Skip to content

Use After Free in list_richcompare_impl #120298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
kcatss opened this issue Jun 9, 2024 · 1 comment
Closed

Use After Free in list_richcompare_impl #120298

kcatss opened this issue Jun 9, 2024 · 1 comment
Labels
3.12 only security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@kcatss
Copy link
Contributor

kcatss commented Jun 9, 2024
edited
Loading

Crash report

Bisect

bisect from 65e1cea

Build

 ./configure --with-pydebug --with-address-sanitizer

Root Cause

The list_richcompare_impl function calls arbitrary code while comparing nested list structures. This can cause vl->ob_item[i] and wl->ob_item[i] to have their reference counts decreased, triggering a use-after-free issue. This issue arises when called from bisect, deque and heapq(#115706) indices with improper validation.

static PyObject *
list_richcompare_impl(PyObject *v, PyObject *w, int op)
{
    PyListObject *vl, *wl;
    Py_ssize_t i;

    if (!PyList_Check(v) || !PyList_Check(w)) 
        Py_RETURN_NOTIMPLEMENTED;

    vl = (PyListObject *)v;
    wl = (PyListObject *)w;

    if (Py_SIZE(vl) != Py_SIZE(wl) && (op == Py_EQ || op == Py_NE)) {
        /* Shortcut: if the lengths differ, the lists differ */
        if (op == Py_EQ)
            Py_RETURN_FALSE;
        else
            Py_RETURN_TRUE;
    }

    /* Search for the first index where items are different */
    for (i = 0; i < Py_SIZE(vl) && i < Py_SIZE(wl); i++) {
        PyObject *vitem = vl->ob_item[i];
        PyObject *witem = wl->ob_item[i];
        if (vitem == witem) {
            continue;
        }

        Py_INCREF(vitem);
        Py_INCREF(witem);
        int k = PyObject_RichCompareBool(vitem, witem, Py_EQ);
        Py_DECREF(vitem);
        Py_DECREF(witem);
        if (k < 0)
            return NULL;
        if (!k)
            break;
    }

    if (i >= Py_SIZE(vl) || i >= Py_SIZE(wl)) {
        /* No more items to compare -- compare sizes */
        Py_RETURN_RICHCOMPARE(Py_SIZE(vl), Py_SIZE(wl), op);
    }

    /* We have an item that differs -- shortcuts for EQ/NE */
    if (op == Py_EQ) {
        Py_RETURN_FALSE;
    }
    if (op == Py_NE) {
        Py_RETURN_TRUE;
    }

    /* Compare the final item again using the proper operator */
    return PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op); // <-- call arbitrary code in python
}

POC

import _bisect

class evil(object):
    def __lt__(self, other):
        other.clear()
        return NotImplemented

a =   [ [ evil()]]
_bisect.insort_left( a ,a  )
import collections

class evil(object):
    def __lt__(self, other):
        other.pop()
        return NotImplemented

a = [  [   [   evil() ]    ]  ]
collections.deque( a[0]  )  < collections.deque( a  )

