[Python-Dev] [Python-checkins] cpython (2.7): Issue #16447: Fix potential segfault when setting __name__ on a class.

Eli Bendersky eliben at gmail.com
Sat Apr 13 16:26:57 CEST 2013


On Sat, Apr 13, 2013 at 7:25 AM, Eli Bendersky <eliben at gmail.com> wrote:

> Test case?
>
>
Ugh, sorry. I missed it. Ignore my previous email please.

Eli



>
> On Sat, Apr 13, 2013 at 7:19 AM, mark.dickinson <
> python-checkins at python.org> wrote:
>
>> http://hg.python.org/cpython/rev/d5e5017309b1
>> changeset:   83283:d5e5017309b1
>> branch:      2.7
>> user:        Mark Dickinson <dickinsm at gmail.com>
>> date:        Sat Apr 13 15:19:05 2013 +0100
>> summary:
>>   Issue #16447: Fix potential segfault when setting __name__ on a class.
>>
>> files:
>>   Lib/test/test_descr.py |  14 ++++++++++++++
>>   Misc/NEWS              |   3 +++
>>   Objects/typeobject.c   |   6 +++++-
>>   3 files changed, 22 insertions(+), 1 deletions(-)
>>
>>
>> diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py
>> --- a/Lib/test/test_descr.py
>> +++ b/Lib/test/test_descr.py
>> @@ -4136,6 +4136,20 @@
>>          C.__name__ = 'D.E'
>>          self.assertEqual((C.__module__, C.__name__), (mod, 'D.E'))
>>
>> +    def test_evil_type_name(self):
>> +        # A badly placed Py_DECREF in type_set_name led to arbitrary code
>> +        # execution while the type structure was not in a sane state,
>> and a
>> +        # possible segmentation fault as a result.  See bug #16447.
>> +        class Nasty(str):
>> +            def __del__(self):
>> +                C.__name__ = "other"
>> +
>> +        class C(object):
>> +            pass
>> +
>> +        C.__name__ = Nasty("abc")
>> +        C.__name__ = "normal"
>> +
>>      def test_subclass_right_op(self):
>>          # Testing correct dispatch of subclass overloading __r<op>__...
>>
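Review bot: test_evil_type_name contains no assertion, so it passes whenever the interpreter survives the two assignments, and it only exercises the bug if Nasty.__del__ runs during `C.__name__ = "normal"`, which depends on the old name being finalised as soon as its last reference is dropped. Consider stating that dependency in the test comment, and adding an assertEqual on C.__name__ after the second assignment so the test also records which of the nested assignments ends up in effect.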
>> diff --git a/Misc/NEWS b/Misc/NEWS
>> --- a/Misc/NEWS
>> +++ b/Misc/NEWS
>> @@ -17,6 +17,9 @@
>>  Core and Builtins
>>  -----------------
>>
>> +- Issue #16447: Fixed potential segmentation fault when setting __name__
>> on a
>> +  class.
>> +
>>  - Issue #17610: Don't rely on non-standard behavior of the C qsort()
>> function.
>>
>>  Library
>> diff --git a/Objects/typeobject.c b/Objects/typeobject.c
>> --- a/Objects/typeobject.c
>> +++ b/Objects/typeobject.c
>> @@ -225,6 +225,7 @@
>>  type_set_name(PyTypeObject *type, PyObject *value, void *context)
>>  {
>>      PyHeapTypeObject* et;
>> +    PyObject *tmp;
>>
>>      if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) {
>>          PyErr_Format(PyExc_TypeError,
>> @@ -253,10 +254,13 @@
>>
>>      Py_INCREF(value);
>>
>> -    Py_DECREF(et->ht_name);
>> +    /* Wait until et is a sane state before Py_DECREF'ing the old
>> et->ht_name
>> +       value.  (Bug #16447.)  */
>> +    tmp = et->ht_name;
>>      et->ht_name = value;
>>
>>      type->tp_name = PyString_AS_STRING(value);
>> +    Py_DECREF(tmp);
>>
>>      return 0;
>>  }
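Review bot: the new comment in type_set_name reads "Wait until et is a sane state"; it should say "in a sane state", and it would help to spell out that the Py_DECREF has to follow `type->tp_name = PyString_AS_STRING(value);` as well as `et->ht_name = value;`, because tp_name is taken from the string's buffer and must already refer to the new value when the old one is released. Keeping `Py_DECREF(tmp);` as the last statement before `return 0;` is the right placement, since the added test shows the decref can re-enter type_set_name through __del__. A name such as old_name would say more than tmp.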
>>
>> --
>> Repository URL: http://hg.python.org/cpython
>>
>>
>>
>