Segmentation Fault in append_history_file of readline  #122431

@kcatss

Description

Crash report

What happened?

Build

apt-get install libreadline6-dev
./configure --with-pydebug --with-address-sanitizer

Root Cause

When calling readline.append_history_file, the first argument can be set to -2147483648, and a valid file path should be provided as the second argument. There is no proper validation logic for append_history, which can cause a crash.

static PyObject *
readline_append_history_file(PyObject *module, PyObject *const *args, Py_ssize_t nargs)
{
    PyObject *return_value = NULL;
    int nelements;
    PyObject *filename_obj = Py_None;

    if (!_PyArg_CheckPositional("append_history_file", nargs, 1, 2)) {
        goto exit;
    }
    nelements = PyLong_AsInt(args[0]); //  input from user
    if (nelements == -1 && PyErr_Occurred()) {
        goto exit;
    }
    if (nargs < 2) {
        goto skip_optional;
    }
    filename_obj = args[1];
skip_optional:
    return_value = readline_append_history_file_impl(module, nelements, filename_obj);  // nelements : -2147483648
exit:
    return return_value;
}
static PyObject *
readline_append_history_file_impl(PyObject *module, int nelements,
                                  PyObject *filename_obj) 
/*[clinic end generated code: output=5df06fc9da56e4e4 input=784b774db3a4b7c5]*/
{
    ... 
    errno = err = append_history(
        nelements - libedit_append_replace_history_offset, filename); //   nelements : -2147483648
}

POC

import readline
readline.append_history_file(-2147483648, __file__)

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==10389==ERROR: AddressSanitizer: SEGV on unknown address 0x620c0002a900 (pc 0x7fdf36f7aee0 bp 0x604000003ed0 sp 0x7ffd4d0abf50 T0)
==10389==The signal is caused by a READ memory access.
    #0 0x7fdf36f7aee0  (/lib/x86_64-linux-gnu/libreadline.so.8+0x3dee0) it doesn't crash in Python but crashes in GNU C, so this code.
    #1 0x7fdf36fa169e in readline_append_history_file_impl Modules/readline.c:365
    #2 0x7fdf36fa192b in readline_append_history_file Modules/clinic/readline.c.h:154
    #3 0x564386c5b367 in cfunction_vectorcall_FASTCALL Objects/methodobject.c:425
    #4 0x564386b64981 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:167
    #5 0x564386b64adc in PyObject_Vectorcall Objects/call.c:327
    #6 0x564386ec6fea in _PyEval_EvalFrameDefault Python/generated_cases.c.h:857
    #7 0x564386f0b295 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #8 0x564386f0b295 in _PyEval_Vector Python/ceval.c:1823
    #9 0x564386f0b4b6 in PyEval_EvalCode Python/ceval.c:621
    #10 0x56438701b139 in run_eval_code_obj Python/pythonrun.c:1292
    #11 0x56438701e07e in run_mod Python/pythonrun.c:1377
    #12 0x56438701ee5e in pyrun_file Python/pythonrun.c:1210
    #13 0x56438702133d in _PyRun_SimpleFileObject Python/pythonrun.c:459
    #14 0x564387021831 in _PyRun_AnyFileObject Python/pythonrun.c:77
    #15 0x5643870869dc in pymain_run_file_obj Modules/main.c:409
    #16 0x564387089854 in pymain_run_file Modules/main.c:428
    #17 0x56438708a465 in pymain_run_python Modules/main.c:696
    #18 0x56438708a5f5 in Py_RunMain Modules/main.c:775
    #19 0x56438708a7dc in pymain_main Modules/main.c:805
    #20 0x56438708ab54 in Py_BytesMain Modules/main.c:829
    #21 0x5643869c5b15 in main Programs/python.c:15
    #22 0x7fdf3a238d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #23 0x7fdf3a238e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #24 0x5643869c5a44 in _start (/cpython_latest/python+0x28aa44)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libreadline.so.8+0x3dee0)
==10389==ABORTING

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.14.0a0 (heads/main:bb09ba6792, Jul 27 2024, 09:44:43) [GCC 11.4.0]
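The crash comes from handing the caller's count straight to the C library. As an added example (not CPython's own code or its fix for this issue), here is the kind of boundary check a defender would place in front of append_history(), with a constructed stand-in for the history list so it runs without readline; `offset` plays the role of libedit_append_replace_history_offset and is assumed non-negative, and the function names are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the readline history list (not the real one). */
static const char *history[] = { "ls", "cd /tmp", "python3 -VV", "exit" };
static const int history_len = 4;

/* Boundary check for the count the Python caller supplies. `offset` plays
 * the role of libedit_append_replace_history_offset. Returns 0 and stores
 * the count to hand to the library in *adjusted, or -1 with errno set. */
int validate_append_count(int nelements, int offset, int *adjusted)
{
    /* A negative count (the POC passes INT_MIN) would make the library walk
     * backwards past the start of the history list; reject it here, before
     * any C library code sees it. */
    if (nelements < 0 || offset < 0 || offset > nelements) {
        errno = EINVAL;
        return -1;
    }
    /* Both operands are non-negative, so the subtraction cannot overflow
     * (with nelements == INT_MIN it would be undefined behaviour). */
    *adjusted = nelements - offset;
    return 0;
}

/* Stand-in for append_history(): append the last `nelements` history
 * entries to `path`. Returns the number of entries written, or -1 with
 * errno set when the request is rejected or the file cannot be opened. */
int safe_append_history(int nelements, int offset, const char *path)
{
    int count;
    if (validate_append_count(nelements, offset, &count) != 0) {
        return -1;
    }
    if (count > history_len) {
        count = history_len;    /* never index before history[0] */
    }
    FILE *fp = fopen(path, "a");
    if (fp == NULL) {
        return -1;
    }
    for (int i = history_len - count; i < history_len; i++) {
        fprintf(fp, "%s\n", history[i]);
    }
    fclose(fp);
    return count;
}
```

With the POC's argument, `safe_append_history(INT_MIN, 0, path)` returns -1 with errno set to EINVAL instead of reaching the library.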

Labels: 3.12 (only security fixes), 3.13 (bugs and security fixes), 3.14 (bugs and security fixes), extension-modules (C modules in the Modules dir), type-crash (a hard crash of the interpreter, possibly with a core dump)