[Python-Dev] Fuzzing bugs: most bugs are closed

Jesse Noller jnoller at gmail.com
Sat Jul 19 15:14:44 CEST 2008


On Sat, Jul 19, 2008 at 7:23 AM, Victor Stinner
<victor.stinner at haypocalc.com> wrote:
> Hi,
>
> I filed 14 issues about bugs found by fuzzing (see my other email "Play with
> fuzzing" for more information). Most bugs are now closed, cool :-) Last
> bugs:
>
>
> == Trivial open bugs ==
>
> segfault on locale.gettext(None)
> - http://bugs.python.org/issue3302
> - attached patch is trivial: fix the PyArg_ParseTuple() to block a None value,
>  and reject an empty domain string for bindtextdomain() (to avoid the strange
>  error "OSError(0): success")
>
> invalid ref count on locale.strcoll() error
> - http://bugs.python.org/issue3303
> - attached patch is trivial: add "if (rel1)"
>
> _multiprocessing.Connection() doesn't check handle
> - http://bugs.python.org/issue3321
> - _multiprocessing.Connection(fd) doesn't check that fd is a valid file handle
>  and so may crash on poll (the "evil" FD_SET() call)
> - my patch adds "|| fstat(handle, &statbuf)" to make sure that the
>  file descriptor is valid
>
>
> == Complex open bugs ==
>
> block operation on closed socket/pipe for multiprocessing
> - http://bugs.python.org/issue3311
> - close() method sets the file handle to -1 but most methods don't check
>  the handle and so may fail or crash. Especially poll() calls
>  FD_SET((SOCKET)conn->handle, &rfds); with handle=-1 => crash.
> - my patch creates a new MP error: "return MP_CLOSED_FILE;", used if handle
>  is INVALID_HANDLE_VALUE to block operations (send, receive, poll) on
>  closed files for socket and pipe.
>
> bugs in scanstring_str() and scanstring_unicode() of _json module
> - http://bugs.python.org/issue3322
> - scanstring() function crashes if the second argument is a big negative
>  integer. There is no attached patch because I don't understand this
>  function enough to fix it correctly, but I suggest raising a ValueError
>  if end is too small/big
>
> invalid object destruction in re.finditer()
> - or "PyObject_DEL inconsistency if pydebug option is used"
> - http://bugs.python.org/issue3299
> - It's the most complex bug, I prefer to write a new email :-)
>
>
> == Need backport / port to python 3.0 ==
>
> invalid call to PyMem_Free() in fileio_init()
> - http://bugs.python.org/issue3304
> - patch applied in Python 2.6 (trunk) but not in Python 3000:
>  "i'm assuming that'll be merged into py3k automagically."
>  wrote Gregory P. Smith
>
> missing lock release in BZ2File_iternext()
> - http://bugs.python.org/issue3309
> - patch applied in Python 2.6 but "Needs backporting to release25-maint."
>  wrote Gregory P. Smith
>
>
> When all bugs are closed, I will restart fuzzing Python ;-) But I also
> tried with my patches and I was unable to find new bugs, great!
>
> Victor

Thank you Victor - I didn't want to change any underlying
multiprocessing code until we had the test suite in a better state
(which we do now). Now that beta 2 is out, I will address the
multiprocessing ones asap.

One suggestion would be to include tests in the patch to prove the bug is
fixed, if possible, so we can add them to the suite. I know that
that is not always possible, but it does help. I worry about making
code changes without appropriate tests. If anything, a snippet of code
"exploiting" the flaw may help generate a test case on my end. Thanks
again for doing this.

-jesse
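Jesse's request above (a snippet that "exploits" the flaw, turned into a test) is awkward to satisfy directly, because the failure mode of most of Victor's findings is an interpreter segfault, which takes the test runner down with it. The harness below is an added example, not code from this thread or from CPython's test suite: it runs each candidate snippet in a child interpreter and classifies the outcome as a Python exception (the fixed behaviour), a signal-induced crash (the bug), a plain non-zero exit, or a hang. The probe snippets are constructed for illustration; two of them are the `scanstring()` negative-`end` case and the `locale.gettext(None)` case from the email, and the third deliberately raises SIGSEGV so the crash path is exercised on a fixed interpreter too.

```python
"""Turn fuzzer-found crashes into regression tests (added example).

Each probe is a one-liner that, per the thread above, once crashed the
interpreter. Running it in a fresh child process means a segfault cannot
kill the test runner, and a fixed interpreter is expected to answer with
an ordinary exception rather than with a signal.
"""
import subprocess
import sys

# Runs inside the child: exec the probe and report how it ended.
_CHILD_WRAPPER = """
import sys
try:
    exec(sys.argv[1])
except BaseException as exc:
    print("EXC:" + type(exc).__name__)
else:
    print("OK")
"""

# Constructed probes for this example. The first two mirror findings from
# the thread (issue3322 and issue3302); the third forces a crash so the
# harness's crash path can be demonstrated on any interpreter.
PROBES = {
    "json_scanstring_negative_end":
        "import json.decoder as d; d.scanstring('\"abc\"', -100000)",
    "locale_gettext_none":
        "import locale; locale.gettext(None)",
    "forced_segfault":
        "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)",
}


def run_probe(snippet, timeout=10):
    """Execute `snippet` in a child interpreter and classify the outcome.

    Returns one of:
      ("exception", <class name>)  the snippet raised (what a fix should do)
      ("ok", None)                 it ran to completion
      ("crash", <signal number>)   the child died from a signal, e.g. 11 = SIGSEGV
      ("exit", <status>)           non-zero exit without a signal
      ("hang", None)               the child exceeded `timeout`
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD_WRAPPER, snippet],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return ("hang", None)
    if proc.returncode < 0:            # POSIX: negative code = terminating signal
        return ("crash", -proc.returncode)
    out = proc.stdout.strip()
    if out.startswith("EXC:"):
        return ("exception", out[4:])
    if out == "OK" and proc.returncode == 0:
        return ("ok", None)
    return ("exit", proc.returncode)


def is_fixed(snippet):
    """A fix is in place when the probe neither crashes nor hangs."""
    return run_probe(snippet)[0] in ("exception", "ok")


def classify_all(probes=PROBES):
    """Classify every probe; handy for printing a fuzzing triage table."""
    return {name: run_probe(code) for name, code in probes.items()}


if __name__ == "__main__":
    for name, (kind, detail) in classify_all().items():
        print(f"{name:32s} {kind:10s} {detail}")
```

In a regression test you would assert `is_fixed(snippet)` for each reproducer; the crash case is what a fuzzer reports, and the exception case is the behaviour the patch should establish (Victor's proposed `ValueError` for an out-of-range `end`, a `TypeError` from `PyArg_ParseTuple()` for `None`). The signal-number convention (`returncode < 0`) is POSIX-specific; on Windows a crash shows up as a large positive exit status instead.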
