[3.14] gh-140067: Fix memory leak in sub-interpreter creation (GH-140111) (#140118)

* [3.14] gh-140067: Fix memory leak in sub-interpreter creation  (GH-140111)

Fix memory leak in sub-interpreter creation caused by overwriting of the previously used `_malloced` field. Now the pointer is stored in the first word of the memory block to avoid it being overwritten accidentally.
(cherry picked from commit 59547a251f7069dc6e08cb6082dd21872671e381)

Co-authored-by: Shamil <ashm.tech@proton.me>
Co-authored-by: Kumar Aditya <kumaraditya@python.org>

diff --git a/Include/internal/pycore_interp_structs.h b/Include/internal/pycore_interp_structs.h
index d1f916fa7f727c24c1f0e198f104e538db73805e..15885b5f228c8b68c3c7feac9fee3f9b58845d5c 100644 (file)
--- a/Include/internal/pycore_interp_structs.h
+++ b/Include/internal/pycore_interp_structs.h
@@ -768,10 +768,7 @@ struct _is {
      * and should be placed at the beginning. */
     struct _ceval_state ceval;
 
-    /* This structure is carefully allocated so that it's correctly aligned
-     * to avoid undefined behaviors during LOAD and STORE. The '_malloced'
-     * field stores the allocated pointer address that will later be freed.
-     */
+    // unused, kept for ABI compatibility
     void *_malloced;
 
     PyInterpreterState *next;

diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py
index 59db91b0ffce5e758a518e970e48491372764350..bb51ddd38e2cade5a8112678b434948305756db2 100644 (file)
--- a/Lib/test/test_threading.py
+++ b/Lib/test/test_threading.py
@@ -1727,6 +1727,7 @@ class SubinterpThreadingTests(BaseTestCase):
         self.assertEqual(os.read(r_interp, 1), DONE)
 
     @cpython_only
+    @support.skip_if_sanitizer(thread=True, memory=True)
     def test_daemon_threads_fatal_error(self):
         import_module("_testcapi")
         subinterp_code = f"""if 1:

diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-10-14-17-07-37.gh-issue-140067.ID2gOm.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-10-14-17-07-37.gh-issue-140067.ID2gOm.rst
new file mode 100644 (file)
index 0000000..3c5a828
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-10-14-17-07-37.gh-issue-140067.ID2gOm.rst
@@ -0,0 +1 @@
+Fix memory leak in sub-interpreter creation.

diff --git a/Python/pystate.c b/Python/pystate.c
index 9f6e961e71ae9ff1269d10186a22a2472d7dae60..7f365ea50cab7d0a3e694291545214d7f3258a46 100644 (file)
--- a/Python/pystate.c
+++ b/Python/pystate.c
@@ -565,16 +565,19 @@ _PyInterpreterState_Enable(_PyRuntimeState *runtime)
 static PyInterpreterState *
 alloc_interpreter(void)
 {
+    // Aligned allocation for PyInterpreterState.
+    // the first word of the memory block is used to store
+    // the original pointer to be used later to free the memory.
     size_t alignment = _Alignof(PyInterpreterState);
-    size_t allocsize = sizeof(PyInterpreterState) + alignment - 1;
+    size_t allocsize = sizeof(PyInterpreterState) + sizeof(void *) + alignment - 1;
     void *mem = PyMem_RawCalloc(1, allocsize);
     if (mem == NULL) {
         return NULL;
     }
-    PyInterpreterState *interp = _Py_ALIGN_UP(mem, alignment);
-    assert(_Py_IS_ALIGNED(interp, alignment));
-    interp->_malloced = mem;
-    return interp;
+    void *ptr = _Py_ALIGN_UP((char *)mem + sizeof(void *), alignment);
+    ((void **)ptr)[-1] = mem;
+    assert(_Py_IS_ALIGNED(ptr, alignment));
+    return ptr;
 }
 
 static void
@@ -589,7 +592,7 @@ free_interpreter(PyInterpreterState *interp)
             interp->obmalloc = NULL;
         }
         assert(_Py_IS_ALIGNED(interp, _Alignof(PyInterpreterState)));
-        PyMem_RawFree(interp->_malloced);
+        PyMem_RawFree(((void **)interp)[-1]);
     }
 }