Double-free in Argument Clinic str_converter generated code #99240

Closed

colorfulappl opened this issue Nov 8, 2022 · 7 comments
Labels: topic-argument-clinic, type-bug (An unexpected behavior, bug, or error)

Comments

@colorfulappl (Contributor) commented Nov 8, 2022

Argument Clinic str_converter generates such code when encoding is set
(see function test_str_converter_encoding in file Lib/test/clinic.test):

```c
    /* -- snip -- */
    if (!_PyArg_ParseStack(args, nargs, "esesetes#et#:test_str_converter_encoding",
        "idna", &a, "idna", &b, "idna", &c, "idna", &d, &d_length, "idna", &e, &e_length)) {
        goto exit;
    }
    return_value = test_str_converter_encoding_impl(module, a, b, c, d, d_length, e, e_length);

exit:
    /* Cleanup for a */
    if (a) {
        PyMem_FREE(a);
    }
    /* Cleanup for b */
    if (b) {
        PyMem_FREE(b);
    }
    /* Cleanup for c */
    if (c) {
        PyMem_FREE(c);
    }
    /* -- snip -- */
```

If parsing a succeeds, a is assigned an address pointing to allocated memory.
After that, if parsing b fails, the memory which a points to is freed by function _PyArg_ParseStack,
and _PyArg_ParseStack returns 0, then control flow goes to label "exit".
At this time, a is not NULL, so the memory it points to is freed again, which causes a double-free problem and a runtime crash.

This bug is found in #96178 "Argument Clinic functional test".

@colorfulappl (Contributor, Author) commented

There are two ways to fix this bug:

  1. Avoid freeing any parsed arguments if an error occurred in function _PyArg_ParseStack,
    as gh-99240: Fix double-free bug in Argument Clinic str_converter generated code #99241 has done.
  2. If function _PyArg_ParseStack fails to parse, assign all the parsed arguments to "NULL" after they are freed; this should be done in _PyArg_ParseStack.
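The failure sequence from the issue body and the two fixes listed above, as an added example that is not CPython code: parse_two is a toy stand-in for _PyArg_ParseStack with two "es" arguments, and the allocation registry (constructed here) counts a second free of the same buffer instead of corrupting the heap, so the pre-fix "exit:" cleanup, the #99241 shape (free only after success) and the #99890 shape (parser resets the pointer to NULL) can be compared side by side.

```c
#include <stdlib.h>
#include <string.h>

/* Tiny allocation registry (constructed for this example) so a double free is
 * detected and counted instead of corrupting the heap. */
static char *live[8];
static char *track_dup(const char *s)
{
    char *p = malloc(strlen(s) + 1); strcpy(p, s);
    for (int i = 0; i < 8; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}

/* 1 if p was live and is now freed, 0 if freeing it would be a double free. */
static int track_free(char *p)
{
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    return 0;
}

/* Stand-in for _PyArg_ParseStack with two "es" arguments: a NULL input means
 * that argument fails, and the parser frees buffers it already allocated.
 * reset_to_null models the second fix (#99890). */
static int parse_two(const char *s1, const char *s2, char **a, char **b, int reset_to_null)
{
    *a = NULL; *b = NULL;
    if (!s1) return 0;
    *a = track_dup(s1);
    if (!s2) {
        track_free(*a);               /* parser releases a ... */
        if (reset_to_null) *a = NULL; /* ... and, with the fix, forgets it */
        return 0;
    }
    *b = track_dup(s2);
    return 1;
}

/* Caller shaped like the generated code. cleanup_at_exit=1 is the pre-#99241
 * "exit:" label that runs on both paths; 0 is the fix: free only after success.
 * Returns how many of the caller's frees would have been double frees. */
static int count_double_frees(const char *s1, const char *s2, int reset_to_null, int cleanup_at_exit)
{
    char *a, *b;
    int ok = parse_two(s1, s2, &a, &b, reset_to_null);
    if (!ok && !cleanup_at_exit) return 0;
    int doubled = 0;
    if (a) doubled += !track_free(a);
    if (b) doubled += !track_free(b);
    return doubled;
}
```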

miss-islington pushed a commit that referenced this issue Nov 24, 2022
…ted code (GH-99241)

Fix double-free bug mentioned at #99240,
by moving memory clean up out of "exit" label.

Automerge-Triggered-By: GH:erlend-aasland
@hauntsaninja (Contributor) commented

Thanks for reporting and fixing, looks like this has been completed

@erlend-aasland (Contributor) commented

We should consider backporting this, IMO.

@colorfulappl (Contributor, Author) commented

> We should consider backporting this, IMO.

Should we backport #96002 before backporting this?

And I made a new bug fix #99890 .

@hauntsaninja hauntsaninja reopened this Nov 30, 2022
@erlend-aasland (Contributor) commented

> Should we backport #96002 before backporting this?

Yes, I think we should. Although that PR introduced a new C file, it expands the Argument Clinic coverage considerably, so I think it is definitely worth it.

> And I made a new bug fix #99890 .

Great :)

kumaraditya303 added a commit that referenced this issue Dec 17, 2022
…rgument parsing (#99890)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
kumaraditya303 pushed a commit that referenced this issue Dec 20, 2022
… generated code (GH-99241) (#100352)

(cherry picked from commit 8dbe08e)

Fix double-free bug mentioned at GH-99240, by moving memory clean up out of "exit" label.
kumaraditya303 pushed a commit that referenced this issue Dec 20, 2022
… generated code (GH-99241) (#100353)

(cherry picked from commit 8dbe08e)

Fix double-free bug mentioned at GH-99240, by moving memory clean up out of "exit" label.
kumaraditya303 added a commit that referenced this issue Dec 21, 2022
…ed in argument parsing (GH-99890) (#100385)

(cherry picked from commit efbb1eb)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
kumaraditya303 added a commit that referenced this issue Dec 21, 2022
…ed in argument parsing (GH-99890) (#100386)

(cherry picked from commit efbb1eb)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
@kumaraditya303 (Contributor) commented

Thanks for working on this, all PRs have been merged.

@erlend-aasland (Contributor) commented

Yes, thanks for all your good work on argument clinic, @colorfulappl! And thank you Kumar for landing these PRs; I've had a hard time keeping up with CPython dev lately.
