gh-92888: Fix memoryview bad __index__ use after free
#92946
Conversation
Co-Authored-By: chilaxan <35645806+chilaxan@users.noreply.github.com>
Fidget-Spinner
added
type-crash
…r/cpython into fix_memoryview_auf
|
I have other approach, but your approach is more compatible, so it is safer to use it backports. I'll experiment with other approach in the developing branch only. You can use the following test as a base: def test_use_released_memory(self):
size = 128
def release():
m.release()
nonlocal ba
ba = bytearray(size)
class MyIndex:
def __index__(self):
release()
return 4
class MyFloat:
def __float__(self):
release()
return 4.25
class MyBool:
def __bool__(self):
release()
return True
ba = None
m = memoryview(bytearray(b'\xff'*size))
with self.assertRaises(ValueError):
m[MyIndex()]
ba = None
m = memoryview(bytearray(b'\xff'*size))
self.assertEqual(list(m[:MyIndex()]), [255] * 4)
ba = None
m = memoryview(bytearray(b'\xff'*size))
self.assertEqual(list(m[MyIndex():8]), [255] * 4)
ba = None
m = memoryview(bytearray(b'\xff'*size))
m[MyIndex()] = 42
self.assertEqual(ba[:8], b'\0'*8)
ba = None
m = memoryview(bytearray(b'\xff'*size))
m[:MyIndex()] = b'spam'
self.assertEqual(ba[:8], b'\0'*8)
ba = None
m = memoryview(bytearray(b'\xff'*size))
m[MyIndex():8] = b'spam'
self.assertEqual(ba[:8], b'\0'*8)
ba = None
m = memoryview(bytearray(b'\xff'*size))
m[0] = MyIndex()
self.assertEqual(ba[:8], b'\0'*8)
for fmt in 'bhilqnBHILQN':
ba = None
m = memoryview(bytearray(b'\xff'*size)).cast(fmt)
m[0] = MyIndex()
self.assertEqual(ba[:8], b'\0'*8)
for fmt in 'fd':
ba = None
m = memoryview(bytearray(b'\xff'*size)).cast(fmt)
m[0] = MyFloat()
self.assertEqual(ba[:8], b'\0'*8)
ba = None
m = memoryview(bytearray(b'\xff'*size)).cast('?')
m[0] = MyBool()
self.assertEqual(ba[:8], b'\0'*8) |
Misc/NEWS.d/next/Security/2022-05-19-08-53-07.gh-issue-92888.TLtR9W.rst
Outdated
Show resolved
Hide resolved
|
@serhiy-storchaka thanks taking the time to review and writing those really comprehensive tests. One part of your test fails on my branch: specifically |
|
Yes, it is expected that some lines raise exceptions with your changes. Just add |
Co-Authored-By: Serhiy Storchaka <3659035+serhiy-storchaka@users.noreply.github.com>
|
Great, thanks to your tests I found that my fix didn't cover slices. It now does. |
Co-Authored-By: Serhiy Storchaka <3659035+serhiy-storchaka@users.noreply.github.com>
|
I am sorry for being so pedantic. |
I didn't feel that you were. Those are errors I ought to have caught anyways. Thanks for the detailed review as always. |
I like your approach to fix memory_ass_sub(). Here is a first review.
Objects/memoryobject.c
Outdated
| { | ||
| CHECK_RELEASED_INT(self); /* See gh-92888 for why we need this here */ |
There was a problem hiding this comment.
Can you move the check after the equiv_structure() test?
There was a problem hiding this comment.
Would not access to Py_buffer of the released object cause reading after free?
| @@ -0,0 +1,2 @@ | |||
| Fix ``memoryview`` use after free when accessing the backing buffer in certain cases. | |||
There was a problem hiding this comment.
I propose to mention more explicitly that the protection is about released views:
If a memoryview is released while getting or setting an item, raise an exception.
For example, converting an object to an index can execute arbitrary Python
code which can indirectly release the memoryview.
There was a problem hiding this comment.
Not always an exception is raised.
The bug was in reading or wring the freed memory. Now it is prevented -- you either get an exception or free the memory after reading. @Fidget-Spinner's description is more correct.
I am going to address such inconsistency in a separate issue.
| def release(): | ||
| m.release() | ||
| nonlocal ba | ||
| ba = bytearray(size) |
There was a problem hiding this comment.
No, we need it for tests below that tests indexing into ba[].
There was a problem hiding this comment.
We allocate a bytearray of the same size as the bytearray just released in memoryview in hope that it will be allocated at the same memory. It helps to check that we do nor read/write a freed memory.
| return True | ||
|
|
||
| ba = None | ||
| m = memoryview(bytearray(b'\xff'*size)) |
There was a problem hiding this comment.
In my PR, I tried to make the code more generic to test more cases: https://github.com/python/cpython/pull/93127/files#diff-d41c6bb40a1e03fea5a20d15c4077413e0ddde65651147922b625b03a66a2f16R399:
tp = self.rw_type
b = self.rw_type(self._source)
view = self._view(b)
| ba = None | ||
| m = memoryview(bytearray(b'\xff'*size)) | ||
| with self.assertRaises(ValueError): | ||
| m[MyIndex()] |
There was a problem hiding this comment.
This test is very long. Can you try to factorize similar code and use loop with subTest(), and put pack operations in one test method and unpack in another test method?
There was a problem hiding this comment.
Then we will need to duplicate the definitions of internal classes.
The tested code is so different, that it is difficult to use a loop. And I think that the result will be more complicated.
Lib/test/test_memoryview.py
Outdated
| m = memoryview(bytearray(b'\xff'*size)) | ||
| with self.assertRaises(ValueError): | ||
| m[MyIndex()] | ||
|
|
||
| ba = None |
There was a problem hiding this comment.
It is necessary. The old bytearray should be deallocated before creating a new bytearray, so all bytearrays will be allocated at the same place.
Co-Authored-By: chilaxan 35645806+chilaxan@users.noreply.github.com
Fixes #92888