Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crash: xml.etree.ElementTree.Element.remove with an evil Element.__eq__ #126033

Open
picnixz opened this issue Oct 27, 2024 · 6 comments
Open

Crash: xml.etree.ElementTree.Element.remove with an evil Element.__eq__ #126033

picnixz opened this issue Oct 27, 2024 · 6 comments
Assignees
@picnixz
Labels
3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes extension-modules C modules in the Modules dir topic-XML type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@picnixz
Copy link
Contributor

picnixz commented Oct 27, 2024
edited by bedevere-app bot
Loading

Crash report

What happened?

A UAF in Element.remove was fixed in #68279 but one can mutate the child's list during .remove and cause an OOB crash:

import xml.etree.ElementTree as ET

class EvilElement(ET.Element):
    def __eq__(self, other):
        base.clear()
        return False

base = ET.Element('a')
base.append(EvilElement('a'))
base.append(EvilElement('a'))
base.remove(ET.Element('b'))

Attacked code:

cpython/Modules/_elementtree.c

Lines 1648 to 1656 in dc76a4a

for (i = 0; i < self->extra->length; i++) {
if (self->extra->children[i] == subelement)
break;
rc = PyObject_RichCompareBool(self->extra->children[i], subelement, Py_EQ);
if (rc > 0)
break;
if (rc < 0)
return NULL;
}

I think we need to introduce some state integer to check that there is no evil mutation (similar to what's being done for OrderedDict).

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response

Linked PRs
@picnixz picnixz added extension-modules C modules in the Modules dir topic-XML type-crash A hard crash of the interpreter, possibly with a core dump labels Oct 27, 2024
@ZeroIntensity
Copy link
Member

Hmm, there seem to be a lot of issues with PyObject_RichCompareBool and custom __eq__'s, right? It might be worth trying to fix things more globally there rather than on a case-by-case basis like this.

@picnixz
Copy link
Contributor Author

picnixz commented Oct 27, 2024

I've roughly skimmed through the other occurrences and couldn't find UAFs or bad OOB. And I'd prefer fixing them one by one because the patch is not always the same.

@picnixz picnixz self-assigned this Oct 27, 2024
@picnixz

This comment was marked as resolved.

Sign in to view
@picnixz picnixz mentioned this issue Oct 27, 2024
Open
@picnixz picnixz added 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes labels Oct 27, 2024
@ZeroIntensity
Copy link
Member

My main concern here is that while we can fix this as much as we want for the core, this looks like it's common enough that downstream is having this problem too.

@picnixz picnixz mentioned this issue Oct 27, 2024
Open
nathanli97 added a commit to nathanli97/cpython that referenced this issue Oct 28, 2024
@nathanli97
pythongh-126033: fix crash in ElementTree
ecaad38
nathanli97 added a commit to nathanli97/cpython that referenced this issue Oct 28, 2024
@nathanli97
pythongh-126033: Fix crash in _elementtree.c where evil tags/elements…
d4ef296 
… occurs
@nathanli97 nathanli97 mentioned this issue Oct 28, 2024
Closed
@sobolevn
Copy link
Member

sobolevn commented Oct 28, 2024
edited
Loading

Basically, we need to protect base from mutation during the iteration over it. An extra field maybe?

@picnixz
Copy link
Contributor Author

picnixz commented Oct 28, 2024

See #126041 for that (the issue and PR may have passed under your radar :))

@bedevere-app bedevere-app bot mentioned this issue Oct 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@picnixz picnixz

Labels
3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes extension-modules C modules in the Modules dir topic-XML type-crash A hard crash of the interpreter, possibly with a core dump
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sobolevn @picnixz @ZeroIntensity