KEMBAR78
gh-120298: Fix use-after-free in `list_richcompare_impl` by sobolevn · Pull Request #120303 · python/cpython · GitHub
Skip to content

Conversation

@sobolevn
Copy link
Member

@sobolevn sobolevn commented Jun 10, 2024

This code does the same thing as the code above it:

cpython/Objects/listobject.c

Lines 3360 to 3364 in 0ae8579

Py_INCREF(vitem);
Py_INCREF(witem);
int k = PyObject_RichCompareBool(vitem, witem, Py_EQ);
Py_DECREF(vitem);
Py_DECREF(witem);

And looks like it gets the job done. I've added tests for these two corner cases.

Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What bisect or deque do with this?

What tests were added for the similar case above?

@serhiy-storchaka
Copy link
Member

The corresponding test is test_equal_operator_modifying_operand in Lib/test/test_list.py (added in 2d5bf56, GH-17734). You can perhaps just add a case there.

@sobolevn
Copy link
Member Author

Yes, @serhiy-storchaka, you are correct. I simplified the reproduction to:

class evil(object):
    def __lt__(self, other):
        other.clear()
        return NotImplemented

a =   [ [ evil()]]

a[0] < a  # crash without this patch

I've updated tests to store this test near test_equal_operator_modifying_operand. Thanks a lot for the advice!

Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@sobolevn sobolevn merged commit 141baba into python:main Jun 11, 2024
@sobolevn sobolevn added needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Jun 11, 2024
@miss-islington-app
Copy link

Thanks @sobolevn for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

@miss-islington-app
Copy link

Thanks @sobolevn for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jun 11, 2024
…nGH-120303)

(cherry picked from commit 141baba)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jun 11, 2024
…nGH-120303)

(cherry picked from commit 141baba)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Jun 11, 2024

GH-120339 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Jun 11, 2024
@bedevere-app
Copy link

bedevere-app bot commented Jun 11, 2024

GH-120340 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Jun 11, 2024
sobolevn added a commit that referenced this pull request Jun 11, 2024
…20303) (#120339)

gh-120298: Fix use-after-free in `list_richcompare_impl` (GH-120303)
(cherry picked from commit 141baba)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
sobolevn added a commit that referenced this pull request Jun 11, 2024
…20303) (#120340)

gh-120298: Fix use-after-free in `list_richcompare_impl` (GH-120303)
(cherry picked from commit 141baba)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
mrahtz pushed a commit to mrahtz/cpython that referenced this pull request Jun 30, 2024
…n#120303)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
noahbkim pushed a commit to hudson-trading/cpython that referenced this pull request Jul 11, 2024
…n#120303)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
estyxx pushed a commit to estyxx/cpython that referenced this pull request Jul 17, 2024
…n#120303)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants