[issue33742] Unsafe memory access in PyStructSequence_InitType

2018-06-20 Thread Xiang Zhang


Change by Xiang Zhang:


--
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue33742] Unsafe memory access in PyStructSequence_InitType

2018-06-20 Thread Xiang Zhang


Xiang Zhang added the comment:

I don't think there is a problem here. It crashes because you preallocate the type 
object in a wrong way. You should not just do a malloc and then pass it to 
the API. In this way, you are able to crash many APIs. For example, mallocing a 
dictobject and then passing it to PyDict_SetItem could quite possibly crash. You 
should use PyDict_New to allocate the dictobject. Also here, you need to use 
PyType_GenericAlloc(_Type, 0) to allocate the type object, not just a 
malloc.

--
nosy: +xiang.zhang




[issue33742] Unsafe memory access in PyStructSequence_InitType

2018-06-04 Thread Pasha Stetsenko


Pasha Stetsenko added the comment:

The code is simple:
```
#include <Python.h>
#include <stdlib.h>
// first initialize PyStructSequence_Field* fields; then:
PyTypeObject* type = malloc(sizeof(PyTypeObject));  // uninitialized memory: the object header holds garbage
PyStructSequence_InitType(type, desc);
```

Of course, `malloc` can accidentally allocate memory that is already filled 
with 0s (especially if it is run at the start of the program). So in order to 
make the code exhibit the bug reliably, you can add
```
memset(type, 0xDA, sizeof(PyTypeObject));
```
after the `malloc`.

--




[issue33742] Unsafe memory access in PyStructSequence_InitType

2018-06-03 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:

Could you please provide a C code that reproduces the crash?

--
components: +Interpreter Core
nosy: +serhiy.storchaka
versions: +Python 3.8 -Python 3.5




[issue33742] Unsafe memory access in PyStructSequence_InitType

2018-06-03 Thread Pasha Stetsenko


New submission from Pasha Stetsenko:

The documentation (https://docs.python.org/3/c-api/tuple.html) for 
`PyStructSequence_InitType` describes the function as follows:

> void PyStructSequence_InitType(PyTypeObject *type, PyStructSequence_Desc *desc)
>
> Initializes a struct sequence type `type` from `desc` in place.

And most of the time it does just that.
However, when running under python compiled in debug mode, the body of the 
function will contain the following code at the very beginning:
```
if (type->ob_base.ob_base._ob_next) {      // debug builds only: unchain a "live" object before reuse
    _Py_ForgetReference((PyObject*)type);
}
```
Since `type` here is a preallocated but uninitialized piece of memory, it 
may contain garbage data that, when interpreted as a "live" PyObject, will result 
in memory corruption or a process crash.

Thus, either the description of the `PyStructSequence_InitType` method has to 
document that the `type` object must be zeroed out before being passed to the 
method, or the call to `_Py_ForgetReference` has to be removed.

--
messages: 318523
nosy: Pasha Stetsenko
priority: normal
severity: normal
status: open
title: Unsafe memory access in PyStructSequence_InitType
type: crash
versions: Python 3.5, Python 3.6, Python 3.7
