[Python-Dev] [Python-checkins] cpython (2.7): Issue #16447: Fix potential segfault when setting __name__ on a class.

Eli Bendersky eliben at gmail.com
Sat Apr 13 16:25:33 CEST 2013


Test case?


On Sat, Apr 13, 2013 at 7:19 AM, mark.dickinson
<python-checkins at python.org>wrote:

> http://hg.python.org/cpython/rev/d5e5017309b1
> changeset:   83283:d5e5017309b1
> branch:      2.7
> user:        Mark Dickinson <dickinsm at gmail.com>
> date:        Sat Apr 13 15:19:05 2013 +0100
> summary:
>   Issue #16447: Fix potential segfault when setting __name__ on a class.
>
> files:
>   Lib/test/test_descr.py |  14 ++++++++++++++
>   Misc/NEWS              |   3 +++
>   Objects/typeobject.c   |   6 +++++-
>   3 files changed, 22 insertions(+), 1 deletions(-)
>
>
> diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py
> --- a/Lib/test/test_descr.py
> +++ b/Lib/test/test_descr.py
> @@ -4136,6 +4136,20 @@
>          C.__name__ = 'D.E'
>          self.assertEqual((C.__module__, C.__name__), (mod, 'D.E'))
>
> +    def test_evil_type_name(self):
> +        # A badly placed Py_DECREF in type_set_name led to arbitrary code
> +        # execution while the type structure was not in a sane state, and
> a
> +        # possible segmentation fault as a result.  See bug #16447.
> +        class Nasty(str):
> +            def __del__(self):
> +                C.__name__ = "other"
> +
> +        class C(object):
> +            pass
> +
> +        C.__name__ = Nasty("abc")
> +        C.__name__ = "normal"
> +
>      def test_subclass_right_op(self):
>          # Testing correct dispatch of subclass overloading __r<op>__...
>
> diff --git a/Misc/NEWS b/Misc/NEWS
> --- a/Misc/NEWS
> +++ b/Misc/NEWS
> @@ -17,6 +17,9 @@
>  Core and Builtins
>  -----------------
>
> +- Issue #16447: Fixed potential segmentation fault when setting __name__
> on a
> +  class.
> +
>  - Issue #17610: Don't rely on non-standard behavior of the C qsort()
> function.
>
>  Library
> diff --git a/Objects/typeobject.c b/Objects/typeobject.c
> --- a/Objects/typeobject.c
> +++ b/Objects/typeobject.c
> @@ -225,6 +225,7 @@
>  type_set_name(PyTypeObject *type, PyObject *value, void *context)
>  {
>      PyHeapTypeObject* et;
> +    PyObject *tmp;
>
>      if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) {
>          PyErr_Format(PyExc_TypeError,
> @@ -253,10 +254,13 @@
>
>      Py_INCREF(value);
>
> -    Py_DECREF(et->ht_name);
> +    /* Wait until et is a sane state before Py_DECREF'ing the old
> et->ht_name
> +       value.  (Bug #16447.)  */
> +    tmp = et->ht_name;
>      et->ht_name = value;
>
>      type->tp_name = PyString_AS_STRING(value);
> +    Py_DECREF(tmp);
>
>      return 0;
>  }
>
> --
> Repository URL: http://hg.python.org/cpython
>
> _______________________________________________
> Python-checkins mailing list
> Python-checkins at python.org
> http://mail.python.org/mailman/listinfo/python-checkins
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130413/322c51a7/attachment.html>


More information about the Python-Dev mailing list