_lsprof.Profiler._creturn_callback() segfaults #126220

Closed
@devdanzin

Crash report

What happened?

It's possible to crash Python by simply calling the ._creturn_callback() or the ._ccall_callback() methods of the Profiler class in either _lsprof or cProfile.

from _lsprof import Profiler
Profiler()._creturn_callback()
Profiler()._ccall_callback()

Backtrace looks like:

Program received signal SIGSEGV, Segmentation fault.
get_cfunc_from_callable (callable=0x0, self_arg=0x7ffff7bff710, missing=0x555555c53b80 <_PyInstrumentation_MISSING>) at ./Modules/_lsprof.c:628
628         if (PyCFunction_Check(callable)) {
(gdb) bt
#0  get_cfunc_from_callable (callable=0x0, self_arg=0x7ffff7bff710,
    missing=0x555555c53b80 <_PyInstrumentation_MISSING>) at ./Modules/_lsprof.c:628
#1  0x00007ffff79dd610 in creturn_callback (self=0x7ffff7a91050, args=<optimized out>,
    size=<optimized out>) at ./Modules/_lsprof.c:676
#2  0x000055555568f4b9 in method_vectorcall_FASTCALL (func=0x7ffff7aba630, args=0x7ffff7fb0078,
    nargsf=<optimized out>, kwnames=<optimized out>) at Objects/descrobject.c:401
#3  0x000055555567ba55 in _PyObject_VectorcallTstate (tstate=0x555555cbbc70 <_PyRuntime+329232>,
    callable=0x7ffff7aba630, args=0x7ffff7fb0078, nargsf=9223372036854775809, kwnames=0x0)
    at ./Include/internal/pycore_call.h:167
#4  0x000055555567bb74 in PyObject_Vectorcall (callable=callable@entry=0x7ffff7aba630,
    args=args@entry=0x7ffff7fb0078, nargsf=<optimized out>, kwnames=kwnames@entry=0x0)
    at Objects/call.c:327
#5  0x0000555555827d24 in _PyEval_EvalFrameDefault (
    tstate=tstate@entry=0x555555cbbc70 <_PyRuntime+329232>, frame=0x7ffff7fb0020,
    throwflag=throwflag@entry=0) at Python/generated_cases.c.h:955
#6  0x0000555555852fb7 in _PyEval_EvalFrame (throwflag=0, frame=<optimized out>,
    tstate=0x555555cbbc70 <_PyRuntime+329232>) at ./Include/internal/pycore_ceval.h:116
#7  _PyEval_Vector (tstate=tstate@entry=0x555555cbbc70 <_PyRuntime+329232>,
    func=func@entry=0x7ffff7a46450, locals=locals@entry=0x7ffff7a55df0, args=args@entry=0x0,
    argcount=argcount@entry=0, kwnames=kwnames@entry=0x0) at Python/ceval.c:1886
#8  0x0000555555853096 in PyEval_EvalCode (co=co@entry=0x7ffff7a58630,
    globals=globals@entry=0x7ffff7a55df0, locals=locals@entry=0x7ffff7a55df0) at Python/ceval.c:662
#9  0x00005555559251f4 in run_eval_code_obj (tstate=tstate@entry=0x555555cbbc70 <_PyRuntime+329232>,
    co=co@entry=0x7ffff7a58630, globals=globals@entry=0x7ffff7a55df0, locals=locals@entry=0x7ffff7a55df0)
    at Python/pythonrun.c:1338

Found using fusil by @vstinner.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux, Windows

Output from running 'python -VV' on the command line:

No response

Labels

3.12: only security fixes
3.13: bugs and security fixes
3.14: bugs and security fixes
extension-modules: C modules in the Modules dir
type-crash: A hard crash of the interpreter, possibly with a core dump
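
A child-process harness for the two calls in the report, so a regression test or fuzzing loop can tell a hard crash from an ordinary Python exception without dying itself. This is an added example, not code from the issue or from CPython; classify, check_report and REPRODUCERS are names made up here, and the 30-second timeout is an arbitrary choice.

```python
import signal
import subprocess
import sys

# The two calls from the report, each run in its own child interpreter.
REPRODUCERS = {
    "_creturn_callback": "from _lsprof import Profiler; Profiler()._creturn_callback()",
    "_ccall_callback": "from _lsprof import Profiler; Profiler()._ccall_callback()",
}


def classify(code, python=sys.executable, timeout=30):
    """Run code in a child interpreter; return (outcome, detail).

    outcome is "ok", "exception" (Python-level error), "crash"
    (killed by a signal or NTSTATUS error) or "timeout".
    """
    try:
        # -X faulthandler makes a crashing child dump its Python stack to stderr.
        proc = subprocess.run([python, "-I", "-X", "faulthandler", "-c", code],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", f"no exit after {timeout}s"
    rc = proc.returncode
    if rc == 0:
        return "ok", ""
    if rc < 0:  # POSIX: the child was terminated by signal number -rc
        try:
            return "crash", signal.Signals(-rc).name
        except ValueError:
            return "crash", f"signal {-rc}"
    if rc >= 0xC0000000:  # Windows: NTSTATUS error, e.g. 0xC0000005 access violation
        return "crash", hex(rc)
    # Non-zero exit without a signal: an uncaught exception; report its last line.
    lines = proc.stderr.strip().splitlines()
    return "exception", lines[-1] if lines else f"exit code {rc}"


def check_report(python=sys.executable):
    """Classify both reproducers against the given interpreter."""
    return {name: classify(code, python) for name, code in REPRODUCERS.items()}


if __name__ == "__main__":
    for name, (outcome, detail) in check_report().items():
        print(f"{name}: {outcome} {detail}".rstrip())
```

Pass the path of another interpreter as python to check a specific build; an outcome of "crash" means that build still segfaults on the call.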
