Skip to content

LOAD_ATTR_SLOT and STORE_ATTR_SLOT don't check the owner's type #99257

New issue
New issue
Closed
Closed
LOAD_ATTR_SLOT and STORE_ATTR_SLOT don't check the owner's type#99257
Assignees
brandtbucher
Labels
3.11only security fixes3.12only security fixesinterpreter-core(Objects, Python, Grammar, and Parser dirs)release-blockertype-crashA hard crash of the interpreter, possibly with a core dump
@brandtbucher

Description

@brandtbucher
brandtbucher
opened on Nov 8, 2022

When specializing LOAD_ATTR_SLOT, we don't check whether the given member descriptor is valid for the type we got it from.

Here is a problematic example, where one class "borrows" a slot from another:

>>> class Class: ... __slots__ = ("slot",) ... >>> class Sneaky: ... borrowed = Class.slot ... >>> def f(o): ... return o.borrowed ... >>> o = Sneaky()

The unspecialized code behaves correctly:

>>> f(o) Traceback (most recent call last): File "<stdin>", line 1, in <module> File "<stdin>", line 2, in f TypeError: descriptor 'slot' for 'Class' objects doesn't apply to a 'Sneaky' object

However, the specialized code crashes, since it is accessing memory past the end of the object:

>>> f(o) Segmentation fault

We can fix this by performing the same check that the member descriptor performs (PyObject_TypeCheck(obj, descr->d_type)) when specializing.

CC @markshannon

Metadata

Metadata

Assignees

Labels

3.11only security fixes3.12only security fixesinterpreter-core(Objects, Python, Grammar, and Parser dirs)release-blockertype-crashA hard crash of the interpreter, possibly with a core dump

Projects

Release and Deferred blockers 🚫

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions