[Python-checkins] r47261 - python/trunk/Lib/test/crashers/borrowed_ref_1.py python/trunk/Lib/test/crashers/borrowed_ref_2.py

armin.rigo python-checkins at python.org
Thu Jul 6 09:58:19 CEST 2006 

Author: armin.rigo
Date: Thu Jul  6 09:58:18 2006
New Revision: 47261

Added:
   python/trunk/Lib/test/crashers/borrowed_ref_1.py   (contents, props changed)
   python/trunk/Lib/test/crashers/borrowed_ref_2.py   (contents, props changed)
Log:
A couple of examples about how to attack the fact that _PyType_Lookup()
returns a borrowed ref.  Many of the calls are open to attack.


Added: python/trunk/Lib/test/crashers/borrowed_ref_1.py
==============================================================================
--- (empty file)
+++ python/trunk/Lib/test/crashers/borrowed_ref_1.py	Thu Jul  6 09:58:18 2006
@@ -0,0 +1,29 @@
+"""
+_PyType_Lookup() returns a borrowed reference.
+This attacks the call in dictobject.c.
+"""
+
+class A(object):
+    pass
+
+class B(object):
+    def __del__(self):
+        print 'hi'
+        del D.__missing__
+
+class D(dict):
+    class __missing__:
+        def __init__(self, *args):
+            pass
+
+
+d = D()
+a = A()
+a.cycle = a
+a.other = B()
+del a
+
+prev = None
+while 1:
+    d[5]
+    prev = (prev,)

Added: python/trunk/Lib/test/crashers/borrowed_ref_2.py
==============================================================================
--- (empty file)
+++ python/trunk/Lib/test/crashers/borrowed_ref_2.py	Thu Jul  6 09:58:18 2006
@@ -0,0 +1,38 @@
+"""
+_PyType_Lookup() returns a borrowed reference.
+This attacks PyObject_GenericSetAttr().
+
+NB. on my machine this crashes in 2.5 debug but not release.
+"""
+
+class A(object):
+    pass
+
+class B(object):
+    def __del__(self):
+        print "hi"
+        del C.d
+
+class D(object):
+    def __set__(self, obj, value):
+        self.hello = 42
+
+class C(object):
+    d = D()
+
+    def g():
+        pass
+
+
+c = C()
+a = A()
+a.cycle = a
+a.other = B()
+
+lst = [None] * 1000000
+i = 0
+del a
+while 1:
+    c.d = 42         # segfaults in PyMethod_New(im_func=D.__set__, im_self=d)
+    lst[i] = c.g     # consume the free list of instancemethod objects
+    i += 1

More information about the Python-checkins mailing list