Re: use after free in python notmuch2 bindings

Subject: Re: use after free in python notmuch2 bindings

Date: Fri, 07 Jan 2022 09:06:42 -0400

Cc:

David Bremner <david@tethera.net> writes:

> I've been attempting to port nmweb to the new bindings, but I got stuck
> on a bug that segfaults python. I attached a reduced version that
> reproduces the problem for me. It uses recent messages from the notmuch
> list; it others can't reproduce let me know and I will try to make
> something more self contained including a message set.
>

Attached is a slightly simpler (and more informative) reproducer

It produces the the following output for me

7f23164b6cd0 <notmuch2.Thread object at 0x7f23164b6cd0>
   87fsqijx7u.fsf@metapensiero.it <cdata 'struct _notmuch_message *' 0x137a000>
     7f23164b6a90 <NotmuchIter>
       87lf0anoiv.fsf@tethera.net <cdata 'struct _notmuch_message *' 0x13636f0>
         7f23164b6910 <NotmuchIter>
           87bl16jezh.fsf@metapensiero.it <cdata 'struct _notmuch_message *' 0x139a6b0>
             7f23164c3070 <NotmuchIter>
           87bl0vlbys.fsf@powell.devork.be <cdata 'struct _notmuch_message *' 0x139b8e0>
             7f23164c30d0 <NotmuchIter>
   87lf0anoiv.fsf@tethera.net <cdata 'struct _notmuch_message *' 0x13636f0>
     7f23164b68e0 <NotmuchIter>
       87bl16jezh.fsf@metapensiero.it <cdata 'struct _notmuch_message *' 0x139a6b0>
         7f23164b6a00 <NotmuchIter>
       87bl0vlbys.fsf@powell.devork.be <cdata 'struct _notmuch_message *' 0x139b8e0>
zsh: IOT instruction  python3 test.py

The IOT instruction is actually talloc aborting. If I leave in the call
to msg.header, it segfaults as before.

I noticed that the message struct 0x139b8e0 is visited twice, once as
part of the thread and once as part of reply-to-reply-to-reply.

I think the issue here is that bindings destroy the iterator for
replies, but the library docs say

"
 * The returned list will be destroyed when the thread is
 * destroyed.
"

Perhaps that needs to be worded more strongly, to forbid the user from
calling notmuch_messages_destroy. I still need to untangle the intended
ownership semantics to be sure.

test.py (text/x-python)

_______________________________________________
notmuch mailing list -- notmuch@notmuchmail.org
To unsubscribe send an email to notmuch-leave@notmuchmail.org

Previous message (by thread): Re: [PATCH 2/2] python-cffi: returned OwnedMessage objects from Message.replies

Thread:

David Bremner—use after free in python notmuch2 bindings [attachment, inbox, notmuch::bug, notmuch::fixed, unread]
- David Bremner—Re: use after free in python notmuch2 bindings [inbox, unread]
  - David Bremner—[PATCH 1/2] test: add known broken tests for recursive traversal of replies. [inbox, notmuch::fix, notmuch::patch, notmuch::pushed, unread]
    - David Bremner—[PATCH 2/2] python-cffi: returned OwnedMessage objects from Message.replies [inbox, notmuch::fix, notmuch::patch, notmuch::pushed, unread]
      - Floris Bruynooghe—Re: [PATCH 2/2] python-cffi: returned OwnedMessage objects from Message.replies [inbox, unread]
        David Bremner—Re: [PATCH 2/2] python-cffi: returned OwnedMessage objects from Message.replies [inbox, unread]
        Floris Bruynooghe—Re: [PATCH 2/2] python-cffi: returned OwnedMessage objects from Message.replies [inbox, unread]
        David Bremner—Re: [PATCH 2/2] python-cffi: returned OwnedMessage objects from Message.replies [inbox, unread]
    - David Bremner—Re: [PATCH 1/2] test: add known broken tests for recursive traversal of replies. [inbox, unread]