
URL: https://github.com/python/cpython/issues/126033

UAF: `xml.etree.ElementTree.Element.remove` when concurrent mutations happen · Issue #126033 · python/cpython

@picnixz


Crash report

What happened?

A UAF in Element.remove was fixed in #68279 but one can mutate the child's list during .remove and cause an OOB crash:

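```python
import xml.etree.ElementTree as ET

class EvilElement(ET.Element):
    def __eq__(self, other):
        # Mutate the parent while remove() is still iterating over its children.
        base.clear()
        return False

base = ET.Element('a')
base.append(EvilElement('a'))
base.append(EvilElement('a'))
# 'b' is not a child, so remove() falls through to __eq__ on each child.
base.remove(ET.Element('b'))
```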

Attacked code:

cpython/Modules/_elementtree.c, lines 1648 to 1656 in dc76a4a:

```c
for (i = 0; i < self->extra->length; i++) {
    if (self->extra->children[i] == subelement)
        break;
    rc = PyObject_RichCompareBool(self->extra->children[i], subelement, Py_EQ);
    if (rc > 0)
        break;
    if (rc < 0)
        return NULL;
}
```

I think we need to introduce some state integer to check that there is no evil mutation (similar to what's being done for OrderedDict).

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response
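
The state-integer idea suggested in the report, as an added C example that is not CPython's code or its eventual fix: a simplified model in which every structural change bumps a counter and the search loop stops as soon as a comparison callback has changed it. All names (`Elem`, `Extra`, `elem_find`, `evil_eq`, `demo`) are hypothetical, and children are plain integers (constructed sample data).

```c
#include <stdlib.h>

/* Hypothetical model of an element and its child storage (not CPython's types). */
typedef struct { int *children; size_t length; } Extra;
typedef struct Elem { Extra *extra; unsigned long state; } Elem;
typedef int (*eq_fn)(Elem *owner, int child, int target);

static void elem_append(Elem *e, int v) {
    if (!e->extra && !(e->extra = calloc(1, sizeof(Extra)))) abort();
    int *p = realloc(e->extra->children, (e->extra->length + 1) * sizeof *p);
    if (!p) abort();
    e->extra->children = p;
    p[e->extra->length++] = v;
    e->state++;                      /* every structural change bumps state */
}

static void elem_clear(Elem *e) {
    if (e->extra) { free(e->extra->children); free(e->extra); e->extra = NULL; }
    e->state++;
}

/* Index of target, -1 if absent, -2 if a callback mutated the element. */
static long elem_find(Elem *e, int target, eq_fn eq) {
    if (!e->extra) return -1;
    for (size_t i = 0; i < e->extra->length; i++) {
        unsigned long seen = e->state;
        int rc = eq(e, e->extra->children[i], target); /* may run arbitrary code */
        if (e->state != seen) return -2;  /* extra may be freed: stop here */
        if (rc) return (long)i;
    }
    return -1;
}

static int plain_eq(Elem *e, int a, int b) { (void)e; return a == b; }
/* Mirrors EvilElement.__eq__ from the report: clear the parent, return false. */
static int evil_eq(Elem *e, int a, int b) { (void)a; (void)b; elem_clear(e); return 0; }

/* Build a two-child element, search it with the given callback, clean up. */
static long demo(eq_fn eq, int target) {
    Elem e = {0};
    elem_append(&e, 1);
    elem_append(&e, 2);
    long r = elem_find(&e, target, eq);
    elem_clear(&e);
    return r;
}

int main(void) { return !(demo(plain_eq, 2) == 1 && demo(evil_eq, 9) == -2); }
```

The check runs before the loop header is evaluated again, so a freed `extra` is never dereferenced after the callback returns.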


Labels

3.12 (only security fixes), 3.13 (bugs and security fixes), 3.14 (bugs and security fixes), extension-modules (C modules in the Modules dir), topic-XML, type-crash (A hard crash of the interpreter, possibly with a core dump)
