Re: [Python-Dev] [Python-checkins] cpython (2.7): Issue #16447: Fix potential segfault when setting __name__ on a class.
Test case?

On Sat, Apr 13, 2013 at 7:19 AM, mark.dickinson <python-checkins@python.org> wrote:
http://hg.python.org/cpython/rev/d5e5017309b1
changeset: 83283:d5e5017309b1
branch: 2.7
user: Mark Dickinson <dickinsm@gmail.com>
date: Sat Apr 13 15:19:05 2013 +0100
summary: Issue #16447: Fix potential segfault when setting __name__ on a class.

files:
  Lib/test/test_descr.py | 14 ++++++++++++++
  Misc/NEWS | 3 +++
  Objects/typeobject.c | 6 +++++-
  3 files changed, 22 insertions(+), 1 deletions(-)
diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py --- a/Lib/test/test_descr.py +++ b/Lib/test/test_descr.py @@ -4136,6 +4136,20 @@ C.__name__ = 'D.E' self.assertEqual((C.__module__, C.__name__), (mod, 'D.E'))
+ def test_evil_type_name(self): + # A badly placed Py_DECREF in type_set_name led to arbitrary code + # execution while the type structure was not in a sane state, and a + # possible segmentation fault as a result. See bug #16447. + class Nasty(str): + def __del__(self): + C.__name__ = "other" + + class C(object): + pass + + C.__name__ = Nasty("abc") + C.__name__ = "normal" + def test_subclass_right_op(self): # Testing correct dispatch of subclass overloading __r<op>__...
diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -17,6 +17,9 @@ Core and Builtins -----------------
+- Issue #16447: Fixed potential segmentation fault when setting __name__ on a + class. + - Issue #17610: Don't rely on non-standard behavior of the C qsort() function.
Library diff --git a/Objects/typeobject.c b/Objects/typeobject.c --- a/Objects/typeobject.c +++ b/Objects/typeobject.c @@ -225,6 +225,7 @@ type_set_name(PyTypeObject *type, PyObject *value, void *context) { PyHeapTypeObject* et; + PyObject *tmp;
if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) { PyErr_Format(PyExc_TypeError, @@ -253,10 +254,13 @@
Py_INCREF(value);
- Py_DECREF(et->ht_name); + /* Wait until et is a sane state before Py_DECREF'ing the old et->ht_name + value. (Bug #16447.) */ + tmp = et->ht_name; et->ht_name = value;
type->tp_name = PyString_AS_STRING(value); + Py_DECREF(tmp);
return 0; }
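Review bot: test_evil_type_name in Lib/test/test_descr.py contains no assertion, so it passes whenever the interpreter does not crash and would keep passing even if the re-entrant assignment in Nasty.__del__ never ran. Consider checking the final name after `C.__name__ = "normal"`: with the reordered type_set_name the old name is released only after the new value is stored, so the __del__ assignment runs last and the class should end up named "other", e.g. `self.assertEqual(C.__name__, "other")`.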
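Review bot: In the second type_set_name hunk of Objects/typeobject.c the new comment mentions only et->ht_name, but Py_DECREF(tmp) is also deliberately placed after `type->tp_name = PyString_AS_STRING(value);`. That ordering matters as much as the first: tp_name points into the name string's buffer, so it has to be repointed at the new value before the old string can be released and its __del__ run. Say so in the comment so a later edit does not move the decref up a line. Also, "is a sane state" should read "is in a sane state".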
-- Repository URL: http://hg.python.org/cpython
_______________________________________________ Python-checkins mailing list Python-checkins@python.org http://mail.python.org/mailman/listinfo/python-checkins
On Sat, Apr 13, 2013 at 7:25 AM, Eli Bendersky <eliben@gmail.com> wrote:
Test case?
Ugh, sorry. I missed it. Ignore my previous email please. Eli
2013/4/13 Eli Bendersky <eliben@gmail.com>:
Test case?
I see one.
-- Regards, Benjamin