1 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch b/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch
new file mode 100644
index 0000000000..06ad4c695d
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch
@@ -0,0 +1,138 @@
+From 6401e5671781eb217ee1afb4603cc0d1b0367ae6 Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Fri, 10 Nov 2017 12:58:55 +0200
+Subject: [PATCH] [2.7] bpo-31530: Stop crashes when iterating over a file on
+ multiple threads. (#3672)
+CVE: CVE-2018-1000030
+Upstream-Status: Backport [https://github.com/python/cpython/commit/6401e5671781eb217ee1afb4603cc0d1b0367ae6]
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ Lib/test/test_file2k.py                            | 32 ++++++++++++++++++++++
+ .../2017-09-20-18-28-09.bpo-31530.CdLOM7.rst       |  4 +++
+ Objects/fileobject.c                               | 19 +++++++++++--
+ 3 files changed, 52 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
+diff --git a/Lib/test/test_file2k.py b/Lib/test/test_file2k.py
+index e39ef7042e..d8966e034e 100644
+--- a/Lib/test/test_file2k.py
+++ b/Lib/test/test_file2k.py
+@@ -652,6 +652,38 @@ class FileThreadingTests(unittest.TestCase):
+             self.f.writelines('')
+         self._test_close_open_io(io_func)
+ 
+    def test_iteration_torture(self):
+        # bpo-31530: Crash when concurrently iterate over a file.
+        with open(self.filename, "wb") as fp:
+            for i in xrange(2**20):
+                fp.write(b"0"*50 + b"\n")
+        with open(self.filename, "rb") as f:
+            def iterate():
+                try:
+                    for l in f:
+                        pass
+                except IOError:
+                    pass
+            self._run_workers(iterate, 10)
+
+    def test_iteration_seek(self):
+        # bpo-31530: Crash when concurrently seek and iterate over a file.
+        with open(self.filename, "wb") as fp:
+            for i in xrange(10000):
+                fp.write(b"0"*50 + b"\n")
+        with open(self.filename, "rb") as f:
+            it = iter([1] + [0]*10)  # one thread reads, others seek
+            def iterate():
+                try:
+                    if next(it):
+                        for l in f:
+                            pass
+                    else:
+                        for i in range(100):
+                            f.seek(i*100, 0)
+                except IOError:
+                    pass
+            self._run_workers(iterate, 10)
+ 
+ @unittest.skipUnless(os.name == 'posix', 'test requires a posix system.')
+ class TestFileSignalEINTR(unittest.TestCase):
+diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
+new file mode 100644
+index 0000000000..a6cb6c9e9b
+--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst       
+@@ -0,0 +1,4 @@
+Fixed crashes when iterating over a file on multiple threads.
+seek() and next() methods of file objects now raise an exception during
+concurrent operation on the same file object.
+A lock can be used to prevent the error.
