gh-142664: fix UAF in memoryview.__hash__ via re-entrant data's __hash__

picnixz · picnixz · commit a912fc5f3b2a · 2025-12-27T13:18:17.000+01:00
diff --git a/Lib/test/test_memoryview.py b/Lib/test/test_memoryview.py
@@ -4,6 +4,7 @@
    are in test_buffer.
 """
 
+import array
 import unittest
 import test.support
 import sys
@@ -387,6 +388,20 @@ def test_hash_writable(self):
         m = self._view(b)
         self.assertRaises(ValueError, hash, m)
 
+    def test_hash_use_after_free(self):
+        # Prevent crash in memoryview(v).__hash__ with re-entrant v.__hash__.
+        # Regression test for https://github.com/python/cpython/issues/142664.
+        class E(array.array):
+            def __hash__(self):
+                mv.release()
+                self.clear()
+                return 123
+
+        v = E('B', b'A' * 4096)
+        mv = memoryview(v).toreadonly()   # must be read-only for hash()
+        self.assertRaises(BufferError, hash, mv)
+        self.assertRaises(BufferError, mv.__hash__)
+
     def test_weakref(self):
         # Check memoryviews are weakrefable
         for tp in self._types:
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-12-27-13-18-12.gh-issue-142664.peeEDV.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-12-27-13-18-12.gh-issue-142664.peeEDV.rst
@@ -0,0 +1,3 @@
+Fix a use-after-free crash in :meth:`memoryview.__hash__ <object.__hash__>`
+when the ``__hash__`` method of the referenced object mutates that object or
+the view. Patch by Bénédikt Tran.
diff --git a/Objects/memoryobject.c b/Objects/memoryobject.c
@@ -3225,9 +3225,16 @@ memory_hash(PyObject *_self)
                 "memoryview: hashing is restricted to formats 'B', 'b' or 'c'");
             return -1;
         }
-        if (view->obj != NULL && PyObject_Hash(view->obj) == -1) {
-            /* Keep the original error message */
-            return -1;
+        if (view->obj != NULL) {
+            // Prevent 'self' from being freed when computing the item's hash.
+            // See https://github.com/python/cpython/issues/142664.
+            self->exports++;
+            int rc = PyObject_Hash(view->obj);
+            self->exports--;
+            if (rc == -1) {
+                /* Keep the original error message */
+                return -1;
+            }
         }
 
         if (!MV_C_CONTIGUOUS(self->flags)) {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+Fix a use-after-free crash in :meth:`memoryview.__hash__ <object.__hash__>`
	`2`	+when the ``__hash__`` method of the referenced object mutates that object or
	`3`	`+the view. Patch by Bénédikt Tran.`