Segmentation Fault in append_history_file of readline · Issue #122431 · python/cpython · GitHub
Segmentation Fault in append_history_file of readline #122431


Closed
kcatss opened this issue Jul 29, 2024 · 3 comments
Labels
3.12 only security fixes 3.13 bugs and security fixes 3.14 bugs and security fixes extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@kcatss
Contributor
kcatss commented Jul 29, 2024

Crash report

What happened?


Build

apt-get install libreadline6-dev
./configure --with-pydebug --with-address-sanitizer

Root Cause

When calling readline.append_history_file, the first argument can be set to -2147483648, and a valid file path should be provided as the second argument. There is no proper validation logic for append_history, which can cause a crash.

static PyObject *
readline_append_history_file(PyObject *module, PyObject *const *args, Py_ssize_t nargs)
{
    PyObject *return_value = NULL;
    int nelements;
    PyObject *filename_obj = Py_None;

    if (!_PyArg_CheckPositional("append_history_file", nargs, 1, 2)) {
        goto exit;
    }
    nelements = PyLong_AsInt(args[0]); //  input from user
    if (nelements == -1 && PyErr_Occurred()) {
        goto exit;
    }
    if (nargs < 2) {
        goto skip_optional;
    }
    filename_obj = args[1];
skip_optional:
    return_value = readline_append_history_file_impl(module, nelements, filename_obj);  // nelements : -2147483648
exit:
    return return_value;
}
static PyObject *
readline_append_history_file_impl(PyObject *module, int nelements,
                                  PyObject *filename_obj)
/*[clinic end generated code: output=5df06fc9da56e4e4 input=784b774db3a4b7c5]*/
{
    ...
    errno = err = append_history(
        nelements - libedit_append_replace_history_offset, filename); //   nelements : -2147483648
}

POC

import readline
readline.append_history_file(-2147483648, __file__)

ASAN


AddressSanitizer:DEADLYSIGNAL
=================================================================
==10389==ERROR: AddressSanitizer: SEGV on unknown address 0x620c0002a900 (pc 0x7fdf36f7aee0 bp 0x604000003ed0 sp 0x7ffd4d0abf50 T0)
==10389==The signal is caused by a READ memory access.
    #0 0x7fdf36f7aee0  (/lib/x86_64-linux-gnu/libreadline.so.8+0x3dee0) It doesn't crash in Python and it crashes in GNU C, so this code.
    #1 0x7fdf36fa169e in readline_append_history_file_impl Modules/readline.c:365
    #2 0x7fdf36fa192b in readline_append_history_file Modules/clinic/readline.c.h:154
    #3 0x564386c5b367 in cfunction_vectorcall_FASTCALL Objects/methodobject.c:425
    #4 0x564386b64981 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:167
    #5 0x564386b64adc in PyObject_Vectorcall Objects/call.c:327
    #6 0x564386ec6fea in _PyEval_EvalFrameDefault Python/generated_cases.c.h:857
    #7 0x564386f0b295 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #8 0x564386f0b295 in _PyEval_Vector Python/ceval.c:1823
    #9 0x564386f0b4b6 in PyEval_EvalCode Python/ceval.c:621
    #10 0x56438701b139 in run_eval_code_obj Python/pythonrun.c:1292
    #11 0x56438701e07e in run_mod Python/pythonrun.c:1377
    #12 0x56438701ee5e in pyrun_file Python/pythonrun.c:1210
    #13 0x56438702133d in _PyRun_SimpleFileObject Python/pythonrun.c:459
    #14 0x564387021831 in _PyRun_AnyFileObject Python/pythonrun.c:77
    #15 0x5643870869dc in pymain_run_file_obj Modules/main.c:409
    #16 0x564387089854 in pymain_run_file Modules/main.c:428
    #17 0x56438708a465 in pymain_run_python Modules/main.c:696
    #18 0x56438708a5f5 in Py_RunMain Modules/main.c:775
    #19 0x56438708a7dc in pymain_main Modules/main.c:805
    #20 0x56438708ab54 in Py_BytesMain Modules/main.c:829
    #21 0x5643869c5b15 in main Programs/python.c:15
    #22 0x7fdf3a238d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #23 0x7fdf3a238e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #24 0x5643869c5a44 in _start (/cpython_latest/python+0x28aa44)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libreadline.so.8+0x3dee0)
==10389==ABORTING

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.14.0a0 (heads/main:bb09ba6792, Jul 27 2024, 09:44:43) [GCC 11.4.0]

@kcatss kcatss added the type-crash A hard crash of the interpreter, possibly with a core dump label Jul 29, 2024
@ZeroIntensity
Member

I was able to reproduce this, but it's worth noting that this only occurs with the integer -2147483648. It doesn't occur on any numbers outside the 32-bit integer range (as that raises an OverflowError), nor does it happen on the positive 2147483648.

FWIW, this is not a type validation problem, as the issue suggested -- that's all done by the clinic. I guess a fix could be to special-case -2147483648, but it's probably better to just raise a ValueError on numbers less than zero.

@ZeroIntensity
Member
ZeroIntensity commented Jul 30, 2024

This is possibly a bug upstream, in the GNU readline. Looks like append_history, outside of CPython, segfaults for only that number as well:

#include <editline/readline.h>

int main(void) {
    append_history(-2147483646, "test.c"); // OK
    append_history(-2147483647, "test.c"); // OK
    append_history(-2147483649, "test.c"); // Technically ok, due to integer underflow
    append_history(-2147483648, "test.c"); // Segfault
    return 0;
}

@ZeroIntensity
Member

Issue has been reported upstream. In the meantime, would the best solution be to special-case raising an exception if INT_MIN was passed?
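Added example, not code from CPython or GNU readline: a constructed model of why, with an empty history, only INT_MIN is the problematic count in the root-cause excerpt above and in the standalone C reproducer, and of the negative-count rejection the proposed fix takes. The model assumes an "append the last `nelements` entries" routine that computes its start index as `history_len - nelements`; `start_index_overflows`, `model_append_last` and the sample history length are illustration-only names, not library APIs.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed model (not readline's source): a history of `history_len`
 * entries, and an "append the last `nelements` entries" routine whose start
 * index is history_len - nelements.  The real library may differ in detail;
 * the point is the arithmetic on an unchecked signed count. */

/* Returns 1 if `history_len - nelements` would overflow a signed int.
 * Signed overflow is undefined behaviour in C, so the check rearranges the
 * inequality instead of performing the subtraction. */
int start_index_overflows(int history_len, int nelements)
{
    if (nelements < 0) {
        /* history_len - nelements > INT_MAX  <=>  history_len > INT_MAX + nelements.
         * For nelements == INT_MIN the right-hand side is -1, so any
         * non-negative history length overflows; for -2147483647 it is 0,
         * so an empty history is fine but one entry is not. */
        return history_len > INT_MAX + nelements;
    }
    /* history_len - nelements < INT_MIN  <=>  history_len < INT_MIN + nelements */
    return history_len < INT_MIN + nelements;
}

/* Hardened variant of the count handling, in the spirit of the linked fix
 * ("Disallow negative values"): reject negative counts up front and clamp
 * the rest, so the subtraction can no longer overflow.  Returns the number
 * of entries to append and stores the first index in *start; on a negative
 * count returns -1 with errno = EINVAL. */
int model_append_last(int history_len, int nelements, int *start)
{
    if (nelements < 0) {
        errno = EINVAL;
        return -1;
    }
    if (nelements > history_len) {
        nelements = history_len;
    }
    *start = history_len - nelements;  /* 0 <= nelements <= history_len: safe */
    return nelements;
}

int main(void)
{
    /* Empty history, as in a fresh interpreter running the POC above. */
    const int values[] = { -2147483646, -2147483647, INT_MIN };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        printf("history_len=0 nelements=%d overflow=%d\n",
               values[i], start_index_overflows(0, values[i]));
    }
    /* With even one entry in the history, other large negatives overflow too. */
    printf("history_len=1 nelements=%d overflow=%d\n",
           -2147483647, start_index_overflows(1, -2147483647));

    int start = 0;
    int n = model_append_last(3, INT_MIN, &start);
    printf("hardened: n=%d errno=%d\n", n, n < 0 ? errno : 0);
    return 0;
}
```

Under this model the special status of INT_MIN is an artifact of an empty history: with one or more entries, -2147483647 overflows the same subtraction, which is why rejecting every negative count (rather than special-casing INT_MIN) is the more robust check.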

@ZeroIntensity ZeroIntensity added extension-modules C modules in the Modules dir 3.12 only security fixes 3.13 bugs and security fixes 3.14 bugs and security fixes labels Sep 23, 2024
vstinner added a commit that referenced this issue Dec 5, 2024
…#122469)

Co-authored-by: Victor Stinner <vstinner@python.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Dec 5, 2024
…_file` (pythonGH-122469)

(cherry picked from commit 208b0fb)

Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Dec 5, 2024
…_file` (pythonGH-122469)

(cherry picked from commit 208b0fb)

Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
vstinner added a commit that referenced this issue Dec 5, 2024
…y_file` (GH-122469) (#127642)

gh-122431: Disallow negative values in `readline.append_history_file` (GH-122469)
(cherry picked from commit 208b0fb)

Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
vstinner added a commit that referenced this issue Dec 5, 2024
…y_file` (GH-122469) (#127641)

gh-122431: Disallow negative values in `readline.append_history_file` (GH-122469)
(cherry picked from commit 208b0fb)

Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
@vstinner vstinner closed this as completed Dec 5, 2024
srinivasreddy pushed a commit to srinivasreddy/cpython that referenced this issue Jan 8, 2025
…_file` (python#122469)

Co-authored-by: Victor Stinner <vstinner@python.org>