gh-106092: Fix use-after-free crash in frame_dealloc (#106875)

It was possible for the trashcan to delay the deallocation of a PyFrameObject until after its corresponding _PyInterpreterFrame has already been freed. So frame_dealloc needs to avoid dereferencing the f_frame pointer unless it first checks that the pointer still points to the interpreter frame within the frame object. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
author: Anders Kaseorg <andersk@mit.edu> 2023-08-01 09:32:18 (GMT)
committer: GitHub <noreply@github.com> 2023-08-01 09:32:18 (GMT)
commit: 557b05c7a5334de5da3dc94c108c0121f10b9191 (patch)
tree: 84c4eaea106080031c7f7a1110b9ac546afb1b76 /Misc
parent: 052a0d1106fa3ee0c955a3b7ba48e82c49424e20 (diff)
download: cpython-557b05c7a5334de5da3dc94c108c0121f10b9191.zip
cpython-557b05c7a5334de5da3dc94c108c0121f10b9191.tar.gz
cpython-557b05c7a5334de5da3dc94c108c0121f10b9191.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Core and Builtins/2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst b/Misc/NEWS.d/next/Core and Builtins/2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst
new file mode 100644
index 0000000..7fb5b45
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst
@@ -0,0 +1,2 @@
+Fix a segmentation fault caused by a use-after-free bug in ``frame_dealloc``
+when the trashcan delays the deallocation of a ``PyFrameObject``.
author	Anders Kaseorg <andersk@mit.edu>	2023-08-01 09:32:18 (GMT)
committer	GitHub <noreply@github.com>	2023-08-01 09:32:18 (GMT)
commit	557b05c7a5334de5da3dc94c108c0121f10b9191 (patch)
tree	84c4eaea106080031c7f7a1110b9ac546afb1b76 /Misc
parent	052a0d1106fa3ee0c955a3b7ba48e82c49424e20 (diff)
download	cpython-557b05c7a5334de5da3dc94c108c0121f10b9191.zip cpython-557b05c7a5334de5da3dc94c108c0121f10b9191.tar.gz cpython-557b05c7a5334de5da3dc94c108c0121f10b9191.tar.bz2