On Fri, Jan 7, 2022 at 1:59 AM lxr1210--- via Python-Dev
<python-dev@python.org> wrote:
>
> Hi all,
>
> I am currently doing some research on the security of CPython. I used the 
> open source vulnerability analysis engine, Infer(https://fbinfer.com/), to 
> scan the native code of CPython 3.10.0.
>
> The scan results show that there are still a number of vulnerabilities in the 
> CPython native code, such as Null dereference, Uninitialized variable, 
> Resource/Memory leak, etc. Moreover, I found that some of the vulnerabilities 
> are related to Python/C API. I enclose the vulnerability report for your 
> reference.
>

Tool needs some improvements.

Py_CLEAR is documented as doing nothing if given a null pointer.

All of the "value not used" complaints seem to be places where
something is coded in a consistent way, such as repeatedly
incrementing a value and comparing it to something, so it would be a
code maintenance hassle to do things differently on the last one.

I checked a few of the null dereference complaints. The tool seems
concerned that PyUnicode_DATA(str) might return NULL, that
assert(state != NULL) won't stop the function, and that
PyThreadState_Get might return NULL (it's documented as bombing with a
fatal error in such a situation, so you specifically don't have to
check).

The complaint about unicodedata.c line 168 is a bit subtler, but the
tool isn't able to recognize that rc is always initialized (either
have_old will be set and rc is set, or if have_old isn't set, then rc
will be set).

It would make validation a LOT easier if the complaints could be grouped.

ChrisA
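The Py_CLEAR point above (a documented no-op when the slot is already NULL), as an added stand-alone C mock that is not CPython's code: the CLEAR macro below follows the same save-null-then-decref shape as the real macro, and Obj, obj_decref and freed_count are names this example assumes so it runs without Python.h.

```c
#include <stddef.h>

/* Added example, not CPython code: a stand-alone mock of the Py_CLEAR idiom
 * so the NULL case described in the reply can be exercised without Python.h.
 * Names (Obj, obj_decref, CLEAR, freed_count) are this example's own. */
typedef struct { int refcnt; } Obj;

static int freed_count = 0;          /* how many mock objects reached refcnt 0 */

static void obj_decref(Obj *o)
{
    /* Like Py_DECREF, this must never be handed a NULL pointer. */
    if (--o->refcnt == 0)
        freed_count++;
}

/* Mirrors the documented Py_CLEAR contract: a NULL slot is left untouched,
 * a live slot is set to NULL *before* the decref so a reentrant callback
 * cannot observe a dangling pointer in the slot. */
#define CLEAR(slot)                           \
    do {                                      \
        Obj *_tmp = (slot);                   \
        if (_tmp != NULL) {                   \
            (slot) = NULL;                    \
            obj_decref(_tmp);                 \
        }                                     \
    } while (0)

/* Clearing an already-NULL slot dereferences nothing; returns 1 on success. */
int clear_null_is_noop(void)
{
    Obj *slot = NULL;
    int before = freed_count;
    CLEAR(slot);
    CLEAR(slot);                     /* a second clear is equally harmless */
    return slot == NULL && freed_count == before;
}

/* Clearing a live slot drops the reference exactly once and nulls the slot. */
int clear_live_object(void)
{
    Obj o = { 1 };
    Obj *slot = &o;
    int before = freed_count;
    CLEAR(slot);
    CLEAR(slot);                     /* no double decref: slot is NULL now */
    return slot == NULL && o.refcnt == 0 && freed_count == before + 1;
}
```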
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/KIM5KZIFEFQK7VZT3ZF2WTPLCAYOGQI6/
Code of Conduct: http://python.org/psf/codeofconduct/