[New-bugs-announce] [issue6083] Reference counting bug in setrlimit

Bill McCloskey report at bugs.python.org
Fri May 22 10:18:56 CEST 2009

New submission from Bill McCloskey <billm at cs.berkeley.edu>:

The code for resource_setrlimit in Modules/resource.c does not handle
reference counting properly. The following Python code segfaults for me
on Ubuntu 8.10 in Python 2.5.2 and also a custom-built 2.6.1.

import resource

l = [0, 0]

class MyNum:
    def __int__(self):
        l[1] = 20
        return 10

    def __del__(self):
        print 'byebye', self

l[0] = MyNum()
l[1] = MyNum()
resource.setrlimit(resource.RLIMIT_CPU, l)

The problem is that setrlimit gets its arguments by calling:
   PyArg_ParseTuple(args, "i(OO):setrlimit", 
                    &resource, &curobj, &maxobj)
The references curobj and maxobj are borrowed. The second argument can
be passed as a mutable list rather than a tuple, so it's possible to
update the list in the middle of setrlimit, causing maxobj to be
destroyed before setrlimit is done with it.

I've attached a patch that INCREFs both variables immediately after
parsing them to avoid this problem.

In my opinion it seems dangerous to allow format strings with the 'O'
specifier appearing in parentheses. You normally expect that objects
returned from PyArg_ParseTuple are pretty safe, but the fact that the
inner sequence may be mutable violates this assumption. Might it make
sense to ban this use case? I only found one other instance of it in the
Python source tree, inside ctypes. This one may also be a crashing
bug--I didn't look at it carefully enough.

components: Extension Modules
files: python-bug-01.patch
keywords: patch
messages: 88181
nosy: billm
severity: normal
status: open
title: Reference counting bug in setrlimit
type: crash
versions: Python 2.5, Python 2.6
Added file: http://bugs.python.org/file14040/python-bug-01.patch

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list