René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Use-after-free in `_io.BytesIO.writelines` via re-entrant `__buffer__` close","articleBody":"### What happened?\n\n`_io.BytesIO.writelines` pulls buffers from each iterable element inside `write_bytes_lock_held`, but a crafted object can close the target in `__buffer__`, freeing `self-\u003ebuf` while the write path still runs, which makes `write_bytes_lock_held` dereference freed memory.\n\n**Proof of Concept:**\n\n```python\nfrom _io import BytesIO\n\n\nclass Evil:\n    def __init__(self, target):\n        self.target = target\n\n    def __buffer__(self, flags):\n        self.target.close()\n        return memoryview(b\"A\")\n\n\nbio = BytesIO()\nbio.writelines([Evil(bio)])\n```\n\n**Vulnerable Code Snippet:**\n\n\u003cdetails\u003e\n\u003csummary\u003eClick to expand\u003c/summary\u003e\n\n```c\nstatic PyObject *\n_io_BytesIO_writelines_impl(bytesio *self, PyObject *lines)\n/*[clinic end generated code: output=03a43a75773bc397 input=5d6a616ae39dc9ca]*/\n{\n    PyObject *it, *item;\n\n    CHECK_CLOSED(self);\n\n    it = PyObject_GetIter(lines);\n    if (it == NULL)\n        return NULL;\n\n    while ((item = PyIter_Next(it)) != NULL) {\n        Py_ssize_t ret = write_bytes_lock_held(self, item);\n        Py_DECREF(item);\n        if (ret \u003c 0) {\n            Py_DECREF(it);\n            return NULL;\n        }\n    }\n    Py_DECREF(it);\n\n    /* See if PyIter_Next failed */\n    if (PyErr_Occurred())\n        return NULL;\n\n    Py_RETURN_NONE;\n}\n\n/* Buggy Re-entrant Path */\nPy_NO_INLINE static Py_ssize_t\nwrite_bytes_lock_held(bytesio *self, PyObject *b)\n{\n    _Py_CRITICAL_SECTION_ASSERT_OBJECT_LOCKED(self);\n\n    Py_buffer buf;\n    if (PyObject_GetBuffer(b, \u0026buf, PyBUF_CONTIG_RO) \u003c 0) {  /* Reentrant call site */\n        return -1;\n    }\n    Py_ssize_t len = buf.len;\n    /* ... */\n\n    memcpy(PyBytes_AS_STRING(self-\u003ebuf) + self-\u003epos,  /* crashing pointer derived */ /* Crash site */\n           buf.buf, len);\n    /* ... */\n    return len;\n}\n\n/* Clobbering Path */\nstatic PyObject *\n_io_BytesIO_close_impl(bytesio *self)\n{\n    CHECK_EXPORTS(self);\n    Py_CLEAR(self-\u003ebuf);  /* state mutate site */\n    Py_RETURN_NONE;\n}\n```\n\u003c/details\u003e\n\n**Sanitizer Output:**\n\n\u003cdetails\u003e\n\u003csummary\u003eClick to expand\u003c/summary\u003e\n\n```\nAddressSanitizer:DEADLYSIGNAL\n=================================================================\n==2192404==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5d4bc5d1b62d bp 0x7fff6c6ec680 sp 0x7fff6c6ec560 T0)\n==2192404==The signal is caused by a READ memory access.\n==2192404==Hint: address points to the zero page.\n    #0 0x5d4bc5d1b62d in write_bytes_lock_held Modules/_io/bytesio.c:215\n    #1 0x5d4bc5d1c0cf in _io_BytesIO_writelines_impl Modules/_io/bytesio.c:802\n    #2 0x5d4bc5d1c0cf in _io_BytesIO_writelines Modules/_io/clinic/bytesio.c.h:547\n    #3 0x5d4bc57213e7 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:169\n    #4 0x5d4bc57213e7 in PyObject_Vectorcall Objects/call.c:327\n    #5 0x5d4bc55d55a2 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:1620\n    #6 0x5d4bc5a9fad6 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:121\n    #7 0x5d4bc5a9fad6 in _PyEval_Vector Python/ceval.c:2001\n    #8 0x5d4bc5a9fad6 in PyEval_EvalCode Python/ceval.c:884\n    #9 0x5d4bc5be516e in run_eval_code_obj Python/pythonrun.c:1365\n    #10 0x5d4bc5be516e in run_mod Python/pythonrun.c:1459\n    #11 0x5d4bc5be9e17 in pyrun_file Python/pythonrun.c:1293\n    #12 0x5d4bc5be9e17 in _PyRun_SimpleFileObject Python/pythonrun.c:521\n    #13 0x5d4bc5bea93c in _PyRun_AnyFileObject Python/pythonrun.c:81\n    #14 0x5d4bc5c5de3c in pymain_run_file_obj Modules/main.c:410\n    #15 0x5d4bc5c5de3c in pymain_run_file Modules/main.c:429\n    #16 0x5d4bc5c5de3c in pymain_run_python Modules/main.c:691\n    #17 0x5d4bc5c5f71e in Py_RunMain Modules/main.c:772\n    #18 0x5d4bc5c5f71e in pymain_main Modules/main.c:802\n    #19 0x5d4bc5c5f71e in Py_BytesMain Modules/main.c:826\n    #20 0x7d5d7d22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n    #21 0x7d5d7d22a28a in __libc_start_main_impl ../csu/libc-start.c:360\n    #22 0x5d4bc55f9634 in _start (/home/jackfromeast/Desktop/entropy/targets/grammar-afl++-latest/targets/cpython/python+0x206634) (BuildId: 4d105290d0ad566a4d6f4f7b2f05fbc9e317b533)\n\nAddressSanitizer can not provide additional info.\nSUMMARY: AddressSanitizer: SEGV Modules/_io/bytesio.c:215 in write_bytes_lock_held\n==2192404==ABORTING\n```\n\u003c/details\u003e\n\n### CPython versions tested on:\n\n3.12, 3.13, 3.14, 3.15\n\n### Output from running 'python -VV' on the command line:\n\nPython 3.15.0a1+ (heads/main:f5394c257ce, Oct 28 2025, 19:29:54) [GCC 13.3.0]\n\n\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-143408\n* gh-143599\n* gh-143600\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/jackfromeast","@type":"Person","name":"jackfromeast"},"datePublished":"2026-01-03T04:10:07.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":1},"url":"https://github.com/143378/cpython/issues/143378"}