[New-bugs-announce] [issue6083] Reference counting bug in setrlimit
report at bugs.python.org
Fri May 22 10:18:56 CEST 2009
New submission from Bill McCloskey <billm at cs.berkeley.edu>:
The code for resource_setrlimit in Modules/resource.c does not handle
reference counting properly. The following Python code segfaults for me
on Ubuntu 8.10 in Python 2.5.2 and also a custom-built 2.6.1.
l = [0, 0]
l = 20
print 'byebye', self
l = MyNum()
l = MyNum()
The problem is that setrlimit gets its arguments by calling:
&resource, &curobj, &maxobj)
The references curobj and maxobj are borrowed. The second argument can
be passed as a mutable list rather than a tuple, so it's possible to
update the list in the middle of setrlimit, causing maxobj to be
destroyed before setrlimit is done with it.
I've attached a patch that INCREFs both variables immediately after
parsing them to avoid this problem.
In my opinion it seems dangerous to allow format strings with the 'O'
specifier appearing in parentheses. You normally expect that objects
returned from PyArg_ParseTuple are pretty safe, but the fact that the
inner sequence may be mutable violates this assumption. Might it make
sense to ban this use case? I only found one other instance of it in the
Python source tree, inside ctypes. This one may also be a crashing
bug--I didn't look at it carefully enough.
components: Extension Modules
title: Reference counting bug in setrlimit
versions: Python 2.5, Python 2.6
Added file: http://bugs.python.org/file14040/python-bug-01.patch
Python tracker <report at bugs.python.org>
More information about the New-bugs-announce