
Use After Free on Py_INCREF #135636

Closed as not planned

@haruki3hhh

Description

Crash report

What happened?

```python
import ast
import ctypes

class CorruptedObject:
    def __init__(self):
        pass

def corrupt_object(obj):
    # Overwrite the first machine word of the object header (the reference
    # count on this 64-bit build) with 1, so a later Py_DECREF frees the
    # object while other references to it still exist.
    obj_addr = id(obj)
    ctypes.memmove(obj_addr, ctypes.byref(ctypes.c_void_p(0x1)), ctypes.sizeof(ctypes.c_void_p))
    return obj

corrupted = CorruptedObject()
corrupted = corrupt_object(corrupted)

# The next load of the dangling name already touches freed memory: the ASAN
# report below shows Py_INCREF reached from _PyEval_LoadName.
ast.AST._fields = corrupted
t = ast.AST(arg1=123)
```

Compile Script:

```bash
#!/bin/bash -eu
./configure --with-address-sanitizer --without-pymalloc
ASAN_OPTIONS=detect_leaks=0 make -j$(nproc)
test -f python
```

Version

commit 7c685894cd9c2c669f09fad31365e3ad6c0c3861 (HEAD -> main, origin/main, origin/HEAD)

ASAN Report

```text
=================================================================
==3399950==ERROR: AddressSanitizer: heap-use-after-free on address 0x51300001b260 at pc 0x55555593d5bc bp 0x7fffffffc8a0 sp 0x7fffffffc890
READ of size 4 at 0x51300001b260 thread T0
    #0 0x55555593d5bb in Py_INCREF Include/refcount.h:291
    #1 0x55555593d5bb in _Py_NewRef Include/refcount.h:539
    #2 0x55555593d5bb in _PyDict_GetItemRef_KnownHash Objects/dictobject.c:2386
    #3 0x55555593d5bb in PyDict_GetItemRef Objects/dictobject.c:2407
    #4 0x5555558169fd in PyMapping_GetOptionalItem Objects/abstract.c:210
    #5 0x555555bd359b in _PyEval_LoadName Python/ceval.c:3532
    #6 0x555555716fa0 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:9496
    #7 0x555555bd47d6 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #8 0x555555bd47d6 in _PyEval_Vector Python/ceval.c:1975
    #9 0x555555bd47d6 in PyEval_EvalCode Python/ceval.c:866
    #10 0x555555d1a00e in run_eval_code_obj Python/pythonrun.c:1365
    #11 0x555555d1a00e in run_mod Python/pythonrun.c:1436
    #12 0x555555d1eb87 in pyrun_file Python/pythonrun.c:1293
    #13 0x555555d1eb87 in _PyRun_SimpleFileObject Python/pythonrun.c:521
    #14 0x555555d1f6ac in _PyRun_AnyFileObject Python/pythonrun.c:81
    #15 0x555555d9bc2c in pymain_run_file_obj Modules/main.c:410
    #16 0x555555d9bc2c in pymain_run_file Modules/main.c:429
    #17 0x555555d9bc2c in pymain_run_python Modules/main.c:691
    #18 0x555555d9d50e in Py_RunMain Modules/main.c:772
    #19 0x555555d9d50e in pymain_main Modules/main.c:802
    #20 0x555555d9d50e in Py_BytesMain Modules/main.c:826
    #21 0x7ffff76101c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #22 0x7ffff761028a in __libc_start_main_impl ../csu/libc-start.c:360
    #23 0x555555740064 in _start (/workspaces/get_trace/ColdPatch/vuln/cpython/py-pr-126105/latest-cpython/python+0x1ec064) (BuildId: 116b37c120204afd1f0e685e4399db097a1a0823)

0x51300001b260 is located 32 bytes inside of 328-byte region [0x51300001b240,0x51300001b388)
freed by thread T0 here:
    #0 0x7ffff79dd4d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x5555559f2bf3 in subtype_dealloc Objects/typeobject.c:2818
    #2 0x55555597dea5 in _Py_Dealloc Objects/object.c:3211
    #3 0x555555731295 in Py_DECREF_MORTAL Include/internal/pycore_object.h:482
    #4 0x555555731295 in PyStackRef_CLOSE Include/internal/pycore_stackref.h:701
