gh-108253: Fix bug in func version cache #108296


Merged
merged 1 commit into from
Aug 22, 2023

Conversation

gvanrossum
Member

When a function object changed its version, a stale pointer might remain in the cache.

Now, test_opcache just fails when run with -Xuops instead of accessing freed memory. This fixes gh-108253.

When a function object changed its version, a stale pointer
might remain in the cache.
@alex
Member

alex commented Aug 23, 2023

This PR introduces a use of uninitialized memory.

  • A new PyFunctionObject is allocated here
  • And then here _PyFunction_SetVersion is called
  • Which reads from ->func_version here
  • However, ->func_version was never initialized

This was detected by OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5086904889245696

@gvanrossum
Member Author

This PR introduces a use of uninitialized memory.

Interesting, since it also definitely fixed a case of free-after-use. I will try to understand the report.

@gvanrossum
Member Author

Ah, I was over-zealous. That is the one place where ...->func_version = 0 is correct instead of going through the call. :-( PR coming up.
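A small C model of the two failure modes discussed in this thread: the stale cache pointer that the PR description fixes, and the read of an uninitialised version field that alex's comment points out. This is an added illustration, not code from CPython or from this PR; the type and function names (FuncObject, func_set_version, cache_lookup, and so on) are invented for the example, and the cache layout is a simplified assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a function-version cache; the names are invented
 * for this example and are not CPython's. */
#define VERSION_CACHE_SIZE 16

typedef struct {
    uint32_t version;   /* 0 means "no version assigned" */
    const char *name;
} FuncObject;

/* One raw pointer per slot, indexed by version modulo the cache size.
 * Nothing keeps the pointee alive, so every slot that refers to an object
 * must be cleared before that object changes version or is freed. */
static FuncObject *version_cache[VERSION_CACHE_SIZE];

static void cache_reset(void)
{
    for (size_t i = 0; i < VERSION_CACHE_SIZE; i++)
        version_cache[i] = NULL;
}

/* Raw view of a slot, used to show whether a stale pointer remains. */
static int cache_slot_holds(uint32_t version, const FuncObject *f)
{
    return version_cache[version % VERSION_CACHE_SIZE] == f;
}

static FuncObject *cache_lookup(uint32_t version)
{
    if (version == 0) return NULL;
    FuncObject *f = version_cache[version % VERSION_CACHE_SIZE];
    /* Colliding versions share a slot, so confirm the version matches.
     * If the slot dangles, this read of f->version is the use-after-free. */
    return (f != NULL && f->version == version) ? f : NULL;
}

/* Buggy setter (the 'before' behaviour): publishes the new version but
 * never evicts the entry for the old one, so that slot keeps pointing at
 * f and dangles once f is freed. */
static void func_set_version_stale(FuncObject *f, uint32_t version)
{
    f->version = version;
    if (version != 0) version_cache[version % VERSION_CACHE_SIZE] = f;
}

/* Fixed setter: evict the old entry first. It reads f->version, so the
 * field must be initialised before the first call. */
static void func_set_version(FuncObject *f, uint32_t version)
{
    if (f->version != 0) {
        FuncObject **slot = &version_cache[f->version % VERSION_CACHE_SIZE];
        if (*slot == f) *slot = NULL;
    }
    f->version = version;
    if (version != 0) version_cache[version % VERSION_CACHE_SIZE] = f;
}

static FuncObject *func_new(const char *name)
{
    /* calloc zeroes the struct, so version == 0 before any setter reads it.
     * malloc followed by func_set_version(f, 0) would read an indeterminate
     * value: undefined behaviour, and exactly what MSAN reports. */
    FuncObject *f = calloc(1, sizeof *f);
    if (f == NULL) abort();
    f->name = name;
    return f;
}

static void func_free(FuncObject *f)
{
    func_set_version(f, 0);   /* drop our slot before the memory goes away */
    free(f);
}

int main(void)
{
    cache_reset();
    FuncObject *f = func_new("f");
    func_set_version(f, 5);
    func_set_version(f, 7);
    printf("fixed: slot 5 still holds f? %d, lookup(7)==f? %d\n",
           cache_slot_holds(5, f), cache_lookup(7) == f);

    FuncObject *g = func_new("g");
    func_set_version(g, 3);
    func_set_version_stale(g, 4);
    printf("stale: slot 3 still holds g? %d\n", cache_slot_holds(3, g));

    func_free(f);
    cache_reset();            /* clear the stale slot by hand before freeing g */
    free(g);
    return 0;
}
```

The point of the fixed setter is that eviction relies on the old value of the version field, which is why a freshly allocated object has to start with the field zeroed (or assigned directly) rather than being routed through the setter: ASAN sees the dangling read in the stale path, but only MSAN sees the uninitialised read in the allocation path.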

@alex
Member

alex commented Aug 23, 2023

Thanks!

@gvanrossum
Member Author

This is a great service! Surprised though that address-sanitizer didn't catch this.

@alex
Member

alex commented Aug 23, 2023

ASAN doesn't catch uninitialized memory, only MSAN does. (And MSAN is kind of a pain in the neck to set up.)

@llooFlashooll

This PR introduces a use of uninitialized memory.

  • A new PyFunctionObject is allocated here
  • And then here _PyFunction_SetVersion is called
  • Which reads from ->func_version here
  • However, ->func_version was never initialized

This was detected by OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5086904889245696

Dear Alex @alex ,

Could you please give me access to this issue? I am a security Ph.D. student, and I am analyzing some issues to summarize some patterns. I would be very grateful if you could help me.

Best regards,
Zeyang ([email protected], or [email protected])


Successfully merging this pull request may close these issues.

heap-use-after-free in _PyFunction_LookupByVersion