bpo-37012: Fix a possible crash due to PyType_FromSpecWithBases() by ZackerySpytz · Pull Request #10304 · python/cpython

ZackerySpytz · 2018-11-02T21:22:49Z

If the PyObject_MALLOC() call failed in PyType_FromSpecWithBases(),
PyObject_Free() would be called on a static string in type_dealloc().

https://bugs.python.org/issue37012

If the PyObject_MALLOC() call failed in PyType_FromSpecWithBases(), PyObject_Free() would be called on a static string in type_dealloc().

andresdelfino · 2018-11-14T18:40:16Z

@ZackerySpytz the "skip issue" label (and any other label for that matter) can only be added by developers. I was also confused when I started doing PRs, and tried adding "skip issue" in several places myself :) I mention this just to let you know why it didn't work.

Mariatta · 2018-11-14T18:52:59Z

I think this might require issue and news entry.

serhiy-storchaka · 2018-11-14T21:25:55Z

            size_t len = strlen(old_doc)+1;
            char *tp_doc = PyObject_MALLOC(len);
            if (tp_doc == NULL) {
+                type->tp_doc = NULL;


In what circumstances it is not NULL? PyType_GenericAlloc() fills the type object with zeros.

vstinner · 2019-01-10T16:01:40Z

I removed the " needs backport to 3.6" label, the 3.6 branch no longer accept bugfixes (only security fixes are accepted): https://devguide.python.org/#status-of-python-branches

encukou · 2019-05-08T20:17:32Z

I believe Serhyi's question is valid. If you have an answer, please re-open the PR.

(Is this silencing some static analyzer? )

ZackerySpytz · 2019-05-08T22:04:21Z

@encukou Please reopen this PR.

*(void**)(res_start + slotoffsets[slot->slot]) = slot->pfunc; sets type->tp_doc to a pointer to a static string. A copy of the docstring is then made, but if the PyObject_MALLOC() call fails, type->tp_doc still points to the static string (e.g. SSLError_doc) when the type is decrefed.

encukou · 2019-05-09T15:07:30Z

My apologies, you're right.

miss-islington · 2019-05-09T18:33:34Z

Thanks @ZackerySpytz for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 2.7, 3.7.
🐍🍒⛏🤖

If the PyObject_MALLOC() call failed in PyType_FromSpecWithBases(), PyObject_Free() would be called on a static string in type_dealloc(). (cherry picked from commit 0613c1e) Co-authored-by: Zackery Spytz <zspytz@gmail.com>

bedevere-bot · 2019-05-09T18:33:46Z

GH-13223 is a backport of this pull request to the 3.7 branch.

miss-islington · 2019-05-09T18:33:48Z

Sorry, @ZackerySpytz and @encukou, I could not cleanly backport this to 2.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 0613c1e481440aa8f54ba7f6056924c175fbcc13 2.7

vstinner · 2019-05-10T01:36:07Z

Instead of reverting the change that we just made, what about not writing into tp_doc if it's value makes the type inconsistent? What about this patch:

diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index b28f494962..59d8a9d15f 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -2986,7 +2986,6 @@ PyType_FromSpecWithBases(PyType_Spec *spec, PyObject *bases)
         if (slot->slot == Py_tp_base || slot->slot == Py_tp_bases)
             /* Processed above */
             continue;
-        *(void**)(res_start + slotoffsets[slot->slot]) = slot->pfunc;
 
         /* need to make a copy of the docstring slot, which usually
            points to a static string literal */
@@ -2995,13 +2994,15 @@ PyType_FromSpecWithBases(PyType_Spec *spec, PyObject *bases)
             size_t len = strlen(old_doc)+1;
             char *tp_doc = PyObject_MALLOC(len);
             if (tp_doc == NULL) {
-                type->tp_doc = NULL;
                 PyErr_NoMemory();
                 goto fail;
             }
             memcpy(tp_doc, old_doc, len);
             type->tp_doc = tp_doc;
         }
+        else {
+            *(void**)(res_start + slotoffsets[slot->slot]) = slot->pfunc;
+        }
 
         /* Move the slots to the heap type itself */
         if (slot->slot == Py_tp_members) {

