pythongh-106092: Fix use-after-free crash in frame_dealloc
It was possible for the trashcan to delay the deallocation of a
PyFrameObject until after its corresponding _PyInterpreterFrame has
already been freed.  So frame_dealloc needs to avoid dereferencing the
f_frame pointer unless it first checks that the pointer still points
to valid memory.

Signed-off-by: Anders Kaseorg <[email protected]>
andersk committed Jul 18, 2023
1 parent a293fa5 commit e8a16a6
Showing 2 changed files with 9 additions and 6 deletions.
@@ -0,0 +1,2 @@
Fix a segmentation fault caused by a use-after-free bug in ``frame_dealloc``
when the trashcan delays the deallocation of a ``PyFrameObject``.
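Review bot: this change set adds only the NEWS entry and the fix itself, with no regression test (the commit touches two files, both shown here). A use-after-free that is only reachable when the trashcan's nesting limit is hit is exactly the kind of bug that silently regresses, so it would be worth adding a test that builds a deallocation chain deep enough to trigger the trashcan delay while a frame object still refers to a stack-allocated interpreter frame, and asserts the interpreter does not crash. The entry text itself is fine.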
13 changes: 7 additions & 6 deletions Objects/frameobject.c
Expand Up @@ -879,20 +879,21 @@ frame_dealloc(PyFrameObject *f)
/* It is the responsibility of the owning generator/coroutine
* to have cleared the generator pointer */

assert(f->f_frame->owner != FRAME_OWNED_BY_GENERATOR ||
_PyFrame_GetGenerator(f->f_frame)->gi_frame_state == FRAME_CLEARED);

if (_PyObject_GC_IS_TRACKED(f)) {
_PyObject_GC_UNTRACK(f);
}

Py_TRASHCAN_BEGIN(f, frame_dealloc);
PyObject *co = NULL;

/* GH-106092: If f->f_frame was on the stack and we reached the maximum
* nesting depth for deallocations, the trashcan may have delayed this
* deallocation until after f->f_frame is freed. Avoid dereferencing
* f->f_frame unless we know it still points to valid memory. */
_PyInterpreterFrame *frame = (_PyInterpreterFrame *)f->_f_frame_data;

/* Kill all local variables including specials, if we own them */
if (f->f_frame->owner == FRAME_OWNED_BY_FRAME_OBJECT) {
assert(f->f_frame == (_PyInterpreterFrame *)f->_f_frame_data);
_PyInterpreterFrame *frame = (_PyInterpreterFrame *)f->_f_frame_data;
if (f->f_frame == frame && frame->owner == FRAME_OWNED_BY_FRAME_OBJECT) {
/* Don't clear code object until the end */
co = frame->f_executable;
frame->f_executable = NULL;
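Review bot: the guard `if (f->f_frame == frame && frame->owner == FRAME_OWNED_BY_FRAME_OBJECT)` is safe because it only reads the pointer field `f->f_frame` (which lives in the still-valid PyFrameObject) and never dereferences it unless it equals the embedded `_f_frame_data` buffer; but the assertion at the top of the function, `assert(f->f_frame->owner != FRAME_OWNED_BY_GENERATOR || ...)`, still dereferences `f->f_frame` unconditionally. It is only correct because it sits above `Py_TRASHCAN_BEGIN(f, frame_dealloc)` and so runs on the initial call rather than after a delayed re-entry. Please add a comment there stating that it must stay before the trashcan macro, or move it under the same `f->f_frame == frame` guard, so that a future reordering does not reintroduce the read of freed memory in debug builds. Also note that dropping the old `assert(f->f_frame == (_PyInterpreterFrame *)f->_f_frame_data)` removes the only check that an interpreter frame marked `FRAME_OWNED_BY_FRAME_OBJECT` actually lives in the embedded buffer; the new condition quietly skips the cleanup if that invariant were ever violated, so consider keeping the assertion inside the guarded branch.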