Use-After-Free in PyImport_ImportModuleLevelObject
#134100
Labels
interpreter-core
(Objects, Python, Grammar, and Parser dirs)
topic-importlib
type-crash
A hard crash of the interpreter, possibly with a core dump
Comments
picnixz
added
interpreter-core
This comment has been minimized.
This comment has been minimized.
kumaraditya303
pushed a commit
that referenced
this issue
May 18, 2025
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
May 18, 2025
…ect` (pythonGH-134117) (cherry picked from commit 4e9005d) Co-authored-by: Nico-Posada <[email protected]>
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
May 18, 2025
…ect` (pythonGH-134117) (cherry picked from commit 4e9005d) Co-authored-by: Nico-Posada <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Bug report
Bug description:
If you try to import something with a level >= 1 and it somehow fails to put it into sys.modules after importing, you'll get a nice error message letting you know.
cpython/Python/import.c
Lines 3857 to 3863 in d94b1e9
However, this error message uses
to_returnwhich was freed a couple of lines before. Because it's used just after being freed, you can't do anything too malicious with it, but you can crash python by allocating a large enough string and having it be unmapped after being freed so that it's invalid memory when it's accessed.(No crash but triggers ASAN with use-after-free)
(Crash)
Fix is to have the decref after it makes the error message.
CPython versions tested on:
3.12, 3.13, 3.14
Operating systems tested on:
Windows, Linux
Linked PRs
PyImport_ImportModuleLevelObject(GH-134117) #134171PyImport_ImportModuleLevelObject(GH-134117) #134172The text was updated successfully, but these errors were encountered: