gh-134744: Fix fcntl error handling #134748

Merged
merged 3 commits into from
May 27, 2025
Conversation

@vstinner vstinner commented May 26, 2025

@vstinner
Member Author

@serhiy-storchaka: It seems like only the main branch is affected.

I wrote a patch adding tests but it doesn't check modified error paths:

diff --git a/Lib/test/test_fcntl.py b/Lib/test/test_fcntl.py
index e0e6782258f..e1c72c6ab7e 100644
--- a/Lib/test/test_fcntl.py
+++ b/Lib/test/test_fcntl.py
@@ -11,7 +11,7 @@
     cpython_only, get_pagesize, is_apple, requires_subprocess, verbose
 )
 from test.support.import_helper import import_module
-from test.support.os_helper import TESTFN, unlink
+from test.support.os_helper import TESTFN, unlink, make_bad_fd


 # Skip test if no fcntl module.
@@ -274,6 +274,13 @@ def test_fcntl_small_buffer(self):
     def test_fcntl_large_buffer(self):
         self._check_fcntl_not_mutate_len(2024)

+    @unittest.skipUnless(hasattr(fcntl, 'FICLONE'), 'need fcntl.FICLONE')
+    def test_bad_fd(self):
+        # gh-134744: Test error handling
+        fd = make_bad_fd()
+        with self.assertRaises(OSError):
+            fcntl.ioctl(fd, fcntl.F_DUPFD, 0)
+

 if __name__ == '__main__':
     unittest.main()
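
Review bot: the skipUnless guard on test_bad_fd checks for fcntl.FICLONE, but the body never uses it; it calls fcntl.ioctl(fd, fcntl.F_DUPFD, 0). F_DUPFD is an fcntl() command and this file is test_fcntl.py, so the call should probably be fcntl.fcntl(fd, fcntl.F_DUPFD, 0), with the decorator dropped or changed to guard what the test really needs. The argument is the integer 0, so no buffer is passed; if the aim is the error path taken with a buffer argument, pass a bytes object instead.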
diff --git a/Lib/test/test_ioctl.py b/Lib/test/test_ioctl.py
index 3c7a58aa2bc..e2f94dbf5dd 100644
--- a/Lib/test/test_ioctl.py
+++ b/Lib/test/test_ioctl.py
@@ -5,7 +5,7 @@
 import threading
 import unittest
 from test import support
-from test.support import threading_helper
+from test.support import os_helper, threading_helper
 from test.support.import_helper import import_module
 fcntl = import_module('fcntl')
 termios = import_module('termios')
@@ -201,6 +201,15 @@ def test_ioctl_set_window_size(self):
         new_winsz = struct.unpack("HHHH", result)
         self.assertEqual(new_winsz[:2], (20, 40))

+    @unittest.skipUnless(hasattr(fcntl, 'FICLONE'), 'need fcntl.FICLONE')
+    def test_bad_fd(self):
+        # gh-134744: Test error handling
+        with open(__file__) as fp:
+            fd1 = fp.fileno()
+            fd2 = os_helper.make_bad_fd()
+            with self.assertRaises(OSError):
+                fcntl.ioctl(fd1, fcntl.FICLONE, fd2)
+

 if __name__ == "__main__":
     unittest.main()
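
Review bot: assertRaises(OSError) in test_bad_fd does not tie the failure to fd2. fd1 comes from open(__file__), which opens the file read-only, and FICLONE can also be rejected by the filesystem, so the call may raise OSError for reasons unrelated to the bad descriptor. Consider using a writable temporary file for fd1 and capturing the exception (with self.assertRaises(OSError) as cm) so that cm.exception.errno can be compared with errno.EBADF.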

@sergey-miryanov
Contributor

@vstinner It seems that it may leak on lines 139 and 321.

@vstinner
Member Author

> @vstinner It seems that it may leak on lines 139 and 321.

Would you mind elaborating? What leak? In which file?

@sergey-miryanov
Contributor

Sorry, I was not clear.

In fcntlmodule.c

    if (ret < 0) {
        if (async_err) {
            PyErr_SetFromErrno(PyExc_OSError);
        }
        Py_DECREF(result);
        return NULL;
    }
    if (ptr[len] != '\0') {
        PyErr_SetString(PyExc_SystemError, "buffer overflow");
        return NULL;
    }
    return result;

As you can see, result is decrefed on line 134, but not on line 139.

    if (ret < 0) {
        if (async_err) {
            PyErr_SetFromErrno(PyExc_OSError);
        }
        Py_DECREF(result);
        return NULL;
    }
    if (ptr[len] != '\0') {
        PyErr_SetString(PyExc_SystemError, "buffer overflow");
        return NULL;
    }
    return result;

Same here - it is decrefed on line 316, but not on line 321.

@serhiy-storchaka
Member

Thank you @vstinner. The code is the same in 3.14 and main, but 3.13 is not affected. It is my fail.

For testing you need to pass a large bytes object (more than 1024 bytes). Simply pass b'\0' * 2048, it should fail with bad file descriptor.

Thank you @sergey-miryanov for noticing a leak.
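
The check suggested in the comment above (a closed descriptor plus a buffer larger than 1024 bytes), written out as an added example; it is not code from this pull request. The names `closed_fd`, `classify`, `CALLS` and `probe` are hypothetical, and `F_GETFL` and `TIOCGWINSZ` are arbitrary commands chosen here, since the descriptor is rejected before the command matters.

```python
import errno
import fcntl
import os
import termios


def closed_fd():
    """Return a descriptor number that was just closed (constructed input)."""
    fd = os.open(os.devnull, os.O_RDONLY)
    os.close(fd)
    return fd


def classify(call, size):
    """Run call(fd, buf) on a closed fd and report how the failure surfaced."""
    buf = b"\0" * size
    try:
        call(closed_fd(), buf)
    except OSError as exc:
        # Expected outcome: errno is carried through to Python.
        return ("OSError", errno.errorcode.get(exc.errno))
    except ValueError:
        # Interpreters that cap the argument at 1024 bytes reject it up front.
        return ("ValueError", None)
    except SystemError:
        # The C function returned NULL without setting an exception, which is
        # what an error path that skips PyErr_SetFromErrno() produces.
        return ("SystemError", None)
    return ("no error", None)


# Commands are assumptions of this example, not taken from the PR.
CALLS = {
    "fcntl": lambda fd, buf: fcntl.fcntl(fd, fcntl.F_GETFL, buf),
    "ioctl": lambda fd, buf: fcntl.ioctl(fd, termios.TIOCGWINSZ, buf),
}


def probe(sizes=(64, 2048)):
    """Classify both functions with a small and a large bytes argument."""
    return {(name, size): classify(call, size)
            for name, call in CALLS.items() for size in sizes}


if __name__ == "__main__":
    for key, outcome in probe().items():
        print(key, outcome)
```

A `("SystemError", None)` entry for any key marks an interpreter whose error path returns without raising `OSError`.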

@vstinner
Member Author

Ok, I added tests and I fixed the reference leak spotted by @sergey-miryanov.

@vstinner
Member Author

@serhiy-storchaka: Would you mind reviewing my fix?

@vstinner
Member Author

> Thank you @vstinner. The code is the same in 3.14 and main, but 3.13 is not affected. It is my fail.

3.14 doesn't seem to be affected, the code is different.

        if (ret < 0) {
            return !async_err ? PyErr_SetFromErrno(PyExc_OSError) : NULL;
        }

Member

@serhiy-storchaka serhiy-storchaka left a comment

LGTM. 👍

@serhiy-storchaka
Member

Ah, so both bugs were introduced while adding a buffer overflow check.

@vstinner vstinner merged commit 9300a59 into python:main May 27, 2025
42 checks passed
@vstinner vstinner deleted the fcntl branch May 27, 2025 13:09
@serhiy-storchaka
Member

It would be nice to backport the tests.

vstinner added a commit to vstinner/cpython that referenced this pull request May 27, 2025
Fix also reference leak on buffer overflow.

(cherry picked from commit 9300a59)
@bedevere-app

bedevere-app bot commented May 27, 2025

GH-134795 is a backport of this pull request to the 3.14 branch.

@vstinner
Member Author

> It would be nice to backport the tests.

I wrote #134795 to backport tests. I had to modify tests since Python 3.14 only supports buffers up to 1024 bytes.

vstinner added a commit that referenced this pull request May 27, 2025
gh-134744: Fix fcntl error handling (#134748)

Fix also reference leak on buffer overflow.

(cherry picked from commit 9300a59)
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request May 27, 2025
…ythonGH-134795)

pythongh-134744: Fix fcntl error handling (pythonGH-134748)

Fix also reference leak on buffer overflow.
(cherry picked from commit 8a6a6f3)

Co-authored-by: Victor Stinner <vstinner@python.org>
(cherry picked from commit 9300a59)
vstinner added a commit that referenced this pull request May 28, 2025
…134798)

[3.14] gh-134744: Fix fcntl error handling (GH-134748) (GH-134795)

gh-134744: Fix fcntl error handling (GH-134748)

Fix also reference leak on buffer overflow.
(cherry picked from commit 8a6a6f3)


(cherry picked from commit 9300a59)

Co-authored-by: Victor Stinner <vstinner@python.org>