X Tutup
Skip to content

gh-136053: Memory Safety Issue in marshal.c TYPE_SLICE Case#136054

Merged
serhiy-storchaka merged 18 commits intopython:mainfrom
akshat62:gh-136053/memory-saferty-TYPE_SLICE
Jun 29, 2025
Merged

gh-136053: Memory Safety Issue in marshal.c TYPE_SLICE Case#136054
serhiy-storchaka merged 18 commits intopython:mainfrom
akshat62:gh-136053/memory-saferty-TYPE_SLICE

Conversation

@akshat62
Copy link
Contributor

@akshat62 akshat62 commented Jun 27, 2025
edited by bedevere-app bot
Loading

@bedevere-app bedevere-app bot mentioned this pull request Jun 27, 2025
Closed
picnixz
picnixz reviewed Jun 27, 2025
View reviewed changes
Copy link
Member

@picnixz picnixz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @serhiy-storchaka

Would it be possible to add a test with a maliciously crafted data so that we ensure that the vulnerability can be exploited?

picnixz
picnixz reviewed Jun 27, 2025
View reviewed changes
picnixz
picnixz reviewed Jun 27, 2025
View reviewed changes
sobolevn
sobolevn reviewed Jun 28, 2025
View reviewed changes
@picnixz
Copy link
Member

picnixz commented Jun 28, 2025

Thanks for the fix but please add a regression test. Even if it's not easily reproducible, I'd like to see a PoC.

@serhiy-storchaka serhiy-storchaka self-requested a review June 28, 2025 09:26
serhiy-storchaka
serhiy-storchaka reviewed Jun 28, 2025
View reviewed changes
Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test does not work.

For testing, you need to create at least 2147483646 (0x7ffffffe) references. This is impossible on 32-bit platform, and on 64-bit platforms it will consume at least 16 GiB (and maybe 32 GiB or 64 GiB due to overallocation) only for the list, not counting the referred objects. This is a bigmem test. This will also take a significant amount of time to run. I do not think it is worth to add an expensive test for trivial fix.

serhiy-storchaka
serhiy-storchaka approved these changes Jun 28, 2025
View reviewed changes
Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@akshat62 akshat62 requested a review from picnixz June 28, 2025 14:14
@akshat62
Copy link
Contributor Author

akshat62 commented Jun 28, 2025

@picnixz This can be merged.

@serhiy-storchaka serhiy-storchaka merged commit 30ba03e into python:main Jun 29, 2025
40 checks passed
@serhiy-storchaka serhiy-storchaka added 3.14 bugs and security fixes needs backport to 3.14 bugs and security fixes and removed 3.14 bugs and security fixes labels Jun 29, 2025
@miss-islington-app
Copy link

miss-islington-app bot commented Jun 29, 2025

Thanks @akshat62 for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jun 29, 2025
@akshat62 @miss-islington
pythongh-136053: Check error for TYPE_SLICE in marshal.c (pythonGH-13…
60d39db 
…6054)

Fix a possible crash when deserializing a large marshal data
(at least several GiBs) containing a slice.
(cherry picked from commit 30ba03e)

Co-authored-by: Akshat Gupta <akshat.gupta24@gmail.com>
@bedevere-app
Copy link

bedevere-app bot commented Jun 29, 2025

GH-136092 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Jun 29, 2025
serhiy-storchaka pushed a commit that referenced this pull request Jun 29, 2025
@miss-islington @akshat62
[3.14] gh-136053: Check error for TYPE_SLICE in marshal.c (GH-136054) (
ce65956 
…GH-136092)

Fix a possible crash when deserializing a large marshal data
(at least several GiBs) containing a slice.
(cherry picked from commit 30ba03e)

Co-authored-by: Akshat Gupta <akshat.gupta24@gmail.com>
@picnixz
Copy link
Member

picnixz commented Jun 29, 2025

No 3.13 bp?

@serhiy-storchaka
Copy link
Member

serhiy-storchaka commented Jun 29, 2025

New in 3.14.

AndPuQing pushed a commit to AndPuQing/cpython that referenced this pull request Jul 11, 2025
@akshat62 @AndPuQing
pythongh-136053: Check error for TYPE_SLICE in marshal.c (pythonGH-13…
3e3caf2 
…6054)

Fix a possible crash when deserializing a large marshal data
(at least several GiBs) containing a slice.
Pranjal095 pushed a commit to Pranjal095/cpython that referenced this pull request Jul 12, 2025
@akshat62 @Pranjal095
pythongh-136053: Check error for TYPE_SLICE in marshal.c (pythonGH-13…
9f969b9 
…6054)

Fix a possible crash when deserializing a large marshal data
(at least several GiBs) containing a slice.
taegyunkim pushed a commit to taegyunkim/cpython that referenced this pull request Aug 4, 2025
@akshat62 @taegyunkim
pythongh-136053: Check error for TYPE_SLICE in marshal.c (pythonGH-13…
15af2f1 
…6054)

Fix a possible crash when deserializing a large marshal data
(at least several GiBs) containing a slice.
Agent-Hellboy pushed a commit to Agent-Hellboy/cpython that referenced this pull request Aug 19, 2025
@akshat62 @Agent-Hellboy
pythongh-136053: Check error for TYPE_SLICE in marshal.c (pythonGH-13…
a22f06c 
…6054)

Fix a possible crash when deserializing a large marshal data
(at least several GiBs) containing a slice.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sobolevn sobolevn sobolevn left review comments

@serhiy-storchaka serhiy-storchaka serhiy-storchaka approved these changes

@picnixz picnixz picnixz approved these changes

+1 more reviewer

@auvipy auvipy auvipy approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@akshat62 @picnixz @serhiy-storchaka @sobolevn @auvipy
X Tutup