Reference leaks in _hashlib.hmac_new and _hashlib.hmac_digest #130151

Closed
@picnixz

Bug report

Bug description:

The following leaks:

```python
def test_leak1(self):
    import _hashlib
    self.assertRaises(TypeError, _hashlib.hmac_new, b"key", 1, "sha256")
```

The issue is in _hashlib_hmac_new_impl:

```c
    self = PyObject_New(HMACobject, type);
    ...
    if ((msg_obj != NULL) && (msg_obj != Py_None)) {
        if (!_hmac_update(self, msg_obj))
            goto error;
    }
    return (PyObject*)self;

error:
    if (ctx) HMAC_CTX_free(ctx);
    if (self) PyObject_Free(self);
    return NULL;
```

More precisely, the issue is that we are only calling PyObject_Free(self) and we are not decrefing the type. So we need to call Py_XDECREF(self); instead and free ctx separately if self has not already been allocated. Note that the HMAC context is still cleared so we should not leak anything sensitive.

There is also a missing HMAC_CTX_free call in _hmac_digest, if the copy of the HMAC context fails. Again, there shouldn't be a security issue as the temporary context should still not be initialized on failure (and the secret key is not stored within, hopefully).

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response
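
The error-path cleanup described in the report, as an added example that is not part of the original issue or of CPython's code: a self-contained C model with no CPython or OpenSSL headers. `TypeObj`, `Obj`, `obj_new`, `obj_free`, `obj_xdecref`, `hmac_new_buggy`, `hmac_new_fixed` and `leaked_type_refs` are hypothetical stand-ins, and the model assumes that an instance holds a reference to its type and owns the context once it has been assigned.

```c
/* Simplified model (assumption): no CPython/OpenSSL headers, all names hypothetical. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { long refcnt; } TypeObj;                 /* stands in for the heap type */
typedef struct { long refcnt; TypeObj *type; void *ctx; } Obj;
static int live_ctx = 0;                                 /* contexts not yet freed */

static void *ctx_new(void) { void *c = malloc(1); if (c) live_ctx++; return c; }
static void ctx_free(void *c) { if (c) { live_ctx--; free(c); } }

/* Like PyObject_New on a heap type: the instance takes a reference to its type. */
static Obj *obj_new(TypeObj *t) {
    Obj *o = malloc(sizeof *o);
    if (o) { o->refcnt = 1; o->type = t; o->ctx = NULL; t->refcnt++; }
    return o;
}
/* Like PyObject_Free: releases memory only, the type's refcount is untouched. */
static void obj_free(Obj *o) { free(o); }
/* Like Py_XDECREF reaching the deallocator: frees the owned ctx, drops the type ref. */
static void obj_xdecref(Obj *o) {
    if (o && --o->refcnt == 0) { TypeObj *t = o->type; ctx_free(o->ctx); free(o); t->refcnt--; }
}
/* Error path as quoted in the report; update_ok == 0 models _hmac_update failing. */
static Obj *hmac_new_buggy(TypeObj *t, int update_ok) {
    void *ctx = ctx_new();
    Obj *self = ctx ? obj_new(t) : NULL;
    if (self) self->ctx = ctx;
    if (self && update_ok) return self;
    if (ctx) ctx_free(ctx);
    if (self) obj_free(self);                            /* type reference leaks here */
    return NULL;
}
/* Error path as the report proposes: decref self, free ctx only if self never owned it. */
static Obj *hmac_new_fixed(TypeObj *t, int update_ok) {
    void *ctx = ctx_new();
    Obj *self = ctx ? obj_new(t) : NULL;
    if (self) { self->ctx = ctx; ctx = NULL; }           /* ownership moves to self */
    if (self && update_ok) return self;
    if (ctx) ctx_free(ctx);
    obj_xdecref(self);
    return NULL;
}
/* Net change in the type's refcount after n failed constructions. */
static long leaked_type_refs(Obj *(*ctor)(TypeObj *, int), int n) {
    TypeObj t = { 1 };
    for (int i = 0; i < n; i++) ctor(&t, 0);
    return t.refcnt - 1;
}
int main(void) {
    printf("buggy: %ld\n", leaked_type_refs(hmac_new_buggy, 5));
    printf("fixed: %ld\n", leaked_type_refs(hmac_new_fixed, 5));
    return 0;
}
```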
