gh-112127: Fix use-after-free in atexit.unregister() #114092
Conversation
|
All commit authors signed the Contributor License Agreement. |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
sobolevn
left a comment
sobolevn
left a comment
There was a problem hiding this comment.
Thanks! I have several comments.
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
|
Thanks for the feedback @serhiy-storchaka ! I updated my PR based on your comments, could you take another look when you get a chance please? |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
kumaraditya303
left a comment
kumaraditya303
left a comment
There was a problem hiding this comment.
There are merge conflicts
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
There is yet one issue here. Even if it no longer crashes, it can unregister wrong function if other function was unregistered during execution of After finding the callback, we should check that the tuple at the current position is the same, and if it is not, iterate back until we find it (items can only be removed, not inserted before the current position, unless we play with |
serhiy-storchaka
left a comment
serhiy-storchaka
left a comment
There was a problem hiding this comment.
Also, currently the test is passed with unpatched code.
Lib/test/_test_atexit.py
Outdated
| cnt += 1 | ||
| if cnt == 1: | ||
| self.action(o) | ||
| return self.eq_ret_val(o) |
There was a problem hiding this comment.
self.eq_ret_val is not callable.
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
serhiy-storchaka
added
needs backport to 3.13
|
Thanks @benjaminJohnson2204 for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13. |
|
Thanks @benjaminJohnson2204 for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14. |
|
Sorry, @benjaminJohnson2204 and @serhiy-storchaka, I could not cleanly backport this to |
…ythonGH-114092) (cherry picked from commit 2b466c4) Co-authored-by: Benjamin Johnson <[email protected]> Co-authored-by: Serhiy Storchaka <[email protected]>
|
GH-142878 is a backport of this pull request to the 3.14 branch. |
…ter() (pythonGH-114092) (cherry picked from commit 2b466c4) Co-authored-by: Benjamin Johnson <[email protected]> Co-authored-by: Serhiy Storchaka <[email protected]>
|
GH-142880 is a backport of this pull request to the 3.13 branch. |
…H-114092) (#142878) gh-112127: Fix possible use-after-free in atexit.unregister() (GH-114092) (cherry picked from commit 2b466c4) Co-authored-by: Benjamin Johnson <[email protected]> Co-authored-by: Serhiy Storchaka <[email protected]>
…ter() (pythonGH-114092) (cherry picked from commit 2b466c4) Co-authored-by: Benjamin Johnson <[email protected]> Co-authored-by: Serhiy Storchaka <[email protected]>
…H-114092) (GH-142880) (cherry picked from commit 2b466c4) Co-authored-by: Benjamin Johnson <[email protected]>
4 participants
This PR fixes a use-after-free error when a callback registered with
atexit.register()callsatexit.unregister()oratexit._clear()in its__eq__method, which is called by theatexit_register()C API.I fixed the issue by increasing the refcounts of both arguments to the
__eq__check before the equality check, and decrementing them afterward.I also added additional unit tests to test that these cases do not cause crashes.
I don't think this needs a news entry.
Issue: #112127