Use after free in Element.extend (1) #68279

pkt · 2015-05-01T13:56:08Z

BPO	24091
Nosy	@scoder, @tiran, @serhiy-storchaka
Files	poc_elt_extend1.py etree_crashes.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/serhiy-storchaka'
closed_at = <Date 2015-05-19.12:51:10.048>
created_at = <Date 2015-05-01.13:56:07.806>
labels = ['extension-modules', 'expert-XML', 'type-crash']
title = 'Use after free in Element.extend (1)'
updated_at = <Date 2015-05-19.12:51:10.048>
user = 'https://bugs.python.org/pkt'

bugs.python.org fields:

activity = <Date 2015-05-19.12:51:10.048>
actor = 'serhiy.storchaka'
assignee = 'serhiy.storchaka'
closed = True
closed_date = <Date 2015-05-19.12:51:10.048>
closer = 'serhiy.storchaka'
components = ['Extension Modules', 'XML']
creation = <Date 2015-05-01.13:56:07.806>
creator = 'pkt'
dependencies = []
files = ['39240', '39270']
hgrepos = []
issue_num = 24091
keywords = ['patch']
message_count = 3.0
messages = ['242305', '242430', '243489']
nosy_count = 7.0
nosy_names = ['scoder', 'christian.heimes', 'Arfrever', 'eli.bendersky', 'python-dev', 'serhiy.storchaka', 'pkt']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue24091'
versions = ['Python 3.4', 'Python 3.5']

pkt · 2015-05-01T13:56:07Z

\bpo-1055 for (i = 0; i < seqlen; i++) {
# (gdb) n
\bpo-1056 PyObject* element = PySequence_Fast_GET_ITEM(seq, i);
# (gdb) n
\bpo-1057 if (!PyObject_IsInstance(element, (PyObject *)&Element_Type)) {
# (gdb) print *element
# $19 = {_ob_next = 0x4060e6fc, _ob_prev = 0x4056cd8c, ob_refcnt = 1, ob_type = 0x406de3e4}
# (gdb) n
\bpo-1066 if (element_add_subelement(self, element) < 0) {
# (gdb) print *element
# $20 = {ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb}
#
# Fatal Python error: /home/p/Python-3.4.1/Modules/elementtree.c:267 object at 0x4056c4cc has negative ref count -606348326
#
# "element" is removed in __getattribute method.

serhiy-storchaka · 2015-05-02T20:34:43Z

Here is a patch that fixes bpo-24091, bpo-24092, bpo-24093, and several other similar bugs.

python-dev · 2015-05-18T15:34:14Z

New changeset 34523e53a342 by Serhiy Storchaka in branch '2.7':
Issue bpo-24091: Fixed various crashes in corner cases in cElementTree.
https://hg.python.org/cpython/rev/34523e53a342

New changeset 157c4afca186 by Serhiy Storchaka in branch '3.4':
Issue bpo-24091: Fixed various crashes in corner cases in C implementation of
https://hg.python.org/cpython/rev/157c4afca186

New changeset a8b8d1b211fe by Serhiy Storchaka in branch 'default':
Issue bpo-24091: Fixed various crashes in corner cases in C implementation of
https://hg.python.org/cpython/rev/a8b8d1b211fe

pkt mannequin added the type-crash A hard crash of the interpreter, possibly with a core dump label May 1, 2015

serhiy-storchaka added extension-modules C modules in the Modules dir topic-XML labels May 1, 2015

serhiy-storchaka self-assigned this May 2, 2015

serhiy-storchaka closed this as completed May 19, 2015

ezio-melotti transferred this issue from another repository Apr 10, 2022

picnixz mentioned this issue Oct 27, 2024

Crash: xml.etree.ElementTree.Element.remove with an evil Element.__eq__ #126033

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use after free in Element.extend (1) #68279

Use after free in Element.extend (1) #68279

pkt mannequin commented May 1, 2015

pkt mannequin commented May 1, 2015

serhiy-storchaka commented May 2, 2015

python-dev mannequin commented May 18, 2015

Use after free in Element.extend (1) #68279

Use after free in Element.extend (1) #68279

Comments

pkt mannequin commented May 1, 2015

pkt mannequin commented May 1, 2015

serhiy-storchaka commented May 2, 2015

python-dev mannequin commented May 18, 2015