Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

segfault in property.getter/setter/deleter if property subclass has weird __new__ #100942

Closed
cfbolz opened this issue Jan 11, 2023 · 6 comments
Closed

segfault in property.getter/setter/deleter if property subclass has weird __new__ #100942

cfbolz opened this issue Jan 11, 2023 · 6 comments
Assignees
@rhettinger
Labels
3.10 only security fixes 3.11 only security fixes 3.12 bugs and security fixes type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@cfbolz
Copy link
Contributor

cfbolz commented Jan 11, 2023
edited by bedevere-bot
Loading

CPython crashes if run on the following code:

class pro(property):
    def __new__(typ, *args, **kwargs):
        return "abcdef"
class A:
    pass

p = property.__new__(pro)
p.__set_name__(A, 1)
np = p.getter(lambda self: 1)

The crash happens on the last line. The problem is the following code in property_copy:

    new =  PyObject_CallFunctionObjArgs(type, get, set, del, doc, NULL);
    Py_DECREF(type);
    if (new == NULL)
        return NULL;

    Py_XSETREF(((propertyobject *) new)->prop_name, Py_XNewRef(pold->prop_name));
    return new;

In the crashing code, new is a string, so casting it to propertyobject and writing to prop_name is wrong.

This is synthetic code, I found the problem while porting some 3.10 features to PyPy and thinking about corner cases.

Linked PRs
@cfbolz cfbolz added the type-crash A hard crash of the interpreter, possibly with a core dump label Jan 11, 2023
@mdboom
Copy link
Contributor

mdboom commented Jan 11, 2023

Confirmed on 3.10, 3.11 and main.

@mdboom mdboom added 3.11 only security fixes 3.10 only security fixes 3.12 bugs and security fixes labels Jan 11, 2023
sobolevn added a commit to sobolevn/cpython that referenced this issue Jan 11, 2023
@sobolevn
pythongh-100942: Fix crash on property subtypes with weird __new__
9bc9512
@sobolevn
Copy link
Member

__set_name__ part is not required for the repro:

class pro(property):
    def __new__(typ, *args, **kwargs):
        return "abcdef"

p = property.__new__(pro)
np = p.getter(lambda self: 1)

This code also crashes on 3.12

@bedevere-bot bedevere-bot mentioned this issue Jan 11, 2023
Closed
@rhettinger rhettinger self-assigned this Jan 11, 2023
@rhettinger
Copy link
Contributor

This did not fail on 3.9. Soonish, I will hunt down the offending check in. Off hand, I suspect the disasterous and now deprecated descriptor chaining logic.

@sobolevn
Copy link
Member

Commit that introduced these lines: c56387f

@rhettinger
Copy link
Contributor

Confirmed, c56387f is the culprit.

rhettinger added a commit to rhettinger/cpython that referenced this issue Jan 12, 2023
@rhettinger
pythonGH-100942: Fix incorrect cast in property_copy().
e2e3368
@bedevere-bot bedevere-bot mentioned this issue Jan 12, 2023
Merged
rhettinger added a commit that referenced this issue Jan 12, 2023
@rhettinger
GH-100942: Fix incorrect cast in property_copy(). (#100965)
94fc770
sobolevn pushed a commit to sobolevn/cpython that referenced this issue Jan 13, 2023
@rhettinger @sobolevn
[3.11] pythonGH-100942: Fix incorrect cast in property_copy(). (pytho…
e42fbf0 
…nGH-100965).

(cherry picked from commit 94fc770)

Co-authored-by: Raymond Hettinger <rhettinger@users.noreply.github.com>
@bedevere-bot bedevere-bot mentioned this issue Jan 13, 2023
Merged
sobolevn pushed a commit to sobolevn/cpython that referenced this issue Jan 13, 2023
@rhettinger @sobolevn
[3.10] pythonGH-100942: Fix incorrect cast in property_copy(). (pytho…
4871a93 
…nGH-100965).

(cherry picked from commit 94fc770)

Co-authored-by: Raymond Hettinger <rhettinger@users.noreply.github.com>
@bedevere-bot bedevere-bot mentioned this issue Jan 13, 2023
Merged
@rhettinger
Copy link
Contributor

@sobolevn Thank you for the back ports.

kumaraditya303 pushed a commit that referenced this issue Jan 15, 2023
@sobolevn @rhettinger
[3.11] GH-100942: Fix incorrect cast in property_copy(). (GH-100965). (
855b1a9 
…#101008)

(cherry picked from commit 94fc770)

Co-authored-by: Raymond Hettinger <rhettinger@users.noreply.github.com>
kumaraditya303 pushed a commit that referenced this issue Jan 15, 2023
@sobolevn @rhettinger
[3.10] GH-100942: Fix incorrect cast in property_copy(). (GH-100965). (
b7b641a 
…#101009)

(cherry picked from commit 94fc770)

Co-authored-by: Raymond Hettinger <rhettinger@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rhettinger rhettinger

Labels
3.10 only security fixes 3.11 only security fixes 3.12 bugs and security fixes type-crash A hard crash of the interpreter, possibly with a core dump
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mdboom @cfbolz @rhettinger @sobolevn