From: tonghuaroot (童话) Date: Sat, 13 Jun 2026 17:23:44 +0000 (+0800) Subject: gh-151403: Fix use-after-free when an argv item's __fspath__ mutates args (GH-151404) X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6679ac07d881f6e0ce30b7cc28b5671eafa20d9d;p=thirdparty%2FPython%2Fcpython.git gh-151403: Fix use-after-free when an argv item's __fspath__ mutates args (GH-151404) --------- Co-authored-by: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com> --- diff --git a/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst b/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst new file mode 100644 index 000000000000..ca779ed684e7 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst @@ -0,0 +1,3 @@ +Fixed a crash in :class:`subprocess.Popen` (and ``_posixsubprocess.fork_exec``) +when an ``argv`` item's :meth:`~os.PathLike.__fspath__` concurrently mutates the +``args`` sequence being converted. diff --git a/Modules/_posixsubprocess.c b/Modules/_posixsubprocess.c index ddc27c4a5b73..2aa3923f68e6 100644 --- a/Modules/_posixsubprocess.c +++ b/Modules/_posixsubprocess.c @@ -1090,8 +1090,14 @@ subprocess_fork_exec_impl(PyObject *module, PyObject *process_args, goto cleanup; } borrowed_arg = PySequence_Fast_GET_ITEM(fast_args, arg_num); - if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0) + /* borrowed_arg is only borrowed; its __fspath__() may run Python + that drops fast_args' last reference to it. */ + Py_INCREF(borrowed_arg); + if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0) { + Py_DECREF(borrowed_arg); goto cleanup; + } + Py_DECREF(borrowed_arg); PyTuple_SET_ITEM(converted_args, arg_num, converted_arg); }