asan

bisect asan 
=================================================================
==148257==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300001ff78 at pc 0x55564b4e5fe2 bp 0x7ffe8b09d4b0 sp 0x7ffe8b09d4a0
READ of size 8 at 0x61300001ff78 thread T0
    #0 0x55564b4e5fe1 in Py_TYPE Include/object.h:249
    #1 0x55564b4e5fe1 in list_richcompare_impl Objects/listobject.c:3338
    #2 0x55564b4e6bcb in list_richcompare Objects/listobject.c:3393
    #3 0x55564b561388 in do_richcompare Objects/object.c:933
    #4 0x55564b561654 in PyObject_RichCompare Objects/object.c:976
    #5 0x55564b4e66c9 in list_richcompare_impl Objects/listobject.c:3385
    #6 0x55564b4e6bcb in list_richcompare Objects/listobject.c:3393
    #7 0x7fd307a05a2b in internal_bisect_left Modules/_bisectmodule.c:288
    #8 0x7fd307a063b6 in _bisect_insort_left_impl Modules/_bisectmodule.c:396
    #9 0x7fd307a06a74 in _bisect_insort_left Modules/clinic/_bisectmodule.c.h:432
    #10 0x55564b55224a in cfunction_vectorcall_FASTCALL_KEYWORDS Objects/methodobject.c:441
    #11 0x55564b45bbb9 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168
    #12 0x55564b45bd14 in PyObject_Vectorcall Objects/call.c:327
    #13 0x55564b7988c4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:813
    #14 0x55564b7d0a7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #15 0x55564b7d0a7b in _PyEval_Vector Python/ceval.c:1819
    #16 0x55564b7d0c9c in PyEval_EvalCode Python/ceval.c:599
    #17 0x55564b8e8c51 in run_eval_code_obj Python/pythonrun.c:1292
    #18 0x55564b8ebb96 in run_mod Python/pythonrun.c:1377
    #19 0x55564b8ec976 in pyrun_file Python/pythonrun.c:1210
    #20 0x55564b8eee55 in _PyRun_SimpleFileObject Python/pythonrun.c:459
    #21 0x55564b8ef349 in _PyRun_AnyFileObject Python/pythonrun.c:77
    #22 0x55564b950718 in pymain_run_file_obj Modules/main.c:357
    #23 0x55564b952fea in pymain_run_file Modules/main.c:376
    #24 0x55564b953bfb in pymain_run_python Modules/main.c:639
    #25 0x55564b953d8b in Py_RunMain Modules/main.c:718
    #26 0x55564b953f72 in pymain_main Modules/main.c:748
    #27 0x55564b9542ea in Py_BytesMain Modules/main.c:772
    #28 0x55564b2bdb15 in main Programs/python.c:15
    #29 0x7fd30a683d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #30 0x7fd30a683e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #31 0x55564b2bda44 in _start (/home/kcats/cpython/python+0x282a44)

0x61300001ff78 is located 56 bytes inside of 352-byte region [0x61300001ff40,0x6130000200a0)
freed by thread T0 here:
    #0 0x7fd30aa1e537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55564b5689c5 in _PyMem_RawFree Objects/obmalloc.c:90
    #2 0x55564b56ac2f in _PyMem_DebugRawFree Objects/obmalloc.c:2754
    #3 0x55564b56b55d in _PyMem_DebugFree Objects/obmalloc.c:2891
    #4 0x55564b59f467 in PyObject_Free Objects/obmalloc.c:1323
    #5 0x55564b848285 in PyObject_GC_Del Python/gc.c:2123
    #6 0x55564b5c4af8 in object_dealloc Objects/typeobject.c:6324
    #7 0x55564b5ec8e4 in subtype_dealloc Objects/typeobject.c:2534
    #8 0x55564b55f3b1 in _Py_Dealloc Objects/object.c:2854
    #9 0x55564b83f056 in Py_DECREF Include/refcount.h:351
    #10 0x55564b83f056 in Py_XDECREF Include/refcount.h:459
    #11 0x55564b83f056 in _PyFrame_ClearLocals Python/frame.c:104
    #12 0x55564b83f21c in _PyFrame_ClearExceptCode Python/frame.c:129
    #13 0x55564b7819a6 in clear_thread_frame Python/ceval.c:1681
    #14 0x55564b78a486 in _PyEval_FrameClearAndPop Python/ceval.c:1708
    #15 0x55564b7c3ea5 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:5279
    #16 0x55564b7d0a7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #17 0x55564b7d0a7b in _PyEval_Vector Python/ceval.c:1819
    #18 0x55564b45b20d in _PyFunction_Vectorcall Objects/call.c:413
    #19 0x55564b60196b in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168
    #20 0x55564b60196b in vectorcall_unbound Objects/typeobject.c:2716
    #21 0x55564b60196b in slot_tp_richcompare Objects/typeobject.c:9812
    #22 0x55564b561280 in do_richcompare Objects/object.c:927
    #23 0x55564b561654 in PyObject_RichCompare Objects/object.c:976
    #24 0x55564b4e66c9 in list_richcompare_impl Objects/listobject.c:3385
    #25 0x55564b4e6bcb in list_richcompare Objects/listobject.c:3393
    #26 0x7fd307a05a2b in internal_bisect_left Modules/_bisectmodule.c:288
    #27 0x7fd307a063b6 in _bisect_insort_left_impl Modules/_bisectmodule.c:396
    #28 0x7fd307a06a74 in _bisect_insort_left Modules/clinic/_bisectmodule.c.h:432
    #29 0x55564b55224a in cfunction_vectorcall_FASTCALL_KEYWORDS Objects/methodobject.c:441
    #30 0x55564b45bbb9 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168
    #31 0x55564b45bd14 in PyObject_Vectorcall Objects/call.c:327
    #32 0x55564b7988c4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:813
    #33 0x55564b7d0a7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #34 0x55564b7d0a7b in _PyEval_Vector Python/ceval.c:1819
    #35 0x55564b7d0c9c in PyEval_EvalCode Python/ceval.c:599

