Use After Free in deque_index_impl #115243
Comments
Good catch!
By the way, on all versions except 3.13, with this PoC we won't get a segfault:
python3.12 example.py
Traceback (most recent call last):
  File "/home/eclips4/CLionProjects/cpython/example.py", line 10, in <module>
    deq.index(3)
RuntimeError: deque mutated during iteration
Yes, me too. However, the ASAN build of Python 3.13 can be crashed. The build instruction is followed.
In my opinion, it will be exploited before the RuntimeError is raised, since the use-after-free has already been triggered.
Yep, we definitely have to fix it. Here's what the fix should look like:
diff --git a/Modules/_collectionsmodule.c b/Modules/_collectionsmodule.c
index ef77d34b10..4fa76d62bc 100644
--- a/Modules/_collectionsmodule.c
+++ b/Modules/_collectionsmodule.c
@@ -1218,8 +1218,9 @@ deque_index_impl(dequeobject *deque, PyObject *v, Py_ssize_t start,
n = stop - i;
while (--n >= 0) {
CHECK_NOT_END(b);
- item = b->data[index];
+ item = Py_NewRef(b->data[index]);
cmp = PyObject_RichCompareBool(item, v, Py_EQ);
+ Py_DECREF(item);
if (cmp > 0)
return PyLong_FromSsize_t(stop - n - 1);
if (cmp < 0)
Would you like to send a PR with this fix? We also need to add a test for this case.
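Review bot: the Py_NewRef()/Py_DECREF() pair around PyObject_RichCompareBool() keeps item alive across the call into item's __eq__, which is what this report needs, but it does nothing for b and index: __eq__ can still empty or reshape the deque, so the block reached through b on the next pass of the while loop may already be freed, and CHECK_NOT_END(b) at the top of the loop does not detect that. The loop therefore still depends on the mutation check that produces the "deque mutated during iteration" RuntimeError shown in the 3.12 traceback above; that check has to stay between Py_DECREF(item) and the next read of b->data[index], and the test that goes with this fix should use an __eq__ that mutates the deque so the check is exercised, not only the new reference handling. One more point on the same three lines: Py_DECREF(item) can itself drop the last reference and run a finalizer once the deque has released its own reference, so nothing after that line may touch item; the two cmp checks that follow are fine because cmp is a plain int.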
The segfault is reproducible on 3.11 & 3.12 debug builds (but not on their release builds).
…ently modified (pythonGH-115247) (cherry picked from commit 6713601) Co-authored-by: kcatss <[email protected]>
…rently modified (GH-115247) (GH-115465) (cherry picked from commit 6713601) Co-authored-by: kcatss <[email protected]>
…rently modified (GH-115247) (GH-115466) (cherry picked from commit 6713601) Co-authored-by: kcatss <[email protected]>
…concurrently modified (pythonGH-115247) (pythonGH-115466) (cherry picked from commit 6713601) Co-authored-by: kcatss <[email protected]>
Crash report
What happened?
Version
Python 3.13.0a3+ (heads/v3.13.0a2:e2c4038924, Feb 10 2024, 12:05:47) [GCC 11.4.0]
bisect from commit 32ea165
Root cause
The deque_index_impl function retrieves an element from the deque using b->data. However, the reference count of the item may decrease due to PyObject_RichCompareBool, leading to a use-after-free.
POC
ASAN
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.13.0a3+ (heads/v3.13.0a2:e2c4038924, Feb 10 2024, 12:05:47) [GCC 11.4.0]
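The following is an added example written for this page; it is not the reporter's PoC (which was not extracted with the page) and not CPython code. It builds the situation the root-cause paragraph describes: an element whose __eq__ empties the deque while deque.index() is scanning it, so the deque's reference to the element is gone when the comparison returns. Returning NotImplemented from __eq__ is my assumption about how to reach the released item: it makes CPython try the reflected comparison 3 == item next, which hands the item back into C after the deque has let go of it; a build without the Py_NewRef()/Py_DECREF() pair from the proposed fix reads freed memory there, which is what an ASAN build reports. On a build with the fix (and, per the comments above, on unpatched release builds) the call ends in the RuntimeError "deque mutated during iteration". The names MutatingKey and probe_index and the string results it returns are mine.

```python
"""Re-entrancy probe for deque.index(), written for this report.

Added example (not the reporter's PoC, not CPython code).  Assumption: an
element's __eq__ that empties the deque and returns NotImplemented makes
PyObject_RichCompareBool() pass the element to the reflected comparison
after the deque has dropped its reference to it.
"""
from collections import deque


class MutatingKey:
    """Element whose __eq__ clears the deque that is being searched."""

    def __init__(self, owner):
        self.owner = owner  # the deque this object lives in

    def __eq__(self, other):
        # Release every reference the deque holds, including the one to
        # self, while deque_index_impl is still in the middle of its scan.
        self.owner.clear()
        # Returning NotImplemented (assumption, see module docstring) makes
        # CPython try other.__eq__(self) next, passing self back into C
        # after the deque has let go of it.
        return NotImplemented


def probe_index(n_items=4):
    """Search a deque of MutatingKey objects for a value that is never there.

    Returns 'RuntimeError' when CPython reports the mutation, 'ValueError'
    if the scan ran to the end without noticing, and 'found' if index()
    claimed a match.  Under an ASAN or debug build without the fix the
    call aborts inside the interpreter instead of returning.
    """
    deq = deque()
    for _ in range(n_items):
        deq.append(MutatingKey(deq))
    try:
        deq.index(3)  # 3 is never equal to a MutatingKey
    except RuntimeError as exc:
        return "RuntimeError" if "mutated" in str(exc) else repr(exc)
    except ValueError:
        return "ValueError"
    return "found"


if __name__ == "__main__":
    print(probe_index())
```

Run it under a normal interpreter to see the RuntimeError path; run the same file under an ASAN build of an interpreter without the fix to see the use-after-free reported at the reflected comparison instead.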
Linked PRs