From e1a29feb864297e388c6bd6390ac700ccd6fb66e Mon Sep 17 00:00:00 2001
From: wangkaiqiang
Date: Wed, 17 Jan 2024 15:18:57 +0800
Subject: [PATCH] Fix posible crash in heapq with custom comparison operators
---
 00408-CVE-2022-48560.patch | 141 +++++++++++++++++++++++++++++++++++++
 python3.spec | 14 +++-
 2 files changed, 154 insertions(+), 1 deletion(-)
 create mode 100644 00408-CVE-2022-48560.patch
diff --git a/00408-CVE-2022-48560.patch b/00408-CVE-2022-48560.patch
new file mode 100644
index 0000000..c2924d0
--- /dev/null
+++ b/00408-CVE-2022-48560.patch
@@ -0,0 +1,141 @@
+From f154e5583386b06dc3a188677231bd43da2646ce Mon Sep 17 00:00:00 2001
+From: wangkaiqiang
+Date: Wed, 17 Jan 2024 15:12:09 +0800
+Subject: [PATCH] Fix posible crash in heapq with custom comparison operators
+
+---
+ Lib/test/test_heapq.py | 31 ++++++++++++++++
+ .../2020-01-22-15-53-37.bpo-39421.O3nG7u.rst | 2 ++
+ Modules/_heapqmodule.c | 35 ++++++++++++++-----
+ 3 files changed, 59 insertions(+), 9 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Core and Builtins/2020-01-22-15-53-37.bpo-39421.O3nG7u.rst
+
+diff --git a/Lib/test/test_heapq.py b/Lib/test/test_heapq.py
+index 2f8c648..7c3fb02 100644
+--- a/Lib/test/test_heapq.py
++++ b/Lib/test/test_heapq.py
+@@ -414,6 +414,37 @@ class TestErrorHandling:
+ with self.assertRaises((IndexError, RuntimeError)):
+ self.module.heappop(heap)
+
++ def test_comparison_operator_modifiying_heap(self):
++ # See bpo-39421: Strong references need to be taken
++ # when comparing objects as they can alter the heap
++ class EvilClass(int):
++ def __lt__(self, o):
++ heap.clear()
++ return NotImplemented
++
++ heap = []
++ self.module.heappush(heap, EvilClass(0))
++ self.assertRaises(IndexError, self.module.heappushpop, heap, 1)
++
++ def test_comparison_operator_modifiying_heap_two_heaps(self):
++
++ class h(int):
++ def __lt__(self, o):
++ list2.clear()
++ return NotImplemented
++
++ class g(int):
++ def __lt__(self, o):
++ list1.clear()
++ return NotImplemented
++
++ list1, list2 = [], []
++
++ self.module.heappush(list1, h(0))
++ self.module.heappush(list2, g(0))
++
++ self.assertRaises((IndexError, RuntimeError), self.module.heappush, list1, g(1))
++ self.assertRaises((IndexError, RuntimeError), self.module.heappush, list2, h(1))
+
+ class TestErrorHandlingPython(TestErrorHandling, TestCase):
+ module = py_heapq
+diff --git a/Misc/NEWS.d/next/Core and Builtins/2020-01-22-15-53-37.bpo-39421.O3nG7u.rst b/Misc/NEWS.d/next/Core and Builtins/2020-01-22-15-53-37.bpo-39421.O3nG7u.rst
+new file mode 100644
+index
0000000..bae0081
+--- /dev/null
++++ b/Misc/NEWS.d/next/Core and Builtins/2020-01-22-15-53-37.bpo-39421.O3nG7u.rst
+@@ -0,0 +1,2 @@
++Fix possible crashes when operating with the functions in the :mod:`heapq`
++module and custom comparison operators.
+diff --git a/Modules/_heapqmodule.c b/Modules/_heapqmodule.c
+index b499e1f..0fb35ff 100644
+--- a/Modules/_heapqmodule.c
++++ b/Modules/_heapqmodule.c
+@@ -29,7 +29,11 @@ siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
+ while (pos > startpos) {
+ parentpos = (pos - 1) >> 1;
+ parent = arr[parentpos];
++ Py_INCREF(newitem);
++ Py_INCREF(parent);
+ cmp = PyObject_RichCompareBool(newitem, parent, Py_LT);
++ Py_DECREF(parent);
++ Py_DECREF(newitem);
+ if (cmp < 0)
+ return -1;
+ if (size != PyList_GET_SIZE(heap)) {
+@@ -71,10 +75,13 @@ siftup(PyListObject *heap, Py_ssize_t pos)
+ /* Set childpos to index of smaller child. */
+ childpos = 2*pos + 1; /* leftmost child position */
+ if (childpos + 1 < endpos) {
+- cmp = PyObject_RichCompareBool(
+- arr[childpos],
+- arr[childpos + 1],
+- Py_LT);
++ PyObject* a = arr[childpos];
++ PyObject* b = arr[childpos + 1];
++ Py_INCREF(a);
++ Py_INCREF(b);
++ cmp = PyObject_RichCompareBool(a, b, Py_LT);
++ Py_DECREF(a);
++ Py_DECREF(b);
+ if (cmp < 0)
+ return -1;
+ childpos += ((unsigned)cmp ^ 1); /* increment when cmp==0 */
+@@ -229,7 +236,10 @@ heappushpop(PyObject *self, PyObject *args)
+ return item;
+ }
+
+- cmp = PyObject_RichCompareBool(PyList_GET_ITEM(heap, 0), item, Py_LT);
++ PyObject* top = PyList_GET_ITEM(heap, 0);
++ Py_INCREF(top);
++ cmp = PyObject_RichCompareBool(top, item, Py_LT);
++ Py_DECREF(top);
+ if (cmp < 0)
+ return NULL;
+ if (cmp == 0) {
+@@ -383,7 +393,11 @@ siftdown_max(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
+ while (pos > startpos) {
+ parentpos = (pos - 1) >> 1;
+ parent = arr[parentpos];
++ Py_INCREF(parent);
++ Py_INCREF(newitem);
+ cmp = PyObject_RichCompareBool(parent, newitem, Py_LT);
++ Py_DECREF(parent);
++
Py_DECREF(newitem);
+ if (cmp < 0)
+ return -1;
+ if (size != PyList_GET_SIZE(heap)) {
+@@ -425,10 +439,13 @@ siftup_max(PyListObject *heap, Py_ssize_t pos)
+ /* Set childpos to index of smaller child. */
+ childpos = 2*pos + 1; /* leftmost child position */
+ if (childpos + 1 < endpos) {
+- cmp = PyObject_RichCompareBool(
+- arr[childpos + 1],
+- arr[childpos],
+- Py_LT);
++ PyObject* a = arr[childpos + 1];
++ PyObject* b = arr[childpos];
++ Py_INCREF(a);
++ Py_INCREF(b);
++ cmp = PyObject_RichCompareBool(a, b, Py_LT);
++ Py_DECREF(a);
++ Py_DECREF(b);
+ if (cmp < 0)
+ return -1;
+ childpos += ((unsigned)cmp ^ 1); /* increment when cmp==0 */
+--
+2.31.1
+
diff --git a/python3.spec b/python3.spec
index 5ba9ec4..9dc688c 100644
--- a/python3.spec
+++ b/python3.spec
@@ -15,7 +15,7 @@ URL: https://www.python.org/
 # WARNING When rebasing to a new Python version,
 # remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 53%{anolis_release}%{?dist}.1
+Release: 54%{anolis_release}%{?dist}.1
 License: Python
@@ -790,6 +790,14 @@ Patch399: 00399-cve-2023-24329.patch
 # Backported from Python 3.8
 Patch404: 00404-cve-2023-40217.patch
+# 00408 #
+# CVE-2022-48560
+#
+# Security fix for CVE-2022-48560: python3: use after free in heappushpop()
+# of heapq module
+# Resolved upstream: https://github.com/python/cpython/issues/83602
+Patch408: 00408-CVE-2022-48560.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1145,6 +1153,7 @@ git apply %{PATCH351}
 %patch394 -p1
 %patch399 -p1
 %patch404 -p1
+%patch408 -p1
 %patch1000 -p1
 %patch1001 -p1
@@ -2082,6 +2091,9 @@ fi
 # ======================================================
 %changelog
+* Wed Jan 17 2024 Kaiqiang Wang - 3.6.8-54.0.1.1
+- Security fix for CVE-2022-48560
+
 * Tue Jan 09 2024 hezhongkun - 3.6.8-53.0.1.1
 - Fix CVE-2023-40217: Check for & avoid the ssl
-- Gitee
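Review bot: The heappushpop hunk keeps `top` alive across the comparison but stops at `if (cmp == 0) {`, and the path the new test_comparison_operator_modifiying_heap drives — `__lt__` clears the heap and returns NotImplemented, the reflected int comparison then yields true — continues past that point to read `PyList_GET_ITEM(heap, 0)` from a now-empty list, so the IndexError the test expects must come from a size recheck that lies outside this hunk. Upstream guards that read after the `cmp == 0` early return with `if (PyList_GET_SIZE(heap) == 0) { PyErr_SetString(PyExc_IndexError, "index out of range"); return NULL; }`; confirm the 3.6.8 tree already carries it, because without it the test faults instead of raising. The INCREF/DECREF pairs only keep the two compared objects alive for the duration of the call — they still depend on the `size != PyList_GET_SIZE(heap)` / `endpos` rechecks and the `arr = _PyList_ITEMS(heap)` reload after each comparison (visible at the tail of the siftdown hunks, not in the siftup ones), which deserves a comment at the first INCREF, e.g. `/* __lt__ can run arbitrary code that mutates the heap; hold our own refs (bpo-39421) */`. The bodies of siftdown, siftup, heappushpop, siftdown_max and siftup_max all begin and end outside these hunks.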
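Review bot: The Patch408 comment block records only the tracker issue (`issues/83602`), and the bundled patch file rewrites its `From:`/`Date:` header to the packager, so neither the spec nor the patch says which upstream commit this is a backport of or who authored it — unlike the `# Backported from Python 3.8` note kept for Patch404 just above. For supply-chain auditing add the upstream lineage to the comment, e.g. `# Backported from the upstream fix for bpo-39421 (see the NEWS entry inside the patch)`, and preferably regenerate the patch with `git format-patch` from that commit so the original author and commit id survive. The description `use after free in heappushpop()` also undersells what is shipped: the patch changes siftdown/siftup and the two-heaps test exercises heappush, so a wording like `use-after-free in heapq comparisons (heappush/heappushpop/heappop)` would match the contents.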