Skip to content

[3.11] gh-120384: gh-120298: Fix array-out-of-bounds & use after free list#121345

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ambv merged 4 commits into from
Oct 31, 2025
Merged

[3.11] gh-120384: gh-120298: Fix array-out-of-bounds & use after free list#121345

ambv merged 4 commits into from
Oct 31, 2025

Conversation

@gpshead
Copy link
Member

@gpsheadgpshead commented Jul 3, 2024
edited
Loading

gh-120384: Fix array-out-of-bounds crash in list_ass_subscript (GH-120442) (cherry picked from commit 8334a1b in the 3.12 branch)

gh-120298: Fix use after free in list_richcompare.

@miss-islington@sobolevn@gpshead
pythongh-120384: Fix array-out-of-bounds crash inlist_ass_subscript(
6d1ab20
pythonGH-120442) (python#120825) pythongh-120384: Fix array-out-of-bounds crash in `list_ass_subscript` (pythonGH-120442) (cherry picked from commit 8334a1b) Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
@bedevere-appbedevere-appbot mentioned this pull request Jul 3, 2024
Closed
@gpsheadgpshead changed the title [3.11] gh-120384: Fix array-out-of-bounds crash in list_ass_subscript[3.11] gh-120384: gh-120298: Fix array-out-of-bounds & use after free listJul 3, 2024
@gpshead
Copy link
MemberAuthor

gpshead commented Jul 3, 2024

For consideration as a security related backport. To trigger these, people already need the ability to run arbitrary Python code. So we don't consider this a vulnerability given the existing capabilities. But it could make the life of some projects built on top of Python a little better.

Such projects are already on undefined behavior grounds if they consider anything executing Python bytecode to not be able to escape that to begin with. Because CPython does not guarantee any such thing.

@gpsheadgpshead mentioned this pull request Jul 3, 2024
Merged
pablogsal
pablogsal reviewed Jul 8, 2024
View reviewed changes
Copy link
Member

@pablogsalpablogsal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just commenting that I am happy to get this fix backported once it's reviewed and tested

@gpsheadgpshead marked this pull request as ready for review August 17, 2025 18:28
@gpsheadgpshead added needs backport to 3.9 needs backport to 3.10 only security fixes 🔨 test-with-buildbots Test PR w/ buildbots; report in status section labels Aug 17, 2025
@bedevere-bot
Copy link

bedevere-bot commented Aug 17, 2025

🤖 New build scheduled with the buildbot fleet by @gpshead for commit de70708 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F121345%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-botbedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Aug 17, 2025
@ambvambv merged commit 0cd888b into python:3.11Oct 31, 2025
22 checks passed
@miss-islington-app
Copy link

miss-islington-appbot commented Oct 31, 2025

Thanks @gpshead for the PR, and @ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 31, 2025
@gpshead@sobolevn
@ambv@miss-islington
[3.11]pythongh-120384:pythongh-120298: Fix array-out-of-bounds & us…
77672ef
…e after free `list` (pythonGH-121345) (cherry picked from commit 8334a1b) (cherry picked from commit 0cd888b) Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Nikita Sobolev <mail@sobolevn.me> Co-authored-by: Łukasz Langa <lukasz@langa.pl>
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 31, 2025
@gpshead@sobolevn
@ambv@miss-islington
[3.11]pythongh-120384:pythongh-120298: Fix array-out-of-bounds & us…
6de7a52
…e after free `list` (pythonGH-121345) (cherry picked from commit 8334a1b) (cherry picked from commit 0cd888b) Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Nikita Sobolev <mail@sobolevn.me> Co-authored-by: Łukasz Langa <lukasz@langa.pl>
@bedevere-app
Copy link

bedevere-appbot commented Oct 31, 2025

GH-140833 is a backport of this pull request to the 3.10 branch.

@bedevere-appbedevere-appbot removed the needs backport to 3.10 only security fixes label Oct 31, 2025
@bedevere-app
Copy link

bedevere-appbot commented Oct 31, 2025

GH-140834 is a backport of this pull request to the 3.9 branch.

ambv added a commit that referenced this pull request Oct 31, 2025
@miss-islington@gpshead
@sobolevn@ambv
[3.10]gh-120384:gh-120298: Fix array-out-of-bounds & use after free…
3eea546
… `list` (GH-121345) (GH-140833) (cherry picked from commit 8334a1b) (cherry picked from commit 0cd888b) Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Nikita Sobolev <mail@sobolevn.me> Co-authored-by: Łukasz Langa <lukasz@langa.pl>
ambv added a commit that referenced this pull request Oct 31, 2025
@miss-islington@gpshead
@sobolevn@ambv
[3.9]gh-120384:gh-120298: Fix array-out-of-bounds & use after free …
42762bb
…`list` (GH-121345) (GH-140834) (cherry picked from commit 8334a1b) (cherry picked from commit 0cd888b) Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Nikita Sobolev <mail@sobolevn.me> Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pablogsalpablogsalpablogsal left review comments

Assignees

@pablogsalpablogsal

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@gpshead@bedevere-bot@pablogsal@ambv@miss-islington