heap-buffer-overflow deepcopy posix_param

[YuanchengJiang]

Crash report

What happened?

import copy
import posix

param = posix.sched_param(float('inf'))
newparam = copy.deepcopy(param)

=================================================================
==2451226==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000014d9f at pc 0x6030c15f984b bp 0x7fffcd1a09a0 sp 0x7fffcd1a0990
READ of size 8 at 0x503000014d9f thread T0
    #0 0x6030c15f984a in _PyFreeList_PopNoStats ../Include/internal/pycore_freelist.h:79
    #1 0x6030c15f984a in clear_freelist ../Objects/object.c:901
    #2 0x6030c15f984a in _PyObject_ClearFreeLists ../Objects/object.c:925
    #3 0x6030c18e1786 in gc_collect_full ../Python/gc.c:1735
    #4 0x6030c18e1786 in _PyGC_Collect ../Python/gc.c:2098
    #5 0x6030c197c98d in finalize_modules ../Python/pylifecycle.c:1755
    #6 0x6030c1986863 in _Py_Finalize ../Python/pylifecycle.c:2255
    #7 0x6030c1a100e3 in Py_RunMain ../Modules/main.c:774
    #8 0x6030c1a100e3 in pymain_main ../Modules/main.c:802
    #9 0x6030c1a100e3 in Py_BytesMain ../Modules/main.c:826
    #10 0x70dd8b5631c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)
    #11 0x70dd8b56328a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)

0x503000014d9f is located 1 bytes before 24-byte region [0x503000014da0,0x503000014db8)
allocated by thread T0 here:
    #0 0x70dd8b9319c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x6030c153a1d9 in PyFloat_FromDouble ../Objects/floatobject.c:128
    #2 0x6030c1a49ac1 in fill_time ../Modules/posixmodule.c:2681
    #3 0x6030c1a4a1de in _pystat_fromstructstat ../Modules/posixmodule.c:2796
    #4 0x6030c1a4bffc in posix_do_stat ../Modules/posixmodule.c:2918
    #5 0x6030c1a5670c in os_stat_impl ../Modules/posixmodule.c:3285
    #6 0x6030c1a5670c in os_stat ../Modules/clinic/posixmodule.c.h:105
    #7 0x6030c13997e6 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:2361
    #8 0x6030c1850bb5 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121
    #9 0x6030c1850bb5 in _PyEval_Vector ../Python/ceval.c:2001
    #10 0x6030c14d1322 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169
    #11 0x6030c14d1322 in object_vacall ../Objects/call.c:819
    #12 0x6030c14d4971 in PyObject_CallMethodObjArgs ../Objects/call.c:886
    #13 0x6030c1918b73 in import_find_and_load ../Python/import.c:3701
    #14 0x6030c1918b73 in PyImport_ImportModuleLevelObject ../Python/import.c:3783
    #15 0x6030c18333cc in builtin___import___impl ../Python/bltinmodule.c:285
    #16 0x6030c18333cc in builtin___import__ ../Python/clinic/bltinmodule.c.h:110
    #17 0x6030c14d1be8 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169
    #18 0x6030c14d1be8 in _PyObject_CallFunctionVa ../Objects/call.c:552
    #19 0x6030c14d2c79 in PyObject_CallFunction ../Objects/call.c:574
    #20 0x6030c191a0ab in PyImport_Import ../Python/import.c:3975
    #21 0x6030c191a85f in PyImport_ImportModule ../Python/import.c:3423
    #22 0x6030c185bd42 in _PyCodec_InitRegistry ../Python/codecs.c:1686
    #23 0x6030c1772094 in _PyUnicode_InitEncodings ../Objects/unicodeobject.c:15455
    #24 0x6030c198082b in init_interp_main ../Python/pylifecycle.c:1228
    #25 0x6030c19843cc in pyinit_main ../Python/pylifecycle.c:1420
    #26 0x6030c19843cc in Py_InitializeFromConfig ../Python/pylifecycle.c:1451
    #27 0x6030c1a0bcd9 in pymain_init ../Modules/main.c:68
    #28 0x6030c1a10062 in pymain_main ../Modules/main.c:793
    #29 0x6030c1a10062 in Py_BytesMain ../Modules/main.c:826
    #30 0x70dd8b5631c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)
    #31 0x70dd8b56328a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../Include/internal/pycore_freelist.h:79 in _PyFreeList_PopNoStats
Shadow bytes around the buggy address:
  0x503000014b00: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x503000014b80: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x503000014c00: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x503000014c80: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x503000014d00: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
=>0x503000014d80: fd fd fa[fa]00 00 00 fa fa fa fd fd fd fa fa fa
  0x503000014e00: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
  0x503000014e80: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x503000014f00: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x503000014f80: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x503000015000: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2451226==ABORTING

