Skip to content

gh-130151: Fix reference leaks in _hashlib.hmac_{new,digest} #130152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Feb 24, 2025
Merged

gh-130151: Fix reference leaks in _hashlib.hmac_{new,digest} #130152

merged 9 commits into from
Feb 24, 2025

Conversation

picnixz
Copy link
Member

@picnixz picnixz commented Feb 15, 2025
edited by bedevere-app bot
Loading

@bedevere-app bedevere-app bot mentioned this pull request Feb 15, 2025
Closed
@picnixz picnixz force-pushed the fix/hmac/leak-130151 branch from 6d84554 to c9d0c0d Compare February 15, 2025 11:43
@picnixz picnixz requested review from gpshead and encukou February 15, 2025 11:45
@encukou
Copy link
Member

encukou commented Feb 18, 2025

Thanks, good catch!

Why reorganize the code, though?
I see no reason to remove the arg name comment /*impl*/, or rename r.

AFAICS, declaring pointers at the top and setting them to NULL, and an error: block at the end, was deliberate; the style this function was going for is keeping ctx and self non-NULL when they need to be freed. IMO, that's a good way to make complex functions maintainable: repeating a list of currently owned “resources” before each return works for smaller functions, but I think hmac_new is past that size.
I'd expect a Py_XDECREF(self) in the error block, and a line like ctx = NULL; // context is now owned by self.

Not sure about the change from _setException to PyErr_NoMemory -- the OpenSSL docs on HMAC_CTX_new and HMAC_Init_ex aren't explicit on whether it sets an ERR_ error. Are they inconsistent?

@picnixz
Copy link
Member Author

picnixz commented Feb 21, 2025

Not sure about the change from _setException to PyErr_NoMemory -- the OpenSSL docs on HMAC_CTX_new and

I think it's to align with other instances of similar code. In other cases I think we raise a MemoryError. But I need to check it.

Why reorganize the code, though?
I see no reason to remove the arg name comment /impl/, or rename r.

I think the impl comment would be implicit but it's my IDE, I'll restore it. As for r I think I wanted to reduce the kjne length :') I'll just revert this line.

AFAICS, declaring pointers at the top and setting them to NULL, and an error: block at the end, was deliberate

For me it was more an ANSI C approach where all variables are declared at the top of the function. However since I felt it was cleaner like this. But I can revert it and make it ANSI C.

@picnixz
Copy link
Member Author

picnixz commented Feb 22, 2025
edited
Loading

Concerning PyErr_NoMemory, that's what we do in hmac.digest(). NULL is returned by HMAC_CTX_new when allocation fails: https://github.com/openssl/openssl/blob/0bdd10e4078beccaa49ea015b6660f3facfab02b/crypto/hmac/hmac.c#L162.

Note that we also return NULL if the context cannot be reset correctly, but this only means that one the underlying EVP contexts couldn't be allocated either: https://github.com/openssl/openssl/blob/0bdd10e4078beccaa49ea015b6660f3facfab02b/crypto/hmac/hmac.c#L198 and https://github.com/openssl/openssl/blob/0bdd10e4078beccaa49ea015b6660f3facfab02b/crypto/evp/digest.c#L129.

So the NULL should only be returned by HMAC_CTX_new if either it couldn't be allocated or one of the underlying EVP contexts couldn't be allocated.

EDIT: This is assuming we are using openssl implementation for libssl. Any other implementation may not necessarily do the same, but I'm not sure we're actually building against something that is not openssl-compliant.

@picnixz picnixz requested a review from tiran as a code owner February 22, 2025 10:30
picnixz
picnixz commented Feb 23, 2025
View reviewed changes
@gpshead gpshead enabled auto-merge (squash) February 23, 2025 23:21
@gpshead gpshead added needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Feb 23, 2025
@gpshead gpshead merged commit 0718201 into python:main Feb 24, 2025
46 checks passed
@miss-islington-app
Copy link

Thanks @picnixz for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12, 3.13.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Feb 24, 2025
@picnixz @miss-islington
pythongh-130151: Fix reference leaks in _hashlib.hmac_{new,digest} (p…
1d76644 
…ythonGH-130152)

* fix leak in `_hashlib.hmac_new`
* fix leak in `hmac_digest`
* fix exception type in `_hashlib.HMAC.copy`
(cherry picked from commit 0718201)

Co-authored-by: Bénédikt Tran <[email protected]>
@bedevere-app
Copy link

bedevere-app bot commented Feb 24, 2025

GH-130491 is a backport of this pull request to the 3.13 branch.

@miss-islington-app
Copy link

Sorry, @picnixz and @gpshead, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 071820113f11b8f6a21f98652d0840e10268114c 3.12

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Feb 24, 2025
@picnixz
Copy link
Member Author

picnixz commented Feb 24, 2025

I'll take care of the bp tomorrow (it's 1 AM here) if no one is doing it

@picnixz picnixz deleted the fix/hmac/leak-130151 branch February 24, 2025 00:12
gpshead pushed a commit that referenced this pull request Feb 24, 2025
@miss-islington @picnixz
[3.13] gh-130151: Fix reference leaks in _hashlib.hmac_{new,digest} (
86dab0e 
…GH-130152) (#130491)

gh-130151: Fix reference leaks in `_hashlib.hmac_{new,digest}` (GH-130152)

* fix leak in `_hashlib.hmac_new`
* fix leak in `hmac_digest`
* fix exception type in `_hashlib.HMAC.copy`
(cherry picked from commit 0718201)

Co-authored-by: Bénédikt Tran <[email protected]>
@picnixz
Copy link
Member Author

picnixz commented Feb 24, 2025

Huh, I forgot. I didn't have time this morning. I'll do it... well, either this night or tomorrow. Sorry :(

@picnixz picnixz self-assigned this Feb 24, 2025
@bedevere-app
Copy link

bedevere-app bot commented Feb 25, 2025

GH-130539 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Feb 25, 2025
picnixz added a commit that referenced this pull request Feb 25, 2025
@picnixz
[3.12] gh-130151: Fix reference leaks in _hashlib.hmac_{new,digest} (
b1a188a 
…GH-130152) (#130539)

gh-130151: Fix reference leaks in `_hashlib.hmac_{new,digest}` (GH-130152)

* fix leak in `_hashlib.hmac_new`
* fix leak in `hmac_digest`
* fix exception type in `_hashlib.HMAC.copy`
(cherry picked from commit 0718201)
seehwan pushed a commit to seehwan/cpython that referenced this pull request Apr 16, 2025
@picnixz @seehwan80
pythongh-130151: Fix reference leaks in _hashlib.hmac_{new,digest} (p…
2f966cf 
…ythonGH-130152)

* fix leak in `_hashlib.hmac_new`
* fix leak in `hmac_digest`
* fix exception type in `_hashlib.HMAC.copy`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gpshead gpshead Awaiting requested review from gpshead gpshead is a code owner

@encukou encukou Awaiting requested review from encukou

@tiran tiran Awaiting requested review from tiran

Assignees

@gpshead gpshead

@picnixz picnixz

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@picnixz @encukou @gpshead