Merge branch 'main' into fix/bytearray/uaf-in-mod-142557

picnixz · picnixz · commit 485a83c1ff7a · 2025-12-27T15:29:14.000+01:00
diff --git a/Lib/test/test_memoryview.py b/Lib/test/test_memoryview.py
@@ -387,6 +387,20 @@ def test_hash_writable(self):
         m = self._view(b)
         self.assertRaises(ValueError, hash, m)
 
+    def test_hash_use_after_free(self):
+        # Prevent crash in memoryview(v).__hash__ with re-entrant v.__hash__.
+        # Regression test for https://github.com/python/cpython/issues/142664.
+        class E(array.array):
+            def __hash__(self):
+                mv.release()
+                self.clear()
+                return 123
+
+        v = E('B', b'A' * 4096)
+        mv = memoryview(v).toreadonly()   # must be read-only for hash()
+        self.assertRaises(BufferError, hash, mv)
+        self.assertRaises(BufferError, mv.__hash__)
+
     def test_weakref(self):
         # Check memoryviews are weakrefable
         for tp in self._types:
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-12-27-13-18-12.gh-issue-142664.peeEDV.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-12-27-13-18-12.gh-issue-142664.peeEDV.rst
@@ -0,0 +1,3 @@
+Fix a use-after-free crash in :meth:`memoryview.__hash__ <object.__hash__>`
+when the ``__hash__`` method of the referenced object mutates that object or
+the view. Patch by Bénédikt Tran.
diff --git a/Modules/_remote_debugging/module.c b/Modules/_remote_debugging/module.c
@@ -947,6 +947,7 @@ _remote_debugging_RemoteUnwinder_get_stats_impl(RemoteUnwinderObject *self)
 }
 
 /*[clinic input]
+@permit_long_docstring_body
 @critical_section
 _remote_debugging.RemoteUnwinder.pause_threads
 
@@ -963,7 +964,7 @@ Returns True if threads were successfully paused, False if they were already pau
 
 static PyObject *
 _remote_debugging_RemoteUnwinder_pause_threads_impl(RemoteUnwinderObject *self)
-/*[clinic end generated code: output=aaf2bdc0a725750c input=78601c60dbc245fe]*/
+/*[clinic end generated code: output=aaf2bdc0a725750c input=d8a266f19a81c67e]*/
 {
 #ifdef Py_REMOTE_DEBUG_SUPPORTS_BLOCKING
     if (self->threads_stopped) {
@@ -985,6 +986,7 @@ _remote_debugging_RemoteUnwinder_pause_threads_impl(RemoteUnwinderObject *self)
 }
 
 /*[clinic input]
+@permit_long_docstring_body
 @critical_section
 _remote_debugging.RemoteUnwinder.resume_threads
 
@@ -997,7 +999,7 @@ Returns True if threads were successfully resumed, False if they were not paused
 
 static PyObject *
 _remote_debugging_RemoteUnwinder_resume_threads_impl(RemoteUnwinderObject *self)
-/*[clinic end generated code: output=8d6781ea37095536 input=67ca813bd804289e]*/
+/*[clinic end generated code: output=8d6781ea37095536 input=16baaaab007f4259]*/
 {
 #ifdef Py_REMOTE_DEBUG_SUPPORTS_BLOCKING
     if (!self->threads_stopped) {
@@ -1261,6 +1263,7 @@ class _remote_debugging.BinaryWriter "BinaryWriterObject *" "&PyBinaryWriter_Typ
 /*[clinic end generated code: output=da39a3ee5e6b4b0d input=e948838b90a2003c]*/
 
 /*[clinic input]
+@permit_long_docstring_body
 _remote_debugging.BinaryWriter.__init__
     filename: str
     sample_interval_us: unsigned_long_long
@@ -1285,7 +1288,7 @@ _remote_debugging_BinaryWriter___init___impl(BinaryWriterObject *self,
                                              unsigned long long sample_interval_us,
                                              unsigned long long start_time_us,
                                              int compression)
-/*[clinic end generated code: output=014c0306f1bacf4b input=57497fe3cb9214a6]*/
+/*[clinic end generated code: output=014c0306f1bacf4b input=3bdf01c1cc2f5a1d]*/
 {
     if (self->writer) {
         binary_writer_destroy(self->writer);
@@ -1300,6 +1303,7 @@ _remote_debugging_BinaryWriter___init___impl(BinaryWriterObject *self,
 }
 
