Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Double-free in Argument Clinic str_converter generated code #99240

Closed
colorfulappl opened this issue Nov 8, 2022 · 7 comments
Closed

Double-free in Argument Clinic str_converter generated code #99240

colorfulappl opened this issue Nov 8, 2022 · 7 comments
Assignees
@gpshead
Labels
topic-argument-clinic type-bug An unexpected behavior, bug, or error

Comments

@colorfulappl
Copy link
Contributor

colorfulappl commented Nov 8, 2022
edited by bedevere-bot
Loading

Argument Clinic str_converter generate such code when encoding is set
(see function test_str_converter_encoding in file Lib/test/clinic.test):

    /* -- snip -- */
    if (!_PyArg_ParseStack(args, nargs, "esesetes#et#:test_str_converter_encoding",
        "idna", &a, "idna", &b, "idna", &c, "idna", &d, &d_length, "idna", &e, &e_length)) {
        goto exit;
    }
    return_value = test_str_converter_encoding_impl(module, a, b, c, d, d_length, e, e_length);

exit:
    /* Cleanup for a */
    if (a) {
       PyMem_FREE(a);
    }
    /* Cleanup for b */
    if (b) {
       PyMem_FREE(b);
    }
    /* Cleanup for c */
    if (c) {
       PyMem_FREE(c);
    }
    /* -- snip -- */

If parsing a successes, a will be assigned an address points to an allocated memory.
After that, if parsing b fails, the memory which a points to is freed by function _PyArg_ParseStack,
and _PyArg_ParseStack returns 0, then control flow goes to label "exit".
At this time, a is not NULL, so the memory it points to is freed again, which cause a double-free problem and a runtime crash.

This bug is found in #96178 "Argument Clinic functional test".
@colorfulappl colorfulappl added the type-bug An unexpected behavior, bug, or error label Nov 8, 2022
@colorfulappl colorfulappl changed the title Double-fre in Argument clinic str_converter generated code Double-free in Argument clinic str_converter generated code Nov 8, 2022
@colorfulappl colorfulappl changed the title Double-free in Argument clinic str_converter generated code Double-free in Argument Clinic str_converter generated code Nov 8, 2022
@colorfulappl colorfulappl mentioned this issue Nov 8, 2022
Merged
colorfulappl added a commit to colorfulappl/cpython that referenced this issue Nov 8, 2022
@colorfulappl
Add PoC of pythonGH-99240
2cc6c0a
@colorfulappl
Copy link
Contributor Author

There are two ways to fix this bug,

  1. Avoid free any parsed arguments if an error occurred in function _PyArg_ParseStack,
    as gh-99240: Fix double-free bug in Argument Clinic str_converter generated code #99241 have done.
  2. If function _PyArg_ParseStack parses failed, assign all the parsed arguments to "NULL" after they are freed, this should be done in _PyArg_ParseStack.

@gpshead gpshead self-assigned this Nov 9, 2022
miss-islington pushed a commit that referenced this issue Nov 24, 2022
@colorfulappl
gh-99240: Fix double-free bug in Argument Clinic str_converter genera…
8dbe08e 
…ted code (GH-99241)

Fix double-free bug mentioned at #99240,
by moving memory clean up out of "exit" label.

Automerge-Triggered-By: GH:erlend-aasland
@hauntsaninja
Copy link
Contributor

Thanks for reporting and fixing, looks like this has been completed

@erlend-aasland
Copy link
Contributor

We should consider backporting this, IMO.

@bedevere-bot bedevere-bot mentioned this issue Nov 30, 2022
Merged
@colorfulappl
Copy link
Contributor Author

We should consider backporting this, IMO.

Should we backport #96002 before backporting this?

And I made a new bug fix #99890 .

@hauntsaninja hauntsaninja reopened this Nov 30, 2022
@erlend-aasland
Copy link
Contributor

Should we backport #96002 before backporting this?

Yes, I think we should. Although that PR introduced a new C file, it expands the Argument Clinic coverage considerably, so I think it is definitely worth it.

And I made a new bug fix #99890 .

