2013/4/13 Eli Bendersky <eliben@gmail.com>:

Test case?

I see one.

On Sat, Apr 13, 2013 at 7:19 AM, mark.dickinson <python-checkins@python.org> wrote:

...

http://hg.python.org/cpython/rev/d5e5017309b1 changeset: 83283:d5e5017309b1 branch: 2.7 user: Mark Dickinson <dickinsm@gmail.com> date: Sat Apr 13 15:19:05 2013 +0100 summary: Issue #16447: Fix potential segfault when setting __name__ on a class.

files: Lib/test/test_descr.py | 14 ++++++++++++++ Misc/NEWS | 3 +++ Objects/typeobject.c | 6 +++++- 3 files changed, 22 insertions(+), 1 deletions(-)

diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py --- a/Lib/test/test_descr.py +++ b/Lib/test/test_descr.py @@ -4136,6 +4136,20 @@ C.__name__ = 'D.E' self.assertEqual((C.__module__, C.__name__), (mod, 'D.E'))

+ def test_evil_type_name(self): + # A badly placed Py_DECREF in type_set_name led to arbitrary code + # execution while the type structure was not in a sane state, and a + # possible segmentation fault as a result. See bug #16447. + class Nasty(str): + def __del__(self): + C.__name__ = "other" + + class C(object): + pass + + C.__name__ = Nasty("abc") + C.__name__ = "normal" + def test_subclass_right_op(self): # Testing correct dispatch of subclass overloading __r<op>__...

diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -17,6 +17,9 @@ Core and Builtins -----------------

+- Issue #16447: Fixed potential segmentation fault when setting __name__ on a + class. + - Issue #17610: Don't rely on non-standard behavior of the C qsort() function.

Library diff --git a/Objects/typeobject.c b/Objects/typeobject.c --- a/Objects/typeobject.c +++ b/Objects/typeobject.c @@ -225,6 +225,7 @@ type_set_name(PyTypeObject *type, PyObject *value, void *context) { PyHeapTypeObject* et; + PyObject *tmp;

if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) { PyErr_Format(PyExc_TypeError, @@ -253,10 +254,13 @@

Py_INCREF(value);

- Py_DECREF(et->ht_name); + /* Wait until et is a sane state before Py_DECREF'ing the old et->ht_name + value. (Bug #16447.) */ + tmp = et->ht_name; et->ht_name = value;

type->tp_name = PyString_AS_STRING(value); + Py_DECREF(tmp);

return 0; }

-- Repository URL: http://hg.python.org/cpython

_______________________________________________ Python-checkins mailing list Python-checkins@python.org http://mail.python.org/mailman/listinfo/python-checkins

_______________________________________________ Python-checkins mailing list Python-checkins@python.org http://mail.python.org/mailman/listinfo/python-checkins

-- Regards, Benjamin

2013/4/13 Eli Bendersky <eliben@gmail.com>:

Test case?

I see one.

On Sat, Apr 13, 2013 at 7:19 AM, mark.dickinson <python-checkins@python.org> wrote:

...

http://hg.python.org/cpython/rev/d5e5017309b1 changeset: 83283:d5e5017309b1 branch: 2.7 user: Mark Dickinson <dickinsm@gmail.com> date: Sat Apr 13 15:19:05 2013 +0100 summary: Issue #16447: Fix potential segfault when setting __name__ on a class.

files: Lib/test/test_descr.py | 14 ++++++++++++++ Misc/NEWS | 3 +++ Objects/typeobject.c | 6 +++++- 3 files changed, 22 insertions(+), 1 deletions(-)

diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py --- a/Lib/test/test_descr.py +++ b/Lib/test/test_descr.py @@ -4136,6 +4136,20 @@ C.__name__ = 'D.E' self.assertEqual((C.__module__, C.__name__), (mod, 'D.E'))

+ def test_evil_type_name(self): + # A badly placed Py_DECREF in type_set_name led to arbitrary code + # execution while the type structure was not in a sane state, and a + # possible segmentation fault as a result. See bug #16447. + class Nasty(str): + def __del__(self): + C.__name__ = "other" + + class C(object): + pass + + C.__name__ = Nasty("abc") + C.__name__ = "normal" + def test_subclass_right_op(self): # Testing correct dispatch of subclass overloading __r<op>__...

diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -17,6 +17,9 @@ Core and Builtins -----------------

+- Issue #16447: Fixed potential segmentation fault when setting __name__ on a + class. + - Issue #17610: Don't rely on non-standard behavior of the C qsort() function.

Library diff --git a/Objects/typeobject.c b/Objects/typeobject.c --- a/Objects/typeobject.c +++ b/Objects/typeobject.c @@ -225,6 +225,7 @@ type_set_name(PyTypeObject *type, PyObject *value, void *context) { PyHeapTypeObject* et; + PyObject *tmp;

if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) { PyErr_Format(PyExc_TypeError, @@ -253,10 +254,13 @@

Py_INCREF(value);

- Py_DECREF(et->ht_name); + /* Wait until et is a sane state before Py_DECREF'ing the old et->ht_name + value. (Bug #16447.) */ + tmp = et->ht_name; et->ht_name = value;

type->tp_name = PyString_AS_STRING(value); + Py_DECREF(tmp);

return 0; }

-- Repository URL: http://hg.python.org/cpython

_______________________________________________ Python-checkins mailing list Python-checkins@python.org http://mail.python.org/mailman/listinfo/python-checkins

_______________________________________________ Python-checkins mailing list Python-checkins@python.org http://mail.python.org/mailman/listinfo/python-checkins

-- Regards, Benjamin