+diff --git a/Objects/fileobject.c b/Objects/fileobject.c
+index 7e07a5376f..2f63c374d1 100644
+--- a/Objects/fileobject.c
+++ b/Objects/fileobject.c
+@@ -430,7 +430,7 @@ close_the_file(PyFileObject *f)
+             if (f->ob_refcnt > 0) {
+                 PyErr_SetString(PyExc_IOError,
+                     "close() called during concurrent "
+-                    "operation on the same file object.");
+                    "operation on the same file object");
+             } else {
+                 /* This should not happen unless someone is
+                  * carelessly playing with the PyFileObject
+@@ -438,7 +438,7 @@ close_the_file(PyFileObject *f)
+                  * pointer. */
+                 PyErr_SetString(PyExc_SystemError,
+                     "PyFileObject locking error in "
+-                    "destructor (refcnt <= 0 at close).");
+                    "destructor (refcnt <= 0 at close)");
+             }
+             return NULL;
+         }
+@@ -762,6 +762,12 @@ file_seek(PyFileObject *f, PyObject *args)
+ 
+     if (f->f_fp == NULL)
+         return err_closed();
+    if (f->unlocked_count > 0) {
+        PyErr_SetString(PyExc_IOError,
+            "seek() called during concurrent "
+            "operation on the same file object");
+        return NULL;
+    }
+     drop_readahead(f);
+     whence = 0;
+     if (!PyArg_ParseTuple(args, "O|i:seek", &offobj, &whence))
+@@ -2238,6 +2244,7 @@ readahead(PyFileObject *f, Py_ssize_t bufsize)
+ {
+     Py_ssize_t chunksize;
+ 
+    assert(f->unlocked_count == 0);
+     if (f->f_buf != NULL) {
+         if( (f->f_bufend - f->f_bufptr) >= 1)
+             return 0;
+@@ -2279,6 +2286,12 @@ readahead_get_line_skip(PyFileObject *f, Py_ssize_t skip, Py_ssize_t bufsize)
+     char *buf;
+     Py_ssize_t len;
+ 
+    if (f->unlocked_count > 0) {
+        PyErr_SetString(PyExc_IOError,
+            "next() called during concurrent "
+            "operation on the same file object");
+        return NULL;
+    }
+     if (f->f_buf == NULL)
+         if (readahead(f, bufsize) < 0)
+             return NULL;
+@@ -2692,7 +2705,7 @@ int PyObject_AsFileDescriptor(PyObject *o)
+     }
+     else {
+         PyErr_SetString(PyExc_TypeError,
+-                        "argument must be an int, or have a fileno() method.");
+                        "argument must be an int, or have a fileno() method");
+         return -1;
+     }
+ 
+-- 
+2.13.3

diff --git a/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch b/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch new file mode 100644 index 0000000000..06ad4c695d --- /dev/null +++ b/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch
@@ -0,0 +1,138 @@
	1	From 6401e5671781eb217ee1afb4603cc0d1b0367ae6 Mon Sep 17 00:00:00 2001
	2	From: Serhiy Storchaka <storchaka@gmail.com>
	3	Date: Fri, 10 Nov 2017 12:58:55 +0200
	4	Subject: [PATCH] [2.7] bpo-31530: Stop crashes when iterating over a file on
	5	multiple threads. (#3672)
	6
	7	CVE: CVE-2018-1000030
	8	Upstream-Status: Backport [https://github.com/python/cpython/commit/6401e5671781eb217ee1afb4603cc0d1b0367ae6]
	9
	10	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
	11	---
	12	Lib/test/test_file2k.py \| 32 ++++++++++++++++++++++
	13	.../2017-09-20-18-28-09.bpo-31530.CdLOM7.rst \| 4 +++
	14	Objects/fileobject.c \| 19 +++++++++++--
	15	3 files changed, 52 insertions(+), 3 deletions(-)
	16	create mode 100644 Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
	17
	18	diff --git a/Lib/test/test_file2k.py b/Lib/test/test_file2k.py
	19	index e39ef7042e..d8966e034e 100644
	20	--- a/Lib/test/test_file2k.py
	21	+++ b/Lib/test/test_file2k.py
	22	@@ -652,6 +652,38 @@ class FileThreadingTests(unittest.TestCase):
	23	self.f.writelines('')
	24	self._test_close_open_io(io_func)
	25
	26	+ def test_iteration_torture(self):
	27	+ # bpo-31530: Crash when concurrently iterate over a file.
	28	+ with open(self.filename, "wb") as fp:
	29	+ for i in xrange(2**20):
	30	+ fp.write(b"0"*50 + b"\n")
	31	+ with open(self.filename, "rb") as f:
	32	+ def iterate():
	33	+ try:
	34	+ for l in f:
	35	+ pass
	36	+ except IOError:
	37	+ pass
	38	+ self._run_workers(iterate, 10)
	39	+
	40	+ def test_iteration_seek(self):
	41	+ # bpo-31530: Crash when concurrently seek and iterate over a file.
