Skip to content

ctypes.Pointer.get_contents doesn't hold the object's lock for long enough #131974

New issue
New issue
Closed
Closed
ctypes.Pointer.get_contents doesn't hold the object's lock for long enough#131974
Assignees
ZeroIntensity
Labels
topic-ctypestopic-free-threadingtype-bugAn unexpected behavior, bug, or error
@ZeroIntensity

Description

@ZeroIntensity
ZeroIntensity
opened on Apr 1, 2025

Bug report

Bug description:

As @kumaraditya303 mentioned, ctypes.Pointer.get_contents has a thread safety bug that I missed when I originally fixed it.

cpython/Modules/_ctypes/_ctypes.c

Lines 5413 to 5430 in 3b3720f

Pointer_get_contents(PyObject *self, void *closure)
{
void *deref = locked_deref(_CDataObject_CAST(self));
if (deref == NULL) {
PyErr_SetString(PyExc_ValueError,
"NULL pointer access");
return NULL;
}
ctypes_state *st = get_module_state_by_def(Py_TYPE(Py_TYPE(self)));
StgInfo *stginfo;
if (PyStgInfo_FromObject(st, self, &stginfo) < 0) {
return NULL;
}
assert(stginfo); /* Cannot be NULL for pointer instances */
return PyCData_FromBaseObj(st, stginfo->proto, self, 0, deref);
}

Dereferencing the pointer is locked, but it's unsafe to call PyCData_FromBaseObj without holding the lock, because the pointer might be invalidated concurrently. I suspect this kind of bug exists with other uses of locked_deref too.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Linked PRs

Metadata

Metadata

Assignees

Labels

topic-ctypestopic-free-threadingtype-bugAn unexpected behavior, bug, or error

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions