Skip to content

gh-136053: Memory Safety Issue in marshal.c TYPE_SLICE Case #136054

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

gh-136053: Memory Safety Issue in marshal.c TYPE_SLICE Case #136054

wants to merge 18 commits into from
+4 −0

Conversation

akshat62
Copy link
Contributor

@akshat62 akshat62 commented Jun 27, 2025
edited by bedevere-app bot
Loading

@bedevere-app bedevere-app bot mentioned this pull request Jun 27, 2025
Open
picnixz
picnixz reviewed Jun 27, 2025
View reviewed changes
Copy link
Member

@picnixz picnixz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @serhiy-storchaka

Would it be possible to add a test with a maliciously crafted data so that we ensure that the vulnerability can be exploited?

picnixz
picnixz reviewed Jun 27, 2025
View reviewed changes
picnixz
picnixz reviewed Jun 27, 2025
View reviewed changes
sobolevn
sobolevn reviewed Jun 28, 2025
View reviewed changes
@picnixz
Copy link
Member

picnixz commented Jun 28, 2025

Thanks for the fix but please add a regression test. Even if it's not easily reproducible, I'd like to see a PoC.

@serhiy-storchaka serhiy-storchaka self-requested a review June 28, 2025 09:26
serhiy-storchaka
serhiy-storchaka reviewed Jun 28, 2025
View reviewed changes
Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test does not work.

For testing, you need to create at least 2147483646 (0x7ffffffe) references. This is impossible on 32-bit platform, and on 64-bit platforms it will consume at least 16 GiB (and maybe 32 GiB or 64 GiB due to overallocation) only for the list, not counting the referred objects. This is a bigmem test. This will also take a significant amount of time to run. I do not think it is worth to add an expensive test for trivial fix.

serhiy-storchaka
serhiy-storchaka approved these changes Jun 28, 2025
View reviewed changes
Copy link
Member

@serhiy-storchaka serhiy-storchaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@akshat62 akshat62 requested a review from picnixz June 28, 2025 14:14
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@sobolevn sobolevn sobolevn left review comments

@serhiy-storchaka serhiy-storchaka serhiy-storchaka approved these changes

@picnixz picnixz picnixz approved these changes

Assignees
No one assigned
Labels
awaiting merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@akshat62 @picnixz @serhiy-storchaka @sobolevn