Great :)

kumaraditya303 added a commit that referenced this issue Dec 17, 2022
@colorfulappl @kumaraditya303 @erlend-aasland
gh-99240: Reset pointer to NULL when the pointed memory is freed in a…
a6f82f1 
…rgument parsing (#99890)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
kumaraditya303 added a commit to kumaraditya303/cpython that referenced this issue Dec 17, 2022
@colorfulappl @kumaraditya303 @erlend-aasland
pythongh-99240: Reset pointer to NULL when the pointed memory is free…
efbb1eb 
…d in argument parsing (python#99890)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
shihai1991 added a commit to shihai1991/cpython that referenced this issue Dec 18, 2022
@shihai1991
Merge remote-tracking branch 'origin/main' into bpo_34697
2878571 
* origin/main: (1306 commits)
  Correct CVE-2020-10735 documentation (python#100306)
  pythongh-100272: Fix JSON serialization of OrderedDict (pythonGH-100273)
  pythongh-93649: Split tracemalloc tests from _testcapimodule.c (python#99551)
  Docs: Use `PY_VERSION_HEX` for version comparison (python#100179)
  pythongh-97909: Fix markup for `PyMethodDef` members (python#100089)
  pythongh-99240: Reset pointer to NULL when the pointed memory is freed in argument parsing (python#99890)
  pythongh-99240: Reset pointer to NULL when the pointed memory is freed in argument parsing (python#99890)
  pythonGH-98831: Add DECREF_INPUTS(), expanding to DECREF() each stack input (python#100205)
  pythongh-78707: deprecate passing >1 argument to `PurePath.[is_]relative_to()` (pythonGH-94469)
  pythongh-99540: Constant hash for _PyNone_Type to aid reproducibility (pythonGH-99541)
  pythongh-100039: enhance __signature__ to work with str and callables (pythonGH-100168)
  pythongh-99830: asyncio: Document returns of remove_{reader,writer} (python#100302)
  "Compound statement" docs: Fix with-statement step indexing (python#100286)
  pythonGH-90043: Handle NaNs in COMPARE_OP_FLOAT_JUMP (pythonGH-100278)
  Improve stats presentation for calls. (pythonGH-100274)
  Better stats for `LOAD_ATTR` and `STORE_ATTR` (pythonGH-100295)
  pythongh-81057: Move the Cached Parser Dummy Name to _PyRuntimeState (python#100277)
  Document that zipfile's pwd parameter is a `bytes` object (python#100209)
  pythongh-99767: mark `PyTypeObject.tp_watched` as internal use only in table (python#100271)
  Fix typo in introduction.rst (python#100266)
  ...
carljm added a commit to carljm/cpython that referenced this issue Dec 19, 2022
@carljm
Merge branch 'main' into fastmock
a9af20a 
* main:
  pythongh-89727: Fix os.walk RecursionError on deep trees (python#99803)
  Docs: Don't upload CI artifacts (python#100330)
  pythongh-94912: Added marker for non-standard coroutine function detection (python#99247)
  Correct CVE-2020-10735 documentation (python#100306)
  pythongh-100272: Fix JSON serialization of OrderedDict (pythonGH-100273)
  pythongh-93649: Split tracemalloc tests from _testcapimodule.c (python#99551)
  Docs: Use `PY_VERSION_HEX` for version comparison (python#100179)
  pythongh-97909: Fix markup for `PyMethodDef` members (python#100089)
  pythongh-99240: Reset pointer to NULL when the pointed memory is freed in argument parsing (python#99890)
  pythongh-99240: Reset pointer to NULL when the pointed memory is freed in argument parsing (python#99890)
  pythonGH-98831: Add DECREF_INPUTS(), expanding to DECREF() each stack input (python#100205)
  pythongh-78707: deprecate passing >1 argument to `PurePath.[is_]relative_to()` (pythonGH-94469)
colorfulappl added a commit to colorfulappl/cpython that referenced this issue Dec 20, 2022
@colorfulappl
[3.11] pythongh-99240: Fix double-free bug in Argument Clinic str_con…
32f7fad 
…verter generated code (pythonGH-99241)

(cherry picked from commit 8dbe08e)