previously allocated by thread T0 here:
    #0 0x7fd30aa1e887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55564b56956c in _PyMem_RawMalloc Objects/obmalloc.c:62
    #2 0x55564b56889f in _PyMem_DebugRawAlloc Objects/obmalloc.c:2686
    #3 0x55564b568907 in _PyMem_DebugRawMalloc Objects/obmalloc.c:2719
    #4 0x55564b56b59f in _PyMem_DebugMalloc Objects/obmalloc.c:2876
    #5 0x55564b59f323 in PyObject_Malloc Objects/obmalloc.c:1294
    #6 0x55564b5e16bc in _PyObject_MallocWithType Include/internal/pycore_object_alloc.h:46
    #7 0x55564b5e16bc in _PyType_AllocNoTrack Objects/typeobject.c:2187
    #8 0x55564b5e1b9b in PyType_GenericAlloc Objects/typeobject.c:2216
    #9 0x55564b5da5bf in object_new Objects/typeobject.c:6314
    #10 0x55564b5e8851 in type_call Objects/typeobject.c:2131
    #11 0x55564b45b5e7 in _PyObject_MakeTpCall Objects/call.c:242
    #12 0x55564b45bce8 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:166
    #13 0x55564b45bd14 in PyObject_Vectorcall Objects/call.c:327
    #14 0x55564b7988c4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:813
    #15 0x55564b7d0a7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #16 0x55564b7d0a7b in _PyEval_Vector Python/ceval.c:1819
    #17 0x55564b7d0c9c in PyEval_EvalCode Python/ceval.c:599
    #18 0x55564b8e8c51 in run_eval_code_obj Python/pythonrun.c:1292
    #19 0x55564b8ebb96 in run_mod Python/pythonrun.c:1377
    #20 0x55564b8ec976 in pyrun_file Python/pythonrun.c:1210
    #21 0x55564b8eee55 in _PyRun_SimpleFileObject Python/pythonrun.c:459
    #22 0x55564b8ef349 in _PyRun_AnyFileObject Python/pythonrun.c:77
    #23 0x55564b950718 in pymain_run_file_obj Modules/main.c:357
    #24 0x55564b952fea in pymain_run_file Modules/main.c:376
    #25 0x55564b953bfb in pymain_run_python Modules/main.c:639
    #26 0x55564b953d8b in Py_RunMain Modules/main.c:718
    #27 0x55564b953f72 in pymain_main Modules/main.c:748
    #28 0x55564b9542ea in Py_BytesMain Modules/main.c:772
    #29 0x55564b2bdb15 in main Programs/python.c:15
    #30 0x7fd30a683d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: heap-use-after-free Include/object.h:249 in Py_TYPE
Shadow bytes around the buggy address:
  0x0c267fffbf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fffbfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fffbfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fffbfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fffbfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c267fffbfe0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd]
  0x0c267fffbff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fffc000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fffc010: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fffc020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fffc030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==148257==ABORTING
deque asan 
=================================================================
==144863==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000290b8 at pc 0x55ced2414fe2 bp 0x7ffd0b9be680 sp 0x7ffd0b9be670
READ of size 8 at 0x6130000290b8 thread T0
    #0 0x55ced2414fe1 in Py_TYPE Include/object.h:249
    #1 0x55ced2414fe1 in list_richcompare_impl Objects/listobject.c:3338
    #2 0x55ced2415bcb in list_richcompare Objects/listobject.c:3393
    #3 0x55ced2490388 in do_richcompare Objects/object.c:933
    #4 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
    #5 0x55ced24156c9 in list_richcompare_impl Objects/listobject.c:3385
    #6 0x55ced2415bcb in list_richcompare Objects/listobject.c:3393
    #7 0x55ced2490280 in do_richcompare Objects/object.c:927
    #8 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
    #9 0x55ced2490782 in PyObject_RichCompareBool Objects/object.c:998
    #10 0x55ced28eeca2 in deque_richcompare Modules/_collectionsmodule.c:1678
    #11 0x55ced2490280 in do_richcompare Objects/object.c:927
    #12 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
    #13 0x55ced26d50e9 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:2218
    #14 0x55ced26ffa7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #15 0x55ced26ffa7b in _PyEval_Vector Python/ceval.c:1819
    #16 0x55ced26ffc9c in PyEval_EvalCode Python/ceval.c:599
    #17 0x55ced2817c51 in run_eval_code_obj Python/pythonrun.c:1292
    #18 0x55ced281ab96 in run_mod Python/pythonrun.c:1377
    #19 0x55ced281b976 in pyrun_file Python/pythonrun.c:1210
    #20 0x55ced281de55 in _PyRun_SimpleFileObject Python/pythonrun.c:459
    #21 0x55ced281e349 in _PyRun_AnyFileObject Python/pythonrun.c:77
    #22 0x55ced287f718 in pymain_run_file_obj Modules/main.c:357
    #23 0x55ced2881fea in pymain_run_file Modules/main.c:376
    #24 0x55ced2882bfb in pymain_run_python Modules/main.c:639
    #25 0x55ced2882d8b in Py_RunMain Modules/main.c:718
    #26 0x55ced2882f72 in pymain_main Modules/main.c:748
    #27 0x55ced28832ea in Py_BytesMain Modules/main.c:772
    #28 0x55ced21ecb15 in main Programs/python.c:15
    #29 0x7f384351dd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #30 0x7f384351de3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #31 0x55ced21eca44 in _start (/home/kcats/cpython/python+0x282a44)

