New submission from Clement Rouault <pyt...@hakril.net>:

While playing with '_multiprocessing.PipeConnection' I found out that instantiating an object with a subtype of '_multiprocessing.PipeConnection' will crash the interpreter when the object is deleted.
My guess is that some connection methods do not check/handle the fact that the object is a subtype and not a 'pure' PipeConnection.

I don't know if the exploitability aspect of this crash is important, but it allows rewriting an arbitrary address easily with some heap-pointer (leading to CPython trying to execute the heap).

I attached a simple program that crashes CPython using this bug.

----------
components: Library (Lib)
files: poc.py
messages: 311260
nosy: hakril
priority: normal
severity: normal
status: open
title: Instance of _multiprocessing.PipeConnection-subtype crash on deletion
type: crash
versions: Python 2.7
Added file: https://bugs.python.org/file47417/poc.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue32725>
_______________________________________