diff options
Diffstat (limited to 'meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch')
-rw-r--r-- | meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch b/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch new file mode 100644 index 0000000000..06ad4c695d --- /dev/null +++ b/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch | |||
@@ -0,0 +1,138 @@ | |||
1 | From 6401e5671781eb217ee1afb4603cc0d1b0367ae6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Serhiy Storchaka <storchaka@gmail.com> | ||
3 | Date: Fri, 10 Nov 2017 12:58:55 +0200 | ||
4 | Subject: [PATCH] [2.7] bpo-31530: Stop crashes when iterating over a file on | ||
5 | multiple threads. (#3672) | ||
6 | |||
7 | CVE: CVE-2018-1000030 | ||
8 | Upstream-Status: Backport [https://github.com/python/cpython/commit/6401e5671781eb217ee1afb4603cc0d1b0367ae6] | ||
9 | |||
10 | Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> | ||
11 | --- | ||
12 | Lib/test/test_file2k.py | 32 ++++++++++++++++++++++ | ||
13 | .../2017-09-20-18-28-09.bpo-31530.CdLOM7.rst | 4 +++ | ||
14 | Objects/fileobject.c | 19 +++++++++++-- | ||
15 | 3 files changed, 52 insertions(+), 3 deletions(-) | ||
16 | create mode 100644 Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst | ||
17 | |||
18 | diff --git a/Lib/test/test_file2k.py b/Lib/test/test_file2k.py | ||
19 | index e39ef7042e..d8966e034e 100644 | ||
20 | --- a/Lib/test/test_file2k.py | ||
21 | +++ b/Lib/test/test_file2k.py | ||
22 | @@ -652,6 +652,38 @@ class FileThreadingTests(unittest.TestCase): | ||
23 | self.f.writelines('') | ||
24 | self._test_close_open_io(io_func) | ||
25 | |||
26 | + def test_iteration_torture(self): | ||
27 | + # bpo-31530: Crash when concurrently iterate over a file. | ||
28 | + with open(self.filename, "wb") as fp: | ||
29 | + for i in xrange(2**20): | ||
30 | + fp.write(b"0"*50 + b"\n") | ||
31 | + with open(self.filename, "rb") as f: | ||
32 | + def iterate(): | ||
33 | + try: | ||
34 | + for l in f: | ||
35 | + pass | ||
36 | + except IOError: | ||
37 | + pass | ||
38 | + self._run_workers(iterate, 10) | ||
39 | + | ||
40 | + def test_iteration_seek(self): | ||
41 | + # bpo-31530: Crash when concurrently seek and iterate over a file. | ||
42 | + with open(self.filename, "wb") as fp: | ||
43 | + for i in xrange(10000): | ||
44 | + fp.write(b"0"*50 + b"\n") | ||
45 | + with open(self.filename, "rb") as f: | ||
46 | + it = iter([1] + [0]*10) # one thread reads, others seek | ||
47 | + def iterate(): | ||
48 | + try: | ||
49 | + if next(it): | ||
50 | + for l in f: | ||
51 | + pass | ||
52 | + else: | ||
53 | + for i in range(100): | ||
54 | + f.seek(i*100, 0) | ||
55 | + except IOError: | ||
56 | + pass | ||
57 | + self._run_workers(iterate, 10) | ||
58 | |||
59 | @unittest.skipUnless(os.name == 'posix', 'test requires a posix system.') | ||
60 | class TestFileSignalEINTR(unittest.TestCase): | ||
61 | diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst | ||
62 | new file mode 100644 | ||
63 | index 0000000000..a6cb6c9e9b | ||
64 | --- /dev/null | ||
65 | +++ b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst | ||
66 | @@ -0,0 +1,4 @@ | ||
67 | +Fixed crashes when iterating over a file on multiple threads. | ||
68 | +seek() and next() methods of file objects now raise an exception during | ||
69 | +concurrent operation on the same file object. | ||
70 | +A lock can be used to prevent the error. | ||
71 | diff --git a/Objects/fileobject.c b/Objects/fileobject.c | ||
72 | index 7e07a5376f..2f63c374d1 100644 | ||
73 | --- a/Objects/fileobject.c | ||
74 | +++ b/Objects/fileobject.c | ||
75 | @@ -430,7 +430,7 @@ close_the_file(PyFileObject *f) | ||
76 | if (f->ob_refcnt > 0) { | ||
77 | PyErr_SetString(PyExc_IOError, | ||
78 | "close() called during concurrent " | ||
79 | - "operation on the same file object."); | ||
80 | + "operation on the same file object"); | ||
81 | } else { | ||
82 | /* This should not happen unless someone is | ||
83 | * carelessly playing with the PyFileObject | ||
84 | @@ -438,7 +438,7 @@ close_the_file(PyFileObject *f) | ||
85 | * pointer. */ | ||
86 | PyErr_SetString(PyExc_SystemError, | ||
87 | "PyFileObject locking error in " | ||
88 | - "destructor (refcnt <= 0 at close)."); | ||
89 | + "destructor (refcnt <= 0 at close)"); | ||
90 | } | ||
91 | return NULL; | ||
92 | } | ||
93 | @@ -762,6 +762,12 @@ file_seek(PyFileObject *f, PyObject *args) | ||
94 | |||
95 | if (f->f_fp == NULL) | ||
96 | return err_closed(); | ||
97 | + if (f->unlocked_count > 0) { | ||
98 | + PyErr_SetString(PyExc_IOError, | ||
99 | + "seek() called during concurrent " | ||
100 | + "operation on the same file object"); | ||
101 | + return NULL; | ||
102 | + } | ||
103 | drop_readahead(f); | ||
104 | whence = 0; | ||
105 | if (!PyArg_ParseTuple(args, "O|i:seek", &offobj, &whence)) | ||
106 | @@ -2238,6 +2244,7 @@ readahead(PyFileObject *f, Py_ssize_t bufsize) | ||
107 | { | ||
108 | Py_ssize_t chunksize; | ||
109 | |||
110 | + assert(f->unlocked_count == 0); | ||
111 | if (f->f_buf != NULL) { | ||
112 | if( (f->f_bufend - f->f_bufptr) >= 1) | ||
113 | return 0; | ||
114 | @@ -2279,6 +2286,12 @@ readahead_get_line_skip(PyFileObject *f, Py_ssize_t skip, Py_ssize_t bufsize) | ||
115 | char *buf; | ||
116 | Py_ssize_t len; | ||
117 | |||
118 | + if (f->unlocked_count > 0) { | ||
119 | + PyErr_SetString(PyExc_IOError, | ||
120 | + "next() called during concurrent " | ||
121 | + "operation on the same file object"); | ||
122 | + return NULL; | ||
123 | + } | ||
124 | if (f->f_buf == NULL) | ||
125 | if (readahead(f, bufsize) < 0) | ||
126 | return NULL; | ||
127 | @@ -2692,7 +2705,7 @@ int PyObject_AsFileDescriptor(PyObject *o) | ||
128 | } | ||
129 | else { | ||
130 | PyErr_SetString(PyExc_TypeError, | ||
131 | - "argument must be an int, or have a fileno() method."); | ||
132 | + "argument must be an int, or have a fileno() method"); | ||
133 | return -1; | ||
134 | } | ||
135 | |||
136 | -- | ||
137 | 2.13.3 | ||
138 | |||