Skip to content

gh-142884: Fix UAF in array.array.tofile with concurrent mutations #142920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
fatelei wants to merge 106 commits into from
Closed

gh-142884: Fix UAF in array.array.tofile with concurrent mutations #142920

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
106 commits
Select commit Hold shift + click to select a range
561e706
gh-142884: Use-After-Free Vulnerability Fixed in CPython array.array.…
fatelei Dec 18, 2025
cbc0851
gh-138122: Improve bytecode panel (#142910)
ivonastojanovic Dec 18, 2025
fc80096
gh-137063: Document that ast node types replaced by Constant are no l…
SnoopJ Dec 18, 2025
71a7cb8
gh-134584: Remove redundant refcount from _BINARY_OP_ADD_UNICODE (gh-…
corona10 Dec 18, 2025
1c544ac
gh-124098: Fix incorrect inclusion of handler methods without protoco…
MonadChains Dec 18, 2025
ddfc155
gh-142784: make the asyncio REPL call `loop.close()` at exit (#142785)
johnslavik Dec 18, 2025
0f01530
Fix typo in `format_string` docstring (GH-136742)
mxr Dec 18, 2025
d2abd57
gh-76007: Deprecate `VERSION` in `xml.etree.ElementTree` & `version` …
hugovk Dec 18, 2025
14f0b51
gh-142419: Add mmap.set_name method for user custom annotation (gh-14…
corona10 Dec 18, 2025
e4058d7
GH-142513: Reimplement executor management (GH-142931)
markshannon Dec 18, 2025
4a8ecba
gh-142681: Move NormalizationTest-3.2.0.txt to more safe place. (GH-1…
serhiy-storchaka Dec 18, 2025
e22c495
gh-142890: remove unnecessary interp parameter from dict functions an…
kumaraditya303 Dec 18, 2025
f54d44d
gh-129068: Make range iterators thread-safe (gh-142886)
colesbury Dec 18, 2025
33d94ab
gh-134584: Eliminate redundant refcounting from _BINARY_OP_SUBSCR_LIS…
cocolato Dec 18, 2025
e79c391
gh-118342: [Enum] update docs (GH-137290)
ethanfurman Dec 18, 2025
1391ee6
GH-134584: Remove redundant refcount for `BINARY_OP_SUBSCR_STR_INT` (…
savannahostrowski Dec 18, 2025
220f0b1
gh-142560: prevent use-after-free in search-like methods by exporting…
fatelei Dec 19, 2025
610aabf
gh-142527: Docs: Clarify that random.seed() discards the sign of an i…
karpathy Dec 19, 2025
4aef138
gh-136282: Configparser: create unnamed sections via mapping protocol…
Rogdham Dec 19, 2025
685272e
JIT: Rename trampoline.c to shim.c (#142974)
diegorusso Dec 19, 2025
049c252
gh-134160: Start "Extending and embedding" with a Diataxis-style tuto…
encukou Dec 19, 2025
786f464
gh-142961: Fix constant folding len(tuple) in JIT (GH-142963)
Fidget-Spinner Dec 19, 2025
6a4f103
gh-142776: Ensure fp file descriptor is closed on all code paths in i…
stratakis Dec 19, 2025
6b4bc6e
gh-134584: JIT: Borrow references for immortal promoted globals (GH-1…
Fidget-Spinner Dec 19, 2025
e2a7db7
gh-142476: fix memory leak when creating JIT executors (GH-142492)
ashm-dev Dec 19, 2025
08bc03f
gh-120321: Make gi_frame_state transitions atomic in FT build (gh-142…
colesbury Dec 19, 2025
4ea3c1a
gh-120321: Fix TSan reported race in gen_clear_frame (gh-142995)
colesbury Dec 19, 2025
e46f28c
gh-129069: Fix listobject.c data races due to memmove (gh-142957)
colesbury Dec 19, 2025
5b52636
gh-142927: Tachyon: Start with user's default light/dark theme (#142987)
hugovk Dec 20, 2025
5989095
gh-143012: use `Py_ssize_t` cast for `PyBytes_FromStringAndSize` (#14…
AZero13 Dec 20, 2025
3cc5750
gh-142834: pdb commands command should use last available breakpoint…
cocolato Dec 20, 2025
7607712
gh-120321: Avoid `-Wunreachable-code` warning on Clang (gh-143022)
colesbury Dec 20, 2025
2b4feee
gh-122581: Use parser mutex in default build for subinterpreters (gh-…
colesbury Dec 20, 2025
8d2d7bb
