Issue28962
Created on 2016-12-13 16:28 by JelleZijlstra, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| baderror.py | JelleZijlstra, 2016-12-13 16:28 | |||
| Messages (5) | |||
|---|---|---|---|
| msg283118 - (view) | Author: Jelle Zijlstra (JelleZijlstra) *  |
Date: 2016-12-13 16:28 | |
$ cat baderror.py
class BadError(Exception):
def __init__(self):
self.i = 0
def __hash__(self):
self.i += 1
return self.i
e = BadError()
raise e from e
$ ./python.exe -V
Python 3.5.2+
$ ./python.exe baderror.py
Segmentation fault: 11
I have reproduced this with Python 3.3, 3.4, 3.5, and 3.6; I assume it's been present throughout the 3 series.
This is because print_exception_recursive in pythonrun.c keeps following the __cause__ chain, and here the exception is its own __cause__. It uses a set to ensure that it breaks cycles, but that doesn't help here because of the exception's incorrect __hash__ method.
|
|||
| msg283139 - (view) | Author: Josh Rosenberg (josh.r) *  |
Date: 2016-12-13 20:15 | |
Is this something that needs to be defended against? My understanding is that it's pretty easy to segfault CPython in a number of ways if you can execute 100% arbitrary code. The only way to cause this problem is if you can define malicious exceptions and cause one to be raised from itself, neither of which occurs in reasonable code. |
|||
| msg283831 - (view) | Author: Xavier Combelle (xcombelle) * | Date: 2016-12-22 13:16 | |
To my knowledge it is not the kind of arbitrary code which could segfault python code. It is far different for example that the fact by using bytecode magic you can segfault the interpreter, as this last case is explicitly warned in documentation. |
|||
| msg314241 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) * |
Date: 2018-03-22 09:58 | |
Seems it was fixed somewhere between 3.6.3 and 3.6.5+.
Traceback (most recent call last):
File "baderror.py", line 10, in <module>
raise e from e
__main__.BadError
3.5 is now in security-only fixes stage, and this doesn't look like a security issue.
|
|||
| msg318531 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) * |
Date: 2018-06-03 09:59 | |
It was fixed in issue28603. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:40 | admin | set | github: 73148 |
| 2018-06-03 09:59:49 | serhiy.storchaka | set | status: open -> closed resolution: out of date messages: + msg318531 stage: resolved |
| 2018-06-03 09:36:43 | serhiy.storchaka | set | superseder: traceback module can't format/print unhashable exceptions |
| 2018-03-22 09:58:11 | serhiy.storchaka | set | versions: - Python 3.3 |
| 2018-03-22 09:58:00 | serhiy.storchaka | set | nosy:
+ serhiy.storchaka messages:
+ msg314241 |
| 2016-12-22 13:16:49 | xcombelle | set | nosy:
+ xcombelle messages: + msg283831 |
| 2016-12-13 20:47:06 | serhiy.storchaka | set | dependencies: + CPython hangs on error __context__ set to the error itself |
| 2016-12-13 20:15:24 | josh.r | set | nosy:
+ josh.r messages: + msg283139 |
| 2016-12-13 16:28:07 | JelleZijlstra | create | |