Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

create_builtin() in _imp module trigger segfault if taking a builtin object as input #98354

Closed
xiaxinmeng opened this issue Oct 17, 2022 · 6 comments · Fixed by #98412
Closed

create_builtin() in _imp module trigger segfault if taking a builtin object as input #98354

xiaxinmeng opened this issue Oct 17, 2022 · 6 comments · Fixed by #98412
Labels
3.10 only security fixes type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@xiaxinmeng
Copy link

Crash report

In the following test program, _imp.create_builtin takes a object A as input. The object instance the name attribute as "self" at "self.name = self". This action triggers a segfault on CPython 3.10.7 and CPython 3.10.7. Similarly, if self.name = other keywords, e.g.,int, print, the program also crashes. It may need a checker for _imp.create_builtin to avoid keywords.

import _imp

class FakeSpec:
	def __init__(self, name):
		self.name = self

A = FakeSpec("time")

imp_time = _imp.create_builtin(A)

Error messages

Expected behavior on CPython 3.9.0

Traceback (most recent call last):
  File "/home/xxm/Desktop/imp.py", line 9, in <module>
    imp_time = _imp.create_builtin(A)
TypeError: bad argument type for built-in operation

Unexpected Behavior on CPython 3.10.8
Segmentation fault(core dumped)

Your environment

  • CPython versions tested on:Python 3.10.8, Python 3.10.7

  • Operating system and architecture: [GCC 7.5.0] on linux
@xiaxinmeng xiaxinmeng added the type-crash A hard crash of the interpreter, possibly with a core dump label Oct 17, 2022
@mdboom mdboom added the 3.10 only security fixes label Oct 17, 2022
@chgnrdv
Copy link
Contributor

chgnrdv commented Oct 18, 2022
edited
Loading

Crashes on 3.12.0a0 with the following message:

Objects/unicodeobject.c:498: _PyUnicode_CheckConsistency: Assertion failed: PyType_HasFeature((Py_TYPE(((PyObject*)((op))))), ((1UL << 28)))
Enable tracemalloc to get the memory block allocation traceback

object address  : 0x7ffff77eb530
object refcount : 4
object type     : 0x555555c2b9b0
object type name: FakeSpec
object repr     : <__main__.FakeSpec object at 0x7ffff77eb530>

Fatal Python error: _PyObject_AssertFailed: _PyObject_AssertFailed
Python runtime state: initialized

Current thread 0x00007ffff7cad740 (most recent call first):
  File "/home/.../cpython/crash_98354.py", line 9 in <module>

Program received signal SIGABRT, Aborted.

Looks like _imp_create_builtin should check name for being a str instance in general, not only to avoid it being a keyword.

@chgnrdv chgnrdv mentioned this issue Oct 18, 2022
Merged
@ericsnowcurrently
Copy link
Member

To be clear, code should not be using the _imp module directly. That said, this would be relatively easy to reproduce with a metapath finder.

Regardless, I was able to reproduce this on main (3.12, c051d55) using the OP code. It is not crashing on 3.8 (but does fail with a TypeError). Likewise with 3.9.

It does start crashing in 3.10. Looks like it started in 6223071 (GH-23378). It was probably caught before by the PyUnicode_AsUTF8() (which was removed). Checking for PyUnicode should restore the pre-3.10 behavior.

miss-islington pushed a commit that referenced this issue Oct 20, 2022
@chgnrdv
gh-98354: Add unicode check for 'name' attribute in _imp_create_built…
1f369ad 
…in (GH-98412)

Fixes #98354
carljm added a commit to carljm/cpython that referenced this issue Oct 20, 2022
@carljm
Merge branch 'main' into typewatch
8bba5da 
* main: (40 commits)
  pythongh-98461: Fix source location in comprehensions bytecode (pythonGH-98464)
  pythongh-98421: Clean Up PyObject_Print (pythonGH-98422)
  pythongh-98360: multiprocessing now spawns children on Windows with correct argv[0] in virtual environments (pythonGH-98462)
  CODEOWNERS: Become a typing code owner (python#98480)
  [doc] Improve logging cookbook example. (pythonGH-98481)
  Add more tkinter.Canvas tests (pythonGH-98475)
  pythongh-95023: Added os.setns and os.unshare functions (python#95046)
  pythonGH-98363: Presize the list for batched() (pythonGH-98419)
  pythongh-98374: Suppress ImportError for invalid query for help() command. (pythongh-98450)
  typing tests: `_overload_dummy` raises `NotImplementedError`, not `RuntimeError` (python#98351)
  pythongh-98354: Add unicode check for 'name' attribute in _imp_create_builtin (pythonGH-98412)
  pythongh-98257: Make _PyEval_SetTrace() reentrant (python#98258)
  pythongh-98414: py.exe launcher does not use defaults for -V:company/ option (pythonGH-98460)
  pythongh-98417: Store int_max_str_digits on the Interpreter State (pythonGH-98418)
  Doc: Remove title text from internal links (python#98409)
  [doc] Refresh the venv introduction documentation, and correct the statement about VIRTUAL_ENV (pythonGH-98350)
  Docs: Bump sphinx-lint and fix unbalanced inline literal markup (python#98441)
  pythongh-92886: Replace assertion statements in `handlers.BaseHandler` to support running with optimizations (`-O`) (pythonGH-93231)
  pythongh-92886: Fix tests that fail when running with optimizations (`-O`) in `_test_multiprocessing.py` (pythonGH-93233)
  pythongh-92886: Fix tests that fail when running with optimizations (`-O`) in `test_py_compile.py` (pythonGH-93235)
  ...
@ericsnowcurrently
Copy link
Member

Per #98412 (comment), this might not be completely fixed yet.

@xiaxinmeng, can you verify if the problem you had is fixed on the main branch (i.e. 3.12a1)?

@ericsnowcurrently
Copy link
Member

Additional info from @chgnrdv:

@chgnrdv, can you confirm this is fixed by gh-99642 (for gh-99578)? If so, we can close this issue.

@xiaxinmeng
Copy link
Author

xiaxinmeng commented Nov 23, 2022
edited
Loading

Per #98412 (comment), this might not be completely fixed yet.

@xiaxinmeng, can you verify if the problem you had is fixed on the main branch (i.e. 3.12a1)?

Sorry for being late @ericsnowcurrently . I think this problem has been fixed.
It does not crash CPython any more, the behavior on the main branch 8f18ac0 is as follows:

Traceback (most recent call last):
  File "/home/xxm/Downloads/cpython-main(2)/test.py", line 9, in <module>
    imp_time = _imp.create_builtin(A)
               ^^^^^^^^^^^^^^^^^^^^^^
TypeError: name must be string, not FakeSpec

@chgnrdv
Copy link
Contributor

chgnrdv commented Feb 12, 2023

@ericsnowcurrently, sorry for the slow response. Yes, I confirm that refleak issue is fixed by gh-99578, and therefore we can close this one.

@erlend-aasland erlend-aasland mentioned this issue Apr 5, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.10 only security fixes type-crash A hard crash of the interpreter, possibly with a core dump
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

gh-98354: Add unicode check for 'name' attribute in _imp_create_builtin chgnrdv/cpython
5 participants
@mdboom @ericsnowcurrently @xiaxinmeng @chgnrdv @kumaraditya303