Skip to content

gh-123083: Fix a potential use-after-free in STORE_ATTR_WITH_HINT #123092

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
corona10 merged 4 commits into from
Aug 22, 2024
Merged

gh-123083: Fix a potential use-after-free in STORE_ATTR_WITH_HINT #123092

corona10 merged 4 commits into from
Aug 22, 2024

Conversation

@corona10
Copy link
Member

@corona10 corona10 commented Aug 17, 2024
edited by bedevere-app bot
Loading

@corona10 corona10 requested a review from markshannon as a code owner August 17, 2024 08:27
@bedevere-app bedevere-app bot mentioned this pull request Aug 17, 2024
Closed
@corona10 corona10 added needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Aug 17, 2024
corona10
corona10 commented Aug 17, 2024
View reviewed changes
Lib/test/test_dict.py
gc.collect()
self.assertTrue(gc.is_tracked(next(it)))

def test_store_evilattr(self):
Copy link
Member Author

@corona10 corona10 Aug 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure that this is the proper place.

@corona10 corona10 added the 🔨 test-with-refleak-buildbots Test PR w/ refleak buildbots; report in status section label Aug 17, 2024
@bedevere-bot
Copy link

bedevere-bot commented Aug 17, 2024

🤖 New build scheduled with the buildbot fleet by @corona10 for commit 6cdacd8 🤖

If you want to schedule another build, you need to add the 🔨 test-with-refleak-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-refleak-buildbots Test PR w/ refleak buildbots; report in status section label Aug 17, 2024
@corona10 corona10 changed the title gh-123083: Fix STORE_ATTR_WITH_HINT has potential use-after-free gh-123083: Fix a potential use-after-free in STORE_ATTR_WITH_HINT Aug 17, 2024
@corona10 corona10 added the 🔨 test-with-refleak-buildbots Test PR w/ refleak buildbots; report in status section label Aug 17, 2024
@bedevere-bot
Copy link

bedevere-bot commented Aug 17, 2024

🤖 New build scheduled with the buildbot fleet by @corona10 for commit a71d20d 🤖

If you want to schedule another build, you need to add the 🔨 test-with-refleak-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-refleak-buildbots Test PR w/ refleak buildbots; report in status section label Aug 17, 2024
colesbury
colesbury reviewed Aug 19, 2024
View reviewed changes
Python/bytecodes.c Outdated
DEOPT_IF(ep->me_key != name);
old_value = ep->me_value;
PyDict_WatchEvent event = old_value == NULL ? PyDict_EVENT_ADDED : PyDict_EVENT_MODIFIED;
new_version = _PyDict_NotifyEvent(tstate->interp, event, dict, name, PyStackRef_AsPyObjectBorrow(value));
Copy link
Contributor

@colesbury colesbury Aug 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should structure this to match the ordering in dictobject.c:

cpython/Objects/dictobject.c

Lines 1693 to 1707 in b6d0a40

MAINTAIN_TRACKING(mp, key, value);
PyObject *old_value = mp->ma_values->values[ix];
if (old_value == NULL) {
uint64_t new_version = _PyDict_NotifyEvent(interp, PyDict_EVENT_ADDED, mp, key, value);
STORE_SPLIT_VALUE(mp, ix, Py_NewRef(value));
_PyDictValues_AddToInsertionOrder(mp->ma_values, ix);
STORE_USED(mp, mp->ma_used + 1);
mp->ma_version_tag = new_version;
}
else {
uint64_t new_version = _PyDict_NotifyEvent(interp, PyDict_EVENT_MODIFIED, mp, key, value);
STORE_SPLIT_VALUE(mp, ix, Py_NewRef(value));
mp->ma_version_tag = new_version;
Py_DECREF(old_value);
}

  1. Update GC tracking if necessary
  2. Notify event
  3. Store value and version tag
  4. Decref old value

@markshannon
Copy link
Member

markshannon commented Aug 19, 2024

Could you add a comment, specifically why this is the correct order?
It isn't obvious and it will be easy to reintroduce the error without some warning not to.

@corona10 corona10 requested a review from methane as a code owner August 20, 2024 15:28
@corona10 corona10 requested a review from colesbury August 20, 2024 15:30
@corona10
Copy link
Member Author

corona10 commented Aug 20, 2024

Thank you for the kind review!
I followed the suggestions. Please take a look. :)

@corona10
Copy link
Member Author

corona10 commented Aug 22, 2024

@colesbury @markshannon gentle ping :)

markshannon
markshannon approved these changes Aug 22, 2024
View reviewed changes
Copy link
Member

@markshannon markshannon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks fine to me. But let @colesbury review it before merging.

colesbury
colesbury approved these changes Aug 22, 2024
View reviewed changes
Copy link
Contributor

@colesbury colesbury left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM too

@corona10 corona10 merged commit 297f2e0 into python:main Aug 22, 2024
@miss-islington-app
Copy link

miss-islington-app bot commented Aug 22, 2024

Thanks @corona10 for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12, 3.13.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-app bot commented Aug 22, 2024

Sorry, @corona10, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 297f2e093ec95800ae2184330b8408c875523467 3.13

@miss-islington-app
Copy link

miss-islington-app bot commented Aug 22, 2024

Sorry, @corona10, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 297f2e093ec95800ae2184330b8408c875523467 3.12

corona10 added a commit to corona10/cpython that referenced this pull request Aug 22, 2024
@corona10
[3.13] pythongh-123083: Fix a potential use-after-free in ``STORE_ATT…
0ab4e42 
…R_WITH_HINT`` (pythongh-123092)

(cherry picked from commit 297f2e0)

Co-authored-by: Donghee Na <[email protected]>
corona10 added a commit to corona10/cpython that referenced this pull request Aug 22, 2024
@corona10
[3.13] pythongh-123083: Fix a potential use-after-free in ``STORE_ATT…
1c16bdf 
…R_WITH_HINT`` (pythongh-123092)

(cherry picked from commit 297f2e0)

Co-authored-by: Donghee Na <[email protected]>
@corona10 corona10 mentioned this pull request Aug 22, 2024
Merged
@bedevere-app
Copy link

bedevere-app bot commented Aug 22, 2024

GH-123235 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Aug 22, 2024
@corona10 corona10 mentioned this pull request Aug 22, 2024
Merged
@bedevere-app
Copy link

bedevere-app bot commented Aug 22, 2024

GH-123237 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Aug 22, 2024
corona10 added a commit that referenced this pull request Aug 22, 2024
@corona10
[3.13] gh-123083: Fix a potential use-after-free in ``STORE_ATTR_WITH… (
6cd67e4 
#123235)

[3.13] gh-123083: Fix a potential use-after-free in ``STORE_ATTR_WITH_HINT`` (gh-123092)
(cherry picked from commit 297f2e0)
corona10 added a commit that referenced this pull request Aug 22, 2024
@corona10
[3.12] gh-123083: Fix a potential use-after-free in ``STORE_ATTR_WITH… (
6e68559 
#123237)

[3.12] gh-123083: Fix a potential use-after-free in ``STORE_ATTR_WITH_HINT`` (gh-123092)
(cherry picked from commit 297f2e0)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@picnixz picnixz picnixz left review comments

@colesbury colesbury colesbury approved these changes

@markshannon markshannon markshannon approved these changes

@Fidget-Spinner Fidget-Spinner Awaiting requested review from Fidget-Spinner

@brandtbucher brandtbucher Awaiting requested review from brandtbucher

@methane methane Awaiting requested review from methane methane is a code owner

Assignees

@corona10 corona10

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@corona10 @bedevere-bot @markshannon @colesbury @picnixz