0x6130000290b8 is located 56 bytes inside of 352-byte region [0x613000029080,0x6130000291e0)
freed by thread T0 here:
    #0 0x7f38438b8537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55ced24979c5 in _PyMem_RawFree Objects/obmalloc.c:90
    #2 0x55ced2499c2f in _PyMem_DebugRawFree Objects/obmalloc.c:2754
    #3 0x55ced249a55d in _PyMem_DebugFree Objects/obmalloc.c:2891
    #4 0x55ced24ce467 in PyObject_Free Objects/obmalloc.c:1323
    #5 0x55ced2777285 in PyObject_GC_Del Python/gc.c:2123
    #6 0x55ced24f3af8 in object_dealloc Objects/typeobject.c:6324
    #7 0x55ced251b8e4 in subtype_dealloc Objects/typeobject.c:2534
    #8 0x55ced248e3b1 in _Py_Dealloc Objects/object.c:2854
    #9 0x55ced276e056 in Py_DECREF Include/refcount.h:351
    #10 0x55ced276e056 in Py_XDECREF Include/refcount.h:459
    #11 0x55ced276e056 in _PyFrame_ClearLocals Python/frame.c:104
    #12 0x55ced276e21c in _PyFrame_ClearExceptCode Python/frame.c:129
    #13 0x55ced26b09a6 in clear_thread_frame Python/ceval.c:1681
    #14 0x55ced26b9486 in _PyEval_FrameClearAndPop Python/ceval.c:1708
    #15 0x55ced26f2ea5 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:5279
    #16 0x55ced26ffa7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #17 0x55ced26ffa7b in _PyEval_Vector Python/ceval.c:1819
    #18 0x55ced238a20d in _PyFunction_Vectorcall Objects/call.c:413
    #19 0x55ced253096b in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168
    #20 0x55ced253096b in vectorcall_unbound Objects/typeobject.c:2716
    #21 0x55ced253096b in slot_tp_richcompare Objects/typeobject.c:9812
    #22 0x55ced2490280 in do_richcompare Objects/object.c:927
    #23 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
    #24 0x55ced24156c9 in list_richcompare_impl Objects/listobject.c:3385
    #25 0x55ced2415bcb in list_richcompare Objects/listobject.c:3393
    #26 0x55ced2490280 in do_richcompare Objects/object.c:927
    #27 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
    #28 0x55ced2490782 in PyObject_RichCompareBool Objects/object.c:998
    #29 0x55ced28eeca2 in deque_richcompare Modules/_collectionsmodule.c:1678
    #30 0x55ced2490280 in do_richcompare Objects/object.c:927
    #31 0x55ced2490654 in PyObject_RichCompare Objects/object.c:976
    #32 0x55ced26d50e9 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:2218
    #33 0x55ced26ffa7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #34 0x55ced26ffa7b in _PyEval_Vector Python/ceval.c:1819
    #35 0x55ced26ffc9c in PyEval_EvalCode Python/ceval.c:599

