Use After Free at _heapreplace_max #115706
Labels: type-crash (A hard crash of the interpreter, possibly with a core dump)

Comments

kcatss added the type-crash label on Feb 20, 2024
Confirmed on current main.

Add the ASan log of this UAF.
Looks like this was also fixed by #120303

Python 3.14.0a0 (heads/main:141babad9b4, Jun 11 2024, 10:06:51) [Clang 15.0.0 (clang-1500.3.9.4)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import heapq
...
... class test():
...     def __lt__(self, other):
...         heapq._heappop_max(other)
...         return NotImplemented
...
... a = [0, [test()]]
... heapq._heapreplace_max(a, a)
Traceback (most recent call last):
  File "<python-input-0>", line 9, in <module>
    heapq._heapreplace_max(a, a)
    ~~~~~~~~~~~~~~~~~~~~~~^^^^^^
TypeError: '<' not supported between instances of 'test' and 'list'

Thanks a lot for useful bug reports and reproductions! 👍
Crash report

What happened?

Version

Python 3.13.0a3+ (heads/main:b3f0b698da, Feb 12 2024, 03:56:25) [GCC 11.4.0]
bisect from commit f95a1b3

Root Cause

The improper validation in heapq._heapreplace_max allows the list to contain itself, and heapq._heapreplace_max finally calls list_richcompare if the elements are both of list type. At that time, the self argument of __lt__ is an element of the other argument. In the __lt__ function, the other argument can decrease the reference count of the self argument by using functions such as pop or remove. This action could potentially modify the list that self is part of while it is being compared, leading to unexpected behavior or errors such as use after free.

POC

ASan
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.13.0a3+ (heads/v3.13.0a2:e2c4038924, Feb 10 2024, 12:05:47) [GCC 11.4.0]
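The root cause above is a reentrancy hazard: a heap sift indexes into a list across comparisons, and each comparison may run arbitrary __lt__ code that shrinks that same list. The following pure-Python sketch is an added example, not code from this issue or from CPython; it re-reads the heap's length after every comparison and aborts with RuntimeError when the size changed, modelled on the size re-check approach used in CPython's C heapq, rather than continuing to index into a mutated list. The names SizeMutatingKey, heapreplace_max_checked and demo are this example's own, and the hostile element is constructed for the demonstration.

```python
class SizeMutatingKey:
    """Constructed hostile element for the demo: comparing it pops an
    element from the heap it lives in, much like the report's __lt__."""

    def __init__(self, heap):
        self.heap = heap

    def __lt__(self, other):
        if self.heap:
            self.heap.pop()  # shrinks the list while a sift is still indexing it
        return True


def heapreplace_max_checked(heap, item):
    """Pop the largest element, push item, and restore max-heap order.

    Every comparison may run arbitrary __lt__ code, so the heap size is
    re-read after each one; if it changed, the operation is aborted with
    RuntimeError instead of indexing into a list that has been mutated.
    (Plain top-down sift; CPython's C version sifts differently, but the
    guard is the same idea.)
    """
    if not heap:
        raise IndexError("heapreplace_max on empty heap")
    n = len(heap)
    returned = heap[0]
    heap[0] = item
    pos = 0
    while True:
        child = 2 * pos + 1
        if child >= n:
            break
        right = child + 1
        # First comparison: pick the larger child.
        if right < n and heap[child] < heap[right]:
            child = right
        if len(heap) != n:
            raise RuntimeError("list changed size during heapreplace")
        # Second comparison: stop when the parent already dominates.
        if not heap[pos] < heap[child]:
            break
        if len(heap) != n:
            raise RuntimeError("list changed size during heapreplace")
        heap[pos], heap[child] = heap[child], heap[pos]
        pos = child
    return returned


def demo():
    """Returns (well-behaved result, well-behaved heap, hostile outcome)."""
    heap = [9, 7, 8, 1, 2]            # constructed max-heap
    top = heapreplace_max_checked(heap, 5)

    hostile = [5]                      # constructed heap with a mutating element
    hostile.append(SizeMutatingKey(hostile))
    hostile.append(3)
    try:
        heapreplace_max_checked(hostile, 1)
        outcome = "no error"
    except RuntimeError as exc:
        outcome = str(exc)
    return top, heap, outcome


if __name__ == "__main__":
    print(demo())
```

The point of the guard is that it fails closed: the hostile comparator still runs, but the sift refuses to touch an index it can no longer trust, which is the difference between a clean RuntimeError and reading freed memory in the C implementation.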