Closed
Description
Crash report
What happened?
Version
Python 3.13.0a3+ (heads/v3.13.0a2:e2c4038924, Feb 10 2024, 12:05:47) [GCC 11.4.0]
bisect from commit 32ea165
Root cause
the deque_index_impl function retrieves an element from the deque using b→data. However, the reference count of the item may decrease due to PyObject_RichCompareBool, leading to a use-after-free
static PyObject * deque_index_impl(dequeobject *deque, PyObject *v, Py_ssize_t start, Py_ssize_t stop){ ... while (n--) { CHECK_NOT_END(b); item = b->data[index]; // <--- don't raise reference count using Py_NewRef cmp = PyObject_RichCompareBool(item, v, Py_EQ); // <--- arbitrary call to __eq__ if (cmp > 0) return PyLong_FromSsize_t(stop - (n + 1)); else if (cmp < 0) return NULL; if (start_state != deque->state) { PyErr_SetString(PyExc_RuntimeError, "deque mutated during iteration"); return NULL; } }POC
import collections class evil_pre1(object): def __eq__(self,o): deq.clear() return NotImplemented deq = collections.deque([evil_pre1()]) deq.index(3)ASAN
asan
================================================================= ==246599==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffb086b3c8 at pc 0xaaaabb857308 bp 0xffffc5757c40 sp 0xffffc5757c50 READ of size 8 at 0xffffb086b3c8 thread T0 #0 0xaaaabb857304 in Py_TYPE Include/object.h:333 #1 0xaaaabb857304 in long_richcompare Objects/longobject.c:3265 #2 0xaaaabb8c1158 in do_richcompare Objects/object.c:922 #3 0xaaaabb8c1438 in PyObject_RichCompare Objects/object.c:965 #4 0xaaaabb8c1578 in PyObject_RichCompareBool Objects/object.c:987 #5 0xaaaabbcc1a5c in deque_index_impl Modules/_collectionsmodule.c:1222 #6 0xaaaabbcc1c94 in deque_index Modules/clinic/_collectionsmodule.c.h:248 #7 0xaaaabb7f4ee4 in method_vectorcall_FASTCALL Objects/descrobject.c:401 #8 0xaaaabb7ccb84 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168 #9 0xaaaabb7cccc0 in PyObject_Vectorcall Objects/call.c:327 #10 0xaaaabbab73e4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:815 #11 0xaaaabbb008f4 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:115 #12 0xaaaabbb008f4 in _PyEval_Vector Python/ceval.c:1788 #13 0xaaaabbb00abc in PyEval_EvalCode Python/ceval.c:592 #14 0xaaaabbc02aec in run_eval_code_obj Python/pythonrun.c:1294 #15 0xaaaabbc059e0 in run_mod Python/pythonrun.c:1379 #16 0xaaaabbc0677c in pyrun_file Python/pythonrun.c:1215 #17 0xaaaabbc08c3c in _PyRun_SimpleFileObject Python/pythonrun.c:464 #18 0xaaaabbc08ff4 in _PyRun_AnyFileObject Python/pythonrun.c:77 #19 0xaaaabbc66e68 in pymain_run_file_obj Modules/main.c:357 #20 0xaaaabbc693d8 in pymain_run_file Modules/main.c:376 #21 0xaaaabbc69de0 in pymain_run_python Modules/main.c:628 #22 0xaaaabbc6a084 in Py_RunMain Modules/main.c:707 #23 0xaaaabbc6a274 in pymain_main Modules/main.c:737 #24 0xaaaabbc6a5b0 in Py_BytesMain Modules/main.c:761 #25 0xaaaabb63145c in main Programs/python.c:15 #26 0xffffb93d73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #27 0xffffb93d74c8 in __libc_start_main_impl ../csu/libc-start.c:392 #28 0xaaaabb63136c in _start (/home/kk/projects/cpython/python+0x27136c) 0xffffb086b3c8 is located 56 bytes inside of 72-byte region [0xffffb086b390,0xffffb086b3d8) freed by thread T0 here: #0 0xffffb96a9fe8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 #1 0xaaaabb8c9744 in _PyMem_RawFree Objects/obmalloc.c:84 #2 0xaaaabb8cc580 in _PyMem_DebugRawFree Objects/obmalloc.c:2398 #3 0xaaaabb8ccd74 in _PyMem_DebugFree Objects/obmalloc.c:2531 #4 0xaaaabb8f0f78 in PyObject_Free Objects/obmalloc.c:995 #5 0xaaaabbb7087c in PyObject_GC_Del Python/gc.c:1903 #6 0xaaaabb914e1c in object_dealloc Objects/typeobject.c:5569 #7 0xaaaabb938da8 in subtype_dealloc Objects/typeobject.c:2092 #8 0xaaaabb8bf0b8 in _Py_Dealloc Objects/object.c:2889 #9 0xaaaabbb69bc4 in Py_DECREF Include/object.h:922 #10 0xaaaabbb69bc4 in Py_XDECREF Include/object.h:1030 #11 0xaaaabbb69bc4 in _PyFrame_ClearExceptCode Python/frame.c:140 #12 0xaaaabbaa276c in clear_thread_frame Python/ceval.c:1652 #13 0xaaaabbaab750 in _PyEval_FrameClearAndPop Python/ceval.c:1679 #14 0xaaaabbadc91c in _PyEval_EvalFrameDefault Python/generated_cases.c.h:4914 #15 0xaaaabbb008f4 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:115 #16 0xaaaabbb008f4 in _PyEval_Vector Python/ceval.c:1788 #17 0xaaaabb7cc2fc in _PyFunction_Vectorcall Objects/call.c:413 #18 0xaaaabb94bfe0 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168 #19 0xaaaabb94bfe0 in vectorcall_unbound Objects/typeobject.c:2271 #20 0xaaaabb94bfe0 in slot_tp_richcompare Objects/typeobject.c:8983 #21 0xaaaabb8c1058 in do_richcompare Objects/object.c:916 #22 0xaaaabb8c1438 in PyObject_RichCompare Objects/object.c:965 #23 0xaaaabb8c1578 in PyObject_RichCompareBool Objects/object.c:987 #24 0xaaaabbcc1a5c in deque_index_impl Modules/_collectionsmodule.c:1222 #25 0xaaaabbcc1c94 in deque_index Modules/clinic/_collectionsmodule.c.h:248 #26 0xaaaabb7f4ee4 in method_vectorcall_FASTCALL Objects/descrobject.c:401 #27 0xaaaabb7ccb84 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168 #28 0xaaaabb7cccc0 in PyObject_Vectorcall Objects/call.c:327 #29 0xaaaabbab73e4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:815 #30 0xaaaabbb008f4 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:115 #31 0xaaaabbb008f4 in _PyEval_Vector Python/ceval.c:1788 #32 0xaaaabbb00abc in PyEval_EvalCode Python/ceval.c:592 #33 0xaaaabbc02aec in run_eval_code_obj Python/pythonrun.c:1294 #34 0xaaaabbc059e0 in run_mod Python/pythonrun.c:1379 #35 0xaaaabbc0677c in pyrun_file Python/pythonrun.c:1215 previously allocated by thread T0 here: #0 0xffffb96aa2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0xaaaabb8cb160 in _PyMem_RawMalloc Objects/obmalloc.c:56 #2 0xaaaabb8c9028 in _PyMem_DebugRawAlloc Objects/obmalloc.c:2331 #3 0xaaaabb8c9084 in _PyMem_DebugRawMalloc Objects/obmalloc.c:2364 #4 0xaaaabb8ccdc0 in _PyMem_DebugMalloc Objects/obmalloc.c:2516 #5 0xaaaabb8f0df0 in PyObject_Malloc Objects/obmalloc.c:966 #6 0xaaaabb92e22c in _PyObject_MallocWithType Include/internal/pycore_object_alloc.h:46 #7 0xaaaabb92e22c in _PyType_AllocNoTrack Objects/typeobject.c:1739 #8 0xaaaabb92e538 in PyType_GenericAlloc Objects/typeobject.c:1763 #9 0xaaaabb92830c in object_new Objects/typeobject.c:5555 #10 0xaaaabb92ec48 in type_call Objects/typeobject.c:1682 #11 0xaaaabb7cc64c in _PyObject_MakeTpCall Objects/call.c:242 #12 0xaaaabb7ccc90 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:166 #13 0xaaaabb7cccc0 in PyObject_Vectorcall Objects/call.c:327 #14 0xaaaabbab73e4 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:815 #15 0xaaaabbb008f4 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:115 #16 0xaaaabbb008f4 in _PyEval_Vector Python/ceval.c:1788 #17 0xaaaabbb00abc in PyEval_EvalCode Python/ceval.c:592 #18 0xaaaabbc02aec in run_eval_code_obj Python/pythonrun.c:1294 #19 0xaaaabbc059e0 in run_mod Python/pythonrun.c:1379 #20 0xaaaabbc0677c in pyrun_file Python/pythonrun.c:1215 #21 0xaaaabbc08c3c in _PyRun_SimpleFileObject Python/pythonrun.c:464 #22 0xaaaabbc08ff4 in _PyRun_AnyFileObject Python/pythonrun.c:77 #23 0xaaaabbc66e68 in pymain_run_file_obj Modules/main.c:357 #24 0xaaaabbc693d8 in pymain_run_file Modules/main.c:376 #25 0xaaaabbc69de0 in pymain_run_python Modules/main.c:628 #26 0xaaaabbc6a084 in Py_RunMain Modules/main.c:707 #27 0xaaaabbc6a274 in pymain_main Modules/main.c:737 #28 0xaaaabbc6a5b0 in Py_BytesMain Modules/main.c:761 #29 0xaaaabb63145c in main Programs/python.c:15 #30 0xffffb93d73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #31 0xffffb93d74c8 in __libc_start_main_impl ../csu/libc-start.c:392 SUMMARY: AddressSanitizer: heap-use-after-free Include/object.h:333 in Py_TYPE Shadow bytes around the buggy address: 0x200ff610d620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x200ff610d630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x200ff610d640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x200ff610d650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x200ff610d660: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa =>0x200ff610d670: fa fa fd fd fd fd fd fd fd[fd]fd fa fa fa fa fa 0x200ff610d680: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd 0x200ff610d690: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd 0x200ff610d6a0: fd fd fd fd fd fd fa fa fa fa 00 00 00 00 00 00 0x200ff610d6b0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 0x200ff610d6c0: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==246599==ABORTING CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.13.0a3+ (heads/v3.13.0a2:e2c4038924, Feb 10 2024, 12:05:47) [GCC 11.4.0]