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

No response

Linked PRs

• gh-140634: Fix a reference counting bug in posix.sched_param.__reduce__() #140667
• [3.14] gh-140634: Fix a reference counting bug in os.sched_param.__reduce__() (GH-140667) #140685
• [3.13] gh-140634: Fix a reference counting bug in os.sched_param.__reduce__() (GH-140667) #140686

[efimov-mikhail]

I've changed the repro a little:

-> % cat posix_param.py 
import copy
import posix

param = posix.sched_param(float('inf'))
param = copy.deepcopy(param)
param = copy.deepcopy(param)

And have the following gdb trace:

Trace

-> % gdb --args ./python posix_param.py
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./python...
warning: File "/home/sikko/projects/cpython/python-gdb.py" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
To enable execution of this file add
	add-auto-load-safe-path /home/sikko/projects/cpython/python-gdb.py
line to your configuration file "/home/sikko/.config/gdb/gdbinit".
To completely disable this security protection add
	set auto-load safe-path /
line to your configuration file "/home/sikko/.config/gdb/gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
	info "(gdb)Auto-loading safe path"
(gdb) r
Starting program: /home/sikko/projects/cpython/python posix_param.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
./Include/refcount.h:513: _Py_NegativeRefcount: Assertion failed: object has negative ref count
<object at 0x7ffff7978f70 is freed>
Fatal Python error: _PyObject_AssertFailed: _PyObject_AssertFailed
Python runtime state: finalizing (tstate=0x0000555555bedf60)

Current thread 0x00007ffff7cea740 [python] (most recent call first):
  <no Python frame>

