Thanks to visit codestin.com
Credit goes to github.com

Skip to content

gh-125010: Fix use-after-free in AST repr()#125015

Merged
JelleZijlstra merged 7 commits intopython:mainfrom
tomasr8:ast-repr-fix
Oct 6, 2024
Merged

gh-125010: Fix use-after-free in AST repr()#125015
JelleZijlstra merged 7 commits intopython:mainfrom
tomasr8:ast-repr-fix

Conversation

@tomasr8
Copy link
Member

@tomasr8 tomasr8 commented Oct 5, 2024
edited by bedevere-app bot
Loading

@bedevere-app bedevere-app bot mentioned this pull request Oct 5, 2024
Closed
@Eclips4
Copy link
Member

Eclips4 commented Oct 5, 2024

Could you add a test case for that? I think testing that the initial reproducer doesn't crash would be enough

@tomasr8
Copy link
Member Author

tomasr8 commented Oct 5, 2024

Could you add a test case for that? I think testing that the initial reproducer doesn't crash would be enough

Yep, but maybe I'll try to make the reproducer a bit smaller first, it's quite big 😅 :

>>> s = open("reproducer.txt").read()
>>> len(s)
782813

@Eclips4
Copy link
Member

Eclips4 commented Oct 6, 2024
edited
Loading

Could you add a test case for that? I think testing that the initial reproducer doesn't crash would be enough

Yep, but maybe I'll try to make the reproducer a bit smaller first, it's quite big 😅 :

>>> s = open("reproducer.txt").read()
>>> len(s)
782813

Here's how it can be reduced to avoid using the file:

import ast
repro = "{0x0" + "e" * 250_000 + "%" + "e" * 250_000 + "1j}"
print(ast.literal_eval(repro))

@tomasr8
Copy link
Member Author

tomasr8 commented Oct 6, 2024

Test added :)

picnixz
picnixz reviewed Oct 6, 2024
View reviewed changes
Eclips4
Eclips4 reviewed Oct 6, 2024
View reviewed changes
Eclips4
Eclips4 reviewed Oct 6, 2024
View reviewed changes
AlexWaygood
AlexWaygood reviewed Oct 6, 2024
View reviewed changes
Copy link
Member

@AlexWaygood AlexWaygood left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The bug doesn't really have anything to do with ast.literal_eval, so I think the test would be clearer if it didn't use ast.literal_eval. I can trigger a crash with a simpler repro that only uses ast.parse (and with a shorter source snippet passed to ast.parse()):

~/dev/cpython (main)⚡ [134] % ./python.exe -c 'import ast; repr(ast.parse("0x0" + "e" * 4_000, mode="eval"))' 
./Include/refcount.h:474: _Py_NegativeRefcount: Assertion failed: object has negative ref count
<object at 0x1398df420 is freed>
Fatal Python error: _PyObject_AssertFailed: _PyObject_AssertFailed
Python runtime state: initialized
ValueError: Exceeds the limit (4300 digits) for integer string conversion; use sys.set_int_max_str_digits() to increase the limit

Current thread 0x00000001f39d4f40 (most recent call first):
  File "<string>", line 1 in <module>
zsh: abort      ./python.exe -c

@AlexWaygood
Copy link
Member

AlexWaygood commented Oct 6, 2024

Ah, in fact, here's a repro without even ast.parse():

~/dev/cpython (main)⚡ % ./python.exe -c 'import ast; repr(ast.Constant(value=eval("0x0" + "e" * 4_000)))'
./Include/refcount.h:474: _Py_NegativeRefcount: Assertion failed: object has negative ref count
<object at 0x15a858220 is freed>
Fatal Python error: _PyObject_AssertFailed: _PyObject_AssertFailed
Python runtime state: initialized
ValueError: Exceeds the limit (4300 digits) for integer string conversion; use sys.set_int_max_str_digits() to increase the limit

Current thread 0x00000001f39d4f40 (most recent call first):
  File "<string>", line 1 in <module>
zsh: abort      ./python.exe -c

@tomasr8
Copy link
Member Author

tomasr8 commented Oct 6, 2024
edited
Loading

I simplified the test to use Alex's smaller reproducer and removed the note about sys.set_int_max_str_digits since the source is now a valid syntax and does not raise the other ValueError anymore.

AlexWaygood
AlexWaygood approved these changes Oct 6, 2024
View reviewed changes
Copy link
Member

@AlexWaygood AlexWaygood left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! The test looks great and I confirmed it segfaults on main. I'll let one of the AST experts subscribed to this PR approve and merge, though.

Eclips4
Eclips4 approved these changes Oct 6, 2024
View reviewed changes
Copy link
Member

@Eclips4 Eclips4 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thank you Tomas.

ZeroIntensity
ZeroIntensity reviewed Oct 6, 2024
View reviewed changes
ZeroIntensity
ZeroIntensity approved these changes Oct 6, 2024
View reviewed changes
Copy link
Member

@ZeroIntensity ZeroIntensity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@Eclips4
Copy link
Member

Eclips4 commented Oct 6, 2024
edited
Loading

If @JelleZijlstra has no further comments, I'll merge this tomorrow.

@JelleZijlstra JelleZijlstra merged commit a1be83d into python:main Oct 6, 2024
@tomasr8 tomasr8 deleted the ast-repr-fix branch October 6, 2024 20:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@picnixz picnixz picnixz left review comments

@AlexWaygood AlexWaygood AlexWaygood approved these changes

@Eclips4 Eclips4 Eclips4 approved these changes

@JelleZijlstra JelleZijlstra JelleZijlstra approved these changes

@ZeroIntensity ZeroIntensity ZeroIntensity approved these changes

@isidentical isidentical Awaiting requested review from isidentical

Assignees

No one assigned

Labels

skip news

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@tomasr8 @Eclips4 @AlexWaygood @JelleZijlstra @picnixz @ZeroIntensity