
Use after free in 3.11 #96572

Closed

Description

@matthiasgoergens

When I try to build the current 3.11 0c81909 on my 64-bit ArchLinux machine with clang version 14.0.6 and the following configuration:

../configure \
    --with-assertions \
    --with-address-sanitizer \
    --with-trace-refs \
    --with-undefined-behavior-sanitizer

I get the following error:

(3.11)$ make
./_bootstrap_python ../Programs/_freeze_module.py abc ../Lib/abc.py Python/frozen_modules/abc.h
=================================================================
==1780959==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000046cb0 at pc 0x55896728b06e bp 0x7ffc8d63cba0 sp 0x7ffc8d63cb98
READ of size 8 at 0x608000046cb0 thread T0
    #0 0x55896728b06d in _Py_ForgetReference /home/matthias/prog/python/cpython/build-bisect-2/../Objects/object.c:2044:23
    #1 0x55896728dd86 in _Py_Dealloc /home/matthias/prog/python/cpython/build-bisect-2/../Objects/object.c:2385:5
    #2 0x5589672019f7 in Py_DECREF /home/matthias/prog/python/cpython/build-bisect-2/../Include/object.h:538:9
    #3 0x5589672019f7 in Py_XDECREF /home/matthias/prog/python/cpython/build-bisect-2/../Include/object.h:602:9
    #4 0x5589672019f7 in insertdict /home/matthias/prog/python/cpython/build-bisect-2/../Objects/dictobject.c:1304:5
    #5 0x558967566581 in _PyEval_EvalFrameDefault /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:2774:23
    #6 0x558967544abd in _PyEval_Vector /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:6424:24
    #7 0x558967530c0d in builtin___build_class__ /home/matthias/prog/python/cpython/build-bisect-2/../Python/bltinmodule.c:201:12
    #8 0x55896726d395 in cfunction_vectorcall_FASTCALL_KEYWORDS /home/matthias/prog/python/cpython/build-bisect-2/../Objects/methodobject.c:443:24
    #9 0x5589670ce5a4 in _PyObject_VectorcallTstate /home/matthias/prog/python/cpython/build-bisect-2/../Include/internal/pycore_call.h:92:11
    #10 0x558967567ba6 in _PyEval_EvalFrameDefault /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c
    #11 0x558967544abd in _PyEval_Vector /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:6424:24
    #12 0x558967544544 in PyEval_EvalCode /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:1154:21
    #13 0x5589676b990b in exec_code_in_module /home/matthias/prog/python/cpython/build-bisect-2/../Python/import.c:764:9
    #14 0x5589676ba193 in PyImport_ImportFrozenModuleObject /home/matthias/prog/python/cpython/build-bisect-2/../Python/import.c:1394:9
    #15 0x5589676bbfb1 in PyImport_ImportFrozenModule /home/matthias/prog/python/cpython/build-bisect-2/../Python/import.c:1434:11
    #16 0x55896772498f in init_importlib /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:186:9
    #17 0x55896772349d in pycore_interp_init /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:871:13
    #18 0x558967719beb in pyinit_config /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:900:14
    #19 0x558967719beb in pyinit_core /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:1063:18
    #20 0x558967719beb in Py_InitializeFromConfig /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:1253:14
    #21 0x5589679ecc04 in main /home/matthias/prog/python/cpython/build-bisect-2/../Programs/_bootstrap_python.c:103:14
    #22 0x7f5b4e5662cf  (/usr/lib/libc.so.6+0x232cf) (BuildId: 9c28cfc869012ebbd43cdb0f1eebcd14e1b8bdd8)
    #23 0x7f5b4e566389 in __libc_start_main (/usr/lib/libc.so.6+0x23389) (BuildId: 9c28cfc869012ebbd43cdb0f1eebcd14e1b8bdd8)
    #24 0x558966dcae34 in _start /build/glibc/src/glibc/csu/../sysdeps/x86_64/start.S:115

0x608000046cb0 is located 16 bytes inside of 88-byte region [0x608000046ca0,0x608000046cf8)
freed by thread T0 here:
    #0 0x558966e7ecf2 in __interceptor_free.part.0 asan_malloc_linux.cpp.o
    #1 0x55896726ec73 in meth_dealloc /home/matthias/prog/python/cpython/build-bisect-2/../Objects/methodobject.c:175:5
    #2 0x558967567c97 in _PyEval_EvalFrameDefault /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:4783:13
    #3 0x558967544abd in _PyEval_Vector /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:6424:24
    #4 0x558967530c0d in builtin___build_class__ /home/matthias/prog/python/cpython/build-bisect-2/../Python/bltinmodule.c:201:12
    #5 0x55896726d395 in cfunction_vectorcall_FASTCALL_KEYWORDS /home/matthias/prog/python/cpython/build-bisect-2/../Objects/methodobject.c:443:24
    #6 0x5589670ce5a4 in _PyObject_VectorcallTstate /home/matthias/prog/python/cpython/build-bisect-2/../Include/internal/pycore_call.h:92:11
    #7 0x558967567ba6 in _PyEval_EvalFrameDefault /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c
    #8 0x558967544abd in _PyEval_Vector /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:6424:24
    #9 0x558967544544 in PyEval_EvalCode /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:1154:21
    #10 0x5589676b990b in exec_code_in_module /home/matthias/prog/python/cpython/build-bisect-2/../Python/import.c:764:9
    #11 0x5589676ba193 in PyImport_ImportFrozenModuleObject /home/matthias/prog/python/cpython/build-bisect-2/../Python/import.c:1394:9
    #12 0x5589676bbfb1 in PyImport_ImportFrozenModule /home/matthias/prog/python/cpython/build-bisect-2/../Python/import.c:1434:11
    #13 0x55896772498f in init_importlib /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:186:9
    #14 0x55896772349d in pycore_interp_init /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:871:13
    #15 0x558967719beb in pyinit_config /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:900:14
    #16 0x558967719beb in pyinit_core /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:1063:18
    #17 0x558967719beb in Py_InitializeFromConfig /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:1253:14
    #18 0x5589679ecc04 in main /home/matthias/prog/python/cpython/build-bisect-2/../Programs/_bootstrap_python.c:103:14
    #19 0x7f5b4e5662cf  (/usr/lib/libc.so.6+0x232cf) (BuildId: 9c28cfc869012ebbd43cdb0f1eebcd14e1b8bdd8)

previously allocated by thread T0 here:
    #0 0x558966e7fd09 in __interceptor_malloc (/home/matthias/prog/python/cpython/build-bisect-2/_bootstrap_python+0x765d09)
    #1 0x5589677e02e4 in gc_alloc /home/matthias/prog/python/cpython/build-bisect-2/../Modules/gcmodule.c:2283:17
    #2 0x5589677e0198 in _PyObject_GC_New /home/matthias/prog/python/cpython/build-bisect-2/../Modules/gcmodule.c:2298:20
    #3 0x55896726c600 in PyCMethod_New /home/matthias/prog/python/cpython/build-bisect-2/../Objects/methodobject.c:101:14
    #4 0x558967286aa5 in _PyObject_GenericGetAttrWithDict /home/matthias/prog/python/cpython/build-bisect-2/../Objects/object.c:1337:15
    #5 0x558967284949 in PyObject_GetAttr /home/matthias/prog/python/cpython/build-bisect-2/../Objects/object.c
    #6 0x55896754bf4a in _PyEval_EvalFrameDefault /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:3471:29
    #7 0x558967544abd in _PyEval_Vector /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:6424:24
    #8 0x558967530c0d in builtin___build_class__ /home/matthias/prog/python/cpython/build-bisect-2/../Python/bltinmodule.c:201:12
    #9 0x55896726d395 in cfunction_vectorcall_FASTCALL_KEYWORDS /home/matthias/prog/python/cpython/build-bisect-2/../Objects/methodobject.c:443:24
    #10 0x5589670ce5a4 in _PyObject_VectorcallTstate /home/matthias/prog/python/cpython/build-bisect-2/../Include/internal/pycore_call.h:92:11
    #11 0x558967567ba6 in _PyEval_EvalFrameDefault /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c
    #12 0x558967544abd in _PyEval_Vector /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:6424:24
    #13 0x558967544544 in PyEval_EvalCode /home/matthias/prog/python/cpython/build-bisect-2/../Python/ceval.c:1154:21
    #14 0x5589676b990b in exec_code_in_module /home/matthias/prog/python/cpython/build-bisect-2/../Python/import.c:764:9
    #15 0x5589676ba193 in PyImport_ImportFrozenModuleObject /home/matthias/prog/python/cpython/build-bisect-2/../Python/import.c:1394:9
    #16 0x5589676bbfb1 in PyImport_ImportFrozenModule /home/matthias/prog/python/cpython/build-bisect-2/../Python/import.c:1434:11
    #17 0x55896772498f in init_importlib /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:186:9
    #18 0x55896772349d in pycore_interp_init /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:871:13
    #19 0x558967719beb in pyinit_config /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:900:14
    #20 0x558967719beb in pyinit_core /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:1063:18
    #21 0x558967719beb in Py_InitializeFromConfig /home/matthias/prog/python/cpython/build-bisect-2/../Python/pylifecycle.c:1253:14
    #22 0x5589679ecc04 in main /home/matthias/prog/python/cpython/build-bisect-2/../Programs/_bootstrap_python.c:103:14
    #23 0x7f5b4e5662cf  (/usr/lib/libc.so.6+0x232cf) (BuildId: 9c28cfc869012ebbd43cdb0f1eebcd14e1b8bdd8)

SUMMARY: AddressSanitizer: heap-use-after-free /home/matthias/prog/python/cpython/build-bisect-2/../Objects/object.c:2044:23 in _Py_ForgetReference
Shadow bytes around the buggy address:
  0x0c1080000d40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1080000d50: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1080000d60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1080000d70: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1080000d80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1080000d90: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fa
  0x0c1080000da0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1080000db0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1080000dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080000dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080000de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1780959==ABORTING
make: *** [Makefile:1215: Python/frozen_modules/abc.h] Error 1

This error also used to happen with main last week, but it does not seem to right now.
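The report above carries three stacks: the faulting read (in _Py_ForgetReference), the free site (meth_dealloc) and the original allocation (PyCMethod_New), which together tell a triager that a PyCFunction object was deallocated and then touched again. The following script, added here as an example and not part of the issue or of CPython, parses that ASan report layout and pulls out those three sites; the embedded report is a constructed, shortened excerpt of the one in this issue.

```python
import re

# Constructed excerpt in the shape of the ASan report in this issue (paths shortened).
SAMPLE_REPORT = """\
==1780959==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000046cb0 at pc 0x55896728b06e
READ of size 8 at 0x608000046cb0 thread T0
    #0 0x55896728b06d in _Py_ForgetReference ../Objects/object.c:2044:23
0x608000046cb0 is located 16 bytes inside of 88-byte region [0x608000046ca0,0x608000046cf8)
freed by thread T0 here:
    #0 0x558966e7ecf2 in __interceptor_free.part.0 asan_malloc_linux.cpp.o
    #1 0x55896726ec73 in meth_dealloc ../Objects/methodobject.c:175:5
previously allocated by thread T0 here:
    #0 0x558966e7fd09 in __interceptor_malloc (_bootstrap_python+0x765d09)
    #1 0x5589677e02e4 in gc_alloc ../Modules/gcmodule.c:2283:17
    #2 0x55896726c600 in PyCMethod_New ../Objects/methodobject.c:101:14
SUMMARY: AddressSanitizer: heap-use-after-free ../Objects/object.c:2044:23 in _Py_ForgetReference
"""

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_asan(text: str) -> dict:
    """Split an ASan report into header fields and its three stacks (access, free, alloc)."""
    report = {"bug": "", "address": "", "access": "", "offset": -1, "region_size": -1,
              "stacks": {"access": [], "free": [], "alloc": []}}
    current = None  # which stack the frame lines currently belong to
    for line in text.splitlines():
        if m := HEADER.search(line):
            report["bug"], report["address"] = m[1], m[2]
        elif m := ACCESS.match(line):
            report["access"], current = f"{m[1]} of {m[2]} bytes", "access"
        elif m := REGION.search(line):
            report["offset"], report["region_size"] = int(m[1]), int(m[2])
        elif line.startswith("freed by"):
            current = "free"
        elif line.startswith("previously allocated by"):
            current = "alloc"
        elif current and (m := FRAME.match(line)):
            report["stacks"][current].append((m[1], m[2]))  # (function, file:line)
    return report

def triage(text: str) -> dict:
    """Use, free and allocation sites (first frame per stack outside ASan's malloc/free interceptors)."""
    r = parse_asan(text)
    def app(stack):
        return next((f for f in stack if not f[0].startswith("__interceptor_")), None)
    return {"bug": r["bug"], "access": r["access"], "offset": f"{r['offset']} of {r['region_size']}",
            "use": app(r["stacks"]["access"]), "free": app(r["stacks"]["free"]),
            "alloc": app(r["stacks"]["alloc"])}
```

Run `triage(SAMPLE_REPORT)` to get the three sites as (function, location) pairs; in the full report the allocation stack goes on from gc_alloc through _PyObject_GC_New to PyCMethod_New.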

Labels: 3.11 (only security fixes), 3.12 (only security fixes), release-blocker, type-crash (a hard crash of the interpreter, possibly with a core dump)
