Skip to content

/ cpython

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bpo-39510: Fix use-after-free in BufferedReader.readinto() #18295

Open
wants to merge 1 commit into
base: master
from
Open

bpo-39510: Fix use-after-free in BufferedReader.readinto() #18295

wants to merge 1 commit into from
+6 −0

Conversation

@phi-gamma
Copy link

phi-gamma commented Jan 31, 2020
edited by bedevere-bot

When called on a closed object, readinto() segfaults on account
of a write to a freed buffer:

==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==220553==  Access not within mapped region at address 0x2A
==220553==    at 0x48408A0: memmove (vg_replace_strmem.c:1272)
==220553==    by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972)
==220553==    by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053)
==220553==    by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253)

Reproducer:

reader = open ("/dev/zero", "rb")
_void  = reader.read (42)
reader.close ()
reader.readinto (bytearray (42)) ### BANG!

The problem exists since 2012 when commit dc46945 added code
to free the read buffer on close().

Signed-off-by: Philipp Gesang philipp.gesang@intra2net.com

https://bugs.python.org/issue39510
@the-knights-who-say-ni

This comment has been minimized.

Sign in to view
Copy link

the-knights-who-say-ni commented Jan 31, 2020

Hello, and thanks for your contribution!

I'm a bot set up to make sure that the project can legally accept this contribution by verifying everyone involved has signed the PSF contributor agreement (CLA).

CLA Missing

Our records indicate the following people have not signed the CLA:

@phi-gamma

For legal reasons we need all the people listed to sign the CLA before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue.

If you have recently signed the CLA, please wait at least one business day
before our records are updated.

You can check yourself to see if the CLA has been received.

Thanks again for the contribution, we look forward to reviewing it!
@phi-gamma phi-gamma force-pushed the phi-gamma:segv branch from 0e6676d to 319b826 Feb 1, 2020
@phi-gamma
Fix use-after-free in BufferedReader.readinto()
Verified
This commit was signed with a verified signature.
phi-gamma Philipp Gesang
GPG key ID: 1360EC0B3CC3D66D Learn about signing commits
Loading status checks…
0a90d4a 
When called on a closed object, readinto() segfaults on account
of a write to a freed buffer:

    ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==220553==  Access not within mapped region at address 0x2A
    ==220553==    at 0x48408A0: memmove (vg_replace_strmem.c:1272)
    ==220553==    by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972)
    ==220553==    by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053)
    ==220553==    by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253)

Reproducer:

    reader = open ("/dev/zero", "rb")
    _void  = reader.read (42)
    reader.close ()
    reader.readinto (bytearray (42)) ### BANG!

The problem exists since 2012 when commit dc46945 added code
to free the read buffer on close().

Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
@phi-gamma phi-gamma force-pushed the phi-gamma:segv branch from 319b826 to 0a90d4a Feb 1, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
CLA signed awaiting review
Projects
None yet
Milestone
No milestone
3 participants
@phi-gamma @the-knights-who-say-ni @bedevere-bot
You can’t perform that action at this time.