Skip to content

gh-142831: Fix UAF in _json module #142851

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ashm-dev wants to merge 11 commits into
base: main
Choose a base branch
from
Open

gh-142831: Fix UAF in _json module #142851

ashm-dev wants to merge 11 commits into from
+46 −25

Conversation

@ashm-dev
Copy link
Contributor

@ashm-dev ashm-dev commented Dec 17, 2025
edited by bedevere-app bot
Loading

@bedevere-app bedevere-app bot mentioned this pull request Dec 17, 2025
Open
serhiy-storchaka
serhiy-storchaka reviewed Dec 17, 2025
View reviewed changes
Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add tests?

kumaraditya303
kumaraditya303 reviewed Dec 17, 2025
View reviewed changes
@kumaraditya303 kumaraditya303 added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Dec 17, 2025
@ashm-dev
Copy link
Contributor Author

ashm-dev commented Dec 18, 2025

Added tests

kumaraditya303
kumaraditya303 reviewed Dec 18, 2025
View reviewed changes
@kumaraditya303
Copy link
Contributor

kumaraditya303 commented Dec 19, 2025

I pushed a minor test change to make the test run on both pure python and C encoder.

@ashm-dev
Copy link
Contributor Author

ashm-dev commented Dec 19, 2025

@kumaraditya303 But the new tests don't reproduce the issue!
P.S. Here is how I verify the tests: I build Python from main with ASan, and if the tests trigger the leak (the one reported in the issue), then they are good; otherwise, they are not.

@kumaraditya303
Revert "clean up test"
adfeee2 
This reverts commit 66c3af1.
@kumaraditya303
Copy link
Contributor

kumaraditya303 commented Dec 19, 2025

But the new tests don't reproduce the issue!

I was able to reproduce it but now I can't, not sure if it was a build cache issue or something. Sorry reverted it back.

serhiy-storchaka
serhiy-storchaka reviewed Dec 19, 2025
View reviewed changes
Lib/test/test_json/test_dump.py
Comment on lines +76 to +77
def __init__(self):
super().__init__(real=1)
Copy link
Member

@serhiy-storchaka serhiy-storchaka Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is not needed, you can just pass arguments to the BadDict constructor at line 97.

Lib/test/test_json/test_dump.py
Comment on lines +70 to +71
if c_make_encoder is None:
self.skipTest("c_make_encoder not available")
Copy link
Member

@serhiy-storchaka serhiy-storchaka Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would not be better to move the test to test_speedups.py?

serhiy-storchaka
serhiy-storchaka requested changes Jan 9, 2026
View reviewed changes
Modules/_json.c
#ifdef Py_GIL_DISABLED
// gh-119438: in the free-threading build the critical section on items can get suspended

// GH-142831: The item must be strong-referenced to avoid
Copy link
Member

@serhiy-storchaka serhiy-storchaka Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is better to do without such comments. They are trivial and only distract from other code. Each Py_INCREF() has reasons, but we do not write it ot for them.

@bedevere-app
Copy link

bedevere-app bot commented Jan 9, 2026

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@superboy-zjc
Copy link
Contributor

superboy-zjc commented Jan 12, 2026
edited
Loading

Hi @ashm-dev do you have spare time working on this PR? I saw there has been 3 weeks since your last update. If not, I'd love to take over the PR and finish rest of the work. Active exploitation of this bug has already been seen in the popular OSS applications such as coze-studio. Let me know what you think.Thanks!

@ashm-dev
Copy link
Contributor Author

ashm-dev commented Jan 12, 2026

@superboy-zjc The PR is not abandoned and remains with me. Updates will follow when ready.

@superboy-zjc
Copy link
Contributor

superboy-zjc commented Jan 12, 2026

@superboy-zjc The PR is not abandoned and remains with me. Updates will follow when ready.

This issue requires urgent reaction. Please do finish it soon, or I can help PR shortly thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@serhiy-storchaka serhiy-storchaka serhiy-storchaka requested changes

@kumaraditya303 kumaraditya303 Awaiting requested review from kumaraditya303

Assignees

No one assigned

Labels

awaiting changes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ashm-dev @kumaraditya303 @superboy-zjc @serhiy-storchaka