieser
Copy link
Mannequin Author

EricWieser mannequin commented Aug 31, 2020

The full definition of multiprocessing.heap.BufferWrapper is:

    class BufferWrapper(object):

        _heap = Heap()

        def __init__(self, size):
            if size < 0:
                raise ValueError("Size {0:n} out of range".format(size))
            if sys.maxsize <= size:
                raise OverflowError("Size {0:n} too large".format(size))
            block = BufferWrapper._heap.malloc(size)
            self._state = (block, size)
            util.Finalize(self, BufferWrapper._heap.free, args=(block,))

        def create_memoryview(self):
            (arena, start, stop), size = self._state
            return memoryview(arena.buffer)[start:start+size]

But this means that a memoryview can be constructed that point to free'd "memory",

>>> b = BufferWrapper(10)
>>> m = b.create_memoryview()
>>> del b  # free is called
>>> b[0]  # making this invalid

It would be better if m would keep a reference to b so that it remains alive.
RawArray works around this by placing a reference to b in ctypes_obj._wrapper, but this results in b being lost again if m2 = memoryview(ctypes_obj); del ctypes_obj is used.

@EricWieser EricWieser mannequin added 3.9 only security fixes 3.10 only security fixes stdlib Python modules in the Lib dir topic-ctypes labels Aug 31, 2020
@EricWieser
Copy link
Mannequin Author

EricWieser mannequin commented Aug 31, 2020 

Whoops, typo. `>>> b[0]` should read `m[0]`.

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.9 only security fixes 3.10 only security fixes stdlib Python modules in the Lib dir topic-ctypes topic-multiprocessing
Projects
Multiprocessing issues
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@vstinner