    #5 0x555555731295 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:11297
    #6 0x555555bd47d6 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #7 0x555555bd47d6 in _PyEval_Vector Python/ceval.c:1975
    #8 0x555555bd47d6 in PyEval_EvalCode Python/ceval.c:866
    #9 0x555555d1a00e in run_eval_code_obj Python/pythonrun.c:1365
    #10 0x555555d1a00e in run_mod Python/pythonrun.c:1436
    #11 0x555555d1eb87 in pyrun_file Python/pythonrun.c:1293
    #12 0x555555d1eb87 in _PyRun_SimpleFileObject Python/pythonrun.c:521
    #13 0x555555d1f6ac in _PyRun_AnyFileObject Python/pythonrun.c:81
    #14 0x555555d9bc2c in pymain_run_file_obj Modules/main.c:410
    #15 0x555555d9bc2c in pymain_run_file Modules/main.c:429
    #16 0x555555d9bc2c in pymain_run_python Modules/main.c:691
    #17 0x555555d9d50e in Py_RunMain Modules/main.c:772
    #18 0x555555d9d50e in pymain_main Modules/main.c:802
    #19 0x555555d9d50e in Py_BytesMain Modules/main.c:826
    #20 0x7ffff76101c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #21 0x7ffff761028a in __libc_start_main_impl ../csu/libc-start.c:360
    #22 0x555555740064 in _start (/workspaces/get_trace/ColdPatch/vuln/cpython/py-pr-126105/latest-cpython/python+0x1ec064) (BuildId: 116b37c120204afd1f0e685e4399db097a1a0823)

previously allocated by thread T0 here:
    #0 0x7ffff79de9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x555555a058fe in _PyObject_MallocWithType Include/internal/pycore_object_alloc.h:46
    #2 0x555555a058fe in _PyType_AllocNoTrack Objects/typeobject.c:2470
    #3 0x555555a05b64 in PyType_GenericAlloc Objects/typeobject.c:2501
    #4 0x5555559fe1a8 in type_call Objects/typeobject.c:2414
    #5 0x555555861f2d in _PyObject_MakeTpCall Objects/call.c:242
    #6 0x5555557259cb in _PyEval_EvalFrameDefault Python/generated_cases.c.h:1629
    #7 0x555555bd47d6 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #8 0x555555bd47d6 in _PyEval_Vector Python/ceval.c:1975
    #9 0x555555bd47d6 in PyEval_EvalCode Python/ceval.c:866
    #10 0x555555d1a00e in run_eval_code_obj Python/pythonrun.c:1365
    #11 0x555555d1a00e in run_mod Python/pythonrun.c:1436
    #12 0x555555d1eb87 in pyrun_file Python/pythonrun.c:1293
    #13 0x555555d1eb87 in _PyRun_SimpleFileObject Python/pythonrun.c:521
    #14 0x555555d1f6ac in _PyRun_AnyFileObject Python/pythonrun.c:81
    #15 0x555555d9bc2c in pymain_run_file_obj Modules/main.c:410
    #16 0x555555d9bc2c in pymain_run_file Modules/main.c:429
    #17 0x555555d9bc2c in pymain_run_python Modules/main.c:691
    #18 0x555555d9d50e in Py_RunMain Modules/main.c:772
    #19 0x555555d9d50e in pymain_main Modules/main.c:802
    #20 0x555555d9d50e in Py_BytesMain Modules/main.c:826
    #21 0x7ffff76101c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #22 0x7ffff761028a in __libc_start_main_impl ../csu/libc-start.c:360
    #23 0x555555740064 in _start (/workspaces/get_trace/ColdPatch/vuln/cpython/py-pr-126105/latest-cpython/python+0x1ec064) (BuildId: 116b37c120204afd1f0e685e4399db097a1a0823)

SUMMARY: AddressSanitizer: heap-use-after-free Include/refcount.h:291 in Py_INCREF
```

Reported By:

Ziyi Guo (Northwestern University)
Zheng Yu (Northwestern University)

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.15.0a0 (heads/main:7c685894cd9, Jun 17 2025, 03:14:54) [GCC 13.3.0]

Metadata

Assignees

No one assigned

Labels

topic-ctypes, type-crash (A hard crash of the interpreter, possibly with a core dump)


Development

No branches or pull requests