previously allocated by thread T0 here:
    #0 0x7f38438b8887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55ced249856c in _PyMem_RawMalloc Objects/obmalloc.c:62
    #2 0x55ced249789f in _PyMem_DebugRawAlloc Objects/obmalloc.c:2686
    #3 0x55ced2497907 in _PyMem_DebugRawMalloc Objects/obmalloc.c:2719
    #4 0x55ced249a59f in _PyMem_DebugMalloc Objects/obmalloc.c:2876
    #5 0x55ced24ce323 in PyObject_Malloc Objects/obmalloc.c:1294
    #6 0x55ced25106bc in _PyObject_MallocWithType Include/internal/pycore_object_alloc.h:46
    #7 0x55ced25106bc in _PyType_AllocNoTrack Objects/typeobject.c:2187
    #8 0x55ced2510b9b in PyType_GenericAlloc Objects/typeobject.c:2216
    #9 0x55ced25095bf in object_new Objects/typeobject.c:6314
    #10 0x55ced2517851 in type_call Objects/typeobject.c:2131
    #11 0x55ced238a5e7 in _PyObject_MakeTpCall Objects/call.c:242
    #12 0x55ced238ace8 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:166
    #13 0x55ced238ad14 in PyObject_Vectorcall Objects/call.c:327
    #14 0x55ced26c78c4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:813
    #15 0x55ced26ffa7b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #16 0x55ced26ffa7b in _PyEval_Vector Python/ceval.c:1819
    #17 0x55ced26ffc9c in PyEval_EvalCode Python/ceval.c:599
    #18 0x55ced2817c51 in run_eval_code_obj Python/pythonrun.c:1292
    #19 0x55ced281ab96 in run_mod Python/pythonrun.c:1377
    #20 0x55ced281b976 in pyrun_file Python/pythonrun.c:1210
    #21 0x55ced281de55 in _PyRun_SimpleFileObject Python/pythonrun.c:459
    #22 0x55ced281e349 in _PyRun_AnyFileObject Python/pythonrun.c:77
    #23 0x55ced287f718 in pymain_run_file_obj Modules/main.c:357
    #24 0x55ced2881fea in pymain_run_file Modules/main.c:376
    #25 0x55ced2882bfb in pymain_run_python Modules/main.c:639
    #26 0x55ced2882d8b in Py_RunMain Modules/main.c:718
    #27 0x55ced2882f72 in pymain_main Modules/main.c:748
    #28 0x55ced28832ea in Py_BytesMain Modules/main.c:772
    #29 0x55ced21ecb15 in main Programs/python.c:15
    #30 0x7f384351dd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: heap-use-after-free Include/object.h:249 in Py_TYPE
Shadow bytes around the buggy address:
  0x0c267fffd1c0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c267fffd1d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c267fffd1e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fffd1f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fffd200: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c267fffd210: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c267fffd220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fffd230: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c267fffd240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fffd250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fffd260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==144863==ABORTING

