Commit4e9005d

authored

gh-134100: Fix use-after-free inPyImport_ImportModuleLevelObject (#134117)

1 parentfa4e088 commit4e9005dCopy full SHA for 4e9005d

File tree

+20

-1

lines changed

+20

-1

lines changed

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -223,6 +223,21 @@ def test_relative_import_no_package_exists_absolute(self):`
`223`	`223`	`self.__import__('sys', {'__package__':'','__spec__':None},`
`224`	`224`	`level=1)`
`225`	`225`
	`226`	`+deftest_malicious_relative_import(self):`
	`227`	`+# https://github.com/python/cpython/issues/134100`
	`228`	`+# Test to make sure UAF bug with error msg doesn't come back to life`
	`229`	`+importsys`
	`230`	`+loooong="".ljust(0x23000,"b")`
	`231`	`+name=f"a.{loooong}.c"`
	`232`	`+`
	`233`	`+withutil.uncache(name):`
	`234`	`+sys.modules[name]= {}`
	`235`	`+withself.assertRaisesRegex(`
	`236`	`+KeyError,`
	`237`	`+r"'a\.b+' not in sys\.modules as expected"`
	`238`	`+ ):`
	`239`	`+__import__(f"{loooong}.c", {"__package__":"a"},level=1)`
	`240`	`+`
`226`	`241`
`227`	`242`	`(Frozen_RelativeImports,`
`228`	`243`	`Source_RelativeImports`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Fix a use-after-free bug that occurs when an imported module isn't`
	`2`	+in:data:`sys.modules` after its initial import. Patch by Nico-Posada.

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -3854,15 +3854,17 @@ PyImport_ImportModuleLevelObject(PyObject name, PyObject globals,`
`3854`	`3854`	`}`
`3855`	`3855`
`3856`	`3856`	`final_mod=import_get_module(tstate,to_return);`
`3857`		`-Py_DECREF(to_return);`
`3858`	`3857`	`if (final_mod==NULL) {`
`3859`	`3858`	`if (!_PyErr_Occurred(tstate)) {`
`3860`	`3859`	`_PyErr_Format(tstate,PyExc_KeyError,`
`3861`	`3860`	`"%R not in sys.modules as expected",`
`3862`	`3861`	`to_return);`
`3863`	`3862`	`}`
	`3863`	`+Py_DECREF(to_return);`
`3864`	`3864`	`gotoerror;`
`3865`	`3865`	`}`
	`3866`	`+`
	`3867`	`+Py_DECREF(to_return);`
`3866`	`3868`	`}`
`3867`	`3869`	`}`
`3868`	`3870`	`else {`

Comments

(0)