Skip to content

[3.11] gh-120384: gh-120298: Fix array-out-of-bounds & use after free list #121345

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: 3.11
Choose a base branch
from
Draft

[3.11] gh-120384: gh-120298: Fix array-out-of-bounds & use after free list #121345

wants to merge 2 commits into from
+79 −13

Conversation

gpshead
Copy link
Member

@gpshead gpshead commented Jul 3, 2024
edited
Loading

gh-120384: Fix array-out-of-bounds crash in list_ass_subscript (GH-120442) (cherry picked from commit 8334a1b in the 3.12 branch)

gh-120298: Fix use after free in list_richcompare.

@miss-islington @sobolevn @gpshead
pythongh-120384: Fix array-out-of-bounds crash in list_ass_subscript (
6d1ab20 
pythonGH-120442) (python#120825)

pythongh-120384: Fix array-out-of-bounds crash in `list_ass_subscript` (pythonGH-120442)
(cherry picked from commit 8334a1b)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
@bedevere-app bedevere-app bot mentioned this pull request Jul 3, 2024
Closed
@gpshead gpshead changed the title [3.11] gh-120384: Fix array-out-of-bounds crash in list_ass_subscript [3.11] gh-120384: gh-120298: Fix array-out-of-bounds & use after free list Jul 3, 2024
@gpshead
Copy link
Member Author

gpshead commented Jul 3, 2024

For consideration as a security related backport. To trigger these, people already need the ability to run arbitrary Python code. So we don't consider this a vulnerability given the existing capabilities. But it could make the life of some projects built on top of Python a little better.

Such projects are already on undefined behavior grounds if they consider anything executing Python bytecode to not be able to escape that to begin with. Because CPython does not guarantee any such thing.

@gpshead gpshead mentioned this pull request Jul 3, 2024
Merged
pablogsal
pablogsal reviewed Jul 8, 2024
View reviewed changes
Copy link
Member

@pablogsal pablogsal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just commenting that I am happy to get this fix backported once it's reviewed and tested

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pablogsal pablogsal pablogsal left review comments

Assignees

@pablogsal pablogsal

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gpshead @pablogsal @miss-islington