From 5953baca0a1f27b861f9db42a68f7777a62b4a3c Mon Sep 17 00:00:00 2001 From: Armin Rigo Date: Thu, 6 Jul 2006 07:58:18 +0000 Subject: A couple of examples about how to attack the fact that _PyType_Lookup() returns a borrowed ref. Many of the calls are open to attack. --- Lib/test/crashers/borrowed_ref_1.py | 29 ++++++++++++++++++++++++++++ Lib/test/crashers/borrowed_ref_2.py | 38 +++++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 Lib/test/crashers/borrowed_ref_1.py create mode 100644 Lib/test/crashers/borrowed_ref_2.py diff --git a/Lib/test/crashers/borrowed_ref_1.py b/Lib/test/crashers/borrowed_ref_1.py new file mode 100644 index 0000000..d16ede2 --- /dev/null +++ b/Lib/test/crashers/borrowed_ref_1.py @@ -0,0 +1,29 @@ +""" +_PyType_Lookup() returns a borrowed reference. +This attacks the call in dictobject.c. +""" + +class A(object): + pass + +class B(object): + def __del__(self): + print 'hi' + del D.__missing__ + +class D(dict): + class __missing__: + def __init__(self, *args): + pass + + +d = D() +a = A() +a.cycle = a +a.other = B() +del a + +prev = None +while 1: + d[5] + prev = (prev,) diff --git a/Lib/test/crashers/borrowed_ref_2.py b/Lib/test/crashers/borrowed_ref_2.py new file mode 100644 index 0000000..1a7b3ff --- /dev/null +++ b/Lib/test/crashers/borrowed_ref_2.py @@ -0,0 +1,38 @@ +""" +_PyType_Lookup() returns a borrowed reference. +This attacks PyObject_GenericSetAttr(). + +NB. on my machine this crashes in 2.5 debug but not release. +""" + +class A(object): + pass + +class B(object): + def __del__(self): + print "hi" + del C.d + +class D(object): + def __set__(self, obj, value): + self.hello = 42 + +class C(object): + d = D() + + def g(): + pass + + +c = C() +a = A() +a.cycle = a +a.other = B() + +lst = [None] * 1000000 +i = 0 +del a +while 1: + c.d = 42 # segfaults in PyMethod_New(im_func=D.__set__, im_self=d) + lst[i] = c.g # consume the free list of instancemethod objects + i += 1 -- cgit v0.12