Closed as not planned
Description
What happened?
Version
Python 3.13.0a3+ (heads/main:b3f0b698da, Feb 12 2024, 03:56:25) [GCC 11.4.0]
bisect from commit e14679c
Root Cause
The time_pthread_getcpuclockid function retrieves an element from the user input, but improper validation of the thread id triggers a segmentation fault.
```c
static PyObject *
time_pthread_getcpuclockid(PyObject *self, PyObject *args)
{
    unsigned long thread_id;
    int err;
    clockid_t clk_id;

    /* "k" converts any Python int to unsigned long without overflow checking */
    if (!PyArg_ParseTuple(args, "k:pthread_getcpuclockid", &thread_id)) {
        return NULL;
    }
    /* The integer is cast to pthread_t and passed on unchecked */
    err = pthread_getcpuclockid((pthread_t)thread_id, &clk_id); // <-- thread_id from args
    if (err) {
        errno = err;
        PyErr_SetFromErrno(PyExc_OSError);
        return NULL;
    }
#ifdef _Py_MEMORY_SANITIZER
    __msan_unpoison(&clk_id, sizeof(clk_id));
#endif
    return PyLong_FromLong(clk_id);
}
```
POC
```python
import time
time.pthread_getcpuclockid(-1)
```
asan
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9985==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002ce (pc 0x7f5176af3159 bp 0x7ffcb8437230 sp 0x7ffcb8437178 T0)
==9985==The signal is caused by a READ memory access.
==9985==Hint: address points to the zero page.
    #0 0x7f5176af3159 in __pthread_getcpuclockid nptl/pthread_getcpuclockid.c:32
    #1 0x564afa3983a1 in time_pthread_getcpuclockid Modules/timemodule.c:380
    #2 0x564af9eafacf in cfunction_call Objects/methodobject.c:551
    #3 0x564af9dc0393 in _PyObject_MakeTpCall Objects/call.c:242
    #4 0x564af9dc0a94 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:166
    #5 0x564af9dc0ac0 in PyObject_Vectorcall Objects/call.c:327
    #6 0x564afa0cd313 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:815
    #7 0x564afa11a855 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:115
    #8 0x564afa11a855 in _PyEval_Vector Python/ceval.c:1788
    #9 0x564afa11aa76 in PyEval_EvalCode Python/ceval.c:592
    #10 0x564afa2245d9 in run_eval_code_obj Python/pythonrun.c:1294
    #11 0x564afa227522 in run_mod Python/pythonrun.c:1379
    #12 0x564afa228302 in pyrun_file Python/pythonrun.c:1215
    #13 0x564afa22a8f0 in _PyRun_SimpleFileObject Python/pythonrun.c:464
    #14 0x564afa22ac8c in _PyRun_AnyFileObject Python/pythonrun.c:77
    #15 0x564afa2872c0 in pymain_run_file_obj Modules/main.c:357
    #16 0x564afa289a71 in pymain_run_file Modules/main.c:376
    #17 0x564afa28a682 in pymain_run_python Modules/main.c:628
    #18 0x564afa28a812 in Py_RunMain Modules/main.c:707
    #19 0x564afa28a9f9 in pymain_main Modules/main.c:737
    #20 0x564afa28ad71 in Py_BytesMain Modules/main.c:761
    #21 0x564af9c24b05 in main Programs/python.c:15
    #22 0x7f5176a86d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #23 0x7f5176a86e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #24 0x564af9c24a34 in _start (/cpython/python+0x26fa34)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV nptl/pthread_getcpuclockid.c:32 in __pthread_getcpuclockid
==9985==ABORTING
```
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.13.0a3+ (heads/main:b3f0b698da, Feb 12 2024, 03:56:25) [GCC 11.4.0]
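A caller-side guard for the crash reported above, as an added example that is not part of the original issue or of CPython's code: it passes `time.pthread_getcpuclockid` only the `ident` of a live `threading.Thread`, never a raw integer. `thread_cpu_clock_id` and `worker_cpu_seconds` are hypothetical names, and the example assumes a platform where `time.pthread_getcpuclockid` is available.

```python
import threading
import time


def thread_cpu_clock_id(thread):
    """Return the CPU-time clock id of a live threading.Thread (hypothetical helper).

    Takes a Thread object instead of a raw integer, so the value handed to
    pthread_getcpuclockid() always comes from the interpreter and never from
    caller-controlled data.
    """
    if not isinstance(thread, threading.Thread):
        raise TypeError("expected a threading.Thread, not %r" % type(thread).__name__)
    if thread.ident is None or not thread.is_alive():
        raise ValueError("thread is not running; its id is not a valid pthread_t")
    # Caveat: a thread that exits between the check above and the call below
    # leaves an expired id. Keep the target alive (or query only the current
    # thread) while asking for its clock.
    return time.pthread_getcpuclockid(thread.ident)


def worker_cpu_seconds():
    """Constructed demo: read the CPU time of a worker that is kept alive."""
    release = threading.Event()
    worker = threading.Thread(target=release.wait)
    worker.start()
    try:
        clk = thread_cpu_clock_id(worker)
        return time.clock_gettime(clk)
    finally:
        release.set()
        worker.join()


if __name__ == "__main__":
    print("worker CPU seconds:", worker_cpu_seconds())
    try:
        thread_cpu_clock_id(-1)  # the PoC value is rejected before any C call
    except TypeError as exc:
        print("rejected:", exc)
```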
Labels
A hard crash of the interpreter, possibly with a core dump