
Found segmentation fault in Pillow #11

Closed
glandium opened this issue Sep 29, 2024 · 5 comments

Comments

@glandium
Collaborator

As I'm well past the fuzzing tests from #9, I'm filing separately, but it might be the same underlying problem.

This one happens during Tests/test_file_jpeg.py::TestFileJpeg::test_qtables:

#0  0x00007ffff7d7cfaf in unlink_chunk (p=p@entry=0x7fffe8011630, 
    av=0x7fffe8000030) at ./malloc/malloc.c:1622
#1  0x00007ffff7d7fdcd in _int_malloc (av=av@entry=0x7fffe8000030, 
    bytes=bytes@entry=512) at ./malloc/malloc.c:4303
#2  0x00007ffff7d816e2 in __libc_calloc (n=n@entry=1, 
    elem_size=<optimized out>) at ./malloc/malloc.c:3674
#3  0x00007ffff6ed2a73 in _setimage (decoder=0x4ac44180b40, 
    args=<optimized out>) at src/decode.c:204
#4  0x000055555564ff77 in method_vectorcall_VARARGS (func=0x4ac52040820, 
    args=0x7ffff74e0bd0, nargsf=<optimized out>, kwnames=0x0)
    at Objects/descrobject.c:324
#5  0x000055555563fbb3 in _PyObject_VectorcallTstate (kwnames=<optimized out>, 
    nargsf=<optimized out>, args=<optimized out>, callable=0x4ac52040820, 
    tstate=0x555555bc7280) at ./Include/internal/pycore_call.h:168
#6  PyObject_Vectorcall (callable=0x4ac52040820, args=<optimized out>, 
    nargsf=<optimized out>, kwnames=<optimized out>) at Objects/call.c:327
#7  0x00005555555d60d2 in _PyEval_EvalFrameDefault (tstate=0x7fffe8011630, 
    frame=0x10000040, throwflag=-402652448) at Python/generated_cases.c.h:813
#8  0x0000555555642e36 in _PyObject_VectorcallTstate (kwnames=0x4ac440241c0, 
    nargsf=3, args=0x4ac440a0690, callable=0x4ac40411ae0, 
    tstate=0x555555bc7280) at ./Include/internal/pycore_call.h:168
#9  method_vectorcall (method=<optimized out>, args=0x4ac440a0698, 
    nargsf=<optimized out>, kwnames=0x4ac440241c0) at Objects/classobject.c:62
#10 0x0000555555641285 in _PyVectorcall_Call (tstate=0x555555bc7280, 
    func=0x555555642cd0 <method_vectorcall>, callable=0x4ac44025900, 
    tuple=<optimized out>, kwargs=<optimized out>) at Objects/call.c:285
#11 0x00005555555d5903 in _PyEval_EvalFrameDefault (tstate=0x7fffe8011630, 
    frame=0x10000040, throwflag=-402652448) at Python/generated_cases.c.h:1355
#12 0x0000555555642e36 in _PyObject_VectorcallTstate (kwnames=0x4ac44025080, 
    nargsf=2, args=0x4ac44080d80, callable=0x4ac3fa53b60, 
    tstate=0x555555bc7280) at ./Include/internal/pycore_call.h:168
#13 method_vectorcall (method=<optimized out>, args=0x4ac44080d88, 
    nargsf=<optimized out>, kwnames=0x4ac44025080) at Objects/classobject.c:62
#14 0x0000555555641285 in _PyVectorcall_Call (tstate=0x555555bc7280, 
    func=0x555555642cd0 <method_vectorcall>, callable=0x4ac44025e80, 
    tuple=<optimized out>, kwargs=<optimized out>) at Objects/call.c:285
#15 0x00005555555d5903 in _PyEval_EvalFrameDefault (tstate=0x7fffe8011630, 
    frame=0x10000040, throwflag=-402652448) at Python/generated_cases.c.h:1355
#16 0x0000555555642e36 in _PyObject_VectorcallTstate (kwnames=0x4ac440300f0, 
    nargsf=1, args=0x4ac44090c80, callable=0x4ac3fa556e0, 
    tstate=0x555555bc7280) at ./Include/internal/pycore_call.h:168
#17 method_vectorcall (method=<optimized out>, args=0x4ac44090c88, 

The fact that the crash happens in system malloc suggests something really bad is happening.

@glandium
Collaborator Author

It's worth noting it doesn't always crash. Sometimes it ends with a ConcurrencyError.

@glandium
Collaborator Author

It looks like when the crash happens it comes from a use-after-free. I haven't dug deep enough yet, but here is a pernosco debugging session from when the crash occurred: https://pernos.co/debug/lkC9KVox-a-m2pWWMd9Eeg/index.html

@glandium
Collaborator Author

This comment over the testcase could be relevant (my system is using libjpeg-turbo):
/~https://github.com/python-pillow/Pillow/blob/c6e07d02721a65618e5a1a6ecc91ea1049c3a6a1/Tests/test_file_jpeg.py#L541-L543

@glandium
Collaborator Author

It's worth noting it doesn't always crash. Sometimes it ends with a ConcurrencyError.

When ConcurrencyErrors happen on this testcase, they're mostly related to truncated reads, and it seems the crashes could be a consequence of read problems.

@radarhere

python-pillow/Pillow#8512 has been merged. --require-gil-disabled should now pass for this particular test in Pillow main.
