New submission from Chiaki Ishikawa <ishik...@yk.rim.or.jp>:
Hi, I am new to the Python bug tracker, so my setting of the fields may be inadequate. If so, apologies in advance.

I think a Use After Free bug is a potential security issue and so wanted to report it ASAP.

First my environment: I am using Debian GNU/Linux, and its kernel version is (uname -a output):

SMP Debian 4.19.37-6 (2019-07-18) x86_64 GNU/Linux

Python version is:

# python3 --version
Python 3.7.4

The Mozilla Thunderbird mail client testing framework uses Python as a test driver, and when I was checking the local build of Thunderbird under a test suite invoked from |make mozmill| under valgrind (a memory usage checker), the first thing I noticed was the following message from valgrind.

PyObject_Free seems to access a memory location (4 octets) in an already freed block. This happened many times during the test.

I have not bothered to look into the source code of Python, but a seasoned developer should be able to figure out where such a reference is made.

From valgrind log:

==30354== Invalid read of size 4
==30354==    at 0x5A29FE: PyObject_Free (in /usr/bin/python3.7)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==  Address 0x4c8b020 is 16 bytes after a block of size 576 free'd
==30354==    at 0x4833FC0: free (vg_replace_malloc.c:538)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==  Block was alloc'd at
==30354==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
==30354==    by 0x5A4B16: PyObject_Malloc (in /usr/bin/python3.7)
==30354==    by 0x5B72BD: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==

TIA

----------
components: Library (Lib)
messages: 351154
nosy: zephyrus00jp
priority: normal
severity: normal
status: open
title: Use After Free: PyObject_Free
type: security
versions: Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue38033>
_______________________________________
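The report says the same valgrind error "happened many times during the test", which is the usual shape of a memcheck log from a long test run: the question for a triager is how many distinct errors there are and whether any of them is already a documented expectation. The script below is an added example written for this report, not CPython's or valgrind's own code. It parses memcheck's default text output (the `==PID==` prefix, `at`/`by` frames, and the `Address ... free'd` / `Block was alloc'd at` sub-stacks) into records, keys them by headline plus the first symbolised frames so repeats collapse to one entry, and flags entries whose innermost frame is `PyObject_Free` or `PyObject_Realloc`; that is the pattern CPython's `Misc/README.valgrind` describes as expected from pymalloc's `address_in_range()` check and the one `Misc/valgrind-python.supp` exists to suppress. The flagging rule is my heuristic, and the sample input is the report's own error block plus a second copy under a constructed PID to stand in for the repeats.

```python
"""Parse valgrind memcheck error blocks into structured records for triage.

Added example for the bug report above; not CPython's or valgrind's own code.
Assumes default memcheck text output ("==PID== " prefix, "at"/"by" frames).
"""
import re
from collections import Counter

PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")
FRAME_RE = re.compile(r"^(?:at|by) (0x[0-9A-Fa-f]+): (.+?) \((.*)\)$")
# Innermost frames named in Misc/README.valgrind for pymalloc's expected reads.
PYMALLOC_ENTRY_POINTS = {"PyObject_Free", "PyObject_Realloc"}


def _bodies(text):
    """Yield the text after the ==PID== prefix; lines without the prefix
    (the program's own output interleaved with valgrind's) are skipped."""
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            yield m.group(1).strip()


def parse_valgrind_errors(text):
    """Return one record per error block: headline, faulting stack, and the
    free/alloc stacks memcheck prints for use-after-free style reports."""
    errors, current, target = [], None, None
    for body in _bodies(text):
        if not body:                          # blank prefix line closes a block
            current, target = None, None
            continue
        frame = FRAME_RE.match(body)
        if frame:
            if target is not None:
                target.append({"addr": frame.group(1), "func": frame.group(2),
                               "loc": frame.group(3)})
            continue
        if current is not None and body.startswith("Address "):
            current["address"] = body         # where the bad access landed
            target = current["free_stack"]    # frames that follow: who freed it
            continue
        if current is not None and body.startswith("Block was alloc'd"):
            target = current["alloc_stack"]   # frames that follow: who allocated it
            continue
        current = {"kind": body, "stack": [], "address": None,
                   "free_stack": [], "alloc_stack": []}
        target = current["stack"]
        errors.append(current)
    return errors


def signature(err, depth=3):
    """Stable key for deduplication: the headline plus the first `depth`
    symbolised frames (unsymbolised ??? frames are skipped)."""
    names = [f["func"] for f in err["stack"] if f["func"] != "???"]
    return (err["kind"], tuple(names[:depth]))


def matches_pymalloc_pattern(err):
    """Heuristic (mine, not valgrind's): a 4-byte invalid read whose innermost
    frame is a pymalloc entry point has the shape Misc/README.valgrind describes
    as expected from address_in_range(); Misc/valgrind-python.supp suppresses it.
    Anything that does not match deserves a real look."""
    return (err["kind"].startswith("Invalid read of size 4")
            and bool(err["stack"])
            and err["stack"][0]["func"] in PYMALLOC_ENTRY_POINTS)


def summarize(text):
    """Count distinct signatures so a log full of repeats becomes a short list."""
    return Counter(signature(e) for e in parse_valgrind_errors(text))


# Sample input: the error block quoted in the report, copied verbatim.
REPORT = """\
==30354== Invalid read of size 4
==30354==    at 0x5A29FE: PyObject_Free (in /usr/bin/python3.7)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==  Address 0x4c8b020 is 16 bytes after a block of size 576 free'd
==30354==    at 0x4833FC0: free (vg_replace_malloc.c:538)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==  Block was alloc'd at
==30354==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
==30354==    by 0x5A4B16: PyObject_Malloc (in /usr/bin/python3.7)
==30354==    by 0x5B72BD: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
"""
# Constructed: a second copy under a different PID to stand in for the repeats.
SAMPLE = REPORT + "==30354==\n" + REPORT.replace("==30354==", "==30355==")

if __name__ == "__main__":
    for sig, n in summarize(SAMPLE).items():
        print(n, "x", sig)
    for err in parse_valgrind_errors(SAMPLE):
        print("pymalloc address_in_range pattern:", matches_pymalloc_pattern(err))
```

Run against a real log, pipe valgrind's stderr into the script and feed the text to `summarize()`; the entries that do not match the pymalloc pattern are the ones to take to the tracker, together with the `free_stack` and `alloc_stack` of one representative record.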