pyca / bcrypt

Modern(-ish) password hashing for your software and your servers
Apache License 2.0

v3.1.4: Segfault on python -c "import bcrypt" #193

Closed patrickkidd closed 3 years ago

patrickkidd commented 4 years ago

I am getting the following segfault on python-3.6.4 built from source on macOS 10.5.3. The bug was introduced in bcrypt-3.1.4.

Path:                  /Users/USER/*/python3.6
Identifier:            python3.6
Version:               ???
Code Type:             X86-64 (Native)
Parent Process:        bash [10818]
Responsible:           Terminal [10710]
User ID:               501

Date/Time:             2020-01-31 11:06:21.651 -0500
OS Version:            Mac OS X 10.15.3 (19D76)
Report Version:        12
Bridge OS Version:     4.2 (17P3050)
Anonymous UUID:        DE6007FC-8BDC-91D9-D093-77AE8648E82B

Sleep/Wake UUID:       4DB4D24C-98FE-497B-9977-7B3563B6D491

Time Awake Since Boot: 40000 seconds
Time Since Wake:       3200 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x000001101f042028
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [98541]

VM Regions Near 0x1101f042028:
    __LINKEDIT             0000000119c37000-0000000119c6f000 [  224K] r--/r-- SM=COW  /usr/lib/dyld
--> 
    MALLOC_MEDIUM          00007f9c58000000-00007f9c58800000 [ 8192K] rw-/rwx SM=PRV  

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   python                          0x000000010ff29df1 _PyObject_Dump + 209 (object.c:454)
1   python                          0x000000010ff2d59a _Py_ForgetReference + 186 (object.c:1762)
2   python                          0x000000010ff28ee5 _Py_Dealloc + 37 (object.c:1786)
3   python                          0x000000010ff07125 free_keys_object + 341 (dictobject.c:560)
4   python                          0x000000010ff0c8c8 dict_dealloc + 552 (dictobject.c:2025)
5   python                          0x000000010ff28efa _Py_Dealloc + 58 (object.c:1787)
6   python                          0x000000011009e34e _PyImport_Fini + 142 (import.c:293)
7   python                          0x00000001100b6fcd Py_FinalizeEx + 189 (pylifecycle.c:646)
8   python                          0x00000001100eceb6 Py_Main + 4742 (main.c:829)
9   python                          0x000000010fe703d8 main + 472 (python.c:69)
10  libdyld.dylib                   0x00007fff702f77fd start + 1

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x000001101f042000  rbx: 0x0000000000000000  rcx: 0x0000000000000000  rdx: 0x0000000110735057
  rdi: 0x00007fff9a109500  rsi: 0x0000000000000000  rbp: 0x00007ffedfd90240  rsp: 0x00007ffedfd901f0
   r8: 0x00000000000130a8   r9: 0x0000000000000000  r10: 0x00007fff9a109308  r11: 0x00007fff9a109300
  r12: 0x0000000000000000  r13: 0x0000000000000000  r14: 0x0000000000000000  r15: 0x0000000000000000
  rip: 0x000000010ff29df1  rfl: 0x0000000000010206  cr2: 0x000001101f042028

Logical CPU:     12
Error Code:      0x00000004 (no mapping for user data write)
Trap Number:     14


reaperhulk commented 4 years ago

Do you see the same segfault with the binary wheel? What flags were used during compilation?

patrickkidd commented 4 years ago

> Do you see the same segfault with the binary wheel? What flags were used during compilation?

I see it with the current binary wheel:

turin:~ patrick$ pip install --only-binary :all bcrypt
Collecting bcrypt
  Using cached bcrypt-3.1.7-cp34-abi3-macosx_10_6_intel.whl (53 kB)
Requirement already satisfied: six>=1.4.1 in ./dev/vendor/sysroot-dev/lib/python3.6/site-packages (from bcrypt) (1.14.0)
Requirement already satisfied: cffi>=1.1 in ./dev/vendor/sysroot-dev/lib/python3.6/site-packages (from bcrypt) (1.13.2)
Requirement already satisfied: pycparser in ./dev/vendor/sysroot-dev/lib/python3.6/site-packages (from cffi>=1.1->bcrypt) (2.19)
Installing collected packages: bcrypt
Successfully installed bcrypt-3.1.7
turin:~ patrick$ python -c "import bcrypt"
* ob
object  : <refcnt 0 at 0x10c209c98>
type    : tuple
refcount: 0
address : 0x10c209c98
* op->_ob_prev->_ob_next
object  : <refcnt 0 at 0x10c209c97>Segmentation fault: 11
turin:~ patrick$

Here is how I configured Python-3.6.4:

export CFLAGS="-I$(brew --prefix openssl)/include -I$(xcrun --show-sdk-path)/usr/include -Wno-nullability-completeness -Wno-strict-prototypes"
export LDFLAGS="-L$(brew --prefix openssl)/lib -I$(xcrun --show-sdk-path)/usr/lib"
cp ../../../src/Python-$PYTHON_VERSION-Setup.dist ./Modules
./configure --prefix=$SYSROOT -with-ensurepip=install --with-system-expat --with-pydebug

reaperhulk commented 4 years ago

Okay, I believe compiling with pydebug enabled makes it ABI incompatible with the wheel (a fact that the wheel tags and pip don't handle well for reasons I don't know).

I don’t know why it’s crashing when you compile it yourself though...
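
A small checker, added here and not part of pyca/bcrypt or this thread, that makes the ABI point above testable: it parses the extension-module filenames that appear in the crash report (`cpython-36dm` versus `abi3`) and flags a debug-ABI interpreter loading a non-debug build, and, going one step beyond the comment, the reverse direction too. The function names are my own; the only interpreter facts it relies on are `sys.abiflags` and `sysconfig.get_config_var("Py_DEBUG")`.

```python
"""Check whether a compiled extension module matches the running interpreter's ABI.
Added for this thread (not pyca/bcrypt code): it parses the extension filenames
from the crash report and flags a --with-pydebug interpreter (abiflags 'dm' on
3.6, suffix 'cpython-36dm') loading an 'abi3' or release-ABI build, and vice versa.
"""
import importlib.util
import re
import sys
import sysconfig

# Matches e.g. "_heapq.cpython-36dm-darwin.so" or "_bcrypt.abi3.so".
_TAG_RE = re.compile(r"\.(?P<tag>cpython-\d+(?P<flags>[a-z]*)|abi3)(?:-[\w-]+)?\.(?:so|pyd)$")

def parse_ext_tag(filename):
    """Return (tag, built_for_debug_abi) for a compiled extension filename."""
    m = _TAG_RE.search(filename)
    if m is None:
        return None, False
    flags = m.group("flags") or ""   # the abi3 alternative has no flags group
    return m.group("tag"), "d" in flags

def interpreter_abiflags():
    """abiflags of this interpreter; falls back to Py_DEBUG where sys.abiflags is absent."""
    flags = getattr(sys, "abiflags", None)
    if flags is not None:
        return flags
    return "d" if sysconfig.get_config_var("Py_DEBUG") else ""

def abi_mismatch(filename, abiflags):
    """True when the interpreter's debug flag and the extension's disagree.

    With Py_DEBUG, PyObject gains _ob_prev/_ob_next (the refchain), so a
    non-debug extension reads and writes the wrong offsets; that is how an
    import can end in _Py_ForgetReference reporting "UNREF invalid object".
    """
    tag, ext_debug = parse_ext_tag(filename)
    if tag is None:
        return False          # pure-Python or unrecognised file: nothing to compare
    return ("d" in abiflags) != ext_debug

def check_installed(module_name):
    """Locate a compiled module on sys.path and compare it with this interpreter."""
    spec = importlib.util.find_spec(module_name)
    if spec is None or spec.origin is None:
        return None
    return {"path": spec.origin, "mismatch": abi_mismatch(spec.origin, interpreter_abiflags())}
```

Run `check_installed("_cffi_backend")` or point `abi_mismatch` at the `.so` files from a wheel before importing the package, so the mismatch is reported as a boolean instead of as a segfault at interpreter shutdown.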

patrickkidd commented 4 years ago

The diff from 3.1.3..3.1.4 - the change that breaks it - looks pretty minimal, though I don't know much about Travis or Jenkins.

I attached to the process with Xcode. I wish I had some CPython object printers for lldb. But it is failing in the Py_TYPE line below (as indicated in the stack trace in the original post):

        /* XXX(twouters) cast refcount to long until %zd is
           universally available */
        fprintf(stderr, "\n"
            "type    : %s\n"
            "refcount: %ld\n"
            "address : %p\n",
            Py_TYPE(op)==NULL ? "NULL" : Py_TYPE(op)->tp_name,
            (long)op->ob_refcnt,
            op);

... called from the second _PyObject_Dump() here:

    if (op == &refchain ||
        op->_ob_prev->_ob_next != op || op->_ob_next->_ob_prev != op) {
        fprintf(stderr, "* ob\n");
        _PyObject_Dump(op);
        fprintf(stderr, "* op->_ob_prev->_ob_next\n");
        _PyObject_Dump(op->_ob_prev->_ob_next);
        fprintf(stderr, "* op->_ob_next->_ob_prev\n");
        _PyObject_Dump(op->_ob_next->_ob_prev);
        Py_FatalError("UNREF invalid object");
    }

reaperhulk commented 4 years ago

Is this still replicable on 3.2.0 with 10.15.6? Does it happen with Python 3.6.12? The C diff from 3.1.3 to 3.1.4 is just some include ordering and include guards so it is extremely weird that this would be happening (and apparently only on your machine). You might also make sure you're on latest cffi.

alex commented 3 years ago

No response in several months; closing.

patrickkidd commented 3 years ago

Sorry, somehow I either missed the replies or failed to respond.

This does not occur with the following two setups:

I don't have access to macOS 10.15.* anymore, sorry.