[issue38033] Use After Free: PyObject_Free

Chiaki Ishikawa report at bugs.python.org
Wed Sep 4 19:52:29 EDT 2019


Chiaki Ishikawa <ishikawa at yk.rim.or.jp> added the comment:

Addition:

PyObject_Realloc also has the issue of Use After Free: this may be more serious.


==31128== Invalid read of size 4
==31128==    at 0x5A48CA: PyObject_Realloc (in /usr/bin/python3.7)
==31128==    by 0x5DD8FB: _PyBytes_Resize (in /usr/bin/python3.7)
==31128==    by 0x4F53BC: ??? (in /usr/bin/python3.7)
==31128==    by 0x5D9A22: _PyMethodDef_RawFastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54C75F: ??? (in /usr/bin/python3.7)
==31128==    by 0x5537DA: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54FA9B: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x5DA6E1: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54FA9B: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x5DA6E1: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54C61F: ??? (in /usr/bin/python3.7)
==31128==    by 0x5537DA: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x54F3F2: PyEval_EvalCode (in /usr/bin/python3.7)
==31128==    by 0x6313D1: ??? (in /usr/bin/python3.7)
==31128==    by 0x631486: PyRun_FileExFlags (in /usr/bin/python3.7)
==31128==    by 0x6320EE: PyRun_SimpleFileExFlags (in /usr/bin/python3.7)
==31128==    by 0x653EED: ??? (in /usr/bin/python3.7)
==31128==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==31128==    by 0x4ACB09A: (below main) (libc-start.c:308)
==31128==  Address 0x5b21020 is 32,208 bytes inside a block of size 32,801 free'd
==31128==    at 0x4835259: realloc (vg_replace_malloc.c:834)
==31128==    by 0x5A49AB: PyObject_Realloc (in /usr/bin/python3.7)
==31128==    by 0x5DD8FB: _PyBytes_Resize (in /usr/bin/python3.7)
==31128==    by 0x4F53BC: ??? (in /usr/bin/python3.7)
==31128==    by 0x5D9A22: _PyMethodDef_RawFastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54C75F: ??? (in /usr/bin/python3.7)
==31128==    by 0x5537DA: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54FA9B: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x5DA6E1: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54FA9B: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x5DA6E1: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54C61F: ??? (in /usr/bin/python3.7)
==31128==    by 0x5537DA: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x54F3F2: PyEval_EvalCode (in /usr/bin/python3.7)
==31128==    by 0x6313D1: ??? (in /usr/bin/python3.7)
==31128==    by 0x631486: PyRun_FileExFlags (in /usr/bin/python3.7)
==31128==    by 0x6320EE: PyRun_SimpleFileExFlags (in /usr/bin/python3.7)
==31128==    by 0x653EED: ??? (in /usr/bin/python3.7)
==31128==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==31128==    by 0x4ACB09A: (below main) (libc-start.c:308)
==31128==  Block was alloc'd at
==31128==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
==31128==    by 0x5DE3AA: PyBytes_FromStringAndSize (in /usr/bin/python3.7)
==31128==    by 0x4F5375: ??? (in /usr/bin/python3.7)
==31128==    by 0x5D9A22: _PyMethodDef_RawFastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54C75F: ??? (in /usr/bin/python3.7)
==31128==    by 0x5537DA: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54FA9B: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x5DA6E1: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54FA9B: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x5DA6E1: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54C61F: ??? (in /usr/bin/python3.7)
==31128==    by 0x5537DA: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x54F3F2: PyEval_EvalCode (in /usr/bin/python3.7)
==31128==    by 0x6313D1: ??? (in /usr/bin/python3.7)
==31128==    by 0x631486: PyRun_FileExFlags (in /usr/bin/python3.7)
==31128==    by 0x6320EE: PyRun_SimpleFileExFlags (in /usr/bin/python3.7)
==31128==    by 0x653EED: ??? (in /usr/bin/python3.7)
==31128==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==31128==    by 0x4ACB09A: (below main) (libc-start.c:308)
==31128==
{

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue38033>
_______________________________________

