KEMBAR78
crash in long_vectorcall in longobject.c · Issue #114050 · python/cpython · GitHub
Skip to content

crash in long_vectorcall in longobject.c #114050

@kcatss

Description

@kcatss

Crash report

What happened?

PyErr_Format function has wrong a format string %s.
So, the format string must be removed.
A python executable with building attached patch file do work well.

  1. trigger code
class evil(1):
    pass
  1. Root cause source location
static PyObject *
long_vectorcall(PyObject *type, PyObject * const*args,
                 size_t nargsf, PyObject *kwnames)
{
    Py_ssize_t nargs = PyVectorcall_NARGS(nargsf);
    if (kwnames != NULL) {
        PyThreadState *tstate = PyThreadState_GET();
        return _PyObject_MakeTpCall(tstate, type, args, nargs, kwnames);
    }
    switch (nargs) {
        case 0:
            return _PyLong_GetZero();
        case 1:
            return PyNumber_Long(args[0]);
        case 2:
            return long_new_impl(_PyType_CAST(type), args[0], args[1]);
        default:
            return PyErr_Format(PyExc_TypeError,
                                "int expected at most 2 argument%s, got %zd", // <-- here
                                nargs);
    }
}
  1. patch file
    bugfix.patch

  2. asan log

asan

==146567==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0xffffa3159950 bp 0xffffcc068cc0 sp 0xffffcc068cc0 T0)
==146567==The signal is caused by a READ memory access.
==146567==Hint: address points to the zero page.
#0 0xffffa3159950 (/lib/aarch64-linux-gnu/libc.so.6+0x99950)
#1 0xffffa334e078 in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:387
#2 0xaaaaca78de70 in unicode_fromformat_write_cstr Objects/unicodeobject.c:2384
#3 0xaaaaca78f3f0 in unicode_fromformat_arg Objects/unicodeobject.c:2697
#4 0xaaaaca78fa1c in PyUnicode_FromFormatV Objects/unicodeobject.c:2816
#5 0xaaaaca926bc4 in PyErr_FormatV Python/errors.c:1161
#6 0xaaaaca9246e4 in PyErr_Format Python/errors.c:1196
#7 0xaaaaca62187c in long_vectorcall Objects/longobject.c:6173
#8 0xaaaaca58a540 in PyObject_VectorcallDictTstate Objects/call.c:135
#9 0xaaaaca58a7b8 in PyObject_VectorcallDict Objects/call.c:159
#10 0xaaaaca861a10 in builtin___build_class
Python/bltinmodule.c:216
#11 0xaaaaca66cc70 in cfunction_vectorcall_FASTCALL_KEYWORDS Objects/methodobject.c:441
#12 0xaaaaca58661c in _PyObject_VectorcallTstate Include/internal/pycore_call.h:168
#13 0xaaaaca586758 in PyObject_Vectorcall Objects/call.c:327
#14 0xaaaaca8a2120 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:4344
#15 0xaaaaca8d5574 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:115
#16 0xaaaaca8d5574 in _PyEval_Vector Python/ceval.c:1783
#17 0xaaaaca8d573c in PyEval_EvalCode Python/ceval.c:591
#18 0xaaaaca9cb214 in run_eval_code_obj Python/pythonrun.c:1294
#19 0xaaaaca9ce108 in run_mod Python/pythonrun.c:1379
#20 0xaaaaca9cebfc in PyRun_InteractiveOneObjectEx Python/pythonrun.c:287
#21 0xaaaaca9d0ce8 in _PyRun_InteractiveLoopObject Python/pythonrun.c:136
#22 0xaaaaca9d16c8 in _PyRun_AnyFileObject Python/pythonrun.c:71
#23 0xaaaaca9d181c in PyRun_AnyFileExFlags Python/pythonrun.c:103
#24 0xaaaacaa2dbd0 in pymain_run_stdin Modules/main.c:517
#25 0xaaaacaa2f9b8 in pymain_run_python Modules/main.c:631
#26 0xaaaacaa2fc18 in Py_RunMain Modules/main.c:707
#27 0xaaaacaa2fe08 in pymain_main Modules/main.c:737
#28 0xaaaacaa30144 in Py_BytesMain Modules/main.c:761
#29 0xaaaaca3eb4dc in main Programs/python.c:15
#30 0xffffa30e73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#31 0xffffa30e74c8 in __libc_start_main_impl ../csu/libc-start.c:392
#32 0xaaaaca3eb3ec in _start (/home/kk/projects/cpython/python+0x27b3ec)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/aarch64-linux-gnu/libc.so.6+0x99950)
==146567==ABORTING

  1. work well stdout in interpreter
>>> class evil(1):
... 	pass
...
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
    class evil(1):
TypeError: int expected at most 2 arguments, got 3
>>>

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.13.0a2 (tags/v3.13.0a2-dirty:9c4347ef8b, Jan 14 2024, 06:56:06) [GCC 11.4.0]

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.13bugs and security fixeseasyinterpreter-core(Objects, Python, Grammar, and Parser dirs)type-crashA hard crash of the interpreter, possibly with a core dump

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions