[New-bugs-announce] [issue38033] Use After Free: PyObject_Free

Chiaki Ishikawa report at bugs.python.org
Wed Sep 4 19:27:04 EDT 2019


New submission from Chiaki Ishikawa <ishikawa at yk.rim.or.jp>:

Hi,
I am new to the Python bug tracker, so my setting of the fields may be inadequate. If so, apologies in advance.
I think a Use After Free bug is a potential security issue, so I wanted to report it ASAP.

First, my environment: I am using Debian GNU/Linux, and its kernel version (uname -a output) is:
SMP Debian 4.19.37-6 (2019-07-18) x86_64 GNU/Linux

Python version is:
# python3 --version
Python 3.7.4

The Mozilla Thunderbird mail client's testing framework uses Python as a test driver, and when I was checking the local build of Thunderbird under a test suite invoked from |make mozmill| under valgrind (a memory usage checker), the first thing I noticed was the following message from valgrind.
PyObject_Free seems to access a memory location (4 octets) in an already freed block. This happened many times during the test.

I have not bothered to look into the source code of Python, but a seasoned developer should be able to figure out where such a reference is made.

From the valgrind log:

==30354== Invalid read of size 4
==30354==    at 0x5A29FE: PyObject_Free (in /usr/bin/python3.7)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==  Address 0x4c8b020 is 16 bytes after a block of size 576 free'd
==30354==    at 0x4833FC0: free (vg_replace_malloc.c:538)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==  Block was alloc'd at
==30354==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
==30354==    by 0x5A4B16: PyObject_Malloc (in /usr/bin/python3.7)
==30354==    by 0x5B72BD: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==


TIA

----------
components: Library (Lib)
messages: 351154
nosy: zephyrus00jp
priority: normal
severity: normal
status: open
title: Use After Free: PyObject_Free
type: security
versions: Python 3.7

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue38033>
_______________________________________
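A small triage script for memcheck reports of this shape, added here as an example and not part of the bug report or of CPython: it parses each "Invalid read/write" block into its three stacks (the access, the free, the allocation) and records where the faulting address lies relative to the freed block, which is the detail to check when deciding whether a report describes an access inside a dead block or a read just past its end. The sample log is constructed from (and abbreviated from) the report above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, abbreviated from the valgrind report quoted above.
SAMPLE = """\
==30354== Invalid read of size 4
==30354==    at 0x5A29FE: PyObject_Free (in /usr/bin/python3.7)
==30354==  Address 0x4c8b020 is 16 bytes after a block of size 576 free'd
==30354==    at 0x4833FC0: free (vg_replace_malloc.c:538)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==  Block was alloc'd at
==30354==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
==30354==    by 0x5A4B16: PyObject_Malloc (in /usr/bin/python3.7)
"""
HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \((.*)\)$")
ADDR = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is (\d+) bytes "
                  r"(inside|after|before) a block of size (\d+) (free'd|alloc'd)$")
@dataclass
class Report:
    kind: str                 # "read" or "write"
    size: int                 # bytes accessed
    address: int = 0
    offset: int = 0           # distance from the block, from the Address line
    relation: str = ""        # "inside", "after" or "before"
    block_size: int = 0
    access: list = field(default_factory=list)   # (function, location) frames
    freed: list = field(default_factory=list)
    allocd: list = field(default_factory=list)
def parse(text):
    """Split memcheck output into one Report per 'Invalid read/write' error."""
    reports, cur, stack = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = Report(kind=m.group(1), size=int(m.group(2)))
            reports.append(cur)
            stack = cur.access            # frames that follow belong to the access
        elif cur and (m := ADDR.match(line)):
            cur.address, cur.offset = int(m.group(1), 16), int(m.group(2))
            cur.relation, cur.block_size = m.group(3), int(m.group(4))
            stack = cur.freed if m.group(5) == "free'd" else cur.allocd
        elif cur and "Block was alloc'd at" in line:
            stack = cur.allocd
        elif stack is not None and (m := FRAME.match(line)):
            stack.append((m.group(1), m.group(2)))
    return reports
def summarize(r):
    """One triage line; 'inside' the dead block is a classic use-after-free."""
    freed_in = r.freed[1][0] if len(r.freed) > 1 else "?"   # caller of free()
    return (f"{r.kind} of {r.size} bytes in {r.access[0][0]}: {r.offset} bytes "
            f"{r.relation} a {r.block_size}-byte block freed via {freed_in}")
```

Running `summarize(parse(SAMPLE)[0])` on the constructed sample yields a single line naming PyObject_Free, the 16-byte offset past the 576-byte block, and the (unsymbolised) caller of free().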