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
44	./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
#1  0x00007ffff7d77f4f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  0x00007ffff7d28fb2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7d13472 in __GI_abort () at ./stdlib/abort.c:79
#4  0x0000555555846905 in fatal_error_exit (status=<optimized out>) at Python/pylifecycle.c:3266
#5  0x0000555555847c75 in fatal_error (fd=2, header=header@entry=1, prefix=prefix@entry=0x555555932ab0 <__func__.13> "_PyObject_AssertFailed", 
    msg=msg@entry=0x555555931d76 "_PyObject_AssertFailed", status=status@entry=-1) at Python/pylifecycle.c:3482
#6  0x0000555555847cdf in _Py_FatalErrorFunc (func=func@entry=0x555555932ab0 <__func__.13> "_PyObject_AssertFailed", 
    msg=msg@entry=0x555555931d76 "_PyObject_AssertFailed") at Python/pylifecycle.c:3498
#7  0x00005555556db243 in _PyObject_AssertFailed (obj=obj@entry=0x7ffff7978f70, expr=expr@entry=0x0, 
    msg=msg@entry=0x555555931da4 "object has negative ref count", file=<optimized out>, line=<optimized out>, 
    function=function@entry=0x5555559330f0 <__func__.70> "_Py_NegativeRefcount") at Objects/object.c:3159
#8  0x00005555556db3a5 in _Py_NegativeRefcount (filename=<optimized out>, lineno=<optimized out>, op=op@entry=0x7ffff7978f70)
    at Objects/object.c:272
#9  0x00005555556fdb8c in Py_DECREF (filename=filename@entry=0x5555558f67f9 "./Include/refcount.h", lineno=lineno@entry=513, op=0x7ffff7978f70)
    at ./Include/refcount.h:394
#10 0x00005555556fdbcc in Py_XDECREF (op=<optimized out>) at ./Include/refcount.h:513
#11 0x00005555556fde89 in structseq_dealloc (op=op@entry=0x7ffff7885fe0) at Objects/structseq.c:140
#12 0x00005555556daa0b in _Py_Dealloc (op=op@entry=0x7ffff7885fe0) at Objects/object.c:3200
#13 0x00005555556c1f3f in Py_DECREF (filename=filename@entry=0x5555558f67f9 "./Include/refcount.h", lineno=lineno@entry=513, op=0x7ffff7885fe0)
    at ./Include/refcount.h:403
#14 0x00005555556c1f5e in Py_XDECREF (op=<optimized out>) at ./Include/refcount.h:513
#15 0x00005555556c2202 in dictkeys_decref (dk=dk@entry=0x7ffff786e8c0, use_qsbr=use_qsbr@entry=false) at Objects/dictobject.c:462
#16 0x00005555556cbca3 in dict_dealloc (self=self@entry=0x7ffff7818d70) at Objects/dictobject.c:3354
#17 0x00005555556daa0b in _Py_Dealloc (op=op@entry=0x7ffff7818d70) at Objects/object.c:3200
#18 0x00005555556d64b4 in Py_DECREF (filename=filename@entry=0x5555558f67f9 "./Include/refcount.h", lineno=lineno@entry=513, op=0x7ffff7818d70)
    at ./Include/refcount.h:403
#19 0x00005555556d653e in Py_XDECREF (op=<optimized out>) at ./Include/refcount.h:513
--Type <RET> for more, q to quit, c to continue without paging--
#20 0x00005555556d712a in module_dealloc (self=self@entry=0x7ffff7818dd0) at Objects/moduleobject.c:898
#21 0x00005555556daa0b in _Py_Dealloc (op=op@entry=0x7ffff7818dd0) at Objects/object.c:3200
#22 0x00005555556c1f3f in Py_DECREF (filename=filename@entry=0x5555558f67f9 "./Include/refcount.h", lineno=lineno@entry=513, op=0x7ffff7818dd0)
    at ./Include/refcount.h:403
#23 0x00005555556c1f5e in Py_XDECREF (op=<optimized out>) at ./Include/refcount.h:513
#24 0x00005555556c9053 in insertdict (interp=0x555555bb7100 <_PyRuntime+133440>, mp=mp@entry=0x7ffff79b0350, 
    key=key@entry=0x555555baa9c8 <_PyRuntime+82440>, hash=hash@entry=7796730224713609877, value=value@entry=0x555555b6a3a0 <_Py_NoneStruct>)
    at Objects/dictobject.c:1927
#25 0x00005555556c924c in setitem_take2_lock_held (mp=mp@entry=0x7ffff79b0350, key=key@entry=0x555555baa9c8 <_PyRuntime+82440>, 
    value=value@entry=0x555555b6a3a0 <_Py_NoneStruct>) at Objects/dictobject.c:2675
#26 0x00005555556c9802 in _PyDict_SetItem_Take2 (mp=mp@entry=0x7ffff79b0350, key=key@entry=0x555555baa9c8 <_PyRuntime+82440>, 
    value=value@entry=0x555555b6a3a0 <_Py_NoneStruct>) at Objects/dictobject.c:2683
#27 0x00005555556c984f in PyDict_SetItem (op=0x7ffff79b0350, key=0x555555baa9c8 <_PyRuntime+82440>, value=0x555555b6a3a0 <_Py_NoneStruct>)
    at ./Include/refcount.h:530
#28 0x00005555556ca0f0 in dict_ass_sub (mp=<optimized out>, v=<optimized out>, w=<optimized out>) at Objects/dictobject.c:3509
#29 0x00005555556672ec in PyObject_SetItem (o=o@entry=0x7ffff79b0350, key=<optimized out>, value=0x555555b6a3a0 <_Py_NoneStruct>)
    at Objects/abstract.c:237
#30 0x000055555583eea6 in finalize_remove_modules (modules=modules@entry=0x7ffff79b0350, verbose=verbose@entry=0) at Python/pylifecycle.c:1596
#31 0x000055555583f4c2 in finalize_modules (tstate=tstate@entry=0x555555bedf60 <_PyRuntime+358304>) at Python/pylifecycle.c:1745
#32 0x0000555555848495 in _Py_Finalize (runtime=runtime@entry=0x555555b967c0 <_PyRuntime>) at Python/pylifecycle.c:2255
#33 0x000055555584853d in Py_FinalizeEx () at Python/pylifecycle.c:2378
#34 0x00005555558749d1 in Py_RunMain () at Modules/main.c:774
#35 0x0000555555874a20 in pymain_main (args=args@entry=0x7fffffffdfa0) at Modules/main.c:802
#36 0x0000555555874aa0 in Py_BytesMain (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:826
#37 0x00005555555ea912 in main (argc=<optimized out>, argv=<optimized out>) at ./Programs/python.c:15