CVE-2023-29824: BUG: Potential use-after-free bug in function `Py_FindObjects` · Issue #14713 · scipy/scipy
A use-after-free issue was discovered in Py_FindObjects() function in SciPy versions prior to 1.8.0.
Function PyList_New returns a new reference, which is then assigned to the variable result. Let’s assume it is not NULL. Since it is a new reference, we assume (in our analyzer) that the refcnt is 1. After the first Py_XDECREF, the refcnt becomes 0, and the PyObject that result points to will be destructed. Then the second Py_XDECREF will decrease the refcnt to -1, which is a potential use-after-free bug.
It is not a matter of the X (the NULL-pointer check), but of the DECREF. This report is a use-after-free bug report, not a null pointer dereference report.
I made a test with the following code snippet, which is similar to the path in the report. The refcnt change of the PyObject is commented in the code.
```c
#include <Python.h>
#include <assert.h>
#include <stdio.h>

void f() {
    PyObject *result = PyList_New(1);       // <-- new reference returned (line 878)
    assert(result);
    printf("%ld\n", result->ob_refcnt);     // 1

    PyErr_NoMemory();                       // <-- error happens, an exception is thrown (line 890)
    Py_XDECREF(result);                     // <-- destruction here (line 924)
    printf("%ld\n", result->ob_refcnt);     // 0

    if (PyErr_Occurred()) {
        Py_XDECREF(result);                 // <-- use after free here (line 931)
        printf("%ld\n", result->ob_refcnt); // -1
    }
}
```
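As an added example, not code from the issue or from SciPy's fix, the following self-contained C model reproduces the refcount discipline with hypothetical stand-ins (`Obj`, `XDECREF`, `CLEAR`, `list_new` for `PyObject`, `Py_XDECREF`, `Py_CLEAR`, `PyList_New`) so it builds without CPython headers: it shows why the second decref on the shared exit path hits an already destroyed object, and how clearing the variable in the error branch (the `Py_CLEAR` idiom) turns that second decref into a no-op.

```c
#include <stdio.h>
#include <stdlib.h>
/* Minimal stand-in for PyObject (hypothetical; no CPython headers needed). */
typedef struct { long refcnt; int destroyed; } Obj;

static int decref_after_destroy = 0;   /* counts decrefs that hit a destroyed object */

/* Models Py_XDECREF: NULL is ignored, reaching zero destroys the object.
 * Storage is kept until free(raw) below so the model can observe the misuse. */
#define XDECREF(o) do { if ((o) != NULL) { \
        if ((o)->destroyed) decref_after_destroy++; \
        if (--(o)->refcnt == 0) (o)->destroyed = 1; } } while (0)

/* Models Py_CLEAR: NULL the variable first, then drop the old reference. */
#define CLEAR(o) do { Obj *tmp_ = (o); (o) = NULL; XDECREF(tmp_); } while (0)

/* Models PyList_New: returns a new reference with refcnt 1. */
static Obj *list_new(void) {
    Obj *o = calloc(1, sizeof *o);
    o->refcnt = 1;
    return o;
}

/* Cleanup shaped like the reported path: the error branch drops the reference,
 * then the shared exit path drops it again through the stale pointer. Returns
 * how many decrefs hit a destroyed object (1: refcnt goes 1 -> 0 -> -1). */
int cleanup_double_decref(void) {
    Obj *result = list_new(), *raw = result;
    int before = decref_after_destroy;
    int error = 1;                     /* models PyErr_NoMemory() having fired */
    if (error) XDECREF(result);        /* refcnt 1 -> 0, object destroyed */
    if (error) XDECREF(result);        /* stale pointer: refcnt 0 -> -1 */
    free(raw);                         /* release the model's storage */
    return decref_after_destroy - before;
}

/* Same shape, but the error branch uses CLEAR, so the exit path sees NULL
 * and its XDECREF is a no-op. Returns 0. */
int cleanup_with_clear(void) {
    Obj *result = list_new(), *raw = result;
    int before = decref_after_destroy;
    int error = 1;
    if (error) CLEAR(result);          /* refcnt 1 -> 0, result is now NULL */
    if (error) XDECREF(result);        /* nothing to drop */
    free(raw);
    return decref_after_destroy - before;
}

int main(void) {
    printf("decrefs on destroyed object: %d (double decref), %d (with CLEAR)\n",
           cleanup_double_decref(), cleanup_with_clear());
    return 0;
}
```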
Related news
Ubuntu Security Notice 6226-1 - It was discovered that SciPy did not properly manage memory operations during reference counting. An attacker could possibly use this issue to cause a denial of service. A use-after-free was discovered in SciPy when handling reference counts. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 20.04 LTS.