Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GH-96569: Add two NULL checks to avoid undefined behavior. #96585

Merged
merged 4 commits into from
Sep 6, 2022
Merged

GH-96569: Add two NULL checks to avoid undefined behavior. #96585

merged 4 commits into from
Sep 6, 2022

Conversation

markshannon
Copy link
Member

@markshannon markshannon commented Sep 5, 2022
edited by bedevere-bot
Loading

@markshannon markshannon added the needs backport to 3.11 only security fixes label Sep 5, 2022
kumaraditya303
kumaraditya303 reviewed Sep 5, 2022
View reviewed changes
Python/pystate.c Outdated
@@ -2197,7 +2197,7 @@ _PyThreadState_PushFrame(PyThreadState *tstate, size_t size)
assert(size < INT_MAX/sizeof(PyObject *));
PyObject **base = tstate->datastack_top;
PyObject **top = base + size;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding size to NULL base is undefined behavior. top should be calculated after NULL check.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And similar to the other check, the addition itself might already be undefined behaviour, if it's more than one past the array length.

serhiy-storchaka
serhiy-storchaka reviewed Sep 5, 2022
View reviewed changes
Include/internal/pycore_frame.h Outdated
@@ -194,7 +194,8 @@ _PyFrame_LocalsToFast(_PyInterpreterFrame *frame, int clear);
static inline bool
_PyThreadState_HasStackSpace(PyThreadState *tstate, int size)
{
return tstate->datastack_top + size < tstate->datastack_limit;
return tstate->datastack_top != NULL &&
tstate->datastack_top + size < tstate->datastack_limit;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tstate->datastack_top + size may be an undefined behavior if it is past the array end.

size < tstate->datastack_limit - tstate->datastack_top does not have an UB in that case.

I do not know whether this actually happens.

Copy link
Contributor

@matthiasgoergens matthiasgoergens Sep 6, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be precise, tstate->datastack_limit - tstate->datastack_top needs both pointers to point to entries in the same array to be defined (I think). And from looking at the source, that seems to be the case.

@matthiasgoergens
Copy link
Contributor

matthiasgoergens commented Sep 6, 2022
edited
Loading

Btw, you might want to fix _PyThreadState_HasStackSpace in Include/internal/pycore_frame.h and then use that in these instances, instead of manually implementing the same logic?

(It's inline so the resulting machine code should be the same?)

The fix could be to use the difference approach that serhiy-storchaka suggested. And perhaps add a comment to that function with an explanation?

@markshannon
Copy link
Member Author

Thanks @matthiasgoergens and @serhiy-storchaka for your suggestions.

matthiasgoergens
matthiasgoergens approved these changes Sep 6, 2022
View reviewed changes
Copy link
Contributor

@matthiasgoergens matthiasgoergens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not that my approval means anything. :)

@matthiasgoergens

This comment was marked as resolved.

Sign in to view
@markshannon markshannon merged commit 222f10c into python:main Sep 6, 2022
@miss-islington
Copy link
Contributor

Thanks @markshannon for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

@miss-islington
Copy link
Contributor

Sorry, @markshannon, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 222f10ca2d01c86fa2c53c2edd6884f117324297 3.11

@markshannon markshannon mentioned this pull request Sep 6, 2022
Merged
@markshannon markshannon deleted the fix-undefined-behavior branch September 26, 2023 12:50
@ZeroIntensity ZeroIntensity removed the needs backport to 3.11 only security fixes label Feb 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matthiasgoergens matthiasgoergens matthiasgoergens approved these changes

@serhiy-storchaka serhiy-storchaka serhiy-storchaka left review comments

@kumaraditya303 kumaraditya303 kumaraditya303 left review comments

Assignees

@markshannon markshannon

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@markshannon @matthiasgoergens @miss-islington @serhiy-storchaka @kumaraditya303 @bedevere-bot @ZeroIntensity