gh-143309: fix UAF in os.execve when the environment is concurrently mutated

picnixz · picnixz · commit 243b880d12a8 · 2025-12-31T20:48:25.000+01:00
diff --git a/Lib/test/test_os/test_os.py b/Lib/test/test_os/test_os.py
@@ -2624,6 +2624,34 @@ def test_execve_invalid_env(self):
         with self.assertRaises(ValueError):
             os.execve(args[0], args, newenv)
 
+    def test_execve_env_concurrent_mutation_with_fspath(self):
+        # Prevent crash when mutating environment during parsing.
+        # Regression test for https://github.com/python/cpython/issues/143309.
+
+        code = """
+        import os, sys
+
+        class MyPath:
+            def __fspath__(self):
+                mutated.clear()
+                return b"pwn"
+
+        mutated = KEYS = VALUES = [MyPath()]
+
+        class MyEnv:
+            def __len__(self): return 1
+            def __getitem__(self): return 1
+            def keys(self): return KEYS
+            def values(self): return VALUES
+
+        args = [sys.executable, '-c', 'print("hello from execve")']
+        os.execve(args[0], args, MyEnv())
+        """
+
+        rc, out, _ = assert_python_ok('-c', code)
+        self.assertEqual(rc, 0)
+        self.assertIn(b"hello from execve", out)
+
     @unittest.skipUnless(sys.platform == "win32", "Win32-specific test")
     def test_execve_with_empty_path(self):
         # bpo-32890: Check GetLastError() misuse
diff --git a/Misc/NEWS.d/next/Library/2025-12-31-20-43-02.gh-issue-143309.cdFxdH.rst b/Misc/NEWS.d/next/Library/2025-12-31-20-43-02.gh-issue-143309.cdFxdH.rst
@@ -0,0 +1,2 @@
+Fix a crash in :func:`os.execve` when given a custom environment mapping
+which is then mutated during parsing. Patch by Bénédikt Tran.
diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c
@@ -7291,8 +7291,8 @@ static EXECV_CHAR**
 parse_envlist(PyObject* env, Py_ssize_t *envc_ptr)
 {
     Py_ssize_t i, pos, envc;
-    PyObject *keys=NULL, *vals=NULL;
-    PyObject *key2, *val2, *keyval;
+    PyObject *keys = NULL, *vals = NULL;
+    PyObject *key, *val, *key2, *val2, *keyval;
     EXECV_CHAR **envlist;
 
     i = PyMapping_Size(env);
@@ -7317,19 +7317,28 @@ parse_envlist(PyObject* env, Py_ssize_t *envc_ptr)
     }
 
     for (pos = 0; pos < i; pos++) {
-        PyObject *key = PyList_GetItem(keys, pos);  // Borrowed ref.
+        // The 'key' and 'val' must be strong references because
+        // of possible side-effects by PyUnicode_FSConverter().
+        key = PyList_GetItemRef(keys, pos);
         if (key == NULL) {
             goto error;
         }
-        PyObject *val = PyList_GetItem(vals, pos);  // Borrowed ref.
+        val = PyList_GetItemRef(vals, pos);
         if (val == NULL) {
+            Py_DECREF(key);
             goto error;
         }
 
+
 #if defined(HAVE_WEXECV) || defined(HAVE_WSPAWNV)
-        if (!PyUnicode_FSDecoder(key, &key2))
+        if (!PyUnicode_FSDecoder(key, &key2)) {
+            Py_DECREF(key);
+            Py_DECREF(val);
             goto error;
+        }
         if (!PyUnicode_FSDecoder(val, &val2)) {
+            Py_DECREF(key);
+            Py_DECREF(val);
             Py_DECREF(key2);
             goto error;
         }
@@ -7339,29 +7348,40 @@ parse_envlist(PyObject* env, Py_ssize_t *envc_ptr)
             PyUnicode_FindChar(key2, '=', 1, PyUnicode_GET_LENGTH(key2), 1) != -1)
         {
             PyErr_SetString(PyExc_ValueError, "illegal environment variable name");
+            Py_DECREF(key);
+            Py_DECREF(val);
             Py_DECREF(key2);
             Py_DECREF(val2);
             goto error;
         }
         keyval = PyUnicode_FromFormat("%U=%U", key2, val2);
 #else
-        if (!PyUnicode_FSConverter(key, &key2))
+        if (!PyUnicode_FSConverter(key, &key2)) {
+            Py_DECREF(key);
+            Py_DECREF(val);
             goto error;
+        }
         if (!PyUnicode_FSConverter(val, &val2)) {
+            Py_DECREF(key);
+            Py_DECREF(val);
             Py_DECREF(key2);
             goto error;
         }
         if (PyBytes_GET_SIZE(key2) == 0 ||
             strchr(PyBytes_AS_STRING(key2) + 1, '=') != NULL)
         {
             PyErr_SetString(PyExc_ValueError, "illegal environment variable name");
+            Py_DECREF(key);
+            Py_DECREF(val);
             Py_DECREF(key2);
             Py_DECREF(val2);
             goto error;
         }
         keyval = PyBytes_FromFormat("%s=%s", PyBytes_AS_STRING(key2),
                                              PyBytes_AS_STRING(val2));
 #endif
+        Py_DECREF(key);
+        Py_DECREF(val);
         Py_DECREF(key2);
         Py_DECREF(val2);
         if (!keyval)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix a crash in :func:`os.execve` when given a custom environment mapping
	`2`	`+which is then mutated during parsing. Patch by Bénédikt Tran.`