Skip to content

_PyPegen_raise_error_known_location() uses wrong build format #95876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tiran opened this issue Aug 11, 2022 · 0 comments
Closed

_PyPegen_raise_error_known_location() uses wrong build format #95876

tiran opened this issue Aug 11, 2022 · 0 comments
Assignees
@tiran @pablogsal
Labels
3.11 only security fixes 3.12 only security fixes type-bug An unexpected behavior, bug, or error

Comments

@tiran
Copy link
Member

tiran commented Aug 11, 2022

Bug report

_PyPegen_raise_error_known_location() uses Py_BuildValue() to generate a tuple for SyntaxError. The format string uses wrong values for all integer constants. lineno, col_number, end_lineno, and end_col_number are Py_ssize_t. The i format string handles int. This causes memory corruption on 64bit operation systems with strict ABI (e.g. wasm64).

cpython/Parser/pegen_errors.c

Lines 373 to 376 in b9e956f

}
tmp = Py_BuildValue("(OiiNii)", p->tok->filename, lineno, col_number, error_line, end_lineno, end_col_number);
if (!tmp) {
goto error;

I can reliable crash the interpreter with a syntax error like 1+=1. Notice the <ensc object at 0x1> in the object dump.

$ node --experimental-wasm-memory64 ./python.js -c "1+=1"
  File "<string>", line 1
object address  : 0x973e10
object refcount : 2
object type     : 0x2bc868
object type name: SyntaxError
object repr     : SyntaxError("'literal' is an illegal expression for augmented assignment", ('<string>', 1, 0, <ensc object at 0x1>, 10590200, 0))
lost sys.stderr
Aborted(Runtime error: The application has corrupted its heap memory area (address zero)!)
exiting due to exception: RuntimeError: Aborted(Runtime error: The application has corrupted its heap memory area (address zero)!),RuntimeError: Aborted(Runtime error: The application has corrupted its heap memory area (address zero)!)
    at abort (/home/heimes/dev/python/cpython/builddir/wasm64-emscripten-node-debug/python.js:971:11)
    at checkStackCookie (/home/heimes/dev/python/cpython/builddir/wasm64-emscripten-node-debug/python.js:733:47)
    at exitRuntime (/home/heimes/dev/python/cpython/builddir/wasm64-emscripten-node-debug/python.js:800:3)
    at exitJS (/home/heimes/dev/python/cpython/builddir/wasm64-emscripten-node-debug/python.js:7254:9)
    at callMain (/home/heimes/dev/python/cpython/builddir/wasm64-emscripten-node-debug/python.js:9476:5)
    at doRun (/home/heimes/dev/python/cpython/builddir/wasm64-emscripten-node-debug/python.js:9525:23)
    at run (/home/heimes/dev/python/cpython/builddir/wasm64-emscripten-node-debug/python.js:9540:5)
    at runCaller (/home/heimes/dev/python/cpython/builddir/wasm64-emscripten-node-debug/python.js:9448:19)
    at removeRunDependency (/home/heimes/dev/python/cpython/builddir/wasm64-emscripten-node-debug/python.js:936:7)
    at receiveInstance (/home/heimes/dev/python/cpython/builddir/wasm64-emscripten-node-debug/python.js:1106:5)

The fix is trivial, use n instead of i. https://docs.python.org/3/c-api/arg.html#c.Py_BuildValue

Your environment

CPython main
wasm64-emscripten (EMSDK 3.1.18) with Node 16
@tiran tiran added type-bug An unexpected behavior, bug, or error 3.11 only security fixes 3.12 only security fixes labels Aug 11, 2022
@tiran tiran self-assigned this Aug 11, 2022
tiran added a commit to tiran/cpython that referenced this issue Aug 11, 2022
@tiran
pythongh-95876: Fix format string in pegen error location code
59c3828
@bedevere-bot bedevere-bot mentioned this issue Aug 11, 2022
Merged
@tiran tiran mentioned this issue Aug 11, 2022
Closed
pablogsal pushed a commit that referenced this issue Aug 11, 2022
@tiran
gh-95876: Fix format string in pegen error location code (#95877)
b4c857d
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Aug 11, 2022
@tiran @miss-islington
pythongh-95876: Fix format string in pegen error location code (pytho…
383df7b 
…nGH-95877)

(cherry picked from commit b4c857d)

Co-authored-by: Christian Heimes <christian@python.org>
@bedevere-bot bedevere-bot mentioned this issue Aug 11, 2022
Merged
miss-islington added a commit that referenced this issue Aug 11, 2022
@miss-islington @tiran
gh-95876: Fix format string in pegen error location code (GH-95877)
1221e8c 
(cherry picked from commit b4c857d)

Co-authored-by: Christian Heimes <christian@python.org>
@bedevere-bot bedevere-bot mentioned this issue Aug 11, 2022
Merged
tiran added a commit to tiran/cpython that referenced this issue Aug 11, 2022
@tiran
[3.10] pythongh-95876: Fix format string in pegen error location code (
98c5309 
…pythonGH-95877).

(cherry picked from commit b4c857d)

Co-authored-by: Christian Heimes <christian@python.org>
miss-islington pushed a commit that referenced this issue Aug 11, 2022
@tiran
[3.10] gh-95876: Fix format string in pegen error location code (GH-9…
2a6b67f 
…5877 (GH-95901)

(cherry picked from commit b4c857d)

Co-authored-by: Christian Heimes <christian@python.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tiran tiran

@pablogsal pablogsal

Labels
3.11 only security fixes 3.12 only security fixes type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tiran @pablogsal @lysnikolaou