Skip to content

gh-151403: Fix use-after-free when an argv item's __fspath__ mutates args#151404

Open
tonghuaroot wants to merge 1 commit into
python:mainfrom
tonghuaroot:gh-151403-posixsubprocess-fspath-uaf
Open

gh-151403: Fix use-after-free when an argv item's __fspath__ mutates args#151404
tonghuaroot wants to merge 1 commit into
python:mainfrom
tonghuaroot:gh-151403-posixsubprocess-fspath-uaf

Conversation

@tonghuaroot

@tonghuaroot tonghuaroot commented Jun 12, 2026
edited by bedevere-app Bot
Loading

Copy link
Copy Markdown
Contributor

_posixsubprocess.fork_exec() converts each args item with
PyUnicode_FSConverter(), which runs the item's __fspath__(). The item is only
borrowed from the (incref'd) args sequence. If __fspath__() drops the
sequence's last reference to the item and then returns a non-str/bytes
object, the error path in PyOS_FSPath() reads Py_TYPE() of the now-freed item
— a use-after-free.

It is reachable from subprocess.Popen when a later argv item is a PathLike
whose __fspath__() mutates the args list, e.g.
subprocess.Popen(["/bin/true", Evil()]).

The between-iteration length recheck only catches a shrink between iterations;
the free here happens inside the current iteration's PyUnicode_FSConverter()
call. The fix keeps the borrowed item alive with an Py_INCREF across the
conversion.

Same family as gh-151295 (bytes.join, GH-151296) and gh-151370
(marshal.dumps, GH-151371). Triggering requires a custom __fspath__, so this
is a robustness / crash-hardening fix with no security impact; the NEWS entry is
under Library/.

@tonghuaroot tonghuaroot requested a review from gpshead as a code owner June 12, 2026 14:47
@bedevere-app bedevere-app Bot mentioned this pull request Jun 12, 2026
Open
gpshead
gpshead reviewed Jun 12, 2026
View reviewed changes
Comment thread Lib/test/test_subprocess.py
gc.disable()

@support.cpython_only
def test_fork_exec_args_concurrent_mutation(self):

@gpshead gpshead Jun 12, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lets not add this test. it is perhaps useful for illustration purposes, but this is not specific to subprocess. it's C API misuse. FWIW, thanks! overall the rest of the PR looks good.

I've pointed claude fable at the antipattern to find and fixup others and improve the docs as a future prevention matter: #151416

@gpshead gpshead self-assigned this Jun 12, 2026
@gpshead gpshead added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes needs backport to 3.15 pre-release feature fixes, bugs and security fixes labels Jun 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpshead gpshead gpshead left review comments

Assignees

@gpshead gpshead

Labels

awaiting review needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes needs backport to 3.15 pre-release feature fixes, bugs and security fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tonghuaroot @gpshead