Joseph Barillari
2010-May-10 21:51 UTC
[Secure-testing-team] Bug#581058: Running pylint on a file with just "import numpy" corrupts memory
Package: pylint
Version: 0.20.0-1
Severity: grave
Tags: upstream security
Justification: user security hole

For the record, I'm not certain that this is a bug in pylint and not a bug in numpy. However, since I couldn't reproduce it with pylint's stable version (pylint 0.14.0-2.2, python-logilab-astng 0.17.2-2.1, and python-logilab-common 0.30.0-2), but _could_ reproduce it with python-numpy's stable version (1:1.1.0-3+lenny1), I believe pylint or python-logilab-common or python-logilab-astng is the proximate cause of the bug.

Steps to reproduce:

Create a file "t.py" with the single line:

    import numpy

Run pylint on this file and glibc will throw a memory corruption warning and hang:

    $ /usr/bin/pylint -e t.py
    No config file found, using default configuration
    /usr/lib/pymodules/python2.5/logilab/common/configuration.py:716: DeprecationWarning: "_config_parser" attribute has been renamed to "cfgfile_parser"
      warn(msg, DeprecationWarning)
    *** glibc detected *** /usr/bin/python: corrupted double-linked list: 0x0955c120 ***

You can also run it under gdb for a bit more detail:

    jdb at slim:~/gtp$ gdb python
    GNU gdb (GDB) 7.1-debian
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i486-linux-gnu".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>...
    Reading symbols from /usr/bin/python...Reading symbols from /usr/lib/debug/usr/bin/python2.5...done.
    done.
    (gdb) run /usr/bin/pylint -e t.py
    Starting program: /usr/bin/python /usr/bin/pylint -e t.py
    [Thread debugging using libthread_db enabled]
    No config file found, using default configuration
    /usr/lib/pymodules/python2.5/logilab/common/configuration.py:716: DeprecationWarning: "_config_parser" attribute has been renamed to "cfgfile_parser"
      warn(msg, DeprecationWarning)
    *** glibc detected *** /usr/bin/python: corrupted double-linked list: 0x087f7410 ***
    ^C
    Program received signal SIGINT, Interrupt.
    0xb7fe1424 in __kernel_vsyscall ()
    (gdb) bt
    #0  0xb7fe1424 in __kernel_vsyscall ()
    #1  0xb7f15b63 in __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/lowlevellock.S:95
    #2  0xb7eaa91d in _L_lock_9675 () from /lib/i686/cmov/libc.so.6
    #3  0xb7ea90d6 in *__GI___libc_free (mem=0x8800dc0) at malloc.c:3736
    #4  0xb7ff418c in _dl_scope_free (old=0x8800dc0) at dl-open.c:175
    #5  0xb7feed8f in _dl_map_object_deps (map=0x88251c0, preloads=0x0, npreloads=<value optimized out>, trace_mode=0, open_mode=-2147483648) at dl-deps.c:668
    #6  0xb7ff43e0 in dl_open_worker (a=0xbfffe7a0) at dl-open.c:326
    #7  0xb7ff0186 in _dl_catch_error (objname=0xbfffe7c8, errstring=0xbfffe7c4, mallocedp=0xbfffe7cf, operate=0xb7ff4230 <dl_open_worker>, args=0xbfffe7a0) at dl-error.c:178
    #8  0xb7ff3d3e in _dl_open (file=0xb7f5c35d "libgcc_s.so.1", mode=-2147483647, caller_dlopen=0x0, nsid=-1208495168, argc=4, argv=0xbffff4c4, env=0xbffff4d8) at dl-open.c:616
    #9  0xb7f3f082 in do_dlopen (ptr=0xbfffe920) at dl-libc.c:86
    #10 0xb7ff0186 in _dl_catch_error (objname=0xbfffe8fc, errstring=0xbfffe8f8, mallocedp=0xbfffe903, operate=0xb7f3f020 <do_dlopen>, args=0xbfffe920) at dl-error.c:178
    #11 0xb7f3f181 in dlerror_run (operate=<value optimized out>, args=<value optimized out>) at dl-libc.c:47
    #12 0xb7f3f2ab in *__GI___libc_dlopen_mode (name=0xb7f5c35d "libgcc_s.so.1", mode=-2147483647) at dl-libc.c:160
    #13 0xb7f1d238 in init () at ../sysdeps/i386/backtrace.c:44
    #14 0xb7fba460 in pthread_once () at ../nptl/sysdeps/unix/sysv/linux/i386/pthread_once.S:122
    #15 0xb7f1d42d in *__GI___backtrace (array=0xbfffef00, size=64) at ../sysdeps/i386/backtrace.c:121
    #16 0xb7e9a6db in __libc_message (do_abort=2, fmt=0xb7f610e8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:152
    #17 0xb7ea4824 in malloc_printerr (action=2, str=0xb7f5db6c "corrupted double-linked list", ptr=0x87f7410) at malloc.c:6239
    #18 0xb7ea62df in _int_free (av=0xb7f7d3c0, p=0x7f741008) at malloc.c:4925
    #19 0xb7ea90dd in *__GI___libc_free (mem=0x87f7538) at malloc.c:3738
    #20 0xb7926819 in ?? () from /usr/lib/python2.5/site-packages/numpy/core/umath.so
    #21 0x08086659 in insertdict (mp=0xb794fe6c, key=0x87f7538, hash=-128066157, value=0x8146b78) at ../Objects/dictobject.c:420
    #22 0x080883a2 in PyDict_SetItem (op=0x87a79bc, key=0x87be360, value=0x8146b78) at ../Objects/dictobject.c:645
    #23 0x0808a3f4 in _PyModule_Clear (m=0x82acb0c) at ../Objects/moduleobject.c:136
    #24 0x080df7a1 in PyImport_Cleanup () at ../Python/import.c:492
    #25 0x080ea5f1 in Py_Finalize () at ../Python/pythonrun.c:399
    #26 0x080e9cb7 in Py_Exit () at ../Python/pythonrun.c:1618
    #27 handle_system_exit () at ../Python/pythonrun.c:1054
    #28 0x080ea27d in PyErr_PrintEx (set_sys_last_vars=<value optimized out>) at ../Python/pythonrun.c:1064
    #29 0x080eb2f3 in PyRun_SimpleFileExFlags (fp=0xbffff654, filename=0xbffff654 "/usr/bin/pylint", closeit=1, flags=0xbffff3fc) at ../Python/pythonrun.c:883
    #30 0x08059401 in Py_Main (argc=4, argv=0xbffff4c4) at ../Modules/main.c:532
    #31 0x0805877b in main (argc=4, argv=0xbffff4c4) at ../Modules/python.c:23
    (gdb)

By contrast, if you downgrade to the old version of pylint and the logilab libraries described above, pylint runs without a problem:

    $ /usr/bin/pylint -e t.py
    No config file found, using default configuration
    $

Since this bug causes memory corruption and could presumably be exploited for nefarious purposes, I marked it "grave".

-- System Information:
Debian Release: squeeze/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pylint depends on:
ii  python                 2.5.4-9      An interactive high-level object-o
ii  python-logilab-astng   0.20.0-1     rebuild a new abstract syntax tree
ii  python-logilab-common  0.50.1-1     useful miscellaneous modules used
ii  python-support         1.0.8        automated rebuilding support for P

Versions of packages pylint recommends:
ii  python-tk              2.6.5-1      Tkinter - Writing Tk applications

pylint suggests no packages.

-- no debconf information
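The first thing a triager does with a backtrace like the one above is separate glibc's own detection machinery (the frames in malloc.c, libc_fatal.c and the backtrace/dlopen dance below them) from the free() that actually tripped the check, and then read off which shared object issued that free and what call chain led there. The script below is an added example, not code from the bug report, pylint or numpy; it parses the gdb 7.x frame layout shown in the report and returns that summary. The SAMPLE_BT constant is a constructed sample copied from frames #16 to #25 of the report's gdb session; the function names, the GLIBC_MALLOC_SOURCES list and the returned dictionary keys are my own choices.

```python
"""Triage helper for a glibc heap-corruption abort captured under gdb.

Added example; this is not code from the bug report, pylint or numpy.
It parses the text of a gdb `bt` listing in the gdb 7.x layout shown in
the report and answers the questions a triager asks first: what glibc
detected, which free() tripped the check, which shared object issued
that free, and what interpreter call chain led there.
"""
import re

# Constructed sample: a trimmed copy of frames #16-#25 from the report's
# gdb session (raw string so the "\n" inside the format string stays literal).
SAMPLE_BT = r"""
#16 0xb7e9a6db in __libc_message (do_abort=2, fmt=0xb7f610e8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:152
#17 0xb7ea4824 in malloc_printerr (action=2, str=0xb7f5db6c "corrupted double-linked list", ptr=0x87f7410) at malloc.c:6239
#18 0xb7ea62df in _int_free (av=0xb7f7d3c0, p=0x7f741008) at malloc.c:4925
#19 0xb7ea90dd in *__GI___libc_free (mem=0x87f7538) at malloc.c:3738
#20 0xb7926819 in ?? () from /usr/lib/python2.5/site-packages/numpy/core/umath.so
#21 0x08086659 in insertdict (mp=0xb794fe6c, key=0x87f7538, hash=-128066157, value=0x8146b78) at ../Objects/dictobject.c:420
#22 0x080883a2 in PyDict_SetItem (op=0x87a79bc, key=0x87be360, value=0x8146b78) at ../Objects/dictobject.c:645
#23 0x0808a3f4 in _PyModule_Clear (m=0x82acb0c) at ../Objects/moduleobject.c:136
#24 0x080df7a1 in PyImport_Cleanup () at ../Python/import.c:492
#25 0x080ea5f1 in Py_Finalize () at ../Python/pythonrun.c:399
"""

# One gdb frame: "#N [0xADDR in ]FUNC (ARGS)[ at FILE:LINE | from LIB]"
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+ in )?"          # the address is omitted for some frames
    r"(?P<func>\S+) \((?P<args>.*)\)"   # symbol (or ??) and its argument list
    r"(?: at (?P<src>\S+)| from (?P<lib>\S+))?\s*$"
)

# Source files of glibc's allocator and abort path (assumed list); frames
# here are the detector, not the bug.
GLIBC_MALLOC_SOURCES = ("malloc.c", "libc_fatal.c")


def parse_backtrace(text):
    """Return a list of frame dicts (num, func, args, src, lib), innermost first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frame = m.groupdict()
            frame["num"] = int(frame["num"])
            frames.append(frame)
    return frames


def _in_glibc_malloc(frame):
    src = (frame["src"] or "").split(":")[0]      # drop the ":LINE" suffix
    return any(src.endswith(name) for name in GLIBC_MALLOC_SOURCES)


def triage(text):
    """Summarise a glibc 'memory corruption' abort from its gdb backtrace."""
    frames = parse_backtrace(text)
    # malloc_printerr is glibc's reporter: frames below it are the abort and
    # backtrace machinery, frames above it lead to the offending free().
    try:
        idx = next(i for i, f in enumerate(frames) if f["func"] == "malloc_printerr")
    except StopIteration:
        raise ValueError("no malloc_printerr frame: not a glibc malloc check abort")
    err = re.search(r'str=\S+ "([^"]*)"', frames[idx]["args"])

    freed_ptr = None
    culprit = None
    for pos in range(idx + 1, len(frames)):
        frame = frames[pos]
        if _in_glibc_malloc(frame):
            m = re.search(r"\bmem=(0x[0-9a-fA-F]+)", frame["args"])
            if m:
                freed_ptr = m.group(1)     # argument of the free() that tripped the check
            continue
        culprit = frame                    # first caller outside glibc's allocator
        break
    if culprit is None:
        raise ValueError("backtrace never leaves glibc's allocator")

    chain = [f["func"] for f in frames[pos + 1:]]
    return {
        "error": err.group(1) if err else None,
        "freed_ptr": freed_ptr,
        "culprit": culprit["lib"] or culprit["src"] or culprit["func"],
        "culprit_symbol": culprit["func"],          # "??" means no symbols for that object
        "interpreter_chain": chain,
        "during_shutdown": "Py_Finalize" in chain,  # import cleanup at exit, not at load
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BT).items():
        print(f"{key}: {value}")
```

On the report's trace this yields the error string, the pointer 0x87f7538 handed to free(), the umath.so object as the issuer of that free (with no symbol, hence "??"), and an interpreter chain ending in Py_Finalize, so the corruption is surfacing during interpreter shutdown rather than at import time. When the culprit symbol is "??", the next step is to install the debug symbol package for that shared object and re-run under gdb so that frame resolves.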