From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <notmuch-bounces@notmuchmail.org>
Received: from mp11.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id uNNtC+062GENOgAAgWs5BA
	(envelope-from <notmuch-bounces@notmuchmail.org>)
	for <larch@yhetil.org>; Fri, 07 Jan 2022 14:06:53 +0100
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp11.migadu.com with LMTPS
	id IIf/CO062GFLOAEA9RJhRA
	(envelope-from <notmuch-bounces@notmuchmail.org>)
	for <larch@yhetil.org>; Fri, 07 Jan 2022 14:06:53 +0100
Received: from mail.notmuchmail.org (yantan.tethera.net [IPv6:2a01:4f9:c011:7a79::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id CF117179E7
	for <larch@yhetil.org>; Fri,  7 Jan 2022 14:06:52 +0100 (CET)
Received: from yantan.tethera.net (localhost [127.0.0.1])
	by mail.notmuchmail.org (Postfix) with ESMTP id B81685F713;
	Fri,  7 Jan 2022 13:06:47 +0000 (UTC)
Received: from fethera.tethera.net (fethera.tethera.net [198.245.60.197])
	by mail.notmuchmail.org (Postfix) with ESMTP id 159175F6CB
	for <notmuch@notmuchmail.org>; Fri,  7 Jan 2022 13:06:45 +0000 (UTC)
Received: by fethera.tethera.net (Postfix, from userid 1001)
	id 278345FC42; Fri,  7 Jan 2022 08:06:44 -0500 (EST)
Received: (nullmailer pid 2755917 invoked by uid 1000);
	Fri, 07 Jan 2022 13:06:42 -0000
From: David Bremner <david@tethera.net>
To: notmuch@notmuchmail.org
Subject: Re: use after free in python notmuch2 bindings
In-Reply-To: <87sfu6utxg.fsf@tethera.net>
References: <87sfu6utxg.fsf@tethera.net>
Date: Fri, 07 Jan 2022 09:06:42 -0400
Message-ID: <87o84nu23h.fsf@tethera.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Message-ID-Hash: 7GJL2VLZPFDZO7SI622RRLFPYIOJTLTK
X-Message-ID-Hash: 7GJL2VLZPFDZO7SI622RRLFPYIOJTLTK
X-MailFrom: david@tethera.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-notmuch.notmuchmail.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.3
Precedence: list
List-Id: "Use and development of the notmuch mail system." <notmuch.notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Owner: <mailto:notmuch-owner@notmuchmail.org>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Subscribe: <mailto:notmuch-join@notmuchmail.org>
List-Unsubscribe: <mailto:notmuch-leave@notmuchmail.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: DE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1641560812;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-owner:list-unsubscribe:list-subscribe:list-post;
	bh=DttLuh8EpNiy1gCTW5qZuHbL/9bZ823FzXrgTYflO+Q=;
	b=WyVDiCA5pmkJQ1//KXwyp87A8HGY6v47n8bFasjtIjc/Z7lr1n0c7o10MNCjXv9DPMC79B
	QEfU2zu+MuxFWQksruLXThhetLygZXgsYgE12wJlOLk/lxxKrCn9A94IImrJfkYK7o+kEu
	A7gIMhWJ7nXVbrU3m8D8eq6gnK34OcoMMSjLXQQTpin+8vrG/+GMbJ/YV3P2uIKkIDjcci
	2Qy2bszgB6s5J/g2jsrx8BTdK+3jvdJREDwrkn0AXv+w4UAg83rYWFWoKiFxJeuHbOUFT6
	yEHAd6G9vaVBhEUfRCI/EfHjeG+X7amILD3WnZS8j776NIC0YCPSAWw/GY4L7w==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1641560812; a=rsa-sha256; cv=none;
	b=SYYluY6wJbwiEY/SSzpjbZFkrKH9FKPqHXnqpC5cw7dIvcKdfZR+C8R51rBwjYnZPo++el
	h9QPct43dbRk2i80JN4dul4Nonm/b5TWeD5ooVHq/bLgtpaOraMOe3/16kTsoFngOrgmo7
	SFVa7d+GQkrjj//dtbeUkA8sIZKNeeROS8Z/PuDxT2MxpsMzFFfRM/nVgdZBMp2auVR1zZ
	8feO6UgZubcYej4TMWnqBRGMwbY8TmiQGKnodEzwAbos5NZTLZnbluhur7hoBD9Y37W68S
	nZ2A3RqQr3+EXjYBQgTMYEgrkz3eVHmfsQ/orFFJTPCOrT5ezg3nFYJxPOx01w==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of notmuch-bounces@notmuchmail.org designates 2a01:4f9:c011:7a79::1 as permitted sender) smtp.mailfrom=notmuch-bounces@notmuchmail.org
X-Migadu-Spam-Score: -2.28
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of notmuch-bounces@notmuchmail.org designates 2a01:4f9:c011:7a79::1 as permitted sender) smtp.mailfrom=notmuch-bounces@notmuchmail.org
X-Migadu-Queue-Id: CF117179E7
X-Spam-Score: -2.28
X-Migadu-Scanner: scn1.migadu.com
X-TUID: yyePj9GvcOuX