gh-142145: relax the no-longer-quadratic test timing (#143030)
gpshead Dec 20, 2025
b8d3fdd
gh-70647: Better promote how to safely parse yearless dates in dateti…
gpshead Dec 21, 2025
09044dd
gh-80744: do not read .pdbrc twice when cwd == $home (#136816)
saucoide Dec 21, 2025
6213a51
gh-143046: Make asyncio REPL respect the `-q` flag (quiet mode) (#143…
johnslavik Dec 22, 2025
3960878
Remove unreachable code in mmapmodule error path on Windows (GH-143063)
hyongtao-code Dec 22, 2025
ff7f62e
gh-142927: Tachyon: Comma separate thousands and fix singular/plurals…
hugovk Dec 22, 2025
9ded3dd
gh-142476: Fix Windows crashing with JIT (GH-143021)
Fidget-Spinner Dec 22, 2025
e728b00
gh-143057: avoid locking in `tracemalloc` C-APIs when it is not enabl…
kumaraditya303 Dec 22, 2025
487e91c
gh-129069: fix more thread safety issues in `list` (#143019)
kumaraditya303 Dec 22, 2025
700e9fa
GH-142513: fix missing return in executor_clear (GH-143073)
chris-eibl Dec 22, 2025
a88d1b8
gh-143010: Prevent a TOCTOU issue by only calling open once (#143011)
AZero13 Dec 22, 2025
3c0888b
gh-89152: Note truth testing exception in `stdtypes.rst` (#137640)
StanFromIreland Dec 22, 2025
665d280
gh-139109: Add terminator to JIT code when halting due to invalid de…
Fidget-Spinner Dec 22, 2025
be3c131
GH-139922: Tail calling for MSVC (VS 2026) (GH-143068)
chris-eibl Dec 22, 2025
714037b
gh-139922: Add tail call for MSVC for whats new in 3.15 (GH-143087)
Fidget-Spinner Dec 22, 2025
9e51301
gh-138122: Allow tachyon to write and read binary output (#142730)
pablogsal Dec 22, 2025
5b5ee3c
gh-134584: Eliminate redundant refcounting from `_LOAD_ATTR_WITH_HINT…
cocolato Dec 23, 2025
a273bc9
gh-122431: Correct the non-negative error message in `readline.append…
cla7aye15I4nd Dec 23, 2025
f9704f1
gh-84232: Fix `pydoc` docs.python.org link generation (#139995)
StanFromIreland Dec 23, 2025
81c8eb8
gh-138122: Add blocking mode for accurate stack traces in Tachyon (#1…
pablogsal Dec 23, 2025
28da1fb
gh-142368: Fix transient error handling in inspection tests (#143093)
pablogsal Dec 23, 2025
c4ab024
gh-142448: Disable JIT tracing when monitoring is enabled (GH-142842)
Fidget-Spinner Dec 23, 2025
6536fab
gh-130796: Undeprecate locale.getdefaultlocale() (#143069)
vstinner Dec 23, 2025
f783cc3
Update pre-commit with zizmor and Ruff fixes (#143095)
hugovk Dec 23, 2025
c8b80f5
gh-134584: Add another contributor to whats new 3.15 (GH-143107)
Fidget-Spinner Dec 23, 2025
25c294b
gh-134584: Eliminate redundant refcounting from `_CALL_TYPE_1` (GH-13…
tomasr8 Dec 23, 2025
20aeb3a
GH-143026: Fix assertion error in executor management. (GH-143104)
markshannon Dec 23, 2025
450e836
JIT: don't leak shim memory when shutting down the interpreter (#142984)
diegorusso Dec 23, 2025
c2202a7
gh-109263: Start process from spawn context in multiprocessing no lon…
aisk Dec 23, 2025
cbe0cb7
gh-143100: Add temporary suppression for set_swap_bodies (gh-143114)
colesbury Dec 23, 2025
cc48bf0
gh-134584: Eliminate redundant refcounting from `_BINARY_OP_SUBSCR_TU…
cocolato Dec 23, 2025
50ecd6b
gh-143108: Don't instrument faulthandler.c for TSan (#143109)
colesbury Dec 24, 2025
fc2f0fe
JIT: Move executor to a register (#143072)
diegorusso Dec 24, 2025
9af7a20
gh-136186: Fix flaky tests in test_external_inspection (#143110)
pablogsal Dec 24, 2025
57937a8
gh-142145: Avoid timing measurements in quadratic behavior test (gh-1…
colesbury Dec 24, 2025
4ee6929
gh-143121: Skip test that leak threads under TSan (gh-143125)
colesbury Dec 24, 2025
e8e044e
gh-143100: Fix memcpy data race in setobject.c (gh-143127)
colesbury Dec 24, 2025
