Bug: python-sip segmentation fault
artem rus
artem.rusanov at gmail.com
Wed Jan 12 20:42:49 GMT 2022
Hello.
It seems I found a use-after-free problem in sip4 and after code
inspection I suspect the problem exists in sip5 and sip6.
The bug is reported to debian bug tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998897
The problem is two lines in objmap.c:
sip_api_instance_destroyed(sw);
sipSetNotInMap(sw);
Originally lines was in different order, but by changeset
1526:b493c6f3e015 4.18-maint
from repo https://www.riverbankcomputing.com/hg/sip
lines exchanged:
--- a/siplib/objmap.c Tue Jun 21 14:14:37 2016 +0100
+++ b/siplib/objmap.c Sun Jul 03 23:32:48 2016 +0100
@@ -270,9 +270,21 @@
}
else
{
- /* We are removing it from the map here. */
+ /*
+ * We are removing it from the map here. However, note
+ * that we first have to call the destructor before marking
+ * it as not being in the map, as the destructor itself
+ * might end up trying to remove the wrapper and its
+ * aliases from the map. In that case, if the wrapper is
+ * already marked as not in the map, the removal will just
+ * return early, leaving any potential aliases as stale
+ * entries in the map. If we later try to wrap a different
+ * object at the same address, we end up retrieving the
+ * stale alias entry from the object map, triggering a
+ * use-after-free when accessing its C++ object.
+ */
+ sip_api_common_dtor(sw);
sipSetNotInMap(sw);
- sip_api_common_dtor(sw);
}
sw = next;
Now line sip_api_instance_destroyed(sw) decreases refcounter and frees
memory (for my system refcounter after this line is always 0). Next
line tries to use freed memory and sometimes makes a segmentation
fault.
Can you check the problem in the latest sip and if it exists, fix it ?
Can you give me a patch for sip4 ?
Best regards
Artem Rusanov
More information about the PyQt
mailing list