Calling many methods on _ssl._SSLSocket() segfaults

[devdanzin]

Crash report

What happened?

Calling many different methods on a _ssl._SSLSocket() instance causes a segfault, for example:

import _ssl
s = _ssl._SSLSocket()
s.shutdown()
# Segmentation fault

Other methods known to segfault are do_handshake, get_channel_binding, get_verified_chain (but not get_unverified_chain), getpeercert, read, verify_client_post_handshake, write. Backtrace looks like:

#0  0x00007ffff7b89129 in SSL_shutdown () from /lib/x86_64-linux-gnu/libssl.so.3
#1  0x00007ffff7c287bc in _ssl__SSLSocket_shutdown_impl (self=self@entry=0x20000572510) at ./Modules/_ssl.c:2710
#2  0x00007ffff7c28977 in _ssl__SSLSocket_shutdown (self=0x20000572510, _unused_ignored=<optimized out>)
    at ./Modules/clinic/_ssl.c.h:557
#3  0x0000555555694039 in method_vectorcall_NOARGS (func=<method_descriptor at remote 0x20000779380>, args=0x7fffffffd298,
    nargsf=<optimized out>, kwnames=<optimized out>) at Objects/descrobject.c:447
#4  0x000055555567ccec in _PyObject_VectorcallTstate (tstate=0x555555d2c2a0 <_PyRuntime+359904>,
    callable=<method_descriptor at remote 0x20000779380>, args=0x7fffffffd298, nargsf=9223372036854775809, kwnames=0x0)
    at ./Include/internal/pycore_call.h:167
#5  0x000055555567ce0b in PyObject_Vectorcall (callable=callable@entry=<method_descriptor at remote 0x20000779380>,
    args=args@entry=0x7fffffffd298, nargsf=<optimized out>, kwnames=kwnames@entry=0x0) at Objects/call.c:327
#6  0x0000555555841c09 in _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555d2c2a0 <_PyRuntime+359904>, frame=<optimized out>,
    throwflag=throwflag@entry=0) at Python/generated_cases.c.h:955
#7  0x000055555586fb1f in _PyEval_EvalFrame (throwflag=0, frame=<optimized out>, tstate=0x555555d2c2a0 <_PyRuntime+359904>)
    at ./Include/internal/pycore_ceval.h:116
#8  _PyEval_Vector (tstate=tstate@entry=0x555555d2c2a0 <_PyRuntime+359904>, func=func@entry=0x20000ad32d0,
    locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <type at remote 0x20000276e10>, '__spec__': None, '__builtins__': <module at remote 0x2000025c640>, '_ssl': <module at remote 0x20000778d60>, 's': <_ssl._SSLSocket at remote 0x20000572510>}, args=args@entry=0x0, argcount=argcount@entry=0, kwnames=kwnames@entry=0x0) at Python/ceval.c:1886
#9  0x000055555586fd6c in PyEval_EvalCode (co=co@entry=<code at remote 0x2000033f190>,
    globals=globals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <type at remote 0x20000276e10>, '__spec__': None, '__builtins__': <module at remote 0x2000025c640>, '_ssl': <module at remote 0x20000778d60>, 's': <_ssl._SSLSocket at remote 0x20000572510>},
    locals=locals@entry={'__name__': '__main__', '__doc__': None, '__package__': None, '__loader__': <type at remote 0x20000276e10>, '__spec__': None, '__builtins__': <module at remote 0x2000025c640>, '_ssl': <module at remote 0x20000778d60>, 's': <_ssl._SSLSocket at remote 0x20000572510>}) at Python/ceval.c:662

Found using fusil by @vstinner.

CPython versions tested on:

3.10, 3.11, 3.12, 3.13, 3.14, CPython main branch

Operating systems tested on:

Linux, Windows

Output from running 'python -VV' on the command line:

Python 3.14.0a1+ experimental free-threading build (heads/main-dirty:bfc1d2504c, Nov 4 2024, 07:55:58) [GCC 11.4.0]

Linked PRs

• gh-126455: Disallow _ssl.SSLSocket instantiation #126481
• [3.13] gh-126455: Disallow _ssl.SSLSocket instantiation (GH-126481) #126486
• [3.12] gh-126455: Disallow _ssl.SSLSocket instantiation (GH-126481) #126487

[ZeroIntensity]

I can probably deal with this considering my previous work with _ssl, unless someone else really wants to.

[devdanzin]

Seems not to be related to free-threading, given being present in many previous versions.

[rruuaanng]

I can probably deal with this considering my previous work with _ssl, unless someone else really wants to.

If you don't mind, can you give it to me :)

[vstinner]

The problem is that it's possible to create an invalid SSLSocket:

$ ./python -c 'import _ssl; _ssl._SSLSocket().context'
Erreur de segmentation (core dumped)

In the Python implementation, there is:

class SSLSocket(socket):
    def __init__(self, *args, **kwargs):
        raise TypeError(
            f"{self.__class__.__name__} does not have a public "
            f"constructor. Instances are returned by "
            f"SSLContext.wrap_socket()."
        )

Maybe the _ssl extension module needs a similar constructor.

[erlend-aasland]

If you don't mind, can you give it to me :)

@rruuaanng: No, please do not. I suggest you instead focus on the many PRs you already have opened. Only when you're down to a handful of open PR, consider again to open a new PR.

[vstinner]

I wrote #126481 to fix the issue.

[vstinner]

Fixed. Thanks for the bug report.

[ZeroIntensity]

Thanks for working on this!