d4dc3dd
gh-138122: Replace --interval with --sampling-rate (#143085)
lkollar Dec 24, 2025
1e17ccd
Correctly fold unknown-8bit originating from encoded words. (#142517)
bitdancer Dec 24, 2025
7c44f37
gh-138122: Extend binary profiling format with full source location a…
pablogsal Dec 24, 2025
84b7e69
gh-140717: Add `exc_text` to LogRecord attributes table (GH-140718)
tjkuson Dec 24, 2025
3509fa5
gh-143135: Fix sys.flags.inspect when PYTHONINSPECT=0 (GH-143136)
StanFromIreland Dec 24, 2025
7342890
gh-142517: Fix typo in news item. (#143150)
bitdancer Dec 24, 2025
305aff0
Move News for gh-142560 to Core and Builtins (GH-143154)
cmaloney Dec 24, 2025
594a463
gh-120321: Fix TSan reported races on gi_frame_state (gh-143128)
colesbury Dec 24, 2025
cf6758f
gh-143092: Make CALL_LIST_APPEND and BINARY_OP_INPLACE_ADD_UNICODE no…
Fidget-Spinner Dec 24, 2025
86d9045
gh-143004: Fix possible use-after-free in collections.Counter.update(…
Kaushalt2004 Dec 25, 2025
8d46f96
gh-143103: Added pad parameter to base64.z85encode() (GH-143106)
haukex Dec 25, 2025
579c5b4
gh-143145: Fix possible reference leak in ctypes _build_result() (GH-…
hyongtao-code Dec 25, 2025
8611f74
gh-142975: During GC, mark frozen objects with a merged zero refcount…
ZeroIntensity Dec 25, 2025
b9a4806
gh-143164: Fix incorrect error message for ctypes bitfield overflow (…
hyongtao-code Dec 25, 2025
59ede34
gh-138122: Convert GIL/GC/exception stats from tiles to progress bars…
ivonastojanovic Dec 25, 2025
ea3fd78
gh-142927: Tachyon: Fix contrast ratio in top panel (#142936)
hugovk Dec 25, 2025
888d101
gh-138122: Remove default duration for statistical profiling (#143174)
lkollar Dec 25, 2025
de22e71
Remove redundant pycore_optimizer.h includes (#143184)
hyongtao-code Dec 26, 2025
d3d4cf9
gh-140739: Fix crashes from corrupted remote memory (#143190)
pablogsal Dec 26, 2025
b3f2d80
gh-134584: Eliminate redundant refcounting from `_COMPARE_OP_X` (GH-1…
cocolato Dec 26, 2025
a1c6308
gh-134584: Eliminate redundant refcounting from `IS_OP` (GH-143171)
cocolato Dec 26, 2025
9d92ac1
gh-143040: Exit taychon live mode gracefully and display profiled scr…
mgmacias95 Dec 27, 2025
5436289
gh-140739: Fix missing exception on allocation failure in BinaryWrite…
pablogsal Dec 27, 2025
5d1e78f
gh-143181: Fix 'overriden' -> 'overridden' in c-api/module.rst (#143182)
duane9 Dec 27, 2025
57d5699
Fix typos in docs (#143193)
syan212 Dec 27, 2025
1af21ea
gh-63016: Add flags parameter on mmap.flush (#139553)
aisk Dec 27, 2025
f5e11fa
no-issue: Fix override value in os.rst (gh-123522)
rffontenelle Dec 27, 2025
9976c2b
gh-143195: fix UAF in `{bytearray,memoryview}.hex(sep)` via re-entran…
picnixz Dec 27, 2025
7726119
gh-138122: fix AC warnings in `Modules/_remote_debugging/module.c` (#…
picnixz Dec 27, 2025
00e24b8
gh-142664: fix UAF in `memoryview.__hash__` via re-entrant data's `__…
picnixz Dec 27, 2025
3a728e5
gh-131591: Do not free page caches that weren't allocated (#143205)
pablogsal Dec 27, 2025
84fcdbd
gh-142664: fix `PyObject_Hash` invokation post GH-143217 (#143223)
picnixz Dec 27, 2025
61ee048
gh-142557: fix UAF in `bytearray.__mod__` when object is mutated whil…
picnixz Dec 27, 2025
dc4af2a
gh-142884: Use-After-Free Vulnerability Fixed in CPython array.array.…
fatelei Dec 18, 2025
806146f
chore: resolve review comment
fatelei Dec 28, 2025
be60e99
fix: fix conflict
fatelei Dec 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions Lib/test/test_array.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1367,6 +1367,21 @@ def test_frombytearray(self):
b = array.array(self.typecode, a)
self.assertEqual(a, b)

