Skip to content

[3.11] gh-120384: gh-120298: Fix array-out-of-bounds & use after free list #121345

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 31, 2025
Merged

[3.11] gh-120384: gh-120298: Fix array-out-of-bounds & use after free list #121345

merged 4 commits into from
Oct 31, 2025

Conversation

@gpshead
Copy link
Member

@gpshead gpshead commented Jul 3, 2024
edited
Loading

gh-120384: Fix array-out-of-bounds crash in list_ass_subscript (GH-120442) (cherry picked from commit 8334a1b in the 3.12 branch)

gh-120298: Fix use after free in list_richcompare.

@miss-islington @sobolevn @gpshead
pythongh-120384: Fix array-out-of-bounds crash in list_ass_subscript (
6d1ab20 
pythonGH-120442) (python#120825)

pythongh-120384: Fix array-out-of-bounds crash in `list_ass_subscript` (pythonGH-120442)
(cherry picked from commit 8334a1b)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
@bedevere-app bedevere-app bot mentioned this pull request Jul 3, 2024
Closed
@gpshead gpshead changed the title [3.11] gh-120384: Fix array-out-of-bounds crash in list_ass_subscript [3.11] gh-120384: gh-120298: Fix array-out-of-bounds & use after free list Jul 3, 2024
@gpshead
Copy link
Member Author

gpshead commented Jul 3, 2024

For consideration as a security related backport. To trigger these, people already need the ability to run arbitrary Python code. So we don't consider this a vulnerability given the existing capabilities. But it could make the life of some projects built on top of Python a little better.

Such projects are already on undefined behavior grounds if they consider anything executing Python bytecode to not be able to escape that to begin with. Because CPython does not guarantee any such thing.

@gpshead gpshead mentioned this pull request Jul 3, 2024
Merged
pablogsal
pablogsal reviewed Jul 8, 2024
View reviewed changes
Copy link
Member

@pablogsal pablogsal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just commenting that I am happy to get this fix backported once it's reviewed and tested

@gpshead gpshead marked this pull request as ready for review August 17, 2025 18:28
@gpshead gpshead added needs backport to 3.9 needs backport to 3.10 only security fixes 🔨 test-with-buildbots Test PR w/ buildbots; report in status section labels Aug 17, 2025
@bedevere-bot
Copy link

bedevere-bot commented Aug 17, 2025

🤖 New build scheduled with the buildbot fleet by @gpshead for commit de70708 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F121345%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Aug 17, 2025
@ambv ambv merged commit 0cd888b into python:3.11 Oct 31, 2025
22 checks passed
@miss-islington-app
Copy link

miss-islington-app bot commented Oct 31, 2025

Thanks @gpshead for the PR, and @ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 31, 2025
@gpshead @sobolevn
@ambv @miss-islington
[3.11] pythongh-120384: pythongh-120298: Fix array-out-of-bounds & us…
77672ef 
…e after free `list` (pythonGH-121345)

(cherry picked from commit 8334a1b)
(cherry picked from commit 0cd888b)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 31, 2025
@gpshead @sobolevn
@ambv @miss-islington
[3.11] pythongh-120384: pythongh-120298: Fix array-out-of-bounds & us…
6de7a52 
…e after free `list` (pythonGH-121345)

(cherry picked from commit 8334a1b)
(cherry picked from commit 0cd888b)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
@bedevere-app
Copy link

bedevere-app bot commented Oct 31, 2025

GH-140833 is a backport of this pull request to the 3.10 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.10 only security fixes label Oct 31, 2025
@bedevere-app
Copy link

bedevere-app bot commented Oct 31, 2025

GH-140834 is a backport of this pull request to the 3.9 branch.

ambv added a commit that referenced this pull request Oct 31, 2025
@miss-islington @gpshead
@sobolevn @ambv
[3.10] gh-120384: gh-120298: Fix array-out-of-bounds & use after free…
3eea546 
… `list` (GH-121345) (GH-140833)

(cherry picked from commit 8334a1b)
(cherry picked from commit 0cd888b)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
ambv added a commit that referenced this pull request Oct 31, 2025
@miss-islington @gpshead
@sobolevn @ambv
[3.9] gh-120384: gh-120298: Fix array-out-of-bounds & use after free …
42762bb 
…`list` (GH-121345) (GH-140834)

(cherry picked from commit 8334a1b)
(cherry picked from commit 0cd888b)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pablogsal pablogsal pablogsal left review comments

Assignees

@pablogsal pablogsal

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@gpshead @bedevere-bot @pablogsal @ambv @miss-islington