From 62d370f3158c1df272a30c5af28e6fb98432c502 Mon Sep 17 00:00:00 2001 From: Arpit Sarang Date: Tue, 2 Dec 2025 11:49:02 +0530 Subject: [PATCH 1/8] fix: Explicitly disallow `_as_parameter_` returning tuples for default conversions in ctypes and add a test for the `TypeError` it raises. --- Lib/test/test_ctypes/test_parameters.py | 14 ++++++++++++++ Modules/_ctypes/callproc.c | 3 --- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/Lib/test/test_ctypes/test_parameters.py b/Lib/test/test_ctypes/test_parameters.py index 46f8ff93efa915..86a732f76b50a1 100644 --- a/Lib/test/test_ctypes/test_parameters.py +++ b/Lib/test/test_ctypes/test_parameters.py @@ -297,6 +297,20 @@ def from_param(cls, value): self.assertEqual(trace, [1, 2, 3, 4, 5]) + def test_as_parameter_tuple(self): + class Dangerous(object): + @property + def _as_parameter_(self): + return ('i', 42) + + func = CDLL(_ctypes_test.__file__)._testfunc_p_p + func.restype = c_int + # func.argtypes = [c_void_p] # Do not set argtypes to force default conversion + + # Should raise TypeError because tuples are not supported in default conversion + with self.assertRaisesRegex(TypeError, "Don't know how to convert parameter 1"): + func(Dangerous(), 0) + if __name__ == '__main__': unittest.main() diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c index a8c16547e4b217..17c5adf47360a8 100644 --- a/Modules/_ctypes/callproc.c +++ b/Modules/_ctypes/callproc.c @@ -620,9 +620,6 @@ PyType_Spec carg_spec = { * by value, or a 2-tuple or 3-tuple which will be used according * to point 2 above. The third item (if any), is ignored. It is normally * used to keep the object alive where this parameter refers to. - * XXX This convention is dangerous - you can construct arbitrary tuples - * in Python and pass them. Would it be safer to use a custom container - * datatype instead of a tuple? * * 4. Other Python objects cannot be passed as parameters - an exception is raised. * 
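Review bot: The commented-out `# func.argtypes = [c_void_p]` line in `test_as_parameter_tuple` reads as leftover dead code, and nothing in the test says why a tuple is the value worth testing. I would replace it with a plain comment such as `# argtypes is left unset on purpose so the call goes through the default conversion path`. A one-line docstring should also state that a tuple returned by `_as_parameter_` must not be interpreted as a (type code, value) pair (gh-142174). `class Dangerous(object):` can be written `class Dangerous:`, and a name describing the object, for example `TupleAsParameter`, would read better in a failure report.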
From 3fa952621e0dbfe11f68c81923784c91f72da4d0 Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Tue, 2 Dec 2025 06:38:28 +0000 Subject: [PATCH 2/8] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Tests/2025-12-02-06-38-27.gh-issue-142174.jRSTqe.rst | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 Misc/NEWS.d/next/Tests/2025-12-02-06-38-27.gh-issue-142174.jRSTqe.rst diff --git a/Misc/NEWS.d/next/Tests/2025-12-02-06-38-27.gh-issue-142174.jRSTqe.rst b/Misc/NEWS.d/next/Tests/2025-12-02-06-38-27.gh-issue-142174.jRSTqe.rst new file mode 100644 index 00000000000000..2a33c9a622cfce --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2025-12-02-06-38-27.gh-issue-142174.jRSTqe.rst @@ -0,0 +1,5 @@ +Analysis confirms that +ctypes + does not support returning tuples from +as_parameter + for default conversions. Attempting to do so raises a TypeError (wrapped in an ArgumentError), meaning the described security risk does not exist in the current codebase. From 6e36753c08743a4fea8306b57f88bfa93d15ea85 Mon Sep 17 00:00:00 2001 From: Arpit Sarang Date: Tue, 2 Dec 2025 12:34:18 +0530 Subject: [PATCH 3/8] feat: Disallow tuple/list parameters in `_ctypes` and add null checks for `REFTOTAL`. --- Lib/test/test_ctypes/test_parameters.py | 4 ++-- .../next/Tests/2025-12-02-12-15-00.gh-issue-142174.rst | 1 + Modules/_ctypes/callproc.c | 7 +++++++ Objects/object.c | 4 +++- 4 files changed, 13 insertions(+), 3 deletions(-) create mode 100644 Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.rst diff --git a/Lib/test/test_ctypes/test_parameters.py b/Lib/test/test_ctypes/test_parameters.py index 86a732f76b50a1..b84c0ffd9a37f3 100644 --- a/Lib/test/test_ctypes/test_parameters.py +++ b/Lib/test/test_ctypes/test_parameters.py 
@@ -307,8 +307,8 @@ def _as_parameter_(self): func.restype = c_int # func.argtypes = [c_void_p] # Do not set argtypes to force default conversion - # Should raise TypeError because tuples are not supported in default conversion - with self.assertRaisesRegex(TypeError, "Don't know how to convert parameter 1"): + # Should raise ArgumentError because tuples are not supported in default conversion + with self.assertRaisesRegex(ArgumentError, "argument 1: TypeError: Don't know how to convert parameter 1"): func(Dangerous(), 0) diff --git a/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.rst b/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.rst new file mode 100644 index 00000000000000..af59895c474569 --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.rst @@ -0,0 +1 @@ +Analysis confirms that :mod:`ctypes` does not support returning tuples from ``_as_parameter_`` for default conversions. Attempting to do so raises a :exc:`TypeError` (wrapped in an :exc:`ArgumentError`), meaning the described security risk does not exist in the current codebase. diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c index 17c5adf47360a8..7db0632c831843 100644 --- a/Modules/_ctypes/callproc.c +++ b/Modules/_ctypes/callproc.c @@ -739,6 +739,13 @@ static int ConvParam(ctypes_state *st, attribute) */ if (arg) { + if (PyTuple_Check(arg) || PyList_Check(arg)) { + Py_DECREF(arg); + PyErr_Format(PyExc_TypeError, + "Don't know how to convert parameter %d", + Py_SAFE_DOWNCAST(index, Py_ssize_t, int)); + return -1; + } int result; result = ConvParam(st, arg, index, pa); Py_DECREF(arg); diff --git a/Objects/object.c b/Objects/object.c index fcea3503de8213..bde1a7080ca310 100644 --- a/Objects/object.c +++ b/Objects/object.c 
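Review bot: Only a tuple is exercised by `test_as_parameter_tuple`, while the `ConvParam` change in this same commit also rejects lists, so the list branch has no coverage. Parametrising the helper class and looping with `for value in (('i', 42), ['i', 42]):` under `with self.subTest(value=value):` would pin both cases. The hunk does not show the module's imports, so it is worth confirming that `ArgumentError` is already imported from `ctypes` in this file.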
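Review bot: The new guard in `ConvParam` uses `PyTuple_Check(arg) || PyList_Check(arg)`, which also matches tuple and list subclasses. An object whose `_as_parameter_` returns such a subclass, one that itself defines `_as_parameter_`, is now rejected, where the recursive `ConvParam` call below would presumably have converted it before. The NEWS entry in this commit states that plain tuples already raise `TypeError` on this path, so the guard looks redundant for the exact types and is a behaviour change only for subclasses. If an early rejection is wanted, `if (PyTuple_CheckExact(arg) || PyList_CheckExact(arg)) {` keeps it to the case the commit message describes; otherwise the guard can be dropped and the test kept. `ConvParam` starts and ends outside this hunk, so the final error path was not visible for comparison.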
@@ -91,7 +91,9 @@ reftotal_add(PyThreadState *tstate, Py_ssize_t n) Py_ssize_t reftotal = tstate_impl->reftotal + n; _Py_atomic_store_ssize_relaxed(&tstate_impl->reftotal, reftotal); #else - REFTOTAL(tstate->interp) += n; + if (tstate && tstate->interp) { + REFTOTAL(tstate->interp) += n; + } #endif } From 5c2c8933cb6ce0fddd80f9a37c8807a5b0f174de Mon Sep 17 00:00:00 2001 From: Arpit Sarang Date: Tue, 2 Dec 2025 12:34:49 +0530 Subject: [PATCH 4/8] fix: Add RTLD_GLOBAL flag to dlopen for libSystem.B.dylib. --- Modules/_ctypes/callproc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c index 7db0632c831843..9fb4faf94b7468 100644 --- a/Modules/_ctypes/callproc.c +++ b/Modules/_ctypes/callproc.c @@ -1516,7 +1516,7 @@ static void *libsystem_b_handle; static bool (*_dyld_shared_cache_contains_path)(const char *path); __attribute__((constructor)) void load_dyld_shared_cache_contains_path(void) { - libsystem_b_handle = dlopen("/usr/lib/libSystem.B.dylib", RTLD_LAZY); + libsystem_b_handle = dlopen("/usr/lib/libSystem.B.dylib", RTLD_LAZY | RTLD_GLOBAL); if (libsystem_b_handle != NULL) { _dyld_shared_cache_contains_path = dlsym(libsystem_b_handle, "_dyld_shared_cache_contains_path"); } From b41f9665ec14b5657faae730ea59c233e9eb6d4f Mon Sep 17 00:00:00 2001 From: Arpit Sarang Date: Tue, 2 Dec 2025 13:11:36 +0530 Subject: [PATCH 5/8] Misc/NEWS.d: fix news fragment filename so blurb can parse (gh.issue-142174) --- ...h-issue-142174.rst => 2025-12-02-12-15-00.gh.issue-142174.rst} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Misc/NEWS.d/next/Tests/{2025-12-02-12-15-00.gh-issue-142174.rst => 2025-12-02-12-15-00.gh.issue-142174.rst} (100%) 
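Review bot: The added `if (tstate && tstate->interp)` guard in the `#else` branch of `reftotal_add` silently drops the increment when there is no thread state. That hides a caller bug and lets the reference total drift instead of failing where the problem is. The branch above it still reads `tstate_impl->reftotal` with no guard, and `tstate_impl` is presumably derived from the same `tstate`, so the two build configurations now disagree about whether NULL is allowed. I would keep the unconditional update and state the precondition with `assert(tstate != NULL);`, fixing whichever caller passes NULL. This change is unrelated to the ctypes conversion fix and would be easier to review as its own commit; the function begins outside the hunk.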
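Review bot: Adding `RTLD_GLOBAL` to the `dlopen` call in `load_dyld_shared_cache_contains_path` is not explained by the commit message. The only use visible here is `dlsym(libsystem_b_handle, ...)` with the explicit handle, which does not need global symbol visibility. `RTLD_GLOBAL` makes the library's symbols available for resolving later-loaded images, which is a wider effect than this lookup requires, and the call runs from a constructor at load time. Unless there is a concrete failure this fixes, I would keep `RTLD_LAZY` alone; if there is one, document it above the call with a comment such as `/* RTLD_GLOBAL needed because <reason> */`. The function's closing brace is outside the hunk.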
diff --git a/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.rst b/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh.issue-142174.rst similarity index 100% rename from Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.rst rename to Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh.issue-142174.rst From ef2bdd17a3d00c5d40b60c8b69ca22475dd257b9 Mon Sep 17 00:00:00 2001 From: Arpit Sarang Date: Tue, 2 Dec 2025 13:26:03 +0530 Subject: [PATCH 6/8] Misc/NEWS.d: rename news fragment to match blurb requirements (gh-issue-142174) --- ...4.rst => 2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Misc/NEWS.d/next/Tests/{2025-12-02-12-15-00.gh.issue-142174.rst => 2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst} (100%) diff --git a/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh.issue-142174.rst b/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst similarity index 100% rename from Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh.issue-142174.rst rename to Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst From 2166010551a5669a5599509322194c6436dc970d Mon Sep 17 00:00:00 2001 From: Arpit Sarang Date: Tue, 2 Dec 2025 17:43:12 +0530 Subject: [PATCH 7/8] fix Docs --- .../Tests/2025-12-02-06-38-27.gh-issue-142174.jRSTqe.rst | 5 ----- .../2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/Misc/NEWS.d/next/Tests/2025-12-02-06-38-27.gh-issue-142174.jRSTqe.rst b/Misc/NEWS.d/next/Tests/2025-12-02-06-38-27.gh-issue-142174.jRSTqe.rst index 2a33c9a622cfce..e69de29bb2d1d6 100644 --- a/Misc/NEWS.d/next/Tests/2025-12-02-06-38-27.gh-issue-142174.jRSTqe.rst +++ b/Misc/NEWS.d/next/Tests/2025-12-02-06-38-27.gh-issue-142174.jRSTqe.rst 
@@ -1,5 +0,0 @@ -Analysis confirms that -ctypes - does not support returning tuples from -as_parameter - for default conversions. Attempting to do so raises a TypeError (wrapped in an ArgumentError), meaning the described security risk does not exist in the current codebase. diff --git a/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst b/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst index af59895c474569..c2fdb55be62124 100644 --- a/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst +++ b/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst @@ -1 +1 @@ -Analysis confirms that :mod:`ctypes` does not support returning tuples from ``_as_parameter_`` for default conversions. Attempting to do so raises a :exc:`TypeError` (wrapped in an :exc:`ArgumentError`), meaning the described security risk does not exist in the current codebase. +Analysis confirms that :mod:`ctypes` does not support returning tuples from ``_as_parameter_`` for default conversions. Attempting to do so raises a :exc:`TypeError` (wrapped in an ``ArgumentError``), meaning the described security risk does not exist in the current codebase. From 7d801d582044c65ec5a18e7eb7bb4a02bc38c490 Mon Sep 17 00:00:00 2001 From: Arpit Sarang Date: Tue, 2 Dec 2025 17:51:51 +0530 Subject: [PATCH 8/8] Fix NEWS fragment: fully qualify ctypes.ArgumentError for Sphinx --- .../Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst b/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst index c2fdb55be62124..02386764e586ab 100644 --- a/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst +++ b/Misc/NEWS.d/next/Tests/2025-12-02-12-15-00.gh-issue-142174.codemaverick.rst 
@@ -1 +1,2 @@ -Analysis confirms that :mod:`ctypes` does not support returning tuples from ``_as_parameter_`` for default conversions. Attempting to do so raises a :exc:`TypeError` (wrapped in an ``ArgumentError``), meaning the described security risk does not exist in the current codebase. + +Analysis confirms that :mod:`ctypes` does not support returning tuples from ``_as_parameter_`` for default conversions. Attempting to do so raises a :exc:`TypeError` (wrapped in a ``ctypes.ArgumentError``), meaning the described security risk does not exist in the current codebase.