Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign upbpo-39510: Fix use-after-free in BufferedReader.readinto() #18295
+7
−0
Conversation
This comment has been minimized.
This comment has been minimized.
the-knights-who-say-ni
commented
Jan 31, 2020
|
Hello, and thanks for your contribution! I'm a bot set up to make sure that the project can legally accept this contribution by verifying everyone involved has signed the PSF contributor agreement (CLA). CLA MissingOur records indicate the following people have not signed the CLA: For legal reasons we need all the people listed to sign the CLA before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. If you have recently signed the CLA, please wait at least one business day You can check yourself to see if the CLA has been received. Thanks again for the contribution, we look forward to reviewing it! |
This comment has been minimized.
This comment has been minimized.
|
Thanks for the PR; please add a brief NEWS note. |
When called on a closed object, readinto() segfaults on account
of a write to a freed buffer:
==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==220553== Access not within mapped region at address 0x2A
==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272)
==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972)
==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053)
==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253)
Reproducer:
reader = open ("/dev/zero", "rb")
_void = reader.read (42)
reader.close ()
reader.readinto (bytearray (42)) ### BANG!
The problem exists since 2012 when commit dc46945 added code
to free the read buffer on close().
Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
cb1c074
into
python:master
9 checks passed
9 checks passed
bedevere/news
News entry found in Misc/NEWS.d
This comment has been minimized.
This comment has been minimized.
miss-islington
commented
Feb 4, 2020
|
Thanks @phi-gamma for the PR, and @benjaminp for merging it |
This comment has been minimized.
This comment has been minimized.
bedevere-bot
commented
Feb 4, 2020
|
GH-18348 is a backport of this pull request to the 3.8 branch. |
miss-islington
added a commit
to miss-islington/cpython
that referenced
this pull request
Feb 4, 2020
…thonGH-18295) When called on a closed object, readinto() segfaults on account of a write to a freed buffer: ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==220553== Access not within mapped region at address 0x2A ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272) ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972) ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053) ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253) Reproducer: reader = open ("/dev/zero", "rb") _void = reader.read (42) reader.close () reader.readinto (bytearray (42)) GH-GH-GH- BANG! The problem exists since 2012 when commit dc46945 added code to free the read buffer on close(). Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> (cherry picked from commit cb1c074) Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
This comment has been minimized.
This comment has been minimized.
bedevere-bot
commented
Feb 4, 2020
|
GH-18349 is a backport of this pull request to the 3.7 branch. |
miss-islington
added a commit
to miss-islington/cpython
that referenced
this pull request
Feb 4, 2020
…thonGH-18295) When called on a closed object, readinto() segfaults on account of a write to a freed buffer: ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==220553== Access not within mapped region at address 0x2A ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272) ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972) ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053) ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253) Reproducer: reader = open ("/dev/zero", "rb") _void = reader.read (42) reader.close () reader.readinto (bytearray (42)) GH-GH-GH- BANG! The problem exists since 2012 when commit dc46945 added code to free the read buffer on close(). Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> (cherry picked from commit cb1c074) Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
This comment has been minimized.
This comment has been minimized.
bedevere-bot
commented
Feb 4, 2020
|
GH-18350 is a backport of this pull request to the 3.6 branch. |
miss-islington
added a commit
to miss-islington/cpython
that referenced
this pull request
Feb 4, 2020
…thonGH-18295) When called on a closed object, readinto() segfaults on account of a write to a freed buffer: ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==220553== Access not within mapped region at address 0x2A ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272) ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972) ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053) ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253) Reproducer: reader = open ("/dev/zero", "rb") _void = reader.read (42) reader.close () reader.readinto (bytearray (42)) GH-GH-GH- BANG! The problem exists since 2012 when commit dc46945 added code to free the read buffer on close(). Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> (cherry picked from commit cb1c074) Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
miss-islington
added a commit
that referenced
this pull request
Feb 4, 2020
…-18295) When called on a closed object, readinto() segfaults on account of a write to a freed buffer: ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==220553== Access not within mapped region at address 0x2A ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272) ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972) ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053) ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253) Reproducer: reader = open ("/dev/zero", "rb") _void = reader.read (42) reader.close () reader.readinto (bytearray (42)) GH-GH-GH- BANG! The problem exists since 2012 when commit dc46945 added code to free the read buffer on close(). Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> (cherry picked from commit cb1c074) Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
miss-islington
added a commit
that referenced
this pull request
Feb 4, 2020
…-18295) When called on a closed object, readinto() segfaults on account of a write to a freed buffer: ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==220553== Access not within mapped region at address 0x2A ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272) ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972) ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053) ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253) Reproducer: reader = open ("/dev/zero", "rb") _void = reader.read (42) reader.close () reader.readinto (bytearray (42)) GH-GH-GH- BANG! The problem exists since 2012 when commit dc46945 added code to free the read buffer on close(). Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> (cherry picked from commit cb1c074) Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
opavlyuk
pushed a commit
to opavlyuk/cpython
that referenced
this pull request
Feb 12, 2020
…thonGH-18295) When called on a closed object, readinto() segfaults on account of a write to a freed buffer: ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==220553== Access not within mapped region at address 0x2A ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272) ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972) ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053) ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253) Reproducer: reader = open ("/dev/zero", "rb") _void = reader.read (42) reader.close () reader.readinto (bytearray (42)) ### BANG! The problem exists since 2012 when commit dc46945 added code to free the read buffer on close(). Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
phi-gamma commentedJan 31, 2020
•
edited by bedevere-bot
When called on a closed object, readinto() segfaults on account
of a write to a freed buffer:
Reproducer:
The problem exists since 2012 when commit dc46945 added code
to free the read buffer on close().
Signed-off-by: Philipp Gesang philipp.gesang@intra2net.com
https://bugs.python.org/issue39510