[Python-Dev] Is core dump always a bug? Advice requested

Michel Pelletier michel at dialnetwork.com
Tue May 11 15:14:42 EDT 2004


> Message: 6
> Date: Tue, 11 May 2004 07:12:00 -0700
> From: Guido van Rossum <guido at python.org>
> Subject: Re: [Python-Dev] Is core dump always a bug? Advice requested
> To: Greg Ewing <greg at cosc.canterbury.ac.nz>
> Cc: python-dev at python.org

> No, the holes aren't in ceval.  The hole is the ability to create new
> code objects from arbitrary arguments, which wasn't planned at all
> when ceval was designed.  I was always reluctant to add this
> capability, but finally allowed it, consiciously opening up the hole,
> under pressure from various people who wanted to do bytecode level
> hacking.

Please excuse me if I'm wrong, but wasn't the hole always there, you just made 
it wider?  It seems it has always been possible to handcraft an evil .pyc 
file and cause its import, it's just more laborious than using the new 
module.

> The responsibility to validate bytecode should really be in new.code()
> (and probably in new.function, which requires the code to behave in
> certain ways).

This seems to only cover the part of the hole you widened, not the whole hole.  
For example, Java verifies bytecode when a .class file is loaded  (See 
section 4.9 of the Java VM Specification).  At this time it does quite a bit 
of verification, the spec is very interesting and could be a possible 
starting point for a Python bytecode verifier.

It would seem a similar verification should happen any time the Python VM 
attempts to execute a code object for the first time, not just when the new 
module is used.

> Note that while I like the general principle that Python code
> shouldn't be able to cause segfaults, I don't think we should see that
> property as a safety *guarantee*.  It's more a code-of-honor of the
> Python implementation.  There are many violations of the principle,
> mostly in platform-specific extensions (it is easy to crash Python
> with certain win32 primitives, for example, and it seems unreasonable
> to expect otherwise).

While it's reasonable that C extensions can cause seg-faults, the problem to 
me seems to be the way in which bytecode can be used to exploit the 
interpreter without the involvement of extensions and not necessarily causing 
hard failures like seg faults.

-Michel



More information about the Python-Dev mailing list