
fix: use-after-free in get_data_from_buffer #677

Open
KowalskiThomas wants to merge 2 commits into msgpack:main from KowalskiThomas:kowalski/fix-uaf-step-1

Conversation

@KowalskiThomas
Contributor

What is this PR?

There currently is a crash happening when unpacking data from a non-contiguous input.

The current PR adds a test to confirm the problem is not happening anymore as well as the fix itself.
Running the reproducer with the fix applied makes the crash go away.

This is a reproducer:

from msgpack import packb, unpackb

packed = packb(2**32)

# Interleave a zero byte after every payload byte
padded = bytearray()
for byte in packed:
    padded.append(byte)
    padded.append(0)

# Stride-2 view that covers only the payload bytes: same content, but not C-contiguous
noncont = memoryview(bytes(padded))[::2]
assert not noncont.c_contiguous
assert unpackb(noncont) == 2**32

Running it results in the following:

ASAN_OPTIONS=detect_leaks=0 python -m pytest test/test_memoryview.py -k test_unpack_noncontiguous_memoryview
================================================================= test session starts =================================================================
platform darwin -- Python 3.16.0a0, pytest-9.0.3, pluggy-1.6.0
rootdir: /Users/thomas.kowalski/Documents/msgpack-python
configfile: pyproject.toml
collected 14 items / 13 deselected / 1 selected                                                                                                       

test/test_memoryview.py Fatal Python error: Aborted

Current thread 0x00000001ee7898c0 (most recent call first):
  File "/Users/thomas.kowalski/Documents/msgpack-python/test/test_memoryview.py", line 116 in test_unpack_noncontiguous_memoryview
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/python.py", line 166 in pytest_pyfunc_call
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_callers.py", line 121 in _multicall
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_manager.py", line 120 in _hookexec
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_hooks.py", line 512 in __call__
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/python.py", line 1720 in runtest
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/runner.py", line 179 in pytest_runtest_call
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_callers.py", line 121 in _multicall
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_manager.py", line 120 in _hookexec
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_hooks.py", line 512 in __call__
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/runner.py", line 245 in <lambda>
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/runner.py", line 353 in from_call
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/runner.py", line 244 in call_and_report
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/runner.py", line 137 in runtestprotocol
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/runner.py", line 118 in pytest_runtest_protocol
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_callers.py", line 121 in _multicall
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_manager.py", line 120 in _hookexec
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_hooks.py", line 512 in __call__
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/main.py", line 396 in pytest_runtestloop
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_callers.py", line 121 in _multicall
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_manager.py", line 120 in _hookexec
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_hooks.py", line 512 in __call__
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/main.py", line 372 in _main
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/main.py", line 318 in wrap_session
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/main.py", line 365 in pytest_cmdline_main
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_callers.py", line 121 in _multicall
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_manager.py", line 120 in _hookexec
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pluggy/_hooks.py", line 512 in __call__
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/config/__init__.py", line 199 in main
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/_pytest/config/__init__.py", line 223 in console_main
  File "/Users/thomas.kowalski/Documents/msgpack-python/venv-asan/lib/python3.16/site-packages/pytest/__main__.py", line 9 in <module>
  File "<frozen runpy>", line 87 in _run_code
  File "<frozen runpy>", line 201 in _run_module_as_main

Current thread's C stack trace (most recent call first):
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _Py_DumpStack+0xf4 [0x102fc4bc0]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at faulthandler_fatal_error+0x470 [0x10300492c]
  Binary file "/usr/lib/system/libsystem_platform.dylib", at _sigtramp+0x38 [0x1829897a4]
  Binary file "/usr/lib/system/libsystem_pthread.dylib", at pthread_kill+0x128 [0x18297f8d8]
  Binary file "/usr/lib/system/libsystem_c.dylib", at abort+0x94 [0x182886790]
  Binary file "/opt/homebrew/Cellar/llvm/22.1.5/lib/clang/22/lib/darwin/libclang_rt.asan_osx_dynamic.dylib", at _ZN11__sanitizer6AtexitEPFvvE+0x0 [0x103efc4cc]
  Binary file "/opt/homebrew/Cellar/llvm/22.1.5/lib/clang/22/lib/darwin/libclang_rt.asan_osx_dynamic.dylib", at _ZN11__sanitizer3DieEv+0x68 [0x103efb9fc]
  Binary file "/opt/homebrew/Cellar/llvm/22.1.5/lib/clang/22/lib/darwin/libclang_rt.asan_osx_dynamic.dylib", at _ZN6__asan19ScopedInErrorReportD2Ev+0x4a8 [0x103eddebc]
  Binary file "/opt/homebrew/Cellar/llvm/22.1.5/lib/clang/22/lib/darwin/libclang_rt.asan_osx_dynamic.dylib", at _ZN6__asan18ReportGenericErrorEmmmmbmjb+0x78c [0x103edd130]
  Binary file "/opt/homebrew/Cellar/llvm/22.1.5/lib/clang/22/lib/darwin/libclang_rt.asan_osx_dynamic.dylib", at __asan_report_load1+0x3c [0x103ede3cc]
  Binary file "/Users/thomas.kowalski/Documents/msgpack-python/msgpack/_cmsgpack.cpython-316-darwin.so", at unpack_execute+0x3b0 [0x10ec58328]
  Binary file "/Users/thomas.kowalski/Documents/msgpack-python/msgpack/_cmsgpack.cpython-316-darwin.so", at unpack_construct+0x38 [0x10ec57f6c]
  Binary file "/Users/thomas.kowalski/Documents/msgpack-python/msgpack/_cmsgpack.cpython-316-darwin.so", at __pyx_pf_7msgpack_9_cmsgpack_2unpackb+0x7c0 [0x10ec70a48]
  Binary file "/Users/thomas.kowalski/Documents/msgpack-python/msgpack/_cmsgpack.cpython-316-darwin.so", at __pyx_pw_7msgpack_9_cmsgpack_3unpackb+0xd7c [0x10ec7010c]
  Binary file "/Users/thomas.kowalski/Documents/msgpack-python/msgpack/_cmsgpack.cpython-316-darwin.so", at __Pyx_CyFunction_Vectorcall_FASTCALL_KEYWORDS+0x198 [0x10ec6e430]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at PyObject_Vectorcall+0xdc [0x102ada240]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _Py_VectorCallInstrumentation_StackRefSteal+0x2b8 [0x102e30e10]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyEval_EvalFrameDefault+0x1d998 [0x102e50dc4]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyEval_Vector+0x420 [0x102e30068]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyObject_VectorcallDictTstate+0x1a4 [0x102ad88a0]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyObject_Call_Prepend+0x134 [0x102adb134]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at slot_tp_call+0x124 [0x102c5d2f0]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyObject_MakeTpCall+0x1ac [0x102ad8d94]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _Py_VectorCallInstrumentation_StackRefSteal+0x2b8 [0x102e30e10]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyEval_EvalFrameDefault+0x13f44 [0x102e47370]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyEval_Vector+0x420 [0x102e30068]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyObject_VectorcallDictTstate+0x1a4 [0x102ad88a0]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyObject_Call_Prepend+0x134 [0x102adb134]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at slot_tp_call+0x124 [0x102c5d2f0]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyObject_Call+0x13c [0x102ada544]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyEval_EvalFrameDefault+0x2b40 [0x102e35f6c]
  Binary file "/Users/thomas.kowalski/Documents/cpython-asan/install/bin/python3.16", at _PyEval_Vector+0x420 [0x102e30068]
  <truncated rest of calls>

Extension modules: msgpack._cmsgpack (total: 1)
zsh: abort      ASAN_OPTIONS=detect_leaks=0 python -m pytest test/test_memoryview.py -k 
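A Python illustration of the pattern the reproducer above exercises, added here as an example; it is not code from msgpack-python or from this PR. A buffer-consuming function first normalises any buffer-protocol object to a one-dimensional, C-contiguous byte view, and the copy it may have to make is owned by the returned memoryview for the whole parse, so the parser never reads memory that has already been released. The helper names (`get_contiguous_data`, `unpack_uint`, `unpack_safely`, `unpack_direct_outcome`), the pure-Python integer decoder standing in for the C unpacker, and the hand-built byte string equivalent to `packb(2**32)` are assumptions of this example, not the project's API.

```python
"""Added example, not code from msgpack-python or from this PR.

Shows the contiguity/lifetime invariant a buffer-consuming parser must keep:
if the caller hands in a strided memoryview, copy it to contiguous memory and
keep that copy alive for the whole parse.  A pure-Python decoder stands in for
the C unpacker so the file runs without msgpack installed.
"""
import struct

# Constructed sample: msgpack encoding of 2**32, i.e. the "uint 64" format
# (0xcf followed by 8 big-endian bytes).  Equivalent to packb(2**32).
PACKED_2_POW_32 = b"\xcf" + (2**32).to_bytes(8, "big")

# msgpack type byte -> struct format for the fixed-width unsigned integers.
_UINT_FORMATS = {0xCC: ">B", 0xCD: ">H", 0xCE: ">I", 0xCF: ">Q"}


def make_noncontiguous(packed: bytes) -> memoryview:
    """Build the PR reproducer's input: interleave a zero byte after every
    payload byte, then take a stride-2 view that covers only the payload."""
    padded = bytearray()
    for byte in packed:
        padded.append(byte)
        padded.append(0)
    view = memoryview(bytes(padded))[::2]
    assert not view.c_contiguous
    return view


def get_contiguous_data(obj) -> memoryview:
    """Return a 1-D, C-contiguous, unsigned-byte view of `obj`.

    When the incoming view is already in that shape it is returned as is.
    Otherwise the bytes are copied out with tobytes() and a view over the
    copy is returned.  The memoryview keeps a reference to the copy (its
    `.obj` attribute), so the memory stays valid for as long as the view
    does; this is the lifetime rule a C caller must also respect.
    """
    view = memoryview(obj)
    if view.ndim == 1 and view.format == "B" and view.c_contiguous:
        return view
    return memoryview(view.tobytes())


def unpack_uint(view) -> int:
    """Decode one msgpack unsigned integer at the start of `view`.

    Stand-in for the C parser.  struct.unpack_from asks for a simple
    (contiguous) buffer, just as a C pointer walk assumes one, so a strided
    memoryview is rejected with BufferError instead of being misread.
    Handles positive fixint and uint 8/16/32/64.
    """
    first = struct.unpack_from(">B", view, 0)[0]
    if first <= 0x7F:  # positive fixint carries the value itself
        return first
    fmt = _UINT_FORMATS.get(first)
    if fmt is None:
        raise ValueError(f"not an unsigned-integer type byte: 0x{first:02x}")
    if len(view) < 1 + struct.calcsize(fmt):
        raise ValueError("truncated msgpack integer")
    return struct.unpack_from(fmt, view, 1)[0]


def unpack_safely(obj) -> int:
    """Normalise first, then parse.  `data` is a local for the full duration
    of unpack_uint, so any contiguous copy it owns cannot be freed mid-parse."""
    data = get_contiguous_data(obj)
    return unpack_uint(data)


def unpack_direct_outcome(obj) -> str:
    """Feed `obj` to the parser with no normalisation and report the outcome,
    to contrast with unpack_safely()."""
    try:
        return f"value={unpack_uint(obj)}"
    except BufferError as exc:
        return f"BufferError: {exc}"


if __name__ == "__main__":
    noncont = make_noncontiguous(PACKED_2_POW_32)
    print("direct:", unpack_direct_outcome(noncont))
    print("normalised:", unpack_safely(noncont))
```

Handed the strided view directly, the `struct`-based stand-in fails closed with `BufferError`, because it requests a simple (contiguous) buffer; a C consumer gets the same guarantee by requesting `PyBUF_SIMPLE` or by making an explicit contiguous copy whose owner it holds until parsing is finished. Normalising first makes the same input decode to 2**32.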

KowalskiThomas force-pushed the kowalski/fix-uaf-step-1 branch from 882aa38 to 9845e8e on May 26, 2026 15:27
KowalskiThomas force-pushed the kowalski/fix-uaf-step-1 branch from 2af2d1f to eae29a9 on May 26, 2026 15:48
KowalskiThomas marked this pull request as ready for review on May 26, 2026 19:21