Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

gh-126033: fix a crash inxml.etree.ElementTree.Element.remove when concurrent mutations happen#126124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
picnixz merged 31 commits intopython:mainfrompicnixz:fix/xml-evil-remove-126033
Mar 31, 2025

Conversation

@picnixz
Copy link
Member

@picnixzpicnixz commentedOct 29, 2024
edited
Loading

No need for versioning. Holding a strong reference on the child being compared is enough if we additionally check that the number of children is not changed after the comparison.

The test coverage could be refined but I don't think I need to overcomplicate it even more. I still think we can have a UAF because when one clears the list in__eq__ but I couldn't find a way to trigger it so I just increfed the item before calling__eq__. If anyone thinks it's not needed, please tell me why.

The patch forfind* may be more complicated, which is why I splitted the task into three (one for introducing the versioning so that we can work on those failures in parallel).

@picnixzpicnixzforce-pushed thefix/xml-evil-remove-126033 branch frombb4f6d2 to59ade8fCompareOctober 29, 2024 12:33
Copy link
Member

@serhiy-storchakaserhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Is adding version necessary? Would not keeping a strong reference to a child be enough? Look at thelist.remove() code.

@picnixz
Copy link
MemberAuthor

Would not keeping a strong reference to a child be enough? Look at the list.remove() code.

Oh yes. I'll try using this one as a basis.

@picnixz
Copy link
MemberAuthor

picnixz commentedDec 6, 2024
edited
Loading

Would not keeping a strong reference to a child be enough? Look at the list.remove() code.

Ah I know why I couldn't make it work! it's because the children is not a list itself, but just a huge memory area that was dynamically allocated usingPyMem_Malloc. What do you suggest I do?

@serhiy-storchaka
Copy link
Member

The list storage is also just a huge memory area that was dynamically allocated usingPyMem_Malloc. I do not see difference.

At worst, you can get different exceptions (or no exception) in C and Python implementations, but this is fine.

@picnixz
Copy link
MemberAuthor

The list storage is also just a huge memory area that was dynamically allocated using PyMem_Malloc. I do not see difference.

The difference is that the list object usesPy_SIZE but it's not possible to use this on the current implementation of element trees (or is there?)

@serhiy-storchaka
Copy link
Member

Py_SIZE orself->extra->length -- there is not much difference between them. Both just read a word from memory. You may need to check thatself->extra was not set to NULL during iteration, this is the only difference.

@picnixz
Copy link
MemberAuthor

Py_SIZE or self->extra->length -- there is not much difference between them

I'm pretty sure I first tried using INCREF/DECREF as usual and encountered an issue with that but I can't remember how. I'll try reproducing this tomorrow.

@picnixzpicnixz marked this pull request as draftDecember 6, 2024 18:03
@picnixzpicnixz marked this pull request as ready for reviewDecember 8, 2024 13:08
@picnixz
Copy link
MemberAuthor

@vstinner@serhiy-storchaka friendly ping in case you forgot about this one

@vstinner
Copy link
Member

As I wrote, I don't think that 200 lines of tests are needed. I would prefer way less tests.

@picnixz
Copy link
MemberAuthor

I can remove the special test case which makes the test explode as it's only the Python implementation if you want. It would reduce the test by half at least (most of the line length is taken by comments that are needed to explain the discrepency between the Python and the C implementation).

@picnixz
Copy link
MemberAuthor

@vstinner I've removed the pedantic check. However, we still need to have that much of tests becausedel root[:] androot.clear() behave differently although they should do the same. The reproducer I had did not make crashdel root[:], but it made crashroot.clear().

Copy link
Member

@vstinnervstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

LGTM. The C code change LGTM, I didn't review the tests.

@picnixzpicnixz merged commitbab1398 intopython:mainMar 31, 2025
42 checks passed
@miss-islington-app
Copy link

Thanks@picnixz for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12, 3.13.
🐍🍒⛏🤖

@picnixzpicnixz deleted the fix/xml-evil-remove-126033 branchMarch 31, 2025 10:31
miss-islington pushed a commit to miss-islington/cpython that referenced this pull requestMar 31, 2025
…en concurrent mutations happen (pythonGH-126124)(cherry picked from commitbab1398)Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@bedevere-app
Copy link

GH-131929 is a backport of this pull request to the3.13 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.13bugs and security fixes labelMar 31, 2025
miss-islington pushed a commit to miss-islington/cpython that referenced this pull requestMar 31, 2025
…en concurrent mutations happen (pythonGH-126124)(cherry picked from commitbab1398)Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@bedevere-app
Copy link

GH-131930 is a backport of this pull request to the3.12 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.12only security fixes labelMar 31, 2025
picnixz added a commit that referenced this pull requestMar 31, 2025
…hen concurrent mutations happen (GH-126124) (#131929)gh-126033: fix UAF in `xml.etree.ElementTree.Element.remove` when concurrent mutations happen (GH-126124)(cherry picked from commitbab1398)Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
picnixz added a commit that referenced this pull requestMar 31, 2025
…hen concurrent mutations happen (GH-126124) (#131930)gh-126033: fix UAF in `xml.etree.ElementTree.Element.remove` when concurrent mutations happen (GH-126124)(cherry picked from commitbab1398)Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@vstinnervstinnervstinner approved these changes

@sobolevnsobolevnAwaiting requested review from sobolevn

@serhiy-storchakaserhiy-storchakaAwaiting requested review from serhiy-storchaka

Assignees

No one assigned

Labels

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@picnixz@serhiy-storchaka@vstinner@sobolevn
[8]ページ先頭
©2009-2025 Movatter.jp