--=-=-=
Content-Type: text/plain

David Bremner <david@tethera.net> writes:

> I've been attempting to port nmweb to the new bindings, but I got stuck
> on a bug that segfaults python. I attached a reduced version that
> reproduces the problem for me. It uses recent messages from the notmuch
> list; it others can't reproduce let me know and I will try to make
> something more self contained including a message set.
>

Attached is a slightly simpler (and more informative) reproducer

It produces the the following output for me

7f23164b6cd0 <notmuch2.Thread object at 0x7f23164b6cd0>
   87fsqijx7u.fsf@metapensiero.it <cdata 'struct _notmuch_message *' 0x137a000>
     7f23164b6a90 <NotmuchIter>
       87lf0anoiv.fsf@tethera.net <cdata 'struct _notmuch_message *' 0x13636f0>
         7f23164b6910 <NotmuchIter>
           87bl16jezh.fsf@metapensiero.it <cdata 'struct _notmuch_message *' 0x139a6b0>
             7f23164c3070 <NotmuchIter>
           87bl0vlbys.fsf@powell.devork.be <cdata 'struct _notmuch_message *' 0x139b8e0>
             7f23164c30d0 <NotmuchIter>
   87lf0anoiv.fsf@tethera.net <cdata 'struct _notmuch_message *' 0x13636f0>
     7f23164b68e0 <NotmuchIter>
       87bl16jezh.fsf@metapensiero.it <cdata 'struct _notmuch_message *' 0x139a6b0>
         7f23164b6a00 <NotmuchIter>
       87bl0vlbys.fsf@powell.devork.be <cdata 'struct _notmuch_message *' 0x139b8e0>
zsh: IOT instruction  python3 test.py

The IOT instruction is actually talloc aborting. If I leave in the call
to msg.header, it segfaults as before.

I noticed that the message struct 0x139b8e0 is visited twice, once as
part of the thread and once as part of reply-to-reply-to-reply.

I think the issue here is that bindings destroy the iterator for
replies, but the library docs say

"
 * The returned list will be destroyed when the thread is
 * destroyed.
"

Perhaps that needs to be worded more strongly, to forbid the user from
calling notmuch_messages_destroy. I still need to untangle the intended
ownership semantics to be sure.


--=-=-=
Content-Type: text/x-python
Content-Disposition: inline; filename=test.py

from notmuch2 import Database

def show_msgs(msgs, level):
    print('{:s} {:x} {:s}'.format(' ' * level*4, id(msgs), str(msgs)))
    for msg in msgs:
        print('{:s} {:s} {:s}'.format(' ' * (level*4+2), msg.messageid, str(msg._msg_p)))
        replies=msg.replies()
        show_msgs(replies, level+1)
    

db = Database(config=Database.CONFIG.SEARCH)
msg=db.find("87fsqijx7u.fsf@metapensiero.it")
threads = db.threads(query="thread:"+msg.threadid)
thread = next (threads)

show_msgs(thread, 0)

--=-=-=
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--=-=-=--