Fix double-free bug mentioned at pythonGH-99240, by moving memory clean up out of "exit" label.
@colorfulappl colorfulappl mentioned this issue Dec 20, 2022
Merged
colorfulappl added a commit to colorfulappl/cpython that referenced this issue Dec 20, 2022
@colorfulappl
[3.10] pythongh-99240: Fix double-free bug in Argument Clinic str_con…
0c00e33 
…verter generated code (pythonGH-99241)

(cherry picked from commit 8dbe08e)

Fix double-free bug mentioned at pythonGH-99240, by moving memory clean up out of "exit" label.
@colorfulappl colorfulappl mentioned this issue Dec 20, 2022
Merged
kumaraditya303 pushed a commit that referenced this issue Dec 20, 2022
@colorfulappl
[3.11] gh-99240: Fix double-free bug in Argument Clinic str_converter…
ba8e30c 
… generated code (GH-99241) (#100352)

(cherry picked from commit 8dbe08e)

Fix double-free bug mentioned at GH-99240, by moving memory clean up out of "exit" label.
kumaraditya303 pushed a commit that referenced this issue Dec 20, 2022
@colorfulappl
[3.10] gh-99240: Fix double-free bug in Argument Clinic str_converter…
53063b7 
… generated code (GH-99241) (#100353)

(cherry picked from commit 8dbe08e)

Fix double-free bug mentioned at GH-99240, by moving memory clean up out of "exit" label.
colorfulappl added a commit to colorfulappl/cpython that referenced this issue Dec 21, 2022
@colorfulappl @kumaraditya303 @erlend-aasland
[3.11] pythongh-99240: Reset pointer to NULL when the pointed memory …
62c4a95 
…is freed in argument parsing (pythonGH-99890)

(cherry picked from commit efbb1eb)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
@bedevere-bot bedevere-bot mentioned this issue Dec 21, 2022
Merged
colorfulappl added a commit to colorfulappl/cpython that referenced this issue Dec 21, 2022
@colorfulappl @kumaraditya303 @erlend-aasland
[3.10] pythongh-99240: Reset pointer to NULL when the pointed memory …
e02b61b 
…is freed in argument parsing (pythonGH-99890)

(cherry picked from commit efbb1eb)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
@bedevere-bot bedevere-bot mentioned this issue Dec 21, 2022
Merged
kumaraditya303 added a commit that referenced this issue Dec 21, 2022
@colorfulappl @kumaraditya303 @erlend-aasland
[3.11] gh-99240: Reset pointer to NULL when the pointed memory is fre…
bed1d14 
…ed in argument parsing (GH-99890) (#100385)

(cherry picked from commit efbb1eb)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
kumaraditya303 added a commit that referenced this issue Dec 21, 2022
@colorfulappl @kumaraditya303 @erlend-aasland
[3.10] gh-99240: Reset pointer to NULL when the pointed memory is fre…
591365c 
…ed in argument parsing (GH-99890) (#100386)

(cherry picked from commit efbb1eb)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
@kumaraditya303
Copy link
Contributor

Thanks for working on this, all PRs have been merged.

@erlend-aasland
Copy link
Contributor

Yes, thanks for all your good work on argument clinic, @colorfulappl! And thank you Kumar for landing these PRs; I've had a hard time keeping up with CPython dev lately.

rwgk pushed a commit to rwgk/cpython that referenced this issue Mar 11, 2023
@colorfulappl @kumaraditya303 @erlend-aasland
pythongh-99240: Reset pointer to NULL when the pointed memory is free…
9aad32a 
…d in argument parsing (python#99890)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
@jiridanek jiridanek mentioned this issue Jan 2, 2024
Open
edo38 pushed a commit to edo38/python-clinic that referenced this issue Apr 24, 2024
@colorfulappl
gh-99240: Fix double-free bug in Argument Clinic str_converter genera…
b4b59d1 
…ted code (GH-99241)

Fix double-free bug mentioned at python/cpython#99240,
by moving memory clean up out of "exit" label.

Automerge-Triggered-By: GH:erlend-aasland
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gpshead gpshead

Labels
topic-argument-clinic type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@gpshead @hauntsaninja @erlend-aasland @colorfulappl @kumaraditya303