bpo-41654: Fix deallocator of MemoryError to account for subclasses #22020
Conversation
pablogsal
force-pushed
the
bpo-41654
branch
4 times, most recently
from
e204706 to
faefcf6
Compare
pablogsal
force-pushed
the
bpo-41654
branch
2 times, most recently
from
0e25645 to
3941f94
Compare
When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.
| return Py_TYPE(self)->tp_free((PyObject *)self); | ||
| } | ||
|
|
||
| _PyObject_GC_UNTRACK(self); |
There was a problem hiding this comment.
This is a bugfix. Once this PR is merged, you may propose a PR to fix it in 3.9 and 3.8 as well. I'm surprised that _PyObject_GC_UNTRACK() doesn't crash (assert failure) on subclasses.
There was a problem hiding this comment.
This PR will be backported to all supported branches....do you want a separate PR for them?
There was a problem hiding this comment.
"This PR will be backported to all supported branches" oh ok, in this case, there is no need for a separated change ;-)
There was a problem hiding this comment.
This bug has been here since forever! 😨
There was a problem hiding this comment.
LGTM. Thanks for the fix @pablogsal!
I tested manually bug.py script attached to https://bugs.python.org/issue41654 : it crashs without the fix, it pass with the fix. I tested Python built in debug mode.
| if (type != (PyTypeObject *) PyExc_MemoryError) | ||
| /* If this is a subclass of MemoryError, don't use the freelist | ||
| * and just return a fresh object */ | ||
| if (type != (PyTypeObject *) PyExc_MemoryError) { |
There was a problem hiding this comment.
nitpick: Can you update this line same like line 2323 after you updated this line ;)
There was a problem hiding this comment.
nitpick: Can you update this line same like line 2323 after you updated this line ;)
Here it does not make sense because we don't have an instance yet.
There was a problem hiding this comment.
oh, sorry~. Forget my comment.
| if (type != (PyTypeObject *) PyExc_MemoryError) | ||
| /* If this is a subclass of MemoryError, don't use the freelist | ||
| * and just return a fresh object */ | ||
| if (type != (PyTypeObject *) PyExc_MemoryError) { |
There was a problem hiding this comment.
oh, sorry~. Forget my comment.
|
Thanks @pablogsal for the PR 🌮🎉.. I'm working now to backport this PR to: 3.6, 3.7, 3.8, 3.9. |
|
Sorry @pablogsal, I had trouble checking out the |
|
Sorry, @pablogsal, I could not cleanly backport this to |
|
Sorry @pablogsal, I had trouble checking out the |
|
Sorry, @pablogsal, I could not cleanly backport this to |
|
@pablogsal: I don't think that this change is related to security. Why do you want to backport it to 3.6 and 3.7? https://bugs.python.org/issue41654 type is "crash", not "security". |
I normally qualify segfaults/buffer overflow as security as they can be maliciously used, but it may be a stretch. Let's backport to 3.8 and 3.9 only. |
…sses (pythonGH-22020) When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.. (cherry picked from commit 9b648a9) Co-authored-by: Pablo Galindo <[email protected]>
|
GH-22045 is a backport of this pull request to the 3.9 branch. |
|
GH-22046 is a backport of this pull request to the 3.8 branch. |
…subclasses (pythonGH-22020) When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.. (cherry picked from commit 9b648a9) Co-authored-by: Pablo Galindo <[email protected]>. (cherry picked from commit 87e91ae) Co-authored-by: Pablo Galindo <[email protected]>
…subclasses (GH-22020) (GH-22046) When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.. (cherry picked from commit 9b648a9) Co-authored-by: Pablo Galindo <[email protected]>. (cherry picked from commit 87e91ae) Co-authored-by: Pablo Galindo <[email protected]>
…sses (GH-22020) (GH-22045) When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.. (cherry picked from commit 9b648a9) Co-authored-by: Pablo Galindo <[email protected]>
…ythonGH-22020) When allocating MemoryError classes, there is some logic to use pre-allocated instances in a freelist only if the type that is being allocated is not a subclass of MemoryError. Unfortunately in the destructor this logic is not present so the freelist is altered even with subclasses of MemoryError.
When allocating MemoryError classes, there is some logic to use
pre-allocated instances in a freelist only if the type that is being
allocated is not a subclass of MemoryError. Unfortunately in the
destructor this logic is not present so the freelist is altered even
with subclasses of MemoryError.
https://bugs.python.org/issue41654