def test_tofile_use_after_free(self):
CHUNK = 64 * 1024
victim = array.array('B', b'\0' * (CHUNK * 2))

class Writer:
armed = True
def write(self, data):
if Writer.armed:
Writer.armed = False
victim.clear()
return 0

victim.tofile(Writer())


class IntegerNumberTest(NumberTest):
def test_type_error(self):
a = array.array(self.typecode)
Expand Down
1 change: 1 addition & 0 deletions Misc/NEWS.d/next/Library/2025-12-18-11-41-37.gh-issue-142884.kjgukd.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Use-After-Free Vulnerability Fixed in CPython array.array.tofile().
30 changes: 21 additions & 9 deletions Modules/arraymodule.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1587,35 +1587,47 @@ static PyObject *
array_array_tofile_impl(arrayobject *self, PyTypeObject *cls, PyObject *f)
/*[clinic end generated code: output=4560c628d9c18bc2 input=5a24da7a7b407b52]*/
{
Py_ssize_t nbytes = Py_SIZE(self) * self->ob_descr->itemsize;
/* Write 64K blocks at a time */
/* XXX Make the block size settable */
int BLOCKSIZE = 64*1024;
Py_ssize_t nblocks = (nbytes + BLOCKSIZE - 1) / BLOCKSIZE;
Py_ssize_t i;
Py_ssize_t offset = 0;

if (Py_SIZE(self) == 0)
goto done;


array_state *state = get_array_state_by_class(cls);
assert(state != NULL);

for (i = 0; i < nblocks; i++) {
char* ptr = self->ob_item + i*BLOCKSIZE;
while (1) {
if (self->ob_item == NULL || Py_SIZE(self) == 0) {
break;
}

Py_ssize_t current_nbytes = Py_SIZE(self) * self->ob_descr->itemsize;

if (offset >= current_nbytes) {
break;
}

Py_ssize_t size = BLOCKSIZE;
if (offset + size > current_nbytes) {
size = current_nbytes - offset;
}

char* ptr = self->ob_item + offset;
PyObject *bytes, *res;

if (i*BLOCKSIZE + size > nbytes)
size = nbytes - i*BLOCKSIZE;
bytes = PyBytes_FromStringAndSize(ptr, size);
if (bytes == NULL)
return NULL;

res = PyObject_CallMethodOneArg(f, state->str_write, bytes);
Py_DECREF(bytes);
if (res == NULL)
return NULL;
Py_DECREF(res); /* drop write result */
Py_DECREF(res);

offset += size;
}

done:
Expand Down
Loading