Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New generator frames have a dangling previous pointer #97752

Closed
brandtbucher opened this issue Oct 3, 2022 · 4 comments
Closed

New generator frames have a dangling previous pointer #97752

brandtbucher opened this issue Oct 3, 2022 · 4 comments
Assignees
@brandtbucher
Labels
3.11 only security fixes 3.12 bugs and security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) release-blocker sprint type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@brandtbucher
Copy link
Member

After RETURN_GENERATOR executes, the new generator's _PyInterpreterFrame has a previous member that still points to the caller's _PyInterpreterFrame. However, this is incorrect; it should be NULL, since the generator's frame isn't actually running anymore. This dangling pointer is dangerous, and can lead to hard crashes of the interpreter. Example:

Python 3.11.0rc2 (tags/v3.11.0rc2:ed7c3ff156, Oct  2 2022, 07:05:44) [GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> def g():
...     yield
... 
>>> def f():
...     return g()
... 
>>> gen = f()

This should be None, but instead it refers to a dead _PyInterpreterFrame from the previous call:

>>> gen.gi_frame.f_back
<frame at 0x7f74318c6e80, file '<stdin>', line 2, code f>

Making other calls "updates" this frame, since it just points to an arbitrary location in the stack:

>>> def spam():
...     pass
... 
>>> spam()
>>> gen.gi_frame.f_back
<frame at 0x7f7431ab93f0, file '<stdin>', line 2, code spam>

It's also quite simple to corrupt:

>>> del spam
>>> gen.gi_frame.f_back
<frame at 0x7f7431ab93f0, file '<stdin>', line 1629515630, code '<stdin>'>
>>> gen.gi_frame.f_back.f_code
Segmentation fault

This bug also appears to affect PyAsyncGen_New, PyCoro_New, PyGen_New, and PyGen_NewWithQualName.

The fix is simple: set frame->previous to NULL after calls to _PyFrame_Copy. I'll open a PR at the sprint tomorrow.
@brandtbucher brandtbucher added sprint interpreter-core (Objects, Python, Grammar, and Parser dirs) release-blocker 3.11 only security fixes type-crash A hard crash of the interpreter, possibly with a core dump 3.12 bugs and security fixes needs backport to 3.11 only security fixes labels Oct 3, 2022
@brandtbucher brandtbucher self-assigned this Oct 3, 2022
@brandtbucher brandtbucher removed the needs backport to 3.11 only security fixes label Oct 3, 2022
@brandtbucher
Copy link
Member Author

CC @markshannon

@ezio-melotti ezio-melotti moved this to Todo in Sprint 2024 Oct 3, 2022
@brandtbucher brandtbucher moved this from Todo to In Progress in Sprint 2024 Oct 3, 2022
@brandtbucher brandtbucher moved this from In Progress to Todo in Sprint 2024 Oct 3, 2022
@bedevere-bot bedevere-bot mentioned this issue Oct 3, 2022
Merged
markshannon pushed a commit that referenced this issue Oct 3, 2022
@brandtbucher
GH-97752: Clear the previous member of newly-created generator/coro…
93fcc1f 
…utine frames (GH-97795)
@bedevere-bot bedevere-bot mentioned this issue Oct 3, 2022
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 3, 2022
@brandtbucher @miss-islington
pythonGH-97752: Clear the previous member of newly-created generato…
707f679 
…r/coroutine frames (pythonGH-97795)

(cherry picked from commit 93fcc1f)

Co-authored-by: Brandt Bucher <[email protected]>
brandtbucher pushed a commit that referenced this issue Oct 4, 2022
@miss-islington
[3.11] GH-97752: Clear the previous member of newly-created generator…
4591dae 
…/coroutine frames (GH-97812)

(cherry picked from commit 93fcc1f)
@arhadthedev
Copy link
Member

@brandtbucher Since gh-97812 is merged, can this issue be closed or have its release-blocker label removed?

@brandtbucher
Copy link
Member Author

I'd prefer to leave it open, and let @pablogsal close it once the cherry-pick to 3.11.0 is finished.

@arhadthedev
Copy link
Member

@pablogsal This issue seems to be eligible for closing (see the comment above).

Repository owner moved this from Todo to Done in Sprint 2024 Oct 22, 2022
Repository owner moved this from Todo to Done in Release and Deferred blockers 🚫 Oct 22, 2022
pablogsal pushed a commit that referenced this issue Oct 22, 2022
@miss-islington @pablogsal
[3.11] GH-97752: Clear the previous member of newly-created generator…
585c95d 
…/coroutine frames (GH-97812)

(cherry picked from commit 93fcc1f)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brandtbucher brandtbucher

Labels
3.11 only security fixes 3.12 bugs and security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) release-blocker sprint type-crash A hard crash of the interpreter, possibly with a core dump
Projects
Release and Deferred blockers 🚫
Archived in project
Sprint 2024
Archived in project
Milestone
No milestone
Development

No branches or pull requests
3 participants
@arhadthedev @pablogsal @brandtbucher