[3.13] gh-123083: Fix a potential use-after-free in ``STORE_ATTR_WITH… (#123235)

author Donghee Na <donghee.na@python.org>

Thu, 22 Aug 2024 16:37:26 +0000 (01:37 +0900)

committer GitHub <noreply@github.com>

Thu, 22 Aug 2024 16:37:26 +0000 (01:37 +0900)
author Donghee Na <donghee.na@python.org>
Thu, 22 Aug 2024 16:37:26 +0000 (01:37 +0900)
committer GitHub <noreply@github.com>
Thu, 22 Aug 2024 16:37:26 +0000 (01:37 +0900)
diff --git a/Lib/test/test_dict.py b/Lib/test/test_dict.py

index e5dba7cdc570a85ada8664e3f922554ae72f34e8..4030716efb51f9cc893910e8963c4a6b231f8cce 100644 (file)
--- a/Lib/test/test_dict.py
+++ b/Lib/test/test_dict.py
@@ -1476,6 +1476,24 @@ class DictTest(unittest.TestCase):
          gc.collect()
          self.assertTrue(gc.is_tracked(next(it)))
  
+    def test_store_evilattr(self):
+        class EvilAttr:
+            def __init__(self, d):
+                self.d = d
+
+            def __del__(self):
+                if 'attr' in self.d:
+                    del self.d['attr']
+                gc.collect()
+
+        class Obj:
+            pass
+
+        obj = Obj()
+        obj.__dict__ = {}
+        for _ in range(10):
+            obj.attr = EvilAttr(obj.__dict__)
+
      def test_str_nonstr(self):
          # cpython uses a different lookup function if the dict only contains
          # `str` keys. Make sure the unoptimized path is used when a non-`str`
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-08-17-17-26-25.gh-issue-123083.9xWLJ-.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-08-17-17-26-25.gh-issue-123083.9xWLJ-.rst

new file mode 100644 (file)

index 0000000..edc3f1a
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2024-08-17-17-26-25.gh-issue-123083.9xWLJ-.rst
@@ -0,0 +1 @@
+Fix a potential use-after-free in ``STORE_ATTR_WITH_HINT``.
diff --git a/Objects/dictobject.c b/Objects/dictobject.c

index 05600772db702623e0a5333df6098f7b4ca8db51..6586e0c5c27de13cc5460caedd6e9a0858ef7cb6 100644 (file)
--- a/Objects/dictobject.c
+++ b/Objects/dictobject.c
@@ -1762,6 +1762,8 @@ insert_split_value(PyInterpreterState *interp, PyDictObject *mp, PyObject *key,
          uint64_t new_version = _PyDict_NotifyEvent(interp, PyDict_EVENT_MODIFIED, mp, key, value);
          STORE_SPLIT_VALUE(mp, ix, Py_NewRef(value));
          mp->ma_version_tag = new_version;
+        // old_value should be DECREFed after GC track checking is done, if not, it could raise a segmentation fault,
+        // when dict only holds the strong reference to value in ep->me_value.
          Py_DECREF(old_value);
      }
      ASSERT_CONSISTENT(mp);
diff --git a/Python/bytecodes.c b/Python/bytecodes.c

index cac9f67d7f2171745e7ea1f72040b5657bf0f95b..c222fcdb22f85379da313aac55225308945cb89c 100644 (file)
--- a/Python/bytecodes.c
+++ b/Python/bytecodes.c
@@ -2170,14 +2170,15 @@ dummy_func(
                  new_version = _PyDict_NotifyEvent(tstate->interp, PyDict_EVENT_MODIFIED, dict, name, value);
                  ep->me_value = value;
              }
-            Py_DECREF(old_value);
-            STAT_INC(STORE_ATTR, hit);
              /* Ensure dict is GC tracked if it needs to be */
              if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(value)) {
                  _PyObject_GC_TRACK(dict);
              }
-            /* PEP 509 */
-            dict->ma_version_tag = new_version;
+            dict->ma_version_tag = new_version; // PEP 509
+            // old_value should be DECREFed after GC track checking is done, if not, it could raise a segmentation fault,
+            // when dict only holds the strong reference to value in ep->me_value.
+            Py_DECREF(old_value);
+            STAT_INC(STORE_ATTR, hit);
              Py_DECREF(owner);
          }
  
diff --git a/Python/generated_cases.c.h b/Python/generated_cases.c.h

index fe42e20f4393d67091e4619be1a95461f5e62a3a..dd334044d559b644f42a3dc6e82049f7db750707 100644 (file)
--- a/Python/generated_cases.c.h
+++ b/Python/generated_cases.c.h
@@ -5608,14 +5608,15 @@
                  new_version = _PyDict_NotifyEvent(tstate->interp, PyDict_EVENT_MODIFIED, dict, name, value);
                  ep->me_value = value;
              }
-            Py_DECREF(old_value);
-            STAT_INC(STORE_ATTR, hit);
              /* Ensure dict is GC tracked if it needs to be */
              if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(value)) {
                  _PyObject_GC_TRACK(dict);
              }
-            /* PEP 509 */
-            dict->ma_version_tag = new_version;
+            dict->ma_version_tag = new_version; // PEP 509
+            // old_value should be DECREFed after GC track checking is done, if not, it could raise a segmentation fault,
+            // when dict only holds the strong reference to value in ep->me_value.
+            Py_DECREF(old_value);
+            STAT_INC(STORE_ATTR, hit);
              Py_DECREF(owner);
              stack_pointer += -2;
              DISPATCH();
author	Donghee Na <donghee.na@python.org>
	Thu, 22 Aug 2024 16:37:26 +0000 (01:37 +0900)
committer	GitHub <noreply@github.com>
	Thu, 22 Aug 2024 16:37:26 +0000 (01:37 +0900)
Lib/test/test_dict.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Core_and_Builtins/2024-08-17-17-26-25.gh-issue-123083.9xWLJ-.rst	[new file with mode: 0644]	patch \| blob
Objects/dictobject.c		patch \| blob \| blame \| history
Python/bytecodes.c		patch \| blob \| blame \| history
Python/generated_cases.c.h		patch \| blob \| blame \| history