gh-101765: Fix SystemError / segmentation fault in iter __reduce__ when internal access of builtins.__dict__ exhausts the iterator#101769
Conversation
Sorry, something went wrong.
arhadthedev
added
interpreter-core
(Objects, Python, Grammar, and Parser dirs)
type-crash
A hard crash of the interpreter, possibly with a core dump
labels
Feb 10, 2023
…o potential side effects
- Added some comments for dict del usages - Switched to `__builtin__` instead of conditional `__dict__` access - Use kwargs for improved readability
…ist conditional branch
|
Since this could cause a segfault, it should perhaps be considered a security issue to be backported to the security branches. However, the way to trigger it is so obscure that I'm not sure it's worth backporting. @ambv what do you think? |
Sorry, something went wrong.
|
Thanks @ionite34 for the PR, and @JelleZijlstra for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11. |
Sorry, something went wrong.
|
Sorry, @ionite34 and @JelleZijlstra, I could not cleanly backport this to |
Sorry, something went wrong.
|
Sorry @ionite34 and @JelleZijlstra, I had trouble checking out the |
Sorry, something went wrong.
|
@ionite34 are you interested in doing the 3.10/3.11 backports (and potentially 3.7-3.9 if we decide this is important enough)? It's probably a matter of installing cherry-picker locally and fixing a few conflicts. |
Sorry, something went wrong.
Yeah I could try 👀, though uh, I don't think I saw anything on the dev guide regarding backports. Am I essentially doing the stuff mentioned here? https://pypi.org/project/cherry_picker/#example |
Sorry, something went wrong.
|
Thanks! Yes, cherrry-picker will do most of the work of actually creating the PR, you just have to do the manual work to fix the merge. Just as general background, we develop every 3.x version in a separate branch. PRs are usually first against the main branch (which will be 3.12). If the PR fixes a bug (as opposed to a new feature), we'll backport the change into the bugfix branches, which are currently for 3.10 and 3.11. |
Sorry, something went wrong.
…`__reduce__` when internal access of `builtins.__dict__` exhausts the iterator (pythonGH-101769). (cherry picked from commit 54dfa14) Co-authored-by: Ionite <dev@ionite.io>
…`__reduce__` when internal access of `builtins.__dict__` exhausts the iterator (pythonGH-101769). (cherry picked from commit 54dfa14) Co-authored-by: Ionite <dev@ionite.io>
…`__reduce__` when internal access of `builtins.__dict__` exhausts the iterator (pythonGH-101769). (cherry picked from commit 54dfa14) Co-authored-by: Ionite <dev@ionite.io>
…ing (pythonGH-102265) Followup from pythonGH-101769.. (cherry picked from commit d71edbd) Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
…ing (pythonGH-102265) Followup from pythonGH-101769.. (cherry picked from commit d71edbd) Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
…ce__` when internal access of `builtins.__dict__` exhausts the iterator (python#101769)
Reviewers
Assignees
7 participants
Summary
__reduce__is called oniterobjects when the key of the hash of"iter"within__builtins__.__dict__is a custom object that executes arbitrary code within__eq__, mutating theiterobject and causing illegal memory access or SystemError (based on C argument evaluation order, which is undefined behavior).Affected methods
iterobject.citer_reducecalliter_reducelistobject.clistiter_reduce_generalbytearrayobject.cbytearrayiter_reducebytesobject.cstriter_reducetupleobject.ctupleiter_reducegenericaliasobject.cga_iter_reduceThis PR also fixes a compounded issue where currently
genericaliasobject.ga_iter_reducedoes not handle empty iterators at all and has no NULL checkAlong with moving the evaluation of
_PyEval_GetBuiltinfor potential side effects, this also adds handling of the NULL case (like the otheriter_reducefunctions have:Linked Issue
__reduce__can segfault if accessing__builtins__.__dict__['iter']mutates the iter object #101765