Title: Heap out-of-bound read in `socket.sendmsg` ancillary parser after re-entrant `__index__` clears the control list · Issue #143637 · python/cpython · GitHub
Opengraph URL: https://github.com/python/cpython/issues/143637
Author: jackfromeast · Published 2026-01-10

### What happened?

`_socket_socket_sendmsg_impl` fast-paths ancillary data with `PySequence_Fast`, assuming the original list stays stable. Parsing each `(level, type, data)` tuple calls `PyLong_AsLongAndOverflow`, which runs `__index__`; a malicious `__index__` can clear the shared list mid-loop, leaving `ncmsgs` and cached element pointers stale. The next `PySequence_Fast_GET_ITEM` then indexes past the shortened list and dereferences freed slots, crashing with a heap OOB read at Modules/socketmodule.c:5005.

**Proof of Concept:**

```python
import socket

seq = []

class Mut:
    def __init__(self):
        self.tripped = False

    def __index__(self):
        if not self.tripped:
            self.tripped = True
            seq.clear()
        return 0

seq[:] = [
    (socket.SOL_SOCKET, Mut(), b'x'),
    (socket.SOL_SOCKET, 0, b'x'),
]
left, right = socket.socketpair()
left.sendmsg([b'x'], seq)
```

**Vulnerable Code Snippet:**

<details>
<summary>Click to expand</summary>

```c
/* Buggy Re-entrant Path */
long
PyLong_AsLongAndOverflow(PyObject *vv, int *overflow)
{
    /* ... */
    if (PyLong_Check(vv)) {
        v = (PyLongObject *)vv;
    }
    else {
        v = (PyLongObject *)_PyNumber_Index(vv); /* Reentrant call site */
        if (v == NULL)
            return -1;
        do_decref = 1;
    }
    /* ... */
}

if ((cmsg_fast = PySequence_Fast(cmsg_arg,
                                 "sendmsg() argument 2 must be an "
                                 "iterable")) == NULL)
    goto finally;
ncmsgs = PySequence_Fast_GET_SIZE(cmsg_fast);
/* ... */
while (ncmsgbufs < ncmsgs) {
    if (!PyArg_Parse(PySequence_Fast_GET_ITEM(cmsg_fast, ncmsgbufs), /* crashing pointer derived */
                     "(iiy*):[sendmsg() ancillary data items]",
                     &cmsgs[ncmsgbufs].level,
                     &cmsgs[ncmsgbufs].type,
                     &cmsgs[ncmsgbufs].data)) /* Crash site */
        goto finally;
    /* ... */
}

/* Clobbering Path */
static void
list_clear_impl(PyListObject *a, bool is_resize)
{
    PyObject **items = a->ob_item;
    /* ... */

    Py_ssize_t i = Py_SIZE(a);
    Py_SET_SIZE(a, 0);
    FT_ATOMIC_STORE_PTR_RELEASE(a->ob_item, NULL);
    a->allocated = 0;
    while (--i >= 0) {
        Py_XDECREF(items[i]); /* state mutate site */
    }
    free_list_items(items, use_qsbr);
}
```
</details>

**Sanitizer Output:**

<details>
<summary>Click to expand</summary>

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==423360==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x73089bf5b108 bp 0x7ffe70547070 sp 0x7ffe70546db0 T0)
==423360==The signal is caused by a READ memory access.
==423360==Hint: address points to the zero page.
    #0 0x73089bf5b108 in _socket_socket_sendmsg_impl Modules/socketmodule.c:5005
    #1 0x73089bf5b108 in _socket_socket_sendmsg Modules/clinic/socketmodule.c.h:188
    #2 0x605448f333e7 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:169
    #3 0x605448f333e7 in PyObject_Vectorcall Objects/call.c:327
    #4 0x605448de75a2 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:1620
    #5 0x6054492b1ad6 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:121
    #6 0x6054492b1ad6 in _PyEval_Vector Python/ceval.c:2001
    #7 0x6054492b1ad6 in PyEval_EvalCode Python/ceval.c:884
    #8 0x6054493f716e in run_eval_code_obj Python/pythonrun.c:1365
    #9 0x6054493f716e in run_mod Python/pythonrun.c:1459
    #10 0x6054493fbe17 in pyrun_file Python/pythonrun.c:1293
    #11 0x6054493fbe17 in _PyRun_SimpleFileObject Python/pythonrun.c:521
    #12 0x6054493fc93c in _PyRun_AnyFileObject Python/pythonrun.c:81
    #13 0x60544946fe3c in pymain_run_file_obj Modules/main.c:410
    #14 0x60544946fe3c in pymain_run_file Modules/main.c:429
    #15 0x60544946fe3c in pymain_run_python Modules/main.c:691
    #16 0x60544947171e in Py_RunMain Modules/main.c:772
    #17 0x60544947171e in pymain_main Modules/main.c:802
    #18 0x60544947171e in Py_BytesMain Modules/main.c:826
    #19 0x73089c42a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #20 0x73089c42a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #21 0x605448e0b634 in _start (/home/jackfromeast/Desktop/entropy/targets/grammar-afl++-latest/targets/cpython/python+0x206634) (BuildId: 4d105290d0ad566a4d6f4f7b2f05fbc9e317b533)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV Modules/socketmodule.c:5005 in _socket_socket_sendmsg_impl
==423360==ABORTING
```
</details>

### CPython versions tested on:

<details>

| Python Version | Status | Exit Code |
|---|---|---|
| `Python 3.9.24+ (heads/3.9:111bbc15b26, Oct 28 2025, 16:51:20)` | ASAN | 1 |
| `Python 3.10.19+ (heads/3.10:014261980b1, Oct 28 2025, 16:52:08) [Clang 18.1.3 (1ubuntu1)]` | ASAN | 1 |
| `Python 3.11.14+ (heads/3.11:88f3f5b5f11, Oct 28 2025, 16:53:08) [Clang 18.1.3 (1ubuntu1)]` | ASAN | 1 |
| `Python 3.12.12+ (heads/3.12:8cb2092bd8c, Oct 28 2025, 16:54:14) [Clang 18.1.3 (1ubuntu1)]` | ASAN | 1 |
| `Python 3.13.9+ (heads/3.13:9c8eade20c6, Oct 28 2025, 16:55:18) [Clang 18.1.3 (1ubuntu1)]` | ASAN | 1 |
| `Python 3.14.0+ (heads/3.14:2e216728038, Oct 28 2025, 16:56:16) [Clang 18.1.3 (1ubuntu1)]` | ASAN | 1 |
| `Python 3.15.0a1+ (heads/main:f5394c257ce, Oct 28 2025, 19:29:54) [GCC 13.3.0]` | ASAN | 1 |

</details>

### Output from running 'python -VV' on the command line:

Python 3.15.0a1+ (heads/main:f5394c257ce, Oct 28 2025, 19:29:54) [GCC 13.3.0]

### Linked PRs
* gh-143892
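A pure-Python model of the hazard the report describes, added here as an example; it is not code from CPython or from the issue, and the snapshot mitigation it shows is my illustration of the defensive pattern (copy the caller's sequence into an immutable tuple before parsing any element), not necessarily the change in the linked PR. The cached-length loop in `parse_unsafe` mirrors the C loop and fails with `IndexError` where the C code reads a stale pointer; `parse_safe` is unaffected by the same re-entrant `__index__`.

```python
import operator


class ClearingIndex:
    """__index__ that empties a shared list the first time it runs.

    Constructed stand-in for the report's `Mut` class: any object with an
    __index__ method gets called from inside the parser's int conversion,
    which is the re-entrancy point the issue describes.
    """

    def __init__(self, shared):
        self.shared = shared
        self.tripped = False

    def __index__(self):
        if not self.tripped:
            self.tripped = True
            self.shared.clear()  # mutates the sequence the parser is walking
        return 0


def _parse_item(item):
    level, ctype, data = item
    # operator.index() is the Python-level equivalent of _PyNumber_Index,
    # i.e. the call that re-enters user code in the C parser.
    return operator.index(level), operator.index(ctype), bytes(data)


def parse_unsafe(cmsgs):
    """Cache the length up front and index the live object, like the C loop."""
    n = len(cmsgs)  # same role as ncmsgs = PySequence_Fast_GET_SIZE(...)
    return [_parse_item(cmsgs[i]) for i in range(n)]  # cmsgs[i] can be gone


def parse_safe(cmsgs):
    """Snapshot first: re-entrant code cannot shrink an immutable copy."""
    items = tuple(cmsgs)  # holds its own references to every element
    return [_parse_item(item) for item in items]


def demo():
    seq = []
    seq[:] = [(1, ClearingIndex(seq), b"x"), (1, 0, b"y")]
    try:
        parse_unsafe(seq)
        unsafe = "no error"
    except IndexError:
        unsafe = "IndexError"
    seq[:] = [(1, ClearingIndex(seq), b"x"), (1, 0, b"y")]
    return unsafe, parse_safe(seq)
```

Every element is still parsed from the snapshot even though `seq` is empty by the time the second tuple is reached.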