Closed
Description
Crash report
What happened?
A UAF in `Element.remove` was fixed in #68279 but one can mutate the child's list during `.remove` and cause an OOB crash:

```python
import xml.etree.ElementTree as ET

class EvilElement(ET.Element):
    def __eq__(self, other):
        base.clear()
        return False

base = ET.Element('a')
base.append(EvilElement('a'))
base.append(EvilElement('a'))
base.remove(ET.Element('b'))
```
Attacked code:
cpython/Modules/_elementtree.c
Lines 1648 to 1656 in dc76a4a

```c
for (i = 0; i < self->extra->length; i++) {
    if (self->extra->children[i] == subelement)
        break;
    rc = PyObject_RichCompareBool(self->extra->children[i], subelement, Py_EQ);
    if (rc > 0)
        break;
    if (rc < 0)
        return NULL;
}
```
I think we need to introduce some state integer to check that there is no evil mutation (similar to what's being done for `OrderedDict`).
CPython versions tested on:
CPython main branch
Operating systems tested on:
No response
Output from running 'python -VV' on the command line:
No response
Linked PRs
- gh-126033: Fix crash in _elementtree.c where evil tags/elements occurs #126079
- gh-126033: fix a crash in `xml.etree.ElementTree.Element.remove` when concurrent mutations happen #126124
- [3.13] gh-126033: fix UAF in `xml.etree.ElementTree.Element.remove` when concurrent mutations happen (GH-126124) #131929
- [3.12] gh-126033: fix UAF in `xml.etree.ElementTree.Element.remove` when concurrent mutations happen (GH-126124) #131930
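The state-integer idea from the description, sketched on a toy child list as an added example (this is not CPython's code and not the fix from the linked PRs). All names (`kids_t`, `guarded_remove`, `evil_eq`, `run_case`) are hypothetical, and `evil_eq` is a constructed stand-in for a comparison hook that clears its owner.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a child list; all names here are hypothetical, not CPython's. */
typedef struct kids { int *items; size_t length; unsigned long state; } kids_t;
typedef int (*eq_fn)(kids_t *owner, int child, int needle); /* 1 equal, 0 not */
enum { REMOVED = 0, NOT_FOUND = -1, MUTATED = -2 };

static void kids_append(kids_t *k, int v) {
    int *p = realloc(k->items, (k->length + 1) * sizeof *p);
    if (!p) abort();
    k->items = p;
    k->items[k->length++] = v;
    k->state++;                       /* every structural change bumps state */
}
static void kids_clear(kids_t *k) {
    free(k->items);
    k->items = NULL; k->length = 0; k->state++;
}
/* remove() with a mutation guard around the user-controlled comparison */
static int guarded_remove(kids_t *k, int needle, eq_fn eq) {
    for (size_t i = 0; i < k->length; i++) {
        unsigned long seen = k->state;
        int child = k->items[i];      /* copy out before running foreign code */
        int rc = eq(k, child, needle);
        if (k->state != seen)         /* items/length are stale: stop now */
            return MUTATED;
        if (rc > 0) {                 /* index i is still valid here */
            memmove(&k->items[i], &k->items[i + 1],
                    (k->length - i - 1) * sizeof *k->items);
            k->length--; k->state++;
            return REMOVED;
        }
    }
    return NOT_FOUND;
}
static int plain_eq(kids_t *k, int c, int n) { (void)k; return c == n; }
/* Constructed stand-in for an evil __eq__: clears the owner, then claims a match. */
static int evil_eq(kids_t *k, int c, int n) { (void)c; (void)n; kids_clear(k); return 1; }

static int run_case(eq_fn eq, int needle) {   /* builds [10, 20, 30], then removes */
    kids_t k = {0};
    kids_append(&k, 10); kids_append(&k, 20); kids_append(&k, 30);
    int rc = guarded_remove(&k, needle, eq);
    if (rc == REMOVED && (k.length != 2 || k.items[0] != 10)) rc = -99;
    kids_clear(&k);
    return rc;
}
int main(void) {
    printf("plain: %d, evil: %d\n", run_case(plain_eq, 20), run_case(evil_eq, 20));
    return 0;
}
```

The guard is checked before the comparison result is used, so a callback that both mutates the list and reports a match cannot cause the removal step to run on a stale index.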