From 64fd2a6b5796d2bba2afe90656bd49b951c4f21b Mon Sep 17 00:00:00 2001 From: Gregory Szorc Date: Mon, 27 Apr 2020 17:46:35 -0700 Subject: [PATCH 1/3] bpo-40412: Nullify inittab_copy during finalization Otherwise we leave a dangling pointer to free'd memory. If we then initialize a new interpreter in the same process and call PyImport_ExtendInittab, we will (likely) crash when calling PyMem_RawRealloc(inittab_copy, ...) since the pointer address is bogus. --- Python/import.c | 1 + 1 file changed, 1 insertion(+) diff --git a/Python/import.c b/Python/import.c index a8743458dd5c96..28688c9e87e6aa 100644 --- a/Python/import.c +++ b/Python/import.c @@ -299,6 +299,7 @@ _PyImport_Fini2(void) /* Free memory allocated by PyImport_ExtendInittab() */ PyMem_RawFree(inittab_copy); + inittab_copy = NULL; PyMem_SetAllocator(PYMEM_DOMAIN_RAW, &old_alloc); } From 7af7634dbed71b0b7f7070358d166f96f6f64dc8 Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Fri, 1 May 2020 17:28:05 +0000 Subject: [PATCH 2/3] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst diff --git a/Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst b/Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst new file mode 100644 index 00000000000000..ddf14acc976ff7 --- /dev/null +++ b/Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst 
@@ -0,0 +1 @@ +Nullify inittab_copy during finalization. Before, Python interpreter finalization would leave a pointer reference to released memory. If another interpreter were initialized in the same process, it would attempt to access this memory, likely leading to a crash. This was only reproducible if Python were embedded in a larger application and does not affect any application distributed by Python itself. Patch by Gregory Szorc. \ No newline at end of file From 3eea7db06876838940930b13dd9785d9c81d750a Mon Sep 17 00:00:00 2001 From: Brett Cannon Date: Fri, 1 May 2020 10:46:41 -0700 Subject: [PATCH 3/3] Shorten news entry --- Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst b/Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst index ddf14acc976ff7..92bfcddf115a68 100644 --- a/Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst +++ b/Misc/NEWS.d/next/C API/2020-05-01-17-28-04.bpo-40412.dE0D8N.rst @@ -1 +1 @@ -Nullify inittab_copy during finalization. Before, Python interpreter finalization would leave a pointer reference to released memory. If another interpreter were initialized in the same process, it would attempt to access this memory, likely leading to a crash. This was only reproducible if Python were embedded in a larger application and does not affect any application distributed by Python itself. Patch by Gregory Szorc. \ No newline at end of file +Nullify inittab_copy during finalization, preventing future interpreter initializations in an embedded situation from crashing. Patch by Gregory Szorc.
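Review bot: No regression test accompanies the Python/import.c hunk (the first patch touches only that one file), so nothing exercises the scenario the commit message describes: finalize, initialize a new interpreter in the same process, then call PyImport_ExtendInittab. Since the fault was a use of freed memory via `PyMem_RawRealloc(inittab_copy, ...)`, a test that re-initializes the interpreter and extends the inittab again would catch a regression; consider adding one alongside the existing embedding tests. The change itself is placed correctly: `inittab_copy = NULL;` directly follows `PyMem_RawFree(inittab_copy);` and precedes the allocator restore, so the next `PyImport_ExtendInittab` call sees a NULL pointer (which realloc treats as a fresh allocation) instead of a stale address.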
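Review bot: The NEWS file added in the second patch ends with `\ No newline at end of file`; NEWS.d entries should be newline-terminated so the blurb tooling and later edits produce clean one-line diffs. The entry also restates the full commit message, including the qualifier "does not affect any application distributed by Python itself", which is more detail than a NEWS line needs; a single sentence naming the symptom (crash on re-initialization when embedded) and the fix is enough.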
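Review bot: In the third patch the shortened entry reads "in an embedded situation", which is vague; "when Python is embedded in a larger application" says the same thing more precisely and matches the wording of the original commit message. The trimmed text also drops the root cause entirely; keeping a short clause such as "which previously left a dangling pointer to freed memory" helps embedders searching the changelog recognize the crash they hit. The trailing-newline problem from the previous version appears to be resolved here, since the `+` line no longer carries the `\ No newline at end of file` marker.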