gh-123083: Fix a potential use-after-free in ``STORE_ATTR_WITH_HINT`` (gh-123092)

author: Donghee Na <donghee.na@python.org> 2024-08-22 14:49:09 (GMT)
committer: GitHub <noreply@github.com> 2024-08-22 14:49:09 (GMT)
commit: 297f2e093ec95800ae2184330b8408c875523467 (patch)
tree: 5c1b6debe984d76e5874136146b854f98847cbb4 /Python
parent: 4abc1c1456413f3d2692257545a33bb16b24f900 (diff)
download: cpython-297f2e093ec95800ae2184330b8408c875523467.zip
cpython-297f2e093ec95800ae2184330b8408c875523467.tar.gz
cpython-297f2e093ec95800ae2184330b8408c875523467.tar.bz2
3 files changed, 21 insertions, 18 deletions
diff --git a/Python/bytecodes.c b/Python/bytecodes.c
index 838af3e..bc41813 100644
--- a/Python/bytecodes.c
+++ b/Python/bytecodes.c
@@ -2235,18 +2235,19 @@ dummy_func(
             DEOPT_IF(!DK_IS_UNICODE(dict->ma_keys));
             PyDictUnicodeEntry *ep = DK_UNICODE_ENTRIES(dict->ma_keys) + hint;
             DEOPT_IF(ep->me_key != name);
+            /* Ensure dict is GC tracked if it needs to be */
+            if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(PyStackRef_AsPyObjectBorrow(value))) {
+                _PyObject_GC_TRACK(dict);
+            }
             old_value = ep->me_value;
             PyDict_WatchEvent event = old_value == NULL ? PyDict_EVENT_ADDED : PyDict_EVENT_MODIFIED;
             new_version = _PyDict_NotifyEvent(tstate->interp, event, dict, name, PyStackRef_AsPyObjectBorrow(value));
             ep->me_value = PyStackRef_AsPyObjectSteal(value);
+            dict->ma_version_tag = new_version; // PEP 509
+            // old_value should be DECREFed after GC track checking is done, if not, it could raise a segmentation fault,
+            // when dict only holds the strong reference to value in ep->me_value.
             Py_XDECREF(old_value);
             STAT_INC(STORE_ATTR, hit);
-            /* Ensure dict is GC tracked if it needs to be */
-            if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(PyStackRef_AsPyObjectBorrow(value))) {
-                _PyObject_GC_TRACK(dict);
-            }
-            /* PEP 509 */
-            dict->ma_version_tag = new_version;
             PyStackRef_CLOSE(owner);
         }
 
diff --git a/Python/executor_cases.c.h b/Python/executor_cases.c.h
index 55b06a0..4274d51 100644
--- a/Python/executor_cases.c.h
+++ b/Python/executor_cases.c.h
@@ -2637,18 +2637,19 @@
                 UOP_STAT_INC(uopcode, miss);
                 JUMP_TO_JUMP_TARGET();
             }
+            /* Ensure dict is GC tracked if it needs to be */
+            if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(PyStackRef_AsPyObjectBorrow(value))) {
+                _PyObject_GC_TRACK(dict);
+            }
             old_value = ep->me_value;
             PyDict_WatchEvent event = old_value == NULL ? PyDict_EVENT_ADDED : PyDict_EVENT_MODIFIED;
             new_version = _PyDict_NotifyEvent(tstate->interp, event, dict, name, PyStackRef_AsPyObjectBorrow(value));
             ep->me_value = PyStackRef_AsPyObjectSteal(value);
+            dict->ma_version_tag = new_version; // PEP 509
+            // old_value should be DECREFed after GC track checking is done, if not, it could raise a segmentation fault,
+            // when dict only holds the strong reference to value in ep->me_value.
             Py_XDECREF(old_value);
             STAT_INC(STORE_ATTR, hit);
-            /* Ensure dict is GC tracked if it needs to be */
-            if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(PyStackRef_AsPyObjectBorrow(value))) {
-                _PyObject_GC_TRACK(dict);
-            }
-            /* PEP 509 */
-            dict->ma_version_tag = new_version;
             PyStackRef_CLOSE(owner);
             stack_pointer += -2;
             assert(WITHIN_STACK_BOUNDS());
diff --git a/Python/generated_cases.c.h b/Python/generated_cases.c.h
index 67bde83..181940d 100644
--- a/Python/generated_cases.c.h
+++ b/Python/generated_cases.c.h
@@ -6917,18 +6917,19 @@
                 DEOPT_IF(!DK_IS_UNICODE(dict->ma_keys), STORE_ATTR);
                 PyDictUnicodeEntry *ep = DK_UNICODE_ENTRIES(dict->ma_keys) + hint;
                 DEOPT_IF(ep->me_key != name, STORE_ATTR);
+                /* Ensure dict is GC tracked if it needs to be */
+                if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(PyStackRef_AsPyObjectBorrow(value))) {
+                    _PyObject_GC_TRACK(dict);
+                }
                 old_value = ep->me_value;
                 PyDict_WatchEvent event = old_value == NULL ? PyDict_EVENT_ADDED : PyDict_EVENT_MODIFIED;
                 new_version = _PyDict_NotifyEvent(tstate->interp, event, dict, name, PyStackRef_AsPyObjectBorrow(value));
                 ep->me_value = PyStackRef_AsPyObjectSteal(value);
+                dict->ma_version_tag = new_version; // PEP 509
+                // old_value should be DECREFed after GC track checking is done, if not, it could raise a segmentation fault,
+                // when dict only holds the strong reference to value in ep->me_value.
                 Py_XDECREF(old_value);
                 STAT_INC(STORE_ATTR, hit);
-                /* Ensure dict is GC tracked if it needs to be */
-                if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(PyStackRef_AsPyObjectBorrow(value))) {
-                    _PyObject_GC_TRACK(dict);
-                }
-                /* PEP 509 */
-                dict->ma_version_tag = new_version;
                 PyStackRef_CLOSE(owner);
             }
             stack_pointer += -2;
author	Donghee Na <donghee.na@python.org>	2024-08-22 14:49:09 (GMT)
committer	GitHub <noreply@github.com>	2024-08-22 14:49:09 (GMT)
commit	297f2e093ec95800ae2184330b8408c875523467 (patch)
tree	5c1b6debe984d76e5874136146b854f98847cbb4 /Python
parent	4abc1c1456413f3d2692257545a33bb16b24f900 (diff)
download	cpython-297f2e093ec95800ae2184330b8408c875523467.zip cpython-297f2e093ec95800ae2184330b8408c875523467.tar.gz cpython-297f2e093ec95800ae2184330b8408c875523467.tar.bz2