stringlib bytearray.join function has the potential to leak memory when used with a custom iterator #112625

Closed
chilaxan opened this issue Dec 2, 2023 · 1 comment
Labels
3.11 only security fixes 3.12 bugs and security fixes 3.13 new features, bugs and security fixes type-bug An unexpected behavior, bug, or error

chilaxan (Contributor) commented Dec 2, 2023

Bug report

Bug description:

If a custom iterator is passed into bytearray.join, and then it frees the bytearray inside of its __iter__, then memory can be read after it is freed:

```python
# stringlib_join_ReadAfterFree.py

def ReadAfterFree(size, do):
    b = bytearray(size)
    class T:
        def __iter__(self):
            # frees b's buffer while b.join() is still running
            b.clear()
            # allocate a new object after the free and keep a reference to it
            self.v = do()
            yield b''
            yield b''

    c = b.join(t:=T())
    # view the joined result as pointer-sized integers
    return memoryview(c).cast('P'), t.v

if __name__ == '__main__':
    leak, obj = ReadAfterFree(bytearray.__basicsize__, lambda: bytearray(8))
    print('bytearray:', obj)
    print('leaked memory of buffer:', leak.tolist())
```

```
~/Desktop/Coding/cpython_source git:(main) ./python.exe ../python/stringlib_join_ReadAfterFree.py
bytearray: bytearray(b'\x00\x00\x00\x00\x00\x00\x00\x00')
leaked memory of buffer: [1, 4305259912, 8, 9, 4307812848, 4307812848, 0]
```

CPython versions tested on:

CPython main branch

Operating systems tested on:

macOS
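
A defensive wrapper for interpreters that do not yet carry the fix, as an added example that is not part of the original report or of CPython's patch: it pins the separator with a memoryview export for the duration of the join, so the `clear()` in a misbehaving `__iter__` raises `BufferError` instead of freeing the buffer. `guarded_join`, `ClearingIterable` and `check_guard` are hypothetical names, and the sample iterable is constructed.

```python
# Added example (not CPython's code): keep a buffer export on the separator
# while join() runs, so a misbehaving iterable cannot resize or free it.

def guarded_join(sep, iterable):
    """Join with a bytearray separator that is pinned for the whole call.

    An active memoryview counts as a buffer export; a bytearray with exports
    refuses clear()/resize with BufferError instead of releasing its storage.
    """
    if not isinstance(sep, bytearray):
        return sep.join(iterable)  # bytes separators are immutable already
    with memoryview(sep):  # export held until join() returns or raises
        return sep.join(iterable)


class ClearingIterable:
    """Constructed test input: an iterable that clears the separator mid-join."""

    def __init__(self, sep):
        self.sep = sep

    def __iter__(self):
        self.sep.clear()  # raises BufferError while sep is pinned
        yield b"a"
        yield b"b"


def check_guard():
    """Return (blocked, separator_intact) for the misbehaving iterable."""
    sep = bytearray(b", ")
    try:
        guarded_join(sep, ClearingIterable(sep))
    except BufferError:
        return True, bytes(sep) == b", "
    return False, bytes(sep) == b", "


if __name__ == "__main__":
    print(guarded_join(bytearray(b", "), [b"x", b"y"]))
    print(check_guard())
```

Where the separator does not need to stay a bytearray, joining on an immutable copy, `bytes(sep).join(iterable)`, avoids the problem as well.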

miss-islington pushed a commit to miss-islington/cpython that referenced this issue Dec 4, 2023
…erator inside bytearray.join (pythonGH-112626)

(cherry picked from commit 0e732d0)

Co-authored-by: chilaxan <chilaxan@gmail.com>
serhiy-storchaka pushed a commit that referenced this issue Dec 4, 2023
…terator inside bytearray.join (GH-112626) (GH-112694)

(cherry picked from commit 0e732d0)

Co-authored-by: chilaxan <chilaxan@gmail.com>
serhiy-storchaka (Member) commented:

Thank you for your report and your PR @chilaxan.

serhiy-storchaka pushed a commit that referenced this issue Dec 4, 2023
…terator inside bytearray.join (GH-112626) (GH-112693)

(cherry picked from commit 0e732d0)

Co-authored-by: chilaxan <chilaxan@gmail.com>