ceval.c: positional_only_passed_as_keyword can be failed with segfault #101967

Closed
Eclips4 opened this issue Feb 16, 2023 · 0 comments · Fixed by #101968
Labels: interpreter-core (Objects, Python, Grammar, and Parser dirs); type-crash (A hard crash of the interpreter, possibly with a core dump)

Comments

Eclips4 (Member) commented Feb 16, 2023

cpython/Python/ceval.c

Lines 1251 to 1285 in 4d8959b

```c
static int
positional_only_passed_as_keyword(PyThreadState *tstate, PyCodeObject *co,
                                  Py_ssize_t kwcount, PyObject* kwnames,
                                  PyObject *qualname)
{
    int posonly_conflicts = 0;
    PyObject* posonly_names = PyList_New(0);

    for(int k=0; k < co->co_posonlyargcount; k++){
        PyObject* posonly_name = PyTuple_GET_ITEM(co->co_localsplusnames, k);

        for (int k2=0; k2<kwcount; k2++){
            /* Compare the pointers first and fallback to PyObject_RichCompareBool*/
            PyObject* kwname = PyTuple_GET_ITEM(kwnames, k2);
            if (kwname == posonly_name){
                if(PyList_Append(posonly_names, kwname) != 0) {
                    goto fail;
                }
                posonly_conflicts++;
                continue;
            }

            int cmp = PyObject_RichCompareBool(posonly_name, kwname, Py_EQ);

            if ( cmp > 0) {
                if(PyList_Append(posonly_names, kwname) != 0) {
                    goto fail;
                }
                posonly_conflicts++;
            } else if (cmp < 0) {
                goto fail;
            }

        }
    }
```

This implementation doesn't take into account the case when PyList_New returns NULL.
If PyList_New(0) returns NULL, PyList_Append will fail with a segfault, because Py_TYPE will try to reach ob_type of (PyObject *) NULL.
This is hard to reproduce, because the only way PyList_New can error is if it runs out of memory, but theoretically it can happen.
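The loop above uses the result of PyList_New(0) before anything has checked it. The following is an added example, not code from CPython or from the PR that fixed this issue: a self-contained C model of the same loop with a stand-in object header, a fault-injection switch that makes the allocation return NULL (the memory-pressure case that is otherwise hard to reproduce), and the shape of the fix, which is to test the pointer before the first append and take the error path. The names list_new, list_append, list_free, fail_next_alloc and posonly_passed_as_keyword are mine and stand in for the PyList API; the sample parameter names are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the PyObject header: the first thing PyList_Append does is read
 * the object's type (Py_TYPE), so a NULL object is dereferenced right away. */
typedef struct Obj {
    const char *type_name;
} Obj;

typedef struct List {
    Obj ob;              /* header first, as in CPython's object layout */
    const char **items;
    size_t len, cap;
} List;

/* Fault-injection switch (assumed helper): when nonzero, the next list_new()
 * returns NULL, which models PyList_New(0) failing under memory pressure. */
static int fail_next_alloc = 0;

/* Models PyList_New(0). */
static List *list_new(void) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    List *l = calloc(1, sizeof *l);
    if (l == NULL) return NULL;
    l->ob.type_name = "list";
    return l;
}

/* Models PyList_Append: reads the type first (this is where an unchecked NULL
 * from list_new() would crash), then grows the array as needed. */
static int list_append(List *l, const char *item) {
    if (strcmp(l->ob.type_name, "list") != 0) return -1;
    if (l->len == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 4;
        const char **grown = realloc(l->items, ncap * sizeof *grown);
        if (grown == NULL) return -1;
        l->items = grown;
        l->cap = ncap;
    }
    l->items[l->len++] = item;
    return 0;
}

static void list_free(List *l) {
    if (l != NULL) { free(l->items); free(l); }
}

/* Same loop as the ceval.c excerpt, with the allocation result checked before
 * it is used. Returns the number of positional-only names that also appear in
 * kwnames and stores the collected names in *out; returns -1 and sets *out to
 * NULL on any error, including allocation failure. */
static int posonly_passed_as_keyword(const char **posonly, size_t nposonly,
                                     const char **kwnames, size_t nkw,
                                     List **out) {
    int conflicts = 0;
    List *names = list_new();
    if (names == NULL) {         /* the check the issue reports as missing */
        *out = NULL;
        return -1;
    }
    for (size_t k = 0; k < nposonly; k++) {
        for (size_t k2 = 0; k2 < nkw; k2++) {
            /* identity first, then value comparison, as in the original */
            if (kwnames[k2] == posonly[k] || strcmp(kwnames[k2], posonly[k]) == 0) {
                if (list_append(names, kwnames[k2]) != 0) goto fail;
                conflicts++;
            }
        }
    }
    *out = names;
    return conflicts;
fail:
    list_free(names);
    *out = NULL;
    return -1;
}

int main(void) {
    const char *posonly[] = {"a", "b"};     /* constructed sample input */
    const char *kw[] = {"b", "c", "a"};
    List *names = NULL;

    int n = posonly_passed_as_keyword(posonly, 2, kw, 3, &names);
    printf("conflicts: %d\n", n);                 /* 2 */
    list_free(names);

    fail_next_alloc = 1;                          /* make the allocation fail */
    n = posonly_passed_as_keyword(posonly, 2, kw, 3, &names);
    printf("under allocation failure: %d\n", n);  /* -1, no crash */
    return 0;
}
```

Removing the `names == NULL` check and running the second call reproduces the report: list_append reads the type field through a NULL pointer, which is the same dereference Py_TYPE performs inside PyList_Append. Returning -1 with *out cleared lets the caller propagate the error the way a real MemoryError would be propagated.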

Eclips4 added the type-crash label Feb 16, 2023
Eclips4 added a commit to Eclips4/cpython that referenced this issue Feb 16, 2023
arhadthedev added the interpreter-core label Feb 17, 2023
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 18, 2023
miss-islington added a commit that referenced this issue Feb 18, 2023
(cherry picked from commit 89413bb)

Co-authored-by: Eclips4
pablogsal pushed a commit that referenced this issue Feb 21, 2023
gh-101967: add a missing error check (GH-101968)
(cherry picked from commit 89413bb)

Co-authored-by: Eclips4
Co-authored-by: Shantanu