Branch: 3.6
miss-islington and phi-gamma closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH…
…-18350)

When called on a closed object, readinto() segfaults on account
of a write to a freed buffer:

    ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==220553==  Access not within mapped region at address 0x2A
    ==220553==    at 0x48408A0: memmove (vg_replace_strmem.c:1272)
    ==220553==    by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972)
    ==220553==    by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053)
    ==220553==    by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253)

Reproducer:

    reader = open ("/dev/zero", "rb")
    _void  = reader.read (42)
    reader.close ()
    reader.readinto (bytearray (42)) ### BANG!

The problem exists since 2012 when commit dc46945 added code
to free the read buffer on close().

Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
(cherry picked from commit cb1c074)

Co-authored-by: Philipp Gesang <phg@phi-gamma.net>

Latest commit c352e6c Feb 4, 2020
Type Name Latest commit message Commit time
_blake2 [3.6] bpo-33729: Fix issues with arguments parsing in hashlib. (GH-8346 Oct 11, 2018
_ctypes bpo-35436: Add missing PyErr_NoMemory() calls and other minor bug fix… Dec 7, 2018
_decimal bpo-35059, libmpdec: Add missing EXTINLINE in mpdecimal.h (GH-10128) Oct 26, 2018
_io closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH… Feb 4, 2020
_multiprocessing bpo-35436: Add missing PyErr_NoMemory() calls and other minor bug fix… Dec 7, 2018
_sha3 closes bpo-35643: Fix a SyntaxWarning: invalid escape sequence in Mod… Jan 7, 2019
_sqlite bpo-34052: Prevent SQLite functions from setting callbacks on excepti… Dec 5, 2018
cjkcodecs [3.6] bpo-33029: Fix signatures of getter and setter functions. (GH-1… Nov 27, 2018
clinic [3.6]bpo-29341: Backport b942707 3.6 (GH-10299) Nov 2, 2018
expat [3.6] closes bpo-38174: Update vendored expat library to 2.2.8. (GH-1… Sep 26, 2019
zlib
README Issue #18093: Factor out the programs that embed the runtime Jul 25, 2014
Setup.config.in
Setup.dist closes bpo-35139: The `pyexpat` module's macros in `Modules/Setup` no… Nov 2, 2018
_asynciomodule.c [3.6] bpo-33029: Fix signatures of getter and setter functions. (GH-1… Nov 27, 2018
_bisectmodule.c The return type of a rich comparison is an int Feb 14, 2016
_bz2module.c bpo-35090: Fix potential division by zero in allocator wrappers (GH-1… Oct 28, 2018
_codecsmodule.c
_collectionsmodule.c bpo-33012: Fix signatures of METH_NOARGS functions. (GH-10736) (GH-10748 Nov 27, 2018
_cryptmodule.c Issue #27332: Fixed the type of the first argument of module-level fu… Jul 7, 2016
_csv.c [3.6] bpo-33029: Fix signatures of getter and setter functions. (GH-1… Nov 27, 2018
_curses_panel.c Issue #25745: Fixed leaking a userptr in curses panel destructor. May 8, 2016
_cursesmodule.c bpo-33012: Fix signatures of METH_NOARGS functions. (GH-10736) (GH-10748 Nov 27, 2018
_datetimemodule.c bpo-22005: Fixed unpickling instances of datetime classes pickled by … Dec 7, 2018
_dbmmodule.c
_elementtree.c [3.6] bpo-35454: Fix miscellaneous minor issues in error handling. (G… Dec 11, 2018
_functoolsmodule.c bpo-31095: fix potential crash during GC (GH-3195) Sep 4, 2017
_gdbmmodule.c [3.6] bpo-32922: dbm.open() now encodes filename with the filesystem … Feb 27, 2018
_hashopenssl.c [3.6] bpo-20216: Correct docstrings of digest() methods in hashlib. (G… Oct 28, 2018
_heapqmodule.c bpo-39421: Fix possible crash in heapq with custom comparison operators ( Jan 23, 2020
_json.c
_localemodule.c bpo-35441: Remove dead and buggy code related to PyList_SetItem(). (G… Dec 8, 2018