 /*[clinic input]
+@permit_long_docstring_body
 _remote_debugging.BinaryWriter.write_sample
     stack_frames: object
     timestamp_us: unsigned_long_long
@@ -1315,7 +1319,7 @@ static PyObject *
 _remote_debugging_BinaryWriter_write_sample_impl(BinaryWriterObject *self,
                                                  PyObject *stack_frames,
                                                  unsigned long long timestamp_us)
-/*[clinic end generated code: output=24d5b86679b4128f input=dce3148417482624]*/
+/*[clinic end generated code: output=24d5b86679b4128f input=4e6d832d360bea46]*/
 {
     if (!self->writer) {
         PyErr_SetString(PyExc_ValueError, "Writer is closed");
@@ -1422,6 +1426,7 @@ _remote_debugging_BinaryWriter___exit___impl(BinaryWriterObject *self,
 }
 
 /*[clinic input]
+@permit_long_docstring_body
 _remote_debugging.BinaryWriter.get_stats
 
 Get encoding statistics for the writer.
@@ -1432,7 +1437,7 @@ record counts, frames written/saved, and compression ratio.
 
 static PyObject *
 _remote_debugging_BinaryWriter_get_stats_impl(BinaryWriterObject *self)
-/*[clinic end generated code: output=06522cd52544df89 input=82968491b53ad277]*/
+/*[clinic end generated code: output=06522cd52544df89 input=837c874ffdebd24c]*/
 {
     if (!self->writer) {
         PyErr_SetString(PyExc_ValueError, "Writer is closed");
@@ -1754,6 +1759,7 @@ _remote_debugging_zstd_available_impl(PyObject *module)
  * ============================================================================ */
 
 /*[clinic input]
+@permit_long_docstring_body
 _remote_debugging.get_child_pids
 
     pid: int
@@ -1779,7 +1785,7 @@ Child processes may exit or new ones may be created after the list is returned.
 static PyObject *
 _remote_debugging_get_child_pids_impl(PyObject *module, int pid,
                                       int recursive)
-/*[clinic end generated code: output=1ae2289c6b953e4b input=3395cbe7f17066c9]*/
+/*[clinic end generated code: output=1ae2289c6b953e4b input=19d8d5d6e2b59e6e]*/
 {
     return enumerate_child_pids((pid_t)pid, recursive);
 }
diff --git a/Objects/memoryobject.c b/Objects/memoryobject.c
@@ -3231,9 +3231,16 @@ memory_hash(PyObject *_self)
                 "memoryview: hashing is restricted to formats 'B', 'b' or 'c'");
             return -1;
         }
-        if (view->obj != NULL && PyObject_Hash(view->obj) == -1) {
-            /* Keep the original error message */
-            return -1;
+        if (view->obj != NULL) {
+            // Prevent 'self' from being freed when computing the item's hash.
+            // See https://github.com/python/cpython/issues/142664.
+            self->exports++;
+            int rc = PyObject_Hash(view->obj);
+            self->exports--;
+            if (rc == -1) {
+                /* Keep the original error message */
+                return -1;
+            }
         }
 
         if (!MV_C_CONTIGUOUS(self->flags)) {
diff --git a/Python/remote_debug.h b/Python/remote_debug.h
@@ -154,7 +154,9 @@ static void
 _Py_RemoteDebug_FreePageCache(proc_handle_t *handle)
 {
     for (int i = 0; i < MAX_PAGES; i++) {
-        PyMem_RawFree(handle->pages[i].data);
+        if (handle->pages[i].data) {
+            PyMem_RawFree(handle->pages[i].data);
+        }
         handle->pages[i].data = NULL;
         handle->pages[i].valid = 0;
     }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+Fix a use-after-free crash in :meth:`memoryview.__hash__ <object.__hash__>`
	`2`	+when the ``__hash__`` method of the referenced object mutates that object or
	`3`	`+the view. Patch by Bénédikt Tran.`
Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,9 @@ static void`
`154`	`154`	`_Py_RemoteDebug_FreePageCache(proc_handle_t *handle)`
`155`	`155`	`{`
`156`	`156`	`for (int i = 0; i < MAX_PAGES; i++) {`
`157`		`- PyMem_RawFree(handle->pages[i].data);`
	`157`	`+ if (handle->pages[i].data) {`
	`158`	`+ PyMem_RawFree(handle->pages[i].data);`
	`159`	`+ }`
`158`	`160`	`handle->pages[i].data = NULL;`
`159`	`161`	`handle->pages[i].valid = 0;`
`160`	`162`	`}`