Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clear audit hooks after destructors #85334

Open
zooba opened this issue Jun 29, 2020 · 7 comments
Open

Clear audit hooks after destructors #85334

zooba opened this issue Jun 29, 2020 · 7 comments
Labels
3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-security A security issue

Comments

@zooba
Copy link
Member

zooba commented Jun 29, 2020

BPO 41162
Nosy @tiran, @zooba, @zkonge, @frankli0324
PRs
  • bpo-41162: Clear audit hooks after destructors #21222
  • [3.9] bpo-41162: Clear audit hooks later during finalization (GH-21222) #21302
  • [3.8] bpo-41162: Clear audit hooks later during finalization (GH-21222) #21303
  • [3.9] bpo-41162: Fix improperly merged change so that final hooks are called before types are cleared #21304
  • Files
  • clearaudithook.patch
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
    closed_at = None
    created_at = <Date 2020-06-29.16:28:11.224>
    labels = ['type-security', 'interpreter-core', '3.8', '3.9', '3.10']
    title = 'Clear audit hooks after destructors'
    updated_at = <Date 2020-07-06.19:23:17.309>
    user = 'https://github.com/zooba'

    bugs.python.org fields:

    activity = <Date 2020-07-06.19:23:17.309>
    actor = 'steve.dower'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = ['Interpreter Core']
    creation = <Date 2020-06-29.16:28:11.224>
    creator = 'steve.dower'
    dependencies = []
    files = ['49276']
    hgrepos = []
    issue_num = 41162
    keywords = ['patch']
    message_count = 7.0
    messages = ['372601', '372610', '372892', '372958', '372965', '372970', '373158']
    nosy_count = 4.0
    nosy_names = ['christian.heimes', 'steve.dower', 'zkonge', 'frankli']
    pr_nums = ['21222', '21302', '21303', '21304']
    priority = 'normal'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue41162'
    versions = ['Python 3.8', 'Python 3.9', 'Python 3.10']

    @zooba
    Copy link
    Member Author

    zooba commented Jun 29, 2020

    Because of when _Py_ClearAuditHooks is called during finalization, it is possible that __del__ destructors will be called after hooks have been cleared. Audit events that would be raised here are dropped.

    We should ensure these events are received by any known hooks for the interpreter (Python) or the runtime (C).

    (Thanks to Frank Li for the report.)

    @zooba zooba added 3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-security A security issue labels Jun 29, 2020
    @zkonge
    Copy link
    Mannequin

    zkonge mannequin commented Jun 29, 2020

    Patch attached below works well, but with less functionality for users' audit hook.
    Pure Python audit hook implement looks safe enough.
    Should we need call _PySys_ClearAuditHooks earlier for more functionality?

    @zooba
    Copy link
    Member Author

    zooba commented Jul 2, 2020

    PR 21222 (with test updates) is a good fix, though we know there can still be arbitrary code executed afterwards. But it's not in a place where we can reliably hook.

    Probably the best thing to do is to make sure that events are raised for anything that would be required to add code there. Though that may not be feasible either, but since nobody should be doing that kind of thing deliberately, detection is just as valuable as prevention.

    @zooba
    Copy link
    Member Author

    zooba commented Jul 3, 2020

    New changeset daa0fe0 by Konge in branch 'master':
    bpo-41162: Clear audit hooks later during finalization (GH-21222)
    daa0fe0

    @zooba
    Copy link
    Member Author

    zooba commented Jul 3, 2020

    New changeset e1d4fdc by Steve Dower in branch '3.9':
    bpo-41162: Clear audit hooks later during finalization (GH-21222)
    e1d4fdc

    @zooba
    Copy link
    Member Author

    zooba commented Jul 3, 2020

    New changeset b9e288c by Steve Dower in branch '3.8':
    bpo-41162: Clear audit hooks later during finalization (GH-21222)
    b9e288c

    @zooba
    Copy link
    Member Author

    zooba commented Jul 6, 2020

    Merged the initial fix, but we now need to find any exploitable paths that remain.

    Considering how late in finalization they now run, they're very unlikely to succeed at doing anything interesting. However, they'd also qualify as bugs (potentially crashes), so we'll want to find ways to make them run earlier anyway.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-security A security issue
    Projects
    None yet
    Development

    No branches or pull requests

    1 participant