Crash report
What happened?
A UAF in Element.remove was fixed in #68279 but one can mutate the child's list during .remove and cause an OOB crash:
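import xml.etree.ElementTree as ET

class EvilElement(ET.Element):
    def __eq__(self, other):
        # Clear the parent's children while remove() is still scanning them.
        base.clear()
        return False

base = ET.Element('a')
base.append(EvilElement('a'))
base.append(EvilElement('a'))
# 'b' is not a child of base, so remove() compares it against each child,
# which invokes EvilElement.__eq__.
base.remove(ET.Element('b'))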
Attacked code:
    for (i = 0; i < self->extra->length; i++) {
        if (self->extra->children[i] == subelement)
            break;
        rc = PyObject_RichCompareBool(self->extra->children[i], subelement, Py_EQ);
        if (rc > 0)
            break;
        if (rc < 0)
            return NULL;
    }
I think we need to introduce some state integer to check that there is no evil mutation (similar to what's being done for OrderedDict).
CPython versions tested on:
CPython main branch
Operating systems tested on:
No response
Output from running 'python -VV' on the command line:
No response
Attacked code location: cpython/Modules/_elementtree.c, lines 1648 to 1656 in dc76a4a
Linked PRs
xml.etree.ElementTree.Element.remove when concurrent mutations happen #126124
xml.etree.ElementTree.Element.remove when concurrent mutations happen (GH-126124) #131929
xml.etree.ElementTree.Element.remove when concurrent mutations happen (GH-126124) #131930
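The state-integer idea suggested in the report, sketched as an added example; this is not CPython's code and not the fix from the linked PRs. It is a constructed C model in which a comparison callback stands in for `__eq__`, and the names `Node`, `Extra`, `state`, `eq_fn`, `node_*` and `demo` are all hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of an element and its child storage; not CPython's structs. */
typedef struct { size_t length; int children[8]; } Extra;
typedef struct Node {
    Extra *extra;         /* freed and set to NULL by node_clear() */
    unsigned long state;  /* hypothetical counter, bumped on every structural change */
} Node;
typedef int (*eq_fn)(Node *owner, int child, int target);
static void node_clear(Node *n) { free(n->extra); n->extra = NULL; n->state++; }
static int node_append(Node *n, int v) {
    if (!n->extra && !(n->extra = calloc(1, sizeof(Extra)))) return -1;
    if (n->extra->length == 8) return -1;
    n->extra->children[n->extra->length++] = v;
    n->state++;
    return 0;
}

/* eq_evil clears the owner mid-comparison, as EvilElement.__eq__ does with base.clear(). */
static int eq_plain(Node *o, int c, int t) { (void)o; return c == t; }
static int eq_evil(Node *o, int c, int t) { (void)c; (void)t; node_clear(o); return 0; }

/* Returns 1 if removed, 0 if not found, -1 if the node changed during the scan. */
static int node_remove(Node *n, int target, eq_fn eq) {
    size_t i;
    if (!n->extra) return 0;
    for (i = 0; i < n->extra->length; i++) {
        unsigned long seen = n->state;
        int rc = eq(n, n->extra->children[i], target);  /* may run arbitrary code */
        if (n->state != seen) return -1;  /* checked before n->extra is read again */
        if (rc > 0) break;
    }
    if (i == n->extra->length) return 0;
    memmove(&n->extra->children[i], &n->extra->children[i + 1],
            (n->extra->length - i - 1) * sizeof(int));
    n->extra->length--;
    n->state++;
    return 1;
}

/* Two children, then one remove call, like the reproducer; returns node_remove's result. */
int demo(eq_fn eq, int target) {
    Node n = {NULL, 0};
    node_append(&n, 1); node_append(&n, 2);
    int rc = node_remove(&n, target, eq);
    node_clear(&n);
    return rc;
}
int main(void) { return demo(eq_evil, 3) == -1 ? 0 : 1; }
```

The counter lives on the node rather than in the child storage, so it is still readable after the callback has freed that storage.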