Use of uninitialized pointer in Argument Clinic generated code #97728

Closed
serhiy-storchaka opened this issue Oct 2, 2022 · 3 comments
Labels: 3.10 (only security fixes), 3.11 (only security fixes), 3.12 (bugs and security fixes), OS-windows, topic-argument-clinic, type-bug (an unexpected behavior, bug, or error), type-crash (a hard crash of the interpreter, possibly with a core dump)


@serhiy-storchaka
Member

The code generated for the Py_UNICODE converter (and derived converter LPCWSTR) looks like:

const Py_UNICODE *name;
...
if (!_PyArg_ParseXXX(..., name, ...)) {
    goto exit;
}
...
exit:
    PyMem_Free((void *)name);

If parsing fails, PyMem_Free() is called for an uninitialized variable.

It is the only converter with non-trivial cleanup which does not have a mandatory initializer.

@serhiy-storchaka serhiy-storchaka added type-bug An unexpected behavior, bug, or error needs backport to 3.10 only security fixes type-crash A hard crash of the interpreter, possibly with a core dump topic-argument-clinic needs backport to 3.11 only security fixes OS-windows labels Oct 2, 2022
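The failure path described in the issue, modeled as a stand-alone C program (an added example, not CPython source or Argument Clinic output). `tracked_free`, `parse_arg`, `wrapper` and the `stale` buffer are hypothetical stand-ins for `PyMem_Free()`, the `_PyArg_Parse…` call, the generated wrapper and leftover stack contents; passing `NULL` as the initial value models giving the variable an initializer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

static const void *live_block;   /* the one block our parser has handed out */
static int bogus_frees;          /* frees of pointers we never allocated */
static wchar_t stale[4];         /* constructed stand-in for leftover stack bytes */

/* Stand-in for PyMem_Free(): NULL is a no-op; anything else must be ours. */
static void tracked_free(void *p) {
    if (p == NULL) return;
    if (p != live_block) { bogus_frees++; return; }  /* real allocator: crash or heap corruption */
    free(p);
    live_block = NULL;
}

/* Stand-in for the argument parser: on failure it returns 0 and never writes *out. */
static int parse_arg(const char *src, const wchar_t **out) {
    if (src == NULL) return 0;                        /* models a rejected argument */
    size_t n = strlen(src);
    wchar_t *buf = malloc((n + 1) * sizeof *buf);
    if (buf == NULL) return 0;
    for (size_t i = 0; i <= n; i++) buf[i] = (wchar_t)(unsigned char)src[i];
    live_block = buf;
    *out = buf;
    return 1;
}

/* Shape of the generated wrapper; `initial` is what `name` holds before parsing. */
static int wrapper(const char *arg, const wchar_t *initial) {
    const wchar_t *name = initial;
    int ok = 0;
    if (!parse_arg(arg, &name)) goto exit;
    ok = 1;                                           /* the real impl would use name here */
exit:
    tracked_free((void *)name);                       /* cleanup runs on both paths */
    return ok;
}

int bogus_frees_for(const char *arg, const wchar_t *initial) {  /* invalid frees per call */
    bogus_frees = 0;
    wrapper(arg, initial);
    return bogus_frees;
}
int main(void) {
    printf("parse fails, no initializer: %d bogus free(s)\n", bogus_frees_for(NULL, stale));
    printf("parse fails, name = NULL:    %d bogus free(s)\n", bogus_frees_for(NULL, NULL));
    return 0;
}
```

Only the failing parse with a non-NULL starting value reaches the allocator with a pointer it never issued; a successful parse overwrites the slot, which is why the defect stays hidden on the normal path.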
@serhiy-storchaka
Member Author

Seems that for now it only affects the Windows code.

I found this bug when I tried to use Argument Clinic for OS-agnostic code which converts arguments to wchar_t * (in getpath.c).

serhiy-storchaka added a commit to serhiy-storchaka/cpython that referenced this issue Oct 2, 2022
…_UNICODE converter

It affects function os.system() on Windows and Windows-specific modules
winreg, _winapi, _overlapped, and _msi.
@eryksun
Contributor

eryksun commented Oct 2, 2022

These need to be fixed if _winapi.CreateJunction() is used as a fallback for os.symlink() when creating a compatibility link such as "bin -> Scripts". More here: #97586 (comment).

@kumaraditya303 kumaraditya303 added 3.11 only security fixes 3.10 only security fixes 3.12 bugs and security fixes and removed needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes labels Oct 2, 2022
serhiy-storchaka added a commit that referenced this issue Oct 3, 2022
…DE converter (GH-97729)

It affects function os.system() on Windows and Windows-specific modules
winreg, _winapi, _overlapped, and _msi.
serhiy-storchaka added a commit to serhiy-storchaka/cpython that referenced this issue Oct 3, 2022
… the Py_UNICODE converter (pythonGH-97729)

It affects function os.system() on Windows and Windows-specific modules
winreg, _winapi, _overlapped, and _msi.
(cherry picked from commit 0ee9619)

Co-authored-by: Serhiy Storchaka <[email protected]>
serhiy-storchaka added a commit that referenced this issue Oct 3, 2022
…y_UNICODE converter (GH-97729) (GH-97757)

It affects function os.system() on Windows and Windows-specific modules
winreg, _winapi, _overlapped, and _msi.
(cherry picked from commit 0ee9619)
serhiy-storchaka added a commit that referenced this issue Oct 3, 2022
…y_UNICODE converter (GH-97729) (GH-97760)

It affects function os.system() on Windows and Windows-specific modules
winreg, _winapi, _overlapped, and _msi.
(cherry picked from commit 0ee9619)
@kumaraditya303
Contributor

Fixed by #97729
