Skip to content

[backport to 3.5] bpo-29438: Fixed use-after-free in key sharing dict #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 13, 2017
Merged

[backport to 3.5] bpo-29438: Fixed use-after-free in key sharing dict #40

merged 1 commit into from
Feb 13, 2017

Conversation

methane
Copy link
Member

@methane methane commented Feb 12, 2017

No description provided.

@methane methane added the type-bug An unexpected behavior, bug, or error label Feb 12, 2017
@methane methane changed the title bpo-29438: Fixed use-after-free in key sharing dict [backport to 3.5] bpo-29438: Fixed use-after-free in key sharing dict Feb 12, 2017
serhiy-storchaka
serhiy-storchaka reviewed Feb 12, 2017
View reviewed changes
Objects/dictobject.c
@@ -3893,20 +3893,18 @@ _PyObjectDict_SetItem(PyTypeObject *tp, PyObject **dictptr,
}
if (value == NULL) {
res = PyDict_DelItem(dict, key);
if (cached != ((PyDictObject *)dict)->ma_keys) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why these lines are deleted?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In Python 3.5, PyDict_DelItem won't resize dict. So cached == dict->ma_keys in most cases.

One exception is callback called by weakref or __del__ inserts some items to the dict and resize happened.
In this case, cached != CACHED_KEYS(tp), so DK_DECREF(cached) will be "use-after-free".

In such case, the insertion from the callback would update CACHED_KEYS(tp) correctly.
So clearing CACHED_KEYS(tp) doesn't make sense for most case.

Even when the callback inserts items through __dict__ (not regular attribute access), skipping CACHED_KEYS(tp) = NULL
doesn't cause uncontrolled memory growth. And it happens very rarely.
So I think this code is not worth enough.

@methane methane merged commit 06a4fcb into python:3.5 Feb 13, 2017
@methane methane deleted the bpo29438/py35 branch February 13, 2017 00:16
@ziegenbalg ziegenbalg mentioned this pull request Nov 30, 2022
Closed
jaraco pushed a commit that referenced this pull request Dec 2, 2022
@Mariatta
Use cherry-picker v 0.2.5 (GH-40)
e954502
oraluben pushed a commit to oraluben/cpython that referenced this pull request Jun 25, 2023
@Fidget-Spinner
fix: add multiple jump target to metadata, special ops can be jump ta…
426daf1 
…rgets (python#40)
@gvanrossum gvanrossum mentioned this pull request Aug 22, 2023
Closed
@LinanV LinanV mentioned this pull request Oct 23, 2023
Closed
@kcatss kcatss mentioned this pull request Feb 20, 2024
Closed
@ngoldbaum ngoldbaum mentioned this pull request Sep 23, 2024
Closed
This was referenced Feb 11, 2025
Open
Closed
@DominiquePACCO DominiquePACCO mentioned this pull request Jun 3, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@serhiy-storchaka serhiy-storchaka serhiy-storchaka approved these changes

Assignees
No one assigned
Labels
type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@methane @serhiy-storchaka @Mariatta @the-knights-who-say-ni