From b9dbc7d6e1ad5700ed0084f63215db97a2c9bcbb Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 1 Jul 2013 23:42:28 +0200 Subject: Issue #18328: Reorder ops in PyThreadState_Delete*() functions. Now the tstate is first removed from TLS and then deallocated. CID 1019639 (#1 of 1): Use after free (USE_AFTER_FREE) use_after_free: Using freed pointer tstate. --- Misc/NEWS | 3 +++ Python/pystate.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index cdc0225..dd6d8d1 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -12,6 +12,9 @@ What's New in Python 3.3.3 release candidate 1? Core and Builtins ----------------- +- Issue #18328: Reorder ops in PyThreadState_Delete*() functions. Now the + tstate is first removed from TLS and then deallocated. + - Issue #18184: PyUnicode_FromFormat() and PyUnicode_FromFormatV() now raise OverflowError when an argument of %c format is out of range. diff --git a/Python/pystate.c b/Python/pystate.c index cfd61d0..772aa53 100644 --- a/Python/pystate.c +++ b/Python/pystate.c @@ -388,11 +388,11 @@ PyThreadState_Delete(PyThreadState *tstate) { if (tstate == _Py_atomic_load_relaxed(&_PyThreadState_Current)) Py_FatalError("PyThreadState_Delete: tstate is still current"); - tstate_delete_common(tstate); #ifdef WITH_THREAD if (autoInterpreterState && PyThread_get_key_value(autoTLSkey) == tstate) PyThread_delete_key_value(autoTLSkey); #endif /* WITH_THREAD */ + tstate_delete_common(tstate); } @@ -406,9 +406,9 @@ PyThreadState_DeleteCurrent() Py_FatalError( "PyThreadState_DeleteCurrent: no current tstate"); _Py_atomic_store_relaxed(&_PyThreadState_Current, NULL); - tstate_delete_common(tstate); if (autoInterpreterState && PyThread_get_key_value(autoTLSkey) == tstate) PyThread_delete_key_value(autoTLSkey); + tstate_delete_common(tstate); PyEval_ReleaseLock(); } #endif /* WITH_THREAD */ -- cgit v0.12
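Review bot: Nothing in the new `PyThreadState_Delete` body records that the statement order is now load-bearing: `tstate_delete_common(tstate)` must remain the last use of `tstate`, after the `autoTLSkey` slot has been cleared, and a later cleanup could move it back up without any warning. I would add a comment directly above the call, e.g. `/* Must come last: tstate is freed here and must not be read or compared afterwards. */`, and repeat it in the `PyThreadState_DeleteCurrent` hunk, whose body starts outside the hunk. Separately, the `PyThread_get_key_value(autoTLSkey) == tstate` check reads only the calling thread's slot, so if `PyThreadState_Delete` is called for a tstate owned by a different thread, that thread's slot would presumably keep the stale pointer; this is worth confirming against the callers.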