René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Segmentation Fault in pthread_getcpuclockid function in time module","articleBody":"### What happened?\r\n\r\n### Version\r\nPython 3.13.0a3+ (heads/main:b3f0b698da, Feb 12 2024, 03:56:25) [GCC 11.4.0]\r\nbisect from commit e14679c78464d1e0e16786c2a0e9bcebe49e842b\r\n\r\n### Root Cause\r\n\r\nthe time_pthread_getcpuclockid function retrieves an element from the user input. but improper validation of the thread id trigger segmentation fault\r\n\r\n\r\n```c\r\ntime_pthread_getcpuclockid(PyObject *self, PyObject *args)\r\n{\r\n    unsigned long thread_id;\r\n    int err;\r\n    clockid_t clk_id;\r\n    if (!PyArg_ParseTuple(args, \"k:pthread_getcpuclockid\", \u0026thread_id)) {\r\n        return NULL;\r\n    }\r\n    err = pthread_getcpuclockid((pthread_t)thread_id, \u0026clk_id); // \u003c-- thread_id from args\r\n    if (err) {\r\n        errno = err;\r\n        PyErr_SetFromErrno(PyExc_OSError);\r\n        return NULL;\r\n    }\r\n#ifdef _Py_MEMORY_SANITIZER\r\n    __msan_unpoison(\u0026clk_id, sizeof(clk_id));\r\n#endif\r\n    return PyLong_FromLong(clk_id);\r\n}\r\n```\r\n\r\n### POC\r\n\r\nimport time\r\ntime.pthread_getcpuclockid(-1)\r\n\r\n\r\n\u003cdetails\u003e\r\n  \u003csummary\u003easan\u003c/summary\u003e\r\n\r\n```\r\nAddressSanitizer:DEADLYSIGNAL\r\n=================================================================\r\n==9985==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002ce (pc 0x7f5176af3159 bp 0x7ffcb8437230 sp 0x7ffcb8437178 T0)\r\n==9985==The signal is caused by a READ memory access.\r\n==9985==Hint: address points to the zero page.\r\n    #0 0x7f5176af3159 in __pthread_getcpuclockid nptl/pthread_getcpuclockid.c:32\r\n    #1 0x564afa3983a1 in time_pthread_getcpuclockid Modules/timemodule.c:380\r\n    #2 0x564af9eafacf in cfunction_call Objects/methodobject.c:551\r\n    #3 0x564af9dc0393 in _PyObject_MakeTpCall Objects/call.c:242\r\n    #4 0x564af9dc0a94 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:166\r\n    #5 0x564af9dc0ac0 in PyObject_Vectorcall Objects/call.c:327\r\n    #6 0x564afa0cd313 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:815\r\n    #7 0x564afa11a855 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:115\r\n    #8 0x564afa11a855 in _PyEval_Vector Python/ceval.c:1788\r\n    #9 0x564afa11aa76 in PyEval_EvalCode Python/ceval.c:592\r\n    #10 0x564afa2245d9 in run_eval_code_obj Python/pythonrun.c:1294\r\n    #11 0x564afa227522 in run_mod Python/pythonrun.c:1379\r\n    #12 0x564afa228302 in pyrun_file Python/pythonrun.c:1215\r\n    #13 0x564afa22a8f0 in _PyRun_SimpleFileObject Python/pythonrun.c:464\r\n    #14 0x564afa22ac8c in _PyRun_AnyFileObject Python/pythonrun.c:77\r\n    #15 0x564afa2872c0 in pymain_run_file_obj Modules/main.c:357\r\n    #16 0x564afa289a71 in pymain_run_file Modules/main.c:376\r\n    #17 0x564afa28a682 in pymain_run_python Modules/main.c:628\r\n    #18 0x564afa28a812 in Py_RunMain Modules/main.c:707\r\n    #19 0x564afa28a9f9 in pymain_main Modules/main.c:737\r\n    #20 0x564afa28ad71 in Py_BytesMain Modules/main.c:761\r\n    #21 0x564af9c24b05 in main Programs/python.c:15\r\n    #22 0x7f5176a86d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\r\n    #23 0x7f5176a86e3f in __libc_start_main_impl ../csu/libc-start.c:392\r\n    #24 0x564af9c24a34 in _start (/cpython/python+0x26fa34)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV nptl/pthread_getcpuclockid.c:32 in __pthread_getcpuclockid\r\n==9985==ABORTING\r\n```\r\n\r\n\r\n\u003c/details\u003e\r\n\r\n\r\n### CPython versions tested on:\r\n\r\nCPython main branch\r\n\r\n### Operating systems tested on:\r\n\r\nLinux\r\n\r\n### Output from running 'python -VV' on the command line:\r\n\r\nPython 3.13.0a3+ (heads/main:b3f0b698da, Feb 12 2024, 03:56:25) [GCC 11.4.0]","author":{"url":"https://github.com/kcatss","@type":"Person","name":"kcatss"},"datePublished":"2024-02-12T22:36:50.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":1},"url":"https://github.com/115378/cpython/issues/115378"}