Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork32k
Closed
Description
Bug report
Bug description:
If you try to import something with a level >= 1 and it somehow fails to put it into sys.modules after importing, you'll get a nice error message letting you know.
Lines 3857 to 3863 ind94b1e9
| Py_DECREF(to_return); | |
| if (final_mod==NULL) { | |
| if (!_PyErr_Occurred(tstate)) { | |
| _PyErr_Format(tstate,PyExc_KeyError, | |
| "%R not in sys.modules as expected", | |
| to_return); | |
| } |
However, this error message usesto_return which was freed a couple of lines before. Because it's used just after being freed, you can't do anything too malicious with it, but you can crash python by allocating a large enough string and having it be unmapped after being freed so that it's invalid memory when it's accessed.
(No crash but triggers ASAN with use-after-free)
importsyssys.modules= {f"a.b.c": {}}__import__(f"b.c", {"__package__":"a"},level=1)
(Crash)
importsysloooong="".ljust(0x100000,"b")sys.modules= {f"a.{loooong}.c": {}}__import__(f"{loooong}.c", {"__package__":"a"},level=1)
Fix is to have the decref after it makes the error message.
CPython versions tested on:
3.12, 3.13, 3.14
Operating systems tested on:
Windows, Linux