gh-150157: fix: critical section for PyDict_Next in _pickle.c#150158
Conversation
KowalskiThomas
changed the title
PyDict_Next in _pickle.cPyDict_Next in _pickle.c
| @@ -0,0 +1,2 @@ | |||
| Fix a heap use-after-free in :mod:`pickle`\'s ``whichmodule`` on | |||
There was a problem hiding this comment.
whichmodule is an internal detail not visible to users. Describe the cause in general words, like it looks from user's point.
There was a problem hiding this comment.
How does the following sound? (I pushed it for now.)
Fix a potential crash occurring when pickling objects
concurrently in free-threaded builds.
Tried to make it clear from and end-user perspective while not sounding too scary (since it's a rare race condition), hence the potential.
There was a problem hiding this comment.
It's not just a matter of luck. There have to be several conditions for this to happen. First, we must pickle by name an object without the __module__ attribute. Second, sys.modules should be concurrently modified (in a specific way, but we will leave this).
There was a problem hiding this comment.
Okay, I feared this might be a little bit too detail-y. I'll rephrase it again 😅
There was a problem hiding this comment.
Updated to this.
Fix a crash in free-threaded builds that occurs when pickling
an object without a ``__module__`` attribute while :data:`sys.modules`
is concurrently being modified.
eb71e46 to
88e8cb8
Compare
KowalskiThomas
force-pushed
the
kowalski/fix-pickle-whichmodule-has-a-uaf-on-free-threading
branch
from
88e8cb8 to
3981cfc
Compare
serhiy-storchaka
left a comment
serhiy-storchaka
left a comment
There was a problem hiding this comment.
Technically, this is not correct, most objects do not have such issue even without having __module__, only objects pickled by name (some singletons, named constants or enum-like objects). But if you think that the current wording is enough, we can leave it.
|
@serhiy-storchaka Right... Thanks for bearing with me; I've updated it again and I think it should be clear and accurate now 😅 Latest version is: |
There was a problem hiding this comment.
LGTM.
@serhiy-storchaka: I will leave it to you to do the final review :-)
serhiy-storchaka
added
needs backport to 3.13
|
Thanks @KowalskiThomas for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14. |
|
Thanks @KowalskiThomas for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.15. |
|
Thanks @KowalskiThomas for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13. |
|
GH-150710 is a backport of this pull request to the 3.14 branch. |
|
Sorry, @KowalskiThomas and @serhiy-storchaka, I could not cleanly backport this to |
|
GH-150711 is a backport of this pull request to the 3.15 branch. |
bedevere-app
Bot
removed
the
needs backport to 3.15
…GH-150158) (GH-150710) (cherry picked from commit c5516e7) Co-authored-by: Thomas Kowalski <thom.kowa@gmail.com>
…GH-150158) (#150711) (cherry picked from commit c5516e7) Co-authored-by: Thomas Kowalski <thom.kowa@gmail.com>
3 participants
Fixes #150157.
PyDict_Nextin_pickle.c#150157