Potential null pointer dereference in PySys_AddWarnOptionUnicode #126108

Open
federicovalenso opened this issue Oct 29, 2024 · 3 comments
Labels
3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes easy interpreter-core (Objects, Python, Grammar, and Parser dirs) type-bug An unexpected behavior, bug, or error

Comments

@federicovalenso
Contributor

federicovalenso commented Oct 29, 2024

Bug report

Bug description:

Pointer tstate is compared to a NULL value here, but above there is a dereference. Stack trace: _PySys_AddWarnOptionWithError -> get_warnoptions -> _PySys_GetAttr. Correct code should look like this:

void
PySys_AddWarnOptionUnicode(PyObject *option)
{
    PyThreadState *tstate = _PyThreadState_GET();
    if (tstate && _PySys_AddWarnOptionWithError(tstate, option) < 0) {
        /* No return value, therefore clear error state if possible */
        _PyErr_Clear(tstate);
    }
}

CPython versions tested on:

3.11

Operating systems tested on:

No response
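
The check-after-use pattern from the report above, as an added example that is not part of the original issue or of CPython's source. The `*_model` types and `model_*` functions are hypothetical stand-ins for `PyThreadState`, `_PySys_GetAttr` and `_PySys_AddWarnOptionWithError`; only the order of the call and the NULL test mirrors the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in types: simplified models, not CPython's real structures. */
typedef struct { int warnoptions_len; } interp_model;
typedef struct { interp_model *interp; int error_set; } tstate_model;

/* Models _PySys_GetAttr: reads through tstate unconditionally. */
static interp_model *model_get_attr(tstate_model *tstate)
{
    return tstate->interp;          /* dereference: tstate must be non-NULL */
}

/* Models _PySys_AddWarnOptionWithError -> get_warnoptions -> _PySys_GetAttr. */
static int model_add_warnoption(tstate_model *tstate, int fail)
{
    interp_model *interp = model_get_attr(tstate);
    if (fail) {
        tstate->error_set = 1;      /* models a raised exception */
        return -1;
    }
    interp->warnoptions_len++;
    return 0;
}

/* Reported shape: the NULL test runs after the call that already
 * dereferenced tstate, so it protects nothing and a compiler may treat
 * it as always true. Must never be called with NULL. */
void add_option_reported(tstate_model *tstate, int fail)
{
    if (model_add_warnoption(tstate, fail) < 0) {
        if (tstate) {
            tstate->error_set = 0;
        }
    }
}

/* Proposed shape: test tstate before the first dereference. */
void add_option_guarded(tstate_model *tstate, int fail)
{
    if (tstate && model_add_warnoption(tstate, fail) < 0) {
        tstate->error_set = 0;      /* models _PyErr_Clear(tstate) */
    }
}

int main(void)
{
    add_option_guarded(NULL, 1);    /* short-circuits before any dereference */
    puts("guarded call with NULL tstate returned");
    return 0;
}
```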


@federicovalenso federicovalenso added the type-bug An unexpected behavior, bug, or error label Oct 29, 2024
@picnixz picnixz changed the title Potential null pointer dereference Potential null pointer dereference in PySys_AddWarnOptionUnicode Oct 29, 2024
@picnixz picnixz added interpreter-core (Objects, Python, Grammar, and Parser dirs) easy 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes labels Oct 29, 2024
@picnixz
Contributor

picnixz commented Oct 29, 2024

Thanks for spotting this. This still happens on main. Feel free to open a PR (I can do it as well if you want).

Note: 3.11 is security-only and this does not seem to count as a security issue unless someone is able to provide me a PoC of an exploit using that null pointer dereference.

@picnixz
Contributor

picnixz commented Oct 29, 2024

cc @sobolevn since you are working on this batch of issues

@sobolevn
Member

I haven't seen this one yet :)