_lsprof.c Fix docstring of Profiler class (GH-8651) Aug 3, 2018
_lzmamodule.c bpo-35090: Fix potential division by zero in allocator wrappers (GH-1… Oct 28, 2018
_math.c Fix typo. Oct 28, 2014
_math.h
_opcode.c Issue #27332: Fixed the type of the first argument of module-level fu… Jul 7, 2016
_operator.c bpo-35303: Fix a reference leak in _operator.c's methodcaller_repr(). ( Nov 23, 2018
_pickle.c bpo-35444: Fix error handling when fail to look up builtin "getattr". ( Dec 11, 2018
_posixsubprocess.c bpo-35214: Add _Py_ prefix to MEMORY_SANITIZER def. (GH-10503) Nov 13, 2018
_randommodule.c [3.6] bpo-31478: Fix an assertion failure in random.seed() in case a … Sep 28, 2017
_scproxy.c
_sre.c [3.6] bpo-33029: Fix signatures of getter and setter functions. (GH-1… Nov 27, 2018
_ssl.c bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (GH-11573) Jan 16, 2019
_ssl_data.h Issue #23248: Update ssl error codes from latest OpenSSL git master. Jan 18, 2015
_stat.c Issue #21741: Add st_file_attributes to os.stat_result on Windows. Jun 19, 2014
_struct.c [3.6] bpo-30246: fix several error messages which only mention bytes … Sep 14, 2017
_testbuffer.c
_testcapimodule.c bpo-33012: Fix signatures of METH_NOARGS functions. (GH-10736) (GH-10748 Nov 27, 2018
_testimportmultiple.c Remove compile warnings for _testimportmodule Dec 15, 2012
_testmultiphase.c Make two PyModuleDef_Slot symbols static in _testmultiphase. (GH-8147) Jul 7, 2018
_threadmodule.c [3.6] bpo-35454: Fix miscellaneous minor issues in error handling. (G… Dec 11, 2018
_tkinter.c [3.6] bpo-33029: Fix signatures of getter and setter functions. (GH-1… Nov 27, 2018
_tracemalloc.c bpo-29564:_PyMem_DumpTraceback() suggests enabling tracemalloc (GH-10510 Nov 13, 2018
_weakref.c Issue #28427: old keys should not remove new values from Dec 27, 2016
_winapi.c [3.6] bpo-34563: Fix for invalid assert on big output of multiprocess… Sep 7, 2018
addrinfo.h
ar_beos Moved BeOS/ar-fake and BeOS/linkmodule to Modules/ar_beos and Feb 16, 2001
arraymodule.c bpo-35441: Remove dead and buggy code related to PyList_SetItem(). (G… Dec 8, 2018
atexitmodule.c [3.6] bpo-28994: Fixed errors handling in atexit._run_exitfuncs(). (G… Jun 12, 2017
audioop.c
binascii.c Issue #29004: Merge crc_hqx() doc from 3.5 Dec 24, 2016
cmathmodule.c Issue 23229: add cmath.inf, cmath.nan, cmath.infj and cmath.nanj. Aug 29, 2016
config.c.in PEP 489: Multi-phase extension module initialization May 23, 2015
errnomodule.c Fix #13210. Port the Windows build from VS2008 to VS2010. May 13, 2012
faulthandler.c [3.6] bpo-35214: Initial clang MemorySanitizer support (GH-10479) (GH… Nov 13, 2018
fcntlmodule.c [3.7] bpo-35189: Retry fcntl calls on EINTR (GH-10413) (GH-10678) (GH… Nov 23, 2018
fpectlmodule.c Issue #16136: Remove VMS support and VMS-related code Dec 21, 2013
fpetestmodule.c Recorded merge of revisions 81032 via svnmerge from May 9, 2010
gc_weakref.txt
gcmodule.c [3.6] bpo-33622: Fix issues with handling errors in the GC. (GH-7078) ( May 24, 2018
getaddrinfo.c
getbuildinfo.c [3.6] bpo-27593: Get SCM build info from git instead of hg. (#446) (#454 Mar 4, 2017
getnameinfo.c Issue #15538: Fix compilation of the getnameinfo() / getaddrinfo() em… Aug 2, 2012
getpath.c [3.6] closes bpo-31532: Fix memory corruption due to allocator mix (G… Sep 21, 2017
grpmodule.c bpo-34604: Use %R because of invisible characters or trailing whitesp… Dec 5, 2018
hashlib.h Issue #26798: Add BLAKE2 (blake2b and blake2s) to hashlib. Sep 6, 2016
hashtable.c
hashtable.h Issue #28126: Replace Py_MEMCPY with memcpy(). Visual Studio can prop… Sep 13, 2016
