
Segmentation Fault in pthread_getcpuclockid function in time module #115378

Closed
kcatss opened this issue Feb 12, 2024 · 1 comment
Labels
type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@kcatss
Contributor

kcatss commented Feb 12, 2024

What happened?

Version

Python 3.13.0a3+ (heads/main:b3f0b698da, Feb 12 2024, 03:56:25) [GCC 11.4.0]
bisect from commit e14679c

Root Cause

The time_pthread_getcpuclockid function retrieves an element from the user input, but improper validation of the thread id triggers a segmentation fault.

static PyObject *
time_pthread_getcpuclockid(PyObject *self, PyObject *args)
{
    unsigned long thread_id;
    int err;
    clockid_t clk_id;
    if (!PyArg_ParseTuple(args, "k:pthread_getcpuclockid", &thread_id)) {
        return NULL;
    }
    err = pthread_getcpuclockid((pthread_t)thread_id, &clk_id); // <-- thread_id from args
    if (err) {
        errno = err;
        PyErr_SetFromErrno(PyExc_OSError);
        return NULL;
    }
#ifdef _Py_MEMORY_SANITIZER
    __msan_unpoison(&clk_id, sizeof(clk_id));
#endif
    return PyLong_FromLong(clk_id);
}

POC

import time
time.pthread_getcpuclockid(-1)

ASan output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9985==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002ce (pc 0x7f5176af3159 bp 0x7ffcb8437230 sp 0x7ffcb8437178 T0)
==9985==The signal is caused by a READ memory access.
==9985==Hint: address points to the zero page.
    #0 0x7f5176af3159 in __pthread_getcpuclockid nptl/pthread_getcpuclockid.c:32
    #1 0x564afa3983a1 in time_pthread_getcpuclockid Modules/timemodule.c:380
    #2 0x564af9eafacf in cfunction_call Objects/methodobject.c:551
    #3 0x564af9dc0393 in _PyObject_MakeTpCall Objects/call.c:242
    #4 0x564af9dc0a94 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:166
    #5 0x564af9dc0ac0 in PyObject_Vectorcall Objects/call.c:327
    #6 0x564afa0cd313 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:815
    #7 0x564afa11a855 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:115
    #8 0x564afa11a855 in _PyEval_Vector Python/ceval.c:1788
    #9 0x564afa11aa76 in PyEval_EvalCode Python/ceval.c:592
    #10 0x564afa2245d9 in run_eval_code_obj Python/pythonrun.c:1294
    #11 0x564afa227522 in run_mod Python/pythonrun.c:1379
    #12 0x564afa228302 in pyrun_file Python/pythonrun.c:1215
    #13 0x564afa22a8f0 in _PyRun_SimpleFileObject Python/pythonrun.c:464
    #14 0x564afa22ac8c in _PyRun_AnyFileObject Python/pythonrun.c:77
    #15 0x564afa2872c0 in pymain_run_file_obj Modules/main.c:357
    #16 0x564afa289a71 in pymain_run_file Modules/main.c:376
    #17 0x564afa28a682 in pymain_run_python Modules/main.c:628
    #18 0x564afa28a812 in Py_RunMain Modules/main.c:707
    #19 0x564afa28a9f9 in pymain_main Modules/main.c:737
    #20 0x564afa28ad71 in Py_BytesMain Modules/main.c:761
    #21 0x564af9c24b05 in main Programs/python.c:15
    #22 0x7f5176a86d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #23 0x7f5176a86e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #24 0x564af9c24a34 in _start (/cpython/python+0x26fa34)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV nptl/pthread_getcpuclockid.c:32 in __pthread_getcpuclockid
==9985==ABORTING

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.13.0a3+ (heads/main:b3f0b698da, Feb 12 2024, 03:56:25) [GCC 11.4.0]

@kcatss kcatss added the type-crash A hard crash of the interpreter, possibly with a core dump label Feb 12, 2024
@chgnrdv
Contributor

chgnrdv commented Feb 12, 2024

This is a documented behaviour, as there is nothing we can do here.
https://docs.python.org/3/library/time.html#time.pthread_getcpuclockid
SEGV happens in the pthread_getcpuclockid function in libc, and it's because of improper thread id validation on its side. As I understand, it suffers from the same problem as pthread_kill; according to the source code, both of them use the INVALID_TD_P macro that accepts a thread id cast to struct pthread * and attempts to dereference it, which can cause a segfault.
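
A defensive wrapper for the case discussed in this issue, as an added example that is not part of the report or of CPython: it accepts only ids of threads the interpreter knows to be alive, so a value like the -1 in the POC raises ValueError instead of reaching the dereference in libc. The function names are my own.

```python
import threading
import time


def safe_pthread_getcpuclockid(thread_id):
    """Return the CPU-time clock id for thread_id, refusing any id that is
    not that of a thread this interpreter currently knows to be alive.

    time.pthread_getcpuclockid() hands the integer to libc, which treats it
    as a pthread_t (a pointer to its thread descriptor) and dereferences it,
    so -1 as in the POC crashes the process. Checking first turns that into
    a ValueError.
    """
    # Only threads registered with threading are listed, so ids of foreign C
    # threads are refused even when valid. While the GIL is held, a listed
    # thread cannot finish its teardown before the libc call returns.
    live_ids = {t.ident for t in threading.enumerate()}
    if thread_id not in live_ids:
        raise ValueError(f"{thread_id!r} is not the id of a live thread")
    return time.pthread_getcpuclockid(thread_id)


def thread_cpu_time(thread_id):
    """Seconds of CPU time consumed so far by the given live thread."""
    return time.clock_gettime(safe_pthread_getcpuclockid(thread_id))


def current_thread_cpu_time():
    """CPU time of the calling thread, via its own (always valid) id."""
    return thread_cpu_time(threading.get_ident())


def measure_worker_cpu(spin_seconds=0.05):
    """Start a busy worker, read its CPU clock while it is still running,
    stop it, and return (cpu_seconds, stale_id); the stale id of the
    finished worker must be refused by the wrapper afterwards."""
    stop = threading.Event()

    def spin():
        while not stop.is_set():
            pass

    worker = threading.Thread(target=spin)
    worker.start()
    time.sleep(spin_seconds)
    worker_cpu = thread_cpu_time(worker.ident)  # worker is live here
    stop.set()
    worker.join()
    return worker_cpu, worker.ident
```

The check is only as good as threading's registry: ids of threads created outside threading are refused, and it runs on Linux/glibc where time.pthread_getcpuclockid exists.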

@kcatss kcatss closed this as completed Feb 13, 2024
@Eclips4 Eclips4 closed this as not planned Won't fix, can't repro, duplicate, stale Feb 13, 2024