	42	+ with open(self.filename, "wb") as fp:
	43	+ for i in xrange(10000):
	44	+ fp.write(b"0"*50 + b"\n")
	45	+ with open(self.filename, "rb") as f:
	46	+ it = iter([1] + [0]*10) # one thread reads, others seek
	47	+ def iterate():
	48	+ try:
	49	+ if next(it):
	50	+ for l in f:
	51	+ pass
	52	+ else:
	53	+ for i in range(100):
	54	+ f.seek(i*100, 0)
	55	+ except IOError:
	56	+ pass
	57	+ self._run_workers(iterate, 10)
	58
	59	@unittest.skipUnless(os.name == 'posix', 'test requires a posix system.')
	60	class TestFileSignalEINTR(unittest.TestCase):
	61	diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
	62	new file mode 100644
	63	index 0000000000..a6cb6c9e9b
	64	--- /dev/null
	65	+++ b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
	66	@@ -0,0 +1,4 @@
	67	+Fixed crashes when iterating over a file on multiple threads.
	68	+seek() and next() methods of file objects now raise an exception during
	69	+concurrent operation on the same file object.
	70	+A lock can be used to prevent the error.
	71	diff --git a/Objects/fileobject.c b/Objects/fileobject.c
	72	index 7e07a5376f..2f63c374d1 100644
	73	--- a/Objects/fileobject.c
	74	+++ b/Objects/fileobject.c
	75	@@ -430,7 +430,7 @@ close_the_file(PyFileObject *f)
	76	if (f->ob_refcnt > 0) {
	77	PyErr_SetString(PyExc_IOError,
	78	"close() called during concurrent "
	79	- "operation on the same file object.");
	80	+ "operation on the same file object");
	81	} else {
	82	/* This should not happen unless someone is
	83	* carelessly playing with the PyFileObject
	84	@@ -438,7 +438,7 @@ close_the_file(PyFileObject *f)
	85	* pointer. */
	86	PyErr_SetString(PyExc_SystemError,
	87	"PyFileObject locking error in "
	88	- "destructor (refcnt <= 0 at close).");
	89	+ "destructor (refcnt <= 0 at close)");
	90	}
	91	return NULL;
	92	}
	93	@@ -762,6 +762,12 @@ file_seek(PyFileObject f, PyObject args)
	94
	95	if (f->f_fp == NULL)
	96	return err_closed();
	97	+ if (f->unlocked_count > 0) {
	98	+ PyErr_SetString(PyExc_IOError,
	99	+ "seek() called during concurrent "
	100	+ "operation on the same file object");
	101	+ return NULL;
	102	+ }
	103	drop_readahead(f);
	104	whence = 0;
	105	if (!PyArg_ParseTuple(args, "O\|i:seek", &offobj, &whence))
	106	@@ -2238,6 +2244,7 @@ readahead(PyFileObject *f, Py_ssize_t bufsize)
	107	{
	108	Py_ssize_t chunksize;
	109
	110	+ assert(f->unlocked_count == 0);
	111	if (f->f_buf != NULL) {
	112	if( (f->f_bufend - f->f_bufptr) >= 1)
	113	return 0;
	114	@@ -2279,6 +2286,12 @@ readahead_get_line_skip(PyFileObject *f, Py_ssize_t skip, Py_ssize_t bufsize)
	115	char *buf;
	116	Py_ssize_t len;
	117
	118	+ if (f->unlocked_count > 0) {
	119	+ PyErr_SetString(PyExc_IOError,
	120	+ "next() called during concurrent "
	121	+ "operation on the same file object");
	122	+ return NULL;
	123	+ }
	124	if (f->f_buf == NULL)
	125	if (readahead(f, bufsize) < 0)
	126	return NULL;
	127	@@ -2692,7 +2705,7 @@ int PyObject_AsFileDescriptor(PyObject *o)
	128	}
	129	else {
	130	PyErr_SetString(PyExc_TypeError,
	131	- "argument must be an int, or have a fileno() method.");
	132	+ "argument must be an int, or have a fileno() method");
	133	return -1;
	134	}
	135
	136	--
	137	2.13.3
	138