[New-bugs-announce] [issue32725] Instance of _multiprocessing.PipeConnection-subtype crash on deletion
report at bugs.python.org
Tue Jan 30 05:13:55 EST 2018
New submission from Clement Rouault <python at hakril.net>:
While playing with '_multiprocessing.PipeConnection' I found out that instancing an object with a subtype of '_multiprocessing.PipeConnection' will crash the interpreter when the object is deleted.
My guess is that some connection methods does not check/handle the fact that the object is a subtype and not a 'pure' PipeConnection.
I don't know if the exploitability aspect of this crash is important but it allows to rewrite an arbitrary address easily with some heap-pointer (leading to CPython trying to execute the heap).
I attached a simple program that crash CPython using this bug.
components: Library (Lib)
title: Instance of _multiprocessing.PipeConnection-subtype crash on deletion
versions: Python 2.7
Added file: https://bugs.python.org/file47417/poc.py
Python tracker <report at bugs.python.org>
More information about the New-bugs-announce