gh-143544: Fix use-after-free in _json.raise_errmsg #143561
Conversation
|
skip news |
|
No, this affects user-facing APIs; please add a news entry. |
ZeroIntensity
left a comment
ZeroIntensity
left a comment
There was a problem hiding this comment.
- Please avoid making unnecessary code changes. They make it significantly more difficult to review.
- This is doing too much. The much simpler and more correct fix would be to simply move the
Py_DECREFcall on line 426 to after theif (exc)block. - Please add a test case and news entry.
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
Thanks for the review. I’ve updated the patch to keep the fix minimal, added a regression test |
Misc/NEWS.d/next/Library/2026-01-08-19-38-02.gh-issue-143544.4jRCBJ.rst
Outdated
Show resolved
Hide resolved
Modules/_json.c
Outdated
|
|
||
| PyObject *JSONDecodeError = | ||
| PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError)); | ||
| PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError)); |
There was a problem hiding this comment.
Again please don't make unrelated formatting changes.
Modules/_json.c
Outdated
| if (exc) { | ||
| PyObject *exc = PyObject_CallFunction(JSONDecodeError, "zOn", msg, s, end); | ||
| if (exc != NULL) { |
There was a problem hiding this comment.
Same here. The only change we need is the movement of the Py_DECREF call.
There was a problem hiding this comment.
Please revert this change, only move Py_DECREF(JSONDecodeError);.
|
Thanks for the clarification. I’ve updated the test to only assert that the |
|
The NEWS entry was removed per discussion above. Could someone please add the “skip news” label? |
|
I have made the requested changes; please review again. |
|
Thanks for making the requested changes! @ZeroIntensity: please review the changes made to this pull request. |
Modules/_json.c
Outdated
|
|
||
| PyObject *JSONDecodeError = | ||
| PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError)); | ||
| PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError)); |
Modules/_json.c
Outdated
| if (exc) { | ||
| PyObject *exc = PyObject_CallFunction(JSONDecodeError, "zOn", msg, s, end); | ||
| if (exc != NULL) { |
There was a problem hiding this comment.
Please revert this change, only move Py_DECREF(JSONDecodeError);.
Lib/test/test_json/test_fail.py
Outdated
|
|
||
| def test_reentrant_jsondecodeerror_does_not_crash(self): | ||
| # gh-143544 | ||
| import json |
There was a problem hiding this comment.
Please move this import at the module top level.
There was a problem hiding this comment.
Moved import json to the module top level as requested. Thanks.
Modules/_json.c
Outdated
| Py_DECREF(exc); | ||
| } | ||
|
|
||
| /* Move DECREF after PyErr_SetObject */ |
There was a problem hiding this comment.
I don't think that this comment is useful.
There was a problem hiding this comment.
Removed the comment as suggested.
Lib/test/test_json/test_fail.py
Outdated
| ): | ||
| # The exact exception type is not important here; | ||
| # this test only ensures we don't crash. | ||
| with self.assertRaises(Exception): |
There was a problem hiding this comment.
Good point — agreed. I’ll update the test to assert the exact