Skip to content

gh-144475: Fix a heap buffer overflow in partial_repr#145362

Merged
encukou merged 5 commits intopython:mainfrom
bkap123:partial-repr
Mar 3, 2026
Merged

gh-144475: Fix a heap buffer overflow in partial_repr#145362
encukou merged 5 commits intopython:mainfrom
bkap123:partial-repr

Conversation

@bkap123
Copy link
Contributor

@bkap123 bkap123 commented Feb 28, 2026
edited
Loading

This is a cleaner version of PR #144571. I am not exactly sure what happened in #144571 so I would appreciate if anyone could tell me so I don't make the same mistake again.

Here are the changes I made:

  • I added an args and kw local pointer so that both live long enough during the call to repr to prevent a segfault
  • I added an fn local pointer so that repr uses its original state when generating its final representation.
  • I got rid of the error goto and merged it with the done goto as I needed to decrement the reference count of fn, args, and kw, and I found that decrementing them in the done goto was the easiest.
  • I added a test based on @Qanux's original code. I extended it to also check for changes in the fn and kw arguments.

@bkap123 bkap123 requested a review from rhettinger as a code owner February 28, 2026 16:02
aisk
aisk approved these changes Feb 28, 2026
View reviewed changes
aisk
aisk reviewed Feb 28, 2026
View reviewed changes
Copy link
Member

@aisk aisk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, the approval is by accidant. I don't mean to approve this, just have comments this.

@bedevere-app bedevere-app bot mentioned this pull request Feb 28, 2026
Open
@aisk aisk self-requested a review February 28, 2026 17:23
@StanFromIreland StanFromIreland changed the title gh-144475: Fix a heap buffer overflow in partial_repr (v2) gh-144475: Fix a heap buffer overflow in partial_repr Feb 28, 2026
encukou
encukou reviewed Mar 2, 2026
View reviewed changes
Copy link
Member

@encukou encukou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not exactly sure what happened in #144571 so I would appreciate if anyone could tell me so I don't make the same mistake again.

Looks like a bad git rebase.
You don't need rebase in CPython, since the PRs are squashed.

Modules/_functoolsmodule.c
for (i = 0; PyDict_Next(pto->kw, &i, &key, &value);) {
for (i = 0; PyDict_Next(kw, &i, &key, &value);) {
/* Prevent key.__str__ from deleting the value. */
Py_INCREF(value);
Copy link
Member

@encukou encukou Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we're covering all the bases:

Here, key can be an arbitrary object as well.

Also, the iteration should have a critical section around it -- see PyDict_Next docs.

But perhaps the best way to solve that would be switching to always use frozendict with string keys, so let's leave this to a future PR?

Copy link
Contributor Author

@bkap123 bkap123 Mar 2, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, the iteration should have a critical section around it -- see PyDict_Next docs.

I think that adding a critical section here is best for a future PR. This PR is more about fixing a mutation during repr. In contrast, adding a critical section is intended for the free-threaded build. Additionally, I realized that there are quite a few other times in this file where PyDict_Next is called without a critical section, so a new PR is needed anyway. I can create an issue for this change, although, should we wait on a PR until this one is merged to avoid any conflicts? I'm fine adding a critical section now, though, if you think that is better.

But perhaps the best way to solve that would be switching to always use frozendict with string keys, so let's leave this to a future PR?

I agree, enforcing that kw has only string keys seems like the best solution. Just to make sure I understand correctly, when you mean switch to using a frozendict, are you saying that the kw entry in the partialobject struct should be a frozendict instead of a dict, or are you referring to something only in this function (partial_repr)? If the former, I would like to work on making that change in a new PR. I’m fairly new to CPython, so I’d appreciate any suggestions you have for that change.

Copy link
Member

@encukou encukou Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that adding a critical section here is best for a future PR.

OK!

are you saying that the kw entry in the partialobject struct should be a frozendict instead of a dict, or are you referring to something only in this function (partial_repr)?

The former seems worth looking into. As you said, there's a lot of PyDict_Next without critical sections (and other possibilities for possible mutation than threads); frozendict could solve these neatly.

I can create an issue for this change, although, should we wait on a PR until this one is merged to avoid any conflicts?

Yes.

@aisk aisk mentioned this pull request Mar 2, 2026
Closed
@bkap123 bkap123 mentioned this pull request Mar 3, 2026
Open
@encukou encukou enabled auto-merge (squash) March 3, 2026 13:20
@encukou encukou added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Mar 3, 2026
@encukou encukou merged commit 671a953 into python:main Mar 3, 2026
55 checks passed
@miss-islington-app
Copy link

miss-islington-app bot commented Mar 3, 2026

Thanks @bkap123 for the PR, and @encukou for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Mar 3, 2026
@bkap123 @miss-islington
pythongh-144475: Fix reference management in partial_repr (pythonGH-1…
cac1a91 
…45362)

(cherry picked from commit 671a953)

Co-authored-by: bkap123 <97006829+bkap123@users.noreply.github.com>
@miss-islington-app
Copy link

miss-islington-app bot commented Mar 3, 2026

Sorry, @bkap123 and @encukou, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 671a953dd65292a5b69ba7393666ddcac93dbc44 3.13

@bedevere-app
Copy link

bedevere-app bot commented Mar 3, 2026

GH-145470 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Mar 3, 2026
@bkap123 bkap123 deleted the partial-repr branch March 3, 2026 13:56
@bkap123 bkap123 mentioned this pull request Mar 3, 2026
Open
encukou pushed a commit that referenced this pull request Mar 3, 2026
@miss-islington @bkap123
[3.14] gh-144475: Fix reference management in partial_repr (GH-145362) (
3c99c16 
GH-145470)

(cherry picked from commit 671a953)

Co-authored-by: bkap123 <97006829+bkap123@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@encukou encukou encukou approved these changes

@rhettinger rhettinger Awaiting requested review from rhettinger rhettinger is a code owner

@aisk aisk Awaiting requested review from aisk

Assignees

@encukou encukou

Labels

needs backport to 3.13 bugs and security fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bkap123 @encukou @aisk