gh-92888: Fix memoryview bad __index__ use after free

[Fidget-Spinner]

Co-Authored-By: chilaxan [email protected]
Fixes #92888

[serhiy-storchaka]

I have other approach, but your approach is more compatible, so it is safer to use it backports. I'll experiment with other approach in the developing branch only.

You can use the following test as a base:

    def test_use_released_memory(self):
        size = 128
        def release():
            m.release()
            nonlocal ba
            ba = bytearray(size)
        class MyIndex:
            def __index__(self):
                release()
                return 4
        class MyFloat:
            def __float__(self):
                release()
                return 4.25
        class MyBool:
            def __bool__(self):
                release()
                return True

        ba = None
        m = memoryview(bytearray(b'\xff'*size))
        with self.assertRaises(ValueError):
            m[MyIndex()]

        ba = None
        m = memoryview(bytearray(b'\xff'*size))
        self.assertEqual(list(m[:MyIndex()]), [255] * 4)

        ba = None
        m = memoryview(bytearray(b'\xff'*size))
        self.assertEqual(list(m[MyIndex():8]), [255] * 4)

        ba = None
        m = memoryview(bytearray(b'\xff'*size))
        m[MyIndex()] = 42
        self.assertEqual(ba[:8], b'\0'*8)

        ba = None
        m = memoryview(bytearray(b'\xff'*size))
        m[:MyIndex()] = b'spam'
        self.assertEqual(ba[:8], b'\0'*8)

        ba = None
        m = memoryview(bytearray(b'\xff'*size))
        m[MyIndex():8] = b'spam'
        self.assertEqual(ba[:8], b'\0'*8)

        ba = None
        m = memoryview(bytearray(b'\xff'*size))
        m[0] = MyIndex()
        self.assertEqual(ba[:8], b'\0'*8)

        for fmt in 'bhilqnBHILQN':
            ba = None
            m = memoryview(bytearray(b'\xff'*size)).cast(fmt)
            m[0] = MyIndex()
            self.assertEqual(ba[:8], b'\0'*8)

        for fmt in 'fd':
            ba = None
            m = memoryview(bytearray(b'\xff'*size)).cast(fmt)
            m[0] = MyFloat()
            self.assertEqual(ba[:8], b'\0'*8)

        ba = None
        m = memoryview(bytearray(b'\xff'*size)).cast('?')
        m[0] = MyBool()
        self.assertEqual(ba[:8], b'\0'*8)

[Fidget-Spinner]

@serhiy-storchaka thanks taking the time to review and writing those really comprehensive tests. One part of your test fails on my branch: specifically m[MyIndex()] = 42 raises ValueError. That's supposed to happen right? (Actually, most of the asserts seem to fail on my branch :()

[serhiy-storchaka]

Yes, it is expected that some lines raise exceptions with your changes. Just add assertRaises() if needed.

[Fidget-Spinner]

Great, thanks to your tests I found that my fix didn't cover slices. It now does.

[serhiy-storchaka]

Yet few tests.

[serhiy-storchaka]

👍

[serhiy-storchaka]

I am sorry for being so pedantic. 🤦‍♂️

[Fidget-Spinner]

I am sorry for being so pedantic. man_facepalming

I didn't feel that you were. Those are errors I ought to have caught anyways. Thanks for the detailed review as always.

[vstinner]

I like your approach to fix memory_ass_sub(). Here is a first review.

[vstinner]

Can you move the check after the equiv_structure() test?

[serhiy-storchaka]

Would not access to Py_buffer of the released object cause reading after free?

[vstinner]

I propose to mention more explicitly that the protection is about released views:

If a memoryview is released while getting or setting an item, raise an exception.
For example, converting an object to an index can execute arbitrary Python
code which can indirectly release the memoryview.

[serhiy-storchaka]

Not always an exception is raised.

The bug was in reading or wring the freed memory. Now it is prevented -- you either get an exception or free the memory after reading. @Fidget-Spinner's description is more correct.

I am going to address such inconsistency in a separate issue.

[vstinner]

That's useless, no?

[Fidget-Spinner]

No, we need it for tests below that tests indexing into ba[].

[serhiy-storchaka]

We allocate a bytearray of the same size as the bytearray just released in memoryview in hope that it will be allocated at the same memory. It helps to check that we do nor read/write a freed memory.

[vstinner]

In my PR, I tried to make the code more generic to test more cases: https://github.com/python/cpython/pull/93127/files#diff-d41c6bb40a1e03fea5a20d15c4077413e0ddde65651147922b625b03a66a2f16R399:

        tp = self.rw_type
        b = self.rw_type(self._source)
        view = self._view(b)

[vstinner]

This test is very long. Can you try to factorize similar code and use loop with subTest(), and put pack operations in one test method and unpack in another test method?

[serhiy-storchaka]

Then we will need to duplicate the definitions of internal classes.

The tested code is so different, that it is difficult to use a loop. And I think that the result will be more complicated.

[serhiy-storchaka]

It is necessary. The old bytearray should be deallocated before creating a new bytearray, so all bytearrays will be allocated at the same place.

[vstinner]

I closed my PR #93127 since this one seems to be more complete.

[Fidget-Spinner]

@vstinner do you have any major objections? Otherwise, I plan to merge.

[vstinner]

My reviews on the tests were just remarks, not objections.

[miss-islington]

Thanks @Fidget-Spinner for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11.
🐍🍒⛏🤖

[miss-islington]

Sorry, @Fidget-Spinner, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 11190c4ad0d3722b8d263758ac802985131a5462 3.10

[bedevere-bot]

GH-93948 is a backport of this pull request to the 3.11 branch.

[bedevere-bot]

GH-93950 is a backport of this pull request to the 3.10 branch.