Skip to content

gh-142734: fix UAF in OrderedDict.copy with concurrent mutations by __getitem__ #143059

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
fatelei wants to merge 7 commits into
base: main
Choose a base branch
from
Open

gh-142734: fix UAF in OrderedDict.copy with concurrent mutations by __getitem__ #143059

fatelei wants to merge 7 commits into from
+96 −7

Conversation

@fatelei
Copy link
Contributor

@fatelei fatelei commented Dec 22, 2025
edited by bedevere-app bot
Loading

fix OrderedDict copy heap-use-after-free security issue

@bedevere-app bedevere-app bot mentioned this pull request Dec 22, 2025
Open
@picnixz picnixz changed the title gh-142734: fix OrderedDict copy heap-use-after-free security issue gh-142734: fix UAF in OrderedDict.copy with concurrent mutations by __getitem__ Dec 27, 2025
picnixz
picnixz requested changes Dec 27, 2025
View reviewed changes
Copy link
Member

@picnixz picnixz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This implementation is not efficient. I think it's better that we just bail during the copy (that is, raise) if we detect a state change (if possible). We had a similar patch in __eq__.

@bedevere-app
Copy link

bedevere-app bot commented Dec 27, 2025

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@fatelei
Copy link
Contributor Author

fatelei commented Dec 28, 2025

This implementation is not efficient. I think it's better that we just bail during the copy (that is, raise) if we detect a state change (if possible). We had a similar patch in __eq__.

update

        PyODictObject *self = _PyODictObject_CAST(od);
        size_t state = self->od_state;
        _ODictNode *cur = _odict_FIRST(od);

        while (cur != NULL) {
            if (self->od_state != state) {
                PyErr_SetString(PyExc_RuntimeError,
                                "OrderedDict mutated during iteration");
                goto fail;
            }
            PyObject *key = Py_NewRef(_odictnode_KEY(cur));
            PyObject *value = PyObject_GetItem((PyObject *)od, key);
            if (value == NULL) {
                Py_DECREF(key);
                goto fail;
            }
            if (self->od_state != state) {
                Py_DECREF(key);
                Py_DECREF(value);
                PyErr_SetString(PyExc_RuntimeError,
                                "OrderedDict mutated during iteration");
                goto fail;
            }
            if (PyObject_SetItem((PyObject *)od_copy, key, value) != 0) {
                Py_DECREF(key);
                Py_DECREF(value);
                goto fail;
            }
            Py_DECREF(key);
            Py_DECREF(value);

            cur = _odictnode_NEXT(cur);
        }

picnixz
picnixz reviewed Dec 28, 2025
View reviewed changes
Copy link
Member

@picnixz picnixz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add tests when the dictionary is shrinked or grows during the iteration (not just cleared)

@fatelei
Copy link
Contributor Author

fatelei commented Dec 28, 2025

Please add tests when the dictionary is shrinked or grows during the iteration (not just cleared)

test update

picnixz
picnixz reviewed Dec 28, 2025
View reviewed changes
picnixz
picnixz reviewed Dec 29, 2025
View reviewed changes
picnixz
picnixz reviewed Dec 29, 2025
View reviewed changes
Objects/odictobject.c
Comment on lines +1275 to +1281
if (value == NULL) {
Py_DECREF(key);
if (self->od_state != state) {
goto invalid_state;
}
goto fail;
res = PyObject_SetItem((PyObject *)od_copy,
_odictnode_KEY(node), value);
}
Copy link
Member

@picnixz picnixz Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't do that. If value is NULL it's because PyObject_GetItem failed. I would prefer propagating that specific exception instead. Only if value was correctly retrieved but the state changed should you raise the RuntimeError.

However, as I don't remember exactly, check whether this is consistent with __eq__ as well. What I expect is:

value = call getitem(...)
if (value == NULL) { ... }
if (self->od_state != state) { ...}
rc = call setitem(...)
if (rc < 0) { ... }
if (self->od_state != state) { ...}

picnixz
picnixz reviewed Dec 29, 2025
View reviewed changes
Lib/test/test_ordered_dict.py
def test_copy_concurrent_mutation_in__setitem__(self):
od = None
class MyOD(self.OrderedDict):
_instance_count = 0
Copy link
Member

@picnixz picnixz Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no need to have a private attribute, it's a test.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@picnixz picnixz picnixz requested changes

Assignees

No one assigned

Labels

awaiting changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fatelei @picnixz