Your message dated Sat, 29 Jun 2024 10:46:16 +0000
with message-id <e1snvay-002ban...@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1065326,
regarding bookworm-pu: package python3.11/3.11.2-6+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1065326: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065326
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python3...@packages.debian.org, d...@debian.org
Control: affects -1 + src:python3.11
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
A use-after-free causing a SEGV was found in python 3.11, affecting the
the Zulip chat server.
The bug is known to affect python 3.11.0 - 3.11.4. And since being fixed
upstream, there have been no known related regressions.
[ Impact ]
Potential SEGV in python3. Known to be triggered by zulip's CI when
running under coverage.
[ Tests ]
The Python stdlib testsuite is extensive and passes with this patch.
There is a stand-alone reproducer that I've manually reproduced the bug
with and verified that it's fixed.
[ Risks ]
The code is pretty straight-forward. It asserts that the f_frame hasn't
already been freed before freeing.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
diff -Nru python3.11-3.11.2/debian/changelog python3.11-3.11.2/debian/changelog
--- python3.11-3.11.2/debian/changelog 2023-03-13 08:18:29.000000000 -0400
+++ python3.11-3.11.2/debian/changelog 2024-03-02 16:28:50.000000000 -0400
@@ -1,3 +1,11 @@
+python3.11 (3.11.2-6+deb12u1) bookworm; urgency=medium
+
+ [ Anders Kaseorg ]
+ * Fix a use-after-free crash when deallocating a frame object
+ (closes: #1050843).
+
+ -- Stefano Rivera <stefa...@debian.org> Sat, 02 Mar 2024 16:28:50 -0400
+
python3.11 (3.11.2-6) unstable; urgency=high
[ Stefano Rivera ]
diff -Nru python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff
python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff
--- python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff 1969-12-31
20:00:00.000000000 -0400
+++ python3.11-3.11.2/debian/patches/frame_dealloc-crash.diff 2024-03-02
16:28:50.000000000 -0400
@@ -0,0 +1,54 @@
+Description: Fix use-after-free crash in frame_dealloc
+ It was possible for the trashcan to delay the deallocation of a
+ PyFrameObject until after its corresponding _PyInterpreterFrame has
+ already been freed. So frame_dealloc needs to avoid dereferencing the
+ f_frame pointer unless it first checks that the pointer still points
+ to the interpreter frame within the frame object.
+Origin:
https://github.com/python/cpython/commit/46cae02085311481dc8b1ea9a5110969d9325bc7
+Bug-upstream: https://github.com/python/cpython/issues/106092
+Bug-Debian: https://bugs.debian.org/1050843
+Author: Anders Kaseorg <ande...@mit.edu>
+Last-Update: 2023-08-29
+Applied-Upstream: 3.11.5
+
+---
+ .../2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst | 2 ++
+ Objects/frameobject.c | 13 +++++++------
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Core and
Builtins/2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst
+
+--- /dev/null
++++ b/Misc/NEWS.d/next/Core and
Builtins/2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst
+@@ -0,0 +1,2 @@
++Fix a segmentation fault caused by a use-after-free bug in ``frame_dealloc``
++when the trashcan delays the deallocation of a ``PyFrameObject``.
+--- a/Objects/frameobject.c
++++ b/Objects/frameobject.c
+@@ -851,9 +851,6 @@
+ /* It is the responsibility of the owning generator/coroutine
+ * to have cleared the generator pointer */
+
+- assert(f->f_frame->owner != FRAME_OWNED_BY_GENERATOR ||
+- _PyFrame_GetGenerator(f->f_frame)->gi_frame_state == FRAME_CLEARED);
+-
+ if (_PyObject_GC_IS_TRACKED(f)) {
+ _PyObject_GC_UNTRACK(f);
+ }
+@@ -861,10 +858,14 @@
+ Py_TRASHCAN_BEGIN(f, frame_dealloc);
+ PyCodeObject *co = NULL;
+
++ /* GH-106092: If f->f_frame was on the stack and we reached the maximum
++ * nesting depth for deallocations, the trashcan may have delayed this
++ * deallocation until after f->f_frame is freed. Avoid dereferencing
++ * f->f_frame unless we know it still points to valid memory. */
++ _PyInterpreterFrame *frame = (_PyInterpreterFrame *)f->_f_frame_data;
++
+ /* Kill all local variables including specials, if we own them */
+- if (f->f_frame->owner == FRAME_OWNED_BY_FRAME_OBJECT) {
+- assert(f->f_frame == (_PyInterpreterFrame *)f->_f_frame_data);
+- _PyInterpreterFrame *frame = (_PyInterpreterFrame *)f->_f_frame_data;
++ if (f->f_frame == frame && frame->owner == FRAME_OWNED_BY_FRAME_OBJECT) {
+ /* Don't clear code object until the end */
+ co = frame->f_code;
+ frame->f_code = NULL;
diff -Nru python3.11-3.11.2/debian/patches/series
python3.11-3.11.2/debian/patches/series
--- python3.11-3.11.2/debian/patches/series 2023-03-01 05:58:01.000000000
-0400
+++ python3.11-3.11.2/debian/patches/series 2024-03-02 16:28:50.000000000
-0400
@@ -39,3 +39,4 @@
fix-py_compile.diff
ntpath-import.diff
shutdown-deadlock.diff
+frame_dealloc-crash.diff
--- End Message ---
--- Begin Message ---
Version: 12.6
The upload requested in this bug has been released as part of 12.6.
--- End Message ---
