@picnixz (Member) commented Dec 27, 2025

@picnixz picnixz force-pushed the fix/bytearray/uaf-in-hex-143195 branch from 64e6922 to 0488d21 December 27, 2025 09:25
@picnixz picnixz requested a review from vstinner December 27, 2025 09:25
@vstinner (Member) left a comment

LGTM

@picnixz (Member, Author) commented Dec 27, 2025

Mmh. The memoryview is not entirely fixed. Looks like there is still a UAF but this one doesn't crash with the default build (bytearray crashed without ASAN build but memoryview requires ASAN). I'll fix this as well (I'll need to configure my build with ASAN, which I previously didn't).

@picnixz picnixz force-pushed the fix/bytearray/uaf-in-hex-143195 branch from a7f98fb to 0b1553f December 27, 2025 10:31
@picnixz picnixz requested a review from vstinner December 27, 2025 10:32
@picnixz picnixz added the "needs backport to 3.13" (bugs and security fixes) and "needs backport to 3.14" (bugs and security fixes) labels Dec 27, 2025
@picnixz picnixz merged commit 9976c2b into python:main Dec 27, 2025
50 checks passed
@miss-islington-app

Thanks @picnixz for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

@picnixz picnixz deleted the fix/bytearray/uaf-in-hex-143195 branch December 27, 2025 12:32
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Dec 27, 2025
…entrant `sep.__len__` (pythonGH-143209)

(cherry picked from commit 9976c2b6349a079ae39931d960b8c147e21c6c3f)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@miss-islington-app

Sorry, @picnixz, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 9976c2b6349a079ae39931d960b8c147e21c6c3f 3.13

@bedevere-app bot commented Dec 27, 2025

GH-143219 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app bot removed the "needs backport to 3.14" (bugs and security fixes) label Dec 27, 2025
picnixz added a commit to picnixz/cpython that referenced this pull request Dec 27, 2025
…via re-entrant `sep.__len__` (pythonGH-143209)

(cherry picked from commit 9976c2b)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@bedevere-app bot commented Dec 27, 2025

GH-143220 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the "needs backport to 3.13" (bugs and security fixes) label Dec 27, 2025
picnixz added a commit that referenced this pull request Dec 27, 2025
…-entrant `sep.__len__` (GH-143209) (#143220)

(cherry picked from commit 9976c2b)
picnixz added a commit that referenced this pull request Dec 27, 2025
…-entrant `sep.__len__` (GH-143209) (#143219)

gh-143195: fix UAF in `{bytearray,memoryview}.hex(sep)` via re-entrant `sep.__len__` (GH-143209)
(cherry picked from commit 9976c2b)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>