[3.14] gh-142664: fix UAF in `memoryview.__hash__` via re-entrant data's `__hash__...
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Sat, 27 Dec 2025 13:37:32 +0000 (14:37 +0100)
committerGitHub <noreply@github.com>
Sat, 27 Dec 2025 13:37:32 +0000 (13:37 +0000)
gh-142664: fix UAF in `memoryview.__hash__` via re-entrant data's `__hash__` (GH-143217)
(cherry picked from commit 00e24b80e092e7d36dc189fd260b2a4e730a6e7f)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Lib/test/test_memoryview.py
Misc/NEWS.d/next/Core_and_Builtins/2025-12-27-13-18-12.gh-issue-142664.peeEDV.rst [new file with mode: 0644]
Objects/memoryobject.c

index 1bd58eb6408833a28ad947b732a7ce98cedb0fe5..a88413e4bb1d9e35619932dcb4adad47ab69d8a7 100644 (file)
@@ -387,6 +387,20 @@ class AbstractMemoryTests:
         m = self._view(b)
         self.assertRaises(ValueError, hash, m)
 
+    def test_hash_use_after_free(self):
+        # Prevent crash in memoryview(v).__hash__ with re-entrant v.__hash__.
+        # Regression test for https://github.com/python/cpython/issues/142664.
+        class E(array.array):
+            def __hash__(self):
+                mv.release()
+                self.clear()
+                return 123
+
+        v = E('B', b'A' * 4096)
+        mv = memoryview(v).toreadonly()   # must be read-only for hash()
+        self.assertRaises(BufferError, hash, mv)
+        self.assertRaises(BufferError, mv.__hash__)
+
     def test_weakref(self):
         # Check memoryviews are weakrefable
         for tp in self._types:
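Review bot: test_hash_use_after_free asserts only that both hash calls raise BufferError; it never checks that the view's export count is restored afterwards, so a fix that left the counter incremented on the error path would still pass. Ending the test with `mv.release()` would catch that, because release raises BufferError while exports are outstanding. Adding `self.assertEqual(len(v), 4096)` would also confirm that `self.clear()` was never reached. The method is complete within the hunk; the enclosing AbstractMemoryTests class continues outside it.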
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-12-27-13-18-12.gh-issue-142664.peeEDV.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-12-27-13-18-12.gh-issue-142664.peeEDV.rst
new file mode 100644 (file)
index 0000000..39c2183
--- /dev/null
@@ -0,0 +1,3 @@
+Fix a use-after-free crash in :meth:`memoryview.__hash__ <object.__hash__>`
+when the ``__hash__`` method of the referenced object mutates that object or
+the view. Patch by Bénédikt Tran.
index cf673fb379edcd9f3e20c1ae664c5af594334beb..cf570d091102f322926e79149fc685cd7a32a5e1 100644 (file)
@@ -3222,9 +3222,16 @@ memory_hash(PyObject *_self)
                 "memoryview: hashing is restricted to formats 'B', 'b' or 'c'");
             return -1;
         }
-        if (view->obj != NULL && PyObject_Hash(view->obj) == -1) {
-            /* Keep the original error message */
-            return -1;
+        if (view->obj != NULL) {
+            // Prevent 'self' from being freed when computing the item's hash.
+            // See https://github.com/python/cpython/issues/142664.
+            self->exports++;
+            int rc = PyObject_Hash(view->obj);
+            self->exports--;
+            if (rc == -1) {
+                /* Keep the original error message */
+                return -1;
+            }
         }
 
         if (!MV_C_CONTIGUOUS(self->flags)) {
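Review bot: `int rc = PyObject_Hash(view->obj);` stores a Py_hash_t in an int, so on builds where Py_hash_t is wider than int a valid hash whose low bits are all ones can truncate to -1 and take the error return with no exception set. Declaring it as `Py_hash_t rc = PyObject_Hash(view->obj);` keeps the `rc == -1` test exact. The added comment says the increment keeps 'self' from being freed, whereas the regression test exercises releasing the view from inside `__hash__`. A comment such as `// Hold an export so a re-entrant __hash__ cannot release this view.` would describe the guard more precisely. memory_hash starts and ends outside the hunk.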