itertoolsmodule.c [3.6] bpo-30347: Stop crashes when concurrently iterate over itertool… Sep 26, 2017
ld_so_aix.in Issue #10656: Fix out-of-tree building on AIX Nov 20, 2016
ld_so_beos Remove a hard coded Python version, and a now incorrect relative path… Feb 16, 2001
main.c bpo-17232: Clarify docs for -O and -OO command line options (GH-5839) Feb 25, 2018
makesetup generate spaces instead of tabs into config.c Jan 16, 2017
makexp_aix - Changes donated by Elemental Security to make it work on AIX 5.3 Sep 14, 2005
mathmodule.c
md5module.c [3.6] bpo-20216: Correct docstrings of digest() methods in hashlib. (G… Oct 28, 2018
mmapmodule.c [3.6] bpo-33029: Fix signatures of getter and setter functions. (GH-1… Nov 27, 2018
nismodule.c
ossaudiodev.c [3.6] Fix misleading mentions of tp_size in comments (GH-9137) Sep 10, 2018
overlapped.c [3.6] bpo-30708: Check for null characters in PyUnicode_AsWideCharStr… Jun 27, 2017
parsermodule.c bpo-33308: Fix a crash in the parser module when convert an ST object. ( Apr 19, 2018
posixmodule.c bpo-35436: Add missing PyErr_NoMemory() calls and other minor bug fix… Dec 7, 2018
posixmodule.h
pwdmodule.c bpo-34604: Use %R because of invisible characters or trailing whitesp… Dec 5, 2018
pyexpat.c
readline.c bpo-35441: Remove dead and buggy code related to PyList_SetItem(). (G… Dec 8, 2018
resource.c Issue #20191: Fixed a crash in resource.prlimit() when pass a sequenc… Dec 19, 2016
rotatingtree.c Recorded merge of revisions 81032 via svnmerge from May 9, 2010
rotatingtree.h Much-needed merge (using svnmerge.py this time) of trunk changes into… May 27, 2006
selectmodule.c bpo-35441: Remove dead and buggy code related to PyList_SetItem(). (G… Dec 8, 2018
sha1module.c [3.6] bpo-20216: Correct docstrings of digest() methods in hashlib. (G… Oct 28, 2018
sha256module.c [3.6] bpo-20216: Correct docstrings of digest() methods in hashlib. (G… Oct 28, 2018
sha512module.c [3.6] bpo-20216: Correct docstrings of digest() methods in hashlib. (G… Oct 28, 2018
signalmodule.c
socketmodule.c
socketmodule.h [3.6] bpo-31927: Fix bugs in socketmodule.c on NetBSD and other issue… Nov 9, 2017
spwdmodule.c
sre.h Issue #17381: Fixed handling of case-insensitive ranges in regular ex… Oct 31, 2014
sre_constants.h
sre_lib.h replace Py_(u)intptr_t with the c99 standard types Sep 6, 2016
symtablemodule.c Issue #27985: Implement PEP 526 -- Syntax for Variable Annotations. Sep 9, 2016
syslogmodule.c Replaced outdated macros _PyUnicode_AsString and _PyUnicode_AsStringA… Nov 20, 2016
termios.c Fix a possible "double decref" in termios.tcgetattr(). (GH-10194) Oct 29, 2018
testcapi_long.h Issue #9530: Fix undefined behaviour due to signed overflow in testca… Nov 19, 2011
timemodule.c [3.7] bpo-35373: Fix PyInit_timezone() error handling (GH-10864) Dec 3, 2018
tkappinit.c
tkinter.h Issue #16840. Turn off bignum support in tkinter with Tcl earlie… Apr 22, 2015
unicodedata.c bpo-29456: Fix bugs in unicodedata.normalize: u1176, u11a7 and u11c3 (G… Jun 15, 2018
unicodedata_db.h
unicodename_db.h
winreparse.h Issue #17599: Use unique _Py_REPARSE_DATA_BUFFER etc names to avoid c… Aug 4, 2016
xxlimited.c
xxmodule.c Issue #25923: Added more const qualifiers to signatures of static and… Dec 25, 2015
xxsubtype.c [3.6] bpo-33029: Fix signatures of getter and setter functions. (GH-1… Nov 27, 2018
zipimport.c [3.6] bpo-31291: Fixed an assertion failure in zipimport.zipimporter.… Aug 30, 2017
zlibmodule.c bpo-35090: Fix potential division by zero in allocator wrappers (GH-1… Oct 28, 2018

README

Source files for standard library extension modules,
and former extension modules that are now builtin modules.