[3.6] closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH-18295) #18350

miss-islington · 2020-02-04T21:25:55Z

When called on a closed object, readinto() segfaults on account
of a write to a freed buffer:

==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==220553==  Access not within mapped region at address 0x2A
==220553==    at 0x48408A0: memmove (vg_replace_strmem.c:1272)
==220553==    by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972)
==220553==    by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053)
==220553==    by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253)

Reproducer:

reader = open ("/dev/zero", "rb")
_void  = reader.read (42)
reader.close ()
reader.readinto (bytearray (42)) GH-GH-GH- BANG!

The problem exists since 2012 when commit dc46945 added code
to free the read buffer on close().

Signed-off-by: Philipp Gesang philipp.gesang@intra2net.com
(cherry picked from commit cb1c074)

Co-authored-by: Philipp Gesang phg@phi-gamma.net

https://bugs.python.org/issue39510


        closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH…

…-18295) When called on a closed object, readinto() segfaults on account of a write to a freed buffer: ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==220553== Access not within mapped region at address 0x2A ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272) ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972) ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053) ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253) Reproducer: reader = open ("/dev/zero", "rb") _void = reader.read (42) reader.close () reader.readinto (bytearray (42)) GH-GH-GH- BANG! The problem exists since 2012 when commit dc46945 added code to free the read buffer on close(). Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> (cherry picked from commit cb1c074) Co-authored-by: Philipp Gesang <phg@phi-gamma.net>

miss-islington · 2020-02-04T21:48:52Z

@phi-gamma and @benjaminp: Status check is done, and it's a success ✅ .

miss-islington · 2020-02-04T21:48:54Z

Sorry, I can't merge this PR. Reason: You're not authorized to push to this branch. Visit https://help.github.com/articles/about-protected-branches/ for more information..

the-knights-who-say-ni added the CLA signed label Feb 4, 2020

bedevere-bot mentioned this pull request Feb 4, 2020

bpo-39510: Fix use-after-free in BufferedReader.readinto() #18295

Merged

bedevere-bot added the awaiting review label Feb 4, 2020

benjaminp approved these changes Feb 4, 2020

View changes

bedevere-bot added awaiting merge and removed awaiting review labels Feb 4, 2020

bedevere-bot removed the awaiting merge label Feb 4, 2020

miss-islington deleted the miss-islington:backport-cb1c074-3.6 branch Feb 4, 2020

python / cpython

[3.6] closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH-18295) #18350

[3.6] closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH-18295) #18350

miss-islington commented Feb 4, 2020 •

edited by bedevere-bot

This comment has been minimized.

miss-islington commented Feb 4, 2020

This comment has been minimized.

miss-islington commented Feb 4, 2020

python / cpython

Sponsor python/cpython

Join GitHub today

[3.6] closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH-18295) #18350

[3.6] closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH-18295) #18350

Conversation

miss-islington commented Feb 4, 2020 • edited by bedevere-bot

This comment has been minimized.

miss-islington commented Feb 4, 2020

This comment has been minimized.

miss-islington commented Feb 4, 2020

miss-islington commented Feb 4, 2020 •

edited by bedevere-bot