If the PyObject_MALLOC() call failed in PyType_FromSpecWithBases(), PyObject_Free() would be called on a static string in type_dealloc(). (cherry picked from commit 0613c1e) Co-authored-by: Zackery Spytz <zspytz@gmail.com>

…signments The main slot assignment loop is now if-else if ladder, making the control flow clearer. Based on suggestion by Victor Stinner in: python#10304

… (GH-13495) If the PyObject_MALLOC() call failed in PyType_FromSpecWithBases(), PyObject_Free() would be called on a static string in type_dealloc(). (cherry picked from commit 0613c1e) Co-authored-by: Zackery Spytz <zspytz@gmail.com>

…signments (GH-13496) The main slot assignment loop is now if-else if ladder, making the control flow clearer. Based on suggestion by Victor Stinner in: #10304

…signments (pythonGH-13496) The main slot assignment loop is now if-else if ladder, making the control flow clearer. Based on suggestion by Victor Stinner in: python#10304

Fix a possible crash due to PyType_FromSpecWithBases()

9376dae

If the PyObject_MALLOC() call failed in PyType_FromSpecWithBases(), PyObject_Free() would be called on a static string in type_dealloc().

the-knights-who-say-ni added the CLA signed label Nov 2, 2018

bedevere-bot added the awaiting review label Nov 2, 2018

serhiy-storchaka self-requested a review November 3, 2018 06:56

serhiy-storchaka added needs backport to 3.6 skip issue skip news labels Nov 3, 2018

serhiy-storchaka reviewed Nov 14, 2018

View reviewed changes

vstinner removed the needs backport to 3.6 label Jan 10, 2019

encukou closed this May 8, 2019

encukou reopened this May 9, 2019

encukou merged commit 0613c1e into python:master May 9, 2019

bedevere-bot removed the awaiting review label May 9, 2019

bedevere-bot removed the needs backport to 3.7 label May 9, 2019

miss-islington assigned encukou May 9, 2019

encukou removed the needs backport to 2.7 label May 22, 2019

encukou changed the title ~~[Skip Issue] Fix a possible crash due to PyType_FromSpecWithBases()~~ bpo-37012: Fix a possible crash due to PyType_FromSpecWithBases() May 22, 2019

encukou mentioned this pull request May 22, 2019

bpo-37012: Clean up special cases in PyType_FromSpecWithBases slot assignments #13496

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

bpo-37012: Fix a possible crash due to PyType_FromSpecWithBases()#10304

bpo-37012: Fix a possible crash due to PyType_FromSpecWithBases()#10304
encukou merged 1 commit into
python:masterfrom
ZackerySpytz:type_dealloc_crash

ZackerySpytz commented Nov 2, 2018 •

edited by bedevere-bot

Loading

Uh oh!

andresdelfino commented Nov 14, 2018 •

edited

Loading

Uh oh!

Mariatta commented Nov 14, 2018

Uh oh!

serhiy-storchaka Nov 14, 2018

Uh oh!

vstinner commented Jan 10, 2019

Uh oh!

encukou commented May 8, 2019

Uh oh!

ZackerySpytz commented May 8, 2019

Uh oh!

encukou commented May 9, 2019

Uh oh!

miss-islington commented May 9, 2019

Uh oh!

bedevere-bot commented May 9, 2019

Uh oh!

miss-islington commented May 9, 2019

Uh oh!

vstinner commented May 10, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

Uh oh!

Conversation

ZackerySpytz commented Nov 2, 2018 • edited by bedevere-bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

andresdelfino commented Nov 14, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Mariatta commented Nov 14, 2018

Uh oh!

serhiy-storchaka Nov 14, 2018

Choose a reason for hiding this comment

Uh oh!

vstinner commented Jan 10, 2019

Uh oh!

encukou commented May 8, 2019

Uh oh!

ZackerySpytz commented May 8, 2019

Uh oh!

encukou commented May 9, 2019

Uh oh!

miss-islington commented May 9, 2019

Uh oh!

bedevere-bot commented May 9, 2019

Uh oh!

miss-islington commented May 9, 2019

Uh oh!

vstinner commented May 10, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

ZackerySpytz commented Nov 2, 2018 •

edited by bedevere-bot

Loading

andresdelfino commented Nov 14, 2018 •

edited

Loading