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.14.0a0 (heads/main:34f5ae69fe, Jun 9 2024, 21:27:54) [GCC 11.4.0]

Linked PRs
@kcatss kcatss added the type-crash A hard crash of the interpreter, possibly with a core dump label Jun 9, 2024
@Eclips4
Copy link
Member

Eclips4 commented Jun 10, 2024

Thanks for the report!
Confirmed on current main.

sobolevn added a commit to sobolevn/cpython that referenced this issue Jun 10, 2024
@sobolevn
pythongh-120298: Fix use-after-free in list_richcompare_impl

Verified

This commit was signed with the committer’s verified signature.
sobolevn
GPG key ID: FF672D568AE3C73E
Verified
Learn about vigilant mode
Loading
Loading status checks…
256bc2b
@bedevere-app bedevere-app bot mentioned this issue Jun 10, 2024
Merged
sobolevn added a commit that referenced this issue Jun 11, 2024
@sobolevn @serhiy-storchaka
gh-120298: Fix use-after-free in list_richcompare_impl (#120303)

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
Loading
Loading status checks…
141baba 
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jun 11, 2024
@sobolevn @serhiy-storchaka @miss-islington
pythongh-120298: Fix use-after-free in list_richcompare_impl (pytho…
Loading
Loading status checks…
ade2838 
…nGH-120303)

(cherry picked from commit 141baba)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app bedevere-app bot mentioned this issue Jun 11, 2024
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Jun 11, 2024
@sobolevn @serhiy-storchaka @miss-islington
pythongh-120298: Fix use-after-free in list_richcompare_impl (pytho…
Loading
Loading status checks…
5a2001c 
…nGH-120303)

(cherry picked from commit 141baba)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app bedevere-app bot mentioned this issue Jun 11, 2024
Merged
sobolevn added a commit that referenced this issue Jun 11, 2024
@miss-islington @sobolevn @serhiy-storchaka
[3.12] gh-120298: Fix use-after-free in list_richcompare_impl (GH-1…

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
Loading
Loading status checks…
b884536 
…20303) (#120339)

gh-120298: Fix use-after-free in `list_richcompare_impl` (GH-120303)
(cherry picked from commit 141baba)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
sobolevn added a commit that referenced this issue Jun 11, 2024
@miss-islington @sobolevn @serhiy-storchaka
[3.13] gh-120298: Fix use-after-free in list_richcompare_impl (GH-1…

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
Loading
Loading status checks…
52225c6 
…20303) (#120340)

gh-120298: Fix use-after-free in `list_richcompare_impl` (GH-120303)
(cherry picked from commit 141baba)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
mrahtz pushed a commit to mrahtz/cpython that referenced this issue Jun 30, 2024
@sobolevn @serhiy-storchaka @mrahtz
pythongh-120298: Fix use-after-free in list_richcompare_impl (pytho…
06a131d 
…n#120303)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
gpshead added a commit to gpshead/cpython that referenced this issue Jul 3, 2024
@gpshead
Backport pythongh-120298 list_richcompare use after free
Loading
Loading status checks…
391eb41 
This backports the fix to python#120298.
commit id b884536
@gpshead gpshead mentioned this issue Jul 3, 2024
Draft
noahbkim pushed a commit to hudson-trading/cpython that referenced this issue Jul 11, 2024
@sobolevn @serhiy-storchaka @noahbkim
pythongh-120298: Fix use-after-free in list_richcompare_impl (pytho…
2cdbc2f 
…n#120303)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@serhiy-storchaka serhiy-storchaka added 3.12 only security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes labels Jul 17, 2024
estyxx pushed a commit to estyxx/cpython that referenced this issue Jul 17, 2024
@sobolevn @serhiy-storchaka @estyxx
pythongh-120298: Fix use-after-free in list_richcompare_impl (pytho…

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
baa7cdb 
…n#120303)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.12 only security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes type-crash A hard crash of the interpreter, possibly with a core dump
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@serhiy-storchaka @sobolevn @kcatss @Eclips4