[issue42422] Py_Decref on value crash the interpreter in Python/ceval.c:1104

2020-12-07 Thread STINNER Victor


STINNER Victor  added the comment:

About PR 23448: I don't see the value of adding a script that just proves that 
CPython has no bytecode verifier.

If you consider that it's not well documented, it should be documented in the 
types.CodeType documentation:
https://docs.python.org/dev/library/types.html#types.CodeType

--
nosy: +vstinner

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com




2020-12-07 Thread Batuhan Taskaya


Batuhan Taskaya  added the comment:

> I would be happy to update and fix it instead if you think it's better that 
> way. Please let me know, it will be great to see my first submission being 
> treated.

Yes, please. That seems more appropriate.

--


2020-12-07 Thread Dennis Sweeney


Dennis Sweeney  added the comment:

Why not just fix bogus_code_obj.py?

Something like this (using the replace method) would make it more future-proof 
to similar changes in the code object constructor signature (and be more 
readable!):

```
import dis
POP_TOP = dis.opmap['POP_TOP']
wordcode = bytes([POP_TOP, 0] * 10)  # ten POP_TOPs with nothing on the value stack
f = lambda: None
f.__code__ = f.__code__.replace(co_code=wordcode)
f()  # POP_TOP on an empty stack: the Py_DECREF(value) in ceval.c sees NULL
```

--


2020-12-07 Thread Sofian Brabez


Sofian Brabez  added the comment:

Any ETA? I would appreciate seeing my contribution being merged.

Batuhan, the current code is not doing what it's supposed to do in 
bogus_code_obj.py (i.e. no crash after 3.8 and above in master and branches). 
This still makes the issue valid I guess.

```
$ ./python -V
Python 3.8.6+
$ ./python -V
Python 3.10.0a2+
$ ./python Lib/test/crashers/bogus_code_obj.py
Traceback (most recent call last):
  File "/usr/home/sbz/github/cpython/Lib/test/crashers/bogus_code_obj.py", line 17, in <module>
    co = types.CodeType(0, 0, 0, 0, 0, b'\x04\x71\x00\x00',
TypeError: code expected at least 14 arguments, got 13
```

I would be happy to update and fix it instead if you think it's better that 
way. Please let me know, it will be great to see my first submission being 
treated.

--


2020-11-23 Thread Batuhan Taskaya


Batuhan Taskaya  added the comment:

> do you think this is too similar to bogus_code_obj.py? That's the only 
> crasher I can see it being similar to.

As far as I assume, yes, that is the generic VM crasher via custom code object 
execution. I feel its existence is good enough to answer to issue openings like 
this.

--


2020-11-23 Thread Eric V. Smith


Eric V. Smith  added the comment:

@BTaskaya: do you think this is too similar to bogus_code_obj.py? That's the 
only crasher I can see it being similar to.

--
versions: +Python 3.10 -Python 3.6, Python 3.7


2020-11-22 Thread Batuhan Taskaya


Batuhan Taskaya  added the comment:

I'm sorry to interrupt but what is the exact reasoning behind adding a new, (I 
presume) redundant crasher? There are tons of different ways to crash the 
interpreter with malformed bytecode, how would adding only one of them bring 
any good?

--
nosy: +BTaskaya


2020-11-21 Thread Eric V. Smith


Change by Eric V. Smith :


--
nosy: +eric.smith


2020-11-21 Thread Sofian Brabez


Change by Sofian Brabez :


--
pull_requests: +22340
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/23448


2020-11-21 Thread Sofian Brabez


Sofian Brabez  added the comment:

Thanks Dennis for pointing me to the crashers, I was not aware of them.

I have added a new crash test to cover multiple crashes in different 
interpreter versions. The current bogus one does not crash where it could be 
possible to crash in older and newer interpreter versions.

Do you think it's worth adding it? I attached the patch against master and if yes 
I could submit a new PR.

--
keywords: +patch
Added file: 
https://bugs.python.org/file49612/add-new-crasher-to-cover-multiple-versions.diff


2020-11-21 Thread Dennis Sweeney


Dennis Sweeney  added the comment:

From https://github.com/python/cpython/blob/master/Lib/test/crashers/bogus_code_obj.py:

```
"""
Broken bytecode objects can easily crash the interpreter.
This is not going to be fixed.  It is generally agreed that there is no
point in writing a bytecode verifier and putting it in CPython just for
this.  Moreover, a verifier is bound to accept only a subset of all safe
bytecodes, so it could lead to unnecessary breakage.
For security purposes, "restricted" interpreters are not going to let
the user build or load random bytecodes anyway.  Otherwise, this is a
"won't fix" case.
"""

import types

# 13-argument CodeType signature of Python <= 3.7 (3.8 added posonlyargcount);
# the bytecode is DUP_TOP followed by JUMP_ABSOLUTE 0, run with an empty value stack
co = types.CodeType(0, 0, 0, 0, 0, b'\x04\x71\x00\x00',
                    (), (), (), '', '', 1, b'')
exec(co)
```

--
nosy: +Dennis Sweeney

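As an added example (not part of this thread and not CPython's own code), the docstring's point that any verifier "is bound to accept only a subset of all safe bytecodes" can be made concrete as an allow-list gate: it models pops and pushes for a few opcodes, rejects everything it does not model, and so refuses the POP_TOP wordcode from Dennis's snippet before anything executes it. The _MODEL table, check_wordcode and the constructed BOGUS/SAFE inputs are assumptions of this example; the opcode names and dis.stack_effect are the real stdlib API.

```python
import dis

# (pops, pushes) for the opcodes this gate understands; names missing from the
# running interpreter are skipped so the table loads on 3.8 through 3.13
_MODEL = {"NOP": (0, 0), "RESUME": (0, 0), "POP_TOP": (1, 0),
          "LOAD_CONST": (0, 1), "LOAD_FAST": (0, 1), "STORE_FAST": (1, 0),
          "RETURN_VALUE": (1, 0)}
_BY_OP = {dis.opmap[n]: (n, pp) for n, pp in _MODEL.items() if n in dis.opmap}

def _takes_arg(op):
    hasarg = getattr(dis, "hasarg", None)  # 3.12+; older releases use the cut-off
    return op in hasarg if hasarg is not None else op >= dis.HAVE_ARGUMENT

def model_matches_dis():
    """Cross-check every modelled net effect against dis.stack_effect."""
    return all(dis.stack_effect(op, 0 if _takes_arg(op) else None) == push - pop
               for op, (_, (pop, push)) in _BY_OP.items())

def check_wordcode(code, nconsts=0, nlocals=0):
    """Return (ok, reason) for raw wordcode without executing it: rejects stack
    underflow (the Py_DECREF(NULL) of this issue), out-of-range const/local
    indexes, opcodes outside the allow-list, and code that falls off the end."""
    if len(code) % 2:
        return False, "odd length: not wordcode"
    depth, peak, ext, last = 0, 0, 0, None
    for off in range(0, len(code), 2):
        op, raw = code[off], code[off + 1]
        if op == dis.EXTENDED_ARG:  # widens the oparg of the next instruction
            ext = (ext | raw) << 8
            continue
        arg, ext = ext | raw, 0
        if op not in _BY_OP:  # not modelled means not verifiable: reject
            return False, f"offset {off}: {dis.opname[op]} not in allow-list"
        name, (pop, push) = _BY_OP[op]
        if pop > depth:  # ceval would pop NULL here
            return False, f"offset {off}: {name} pops {pop} with stack depth {depth}"
        limit = {"LOAD_CONST": nconsts, "LOAD_FAST": nlocals, "STORE_FAST": nlocals}.get(name)
        if limit is not None and arg >= limit:
            return False, f"offset {off}: {name} index {arg} out of range"
        depth += push - pop
        peak = max(peak, depth)
        last = name
    if last != "RETURN_VALUE":
        return False, "code does not end with RETURN_VALUE"
    return True, f"ok, peak depth {peak}"

# constructed inputs: the POP_TOP wordcode from this thread and a safe `return consts[0]`
POP_TOP, LOAD_CONST, RETURN_VALUE = (dis.opmap[n] for n in ("POP_TOP", "LOAD_CONST", "RETURN_VALUE"))
BOGUS = bytes([POP_TOP, 0] * 10)
SAFE = bytes([LOAD_CONST, 0, RETURN_VALUE, 0])
```

Anything outside the allow-list (a jump, an attribute load) is refused even when it is perfectly safe, which is exactly the breakage the crasher's docstring warns a real verifier would cause.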

2020-11-20 Thread Sofian Brabez


Sofian Brabez  added the comment:

Linux, FreeBSD and MacOSX crash reports and backtraces are attached in the zip.

Contributor Agreement 2020-09-23 signed.

--
Added file: https://bugs.python.org/file49611/crash-report-txt.zip


2020-11-20 Thread Sofian Brabez


New submission from Sofian Brabez :

This PoC is causing a local crash of the python interpreter in versions 
2.7, 3.6, 3.7, 3.8 and 3.9.

By creating a code object of size 0 with a POP_TOP opcode, in Python/ceval.c 
the call to Py_DECREF(value) on a NULL pointer leads to a segmentation fault of 
the python interpreter.

It was tested on all python3.x versions against a fresh compilation of a git 
clone of github.com/python/cpython.git on branches and master. You need to adapt 
the code() constructor because the parameters are different across versions, but 
the crash remains.

I'm just covering version 3.7 in the following text:

```
$ git clone --depth 1 https://github.com/python/cpython.git
$ git checkout -b 3.7 origin/3.7
$ export CFLAGS+="-g -O0"
$ ./configure
$ make
$ ./python -V
Python 3.7.9+
$ ./python -c 'import sys; print(sys.version)'
3.7.9+ (heads/3.7-dirty:08ba61dade, Nov 21 2020, 04:57:20) 
[Clang 10.0.1 (g...@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611a
$ ./python crash.py
```

Running the python3.7 build under gdb helped me locate the crash for 
python3.7: https://github.com/python/cpython/blob/3.7/Python/ceval.c#L1104

```
$ gdb --batch --silent ./python -ex 'r crash.py'
Program received signal SIGSEGV, Segmentation fault.
0x0033873a in _PyEval_EvalFrameDefault (f=0x800bdda00, throwflag=0) at Python/ceval.c:1104
1104	Py_DECREF(value);
```

Also, I have executed the PoC on different platforms (Linux, FreeBSD and MacOSX). 
The behaviour is the same: the interpreter SIGSEGVs.

I have located the issue in the source code but I'm wondering what the best 
solution to fix it would be. Python developers should know better, I am open to 
your advice and suggestions.

I have noticed that one assertion handles this case (in master) 
https://github.com/python/cpython/blob/master/Python/ceval.c#L1430 but most of 
the interpreters are built without --with-assertions enabled, so the crash will 
still persist.

More details on this gist: 
https://gist.github.com/sbz/267d35de5766c53835c5c4ef45b18705

I think the python interpreter shouldn't crash and should handle this edge 
case properly.

--
components: Interpreter Core
files: crash.py
messages: 381527
nosy: sbz
priority: normal
severity: normal
status: open
title: Py_Decref on value crash the interpreter in Python/ceval.c:1104
type: crash
versions: Python 3.6, Python 3.7, Python 3.8, Python 3.9
Added file: https://bugs.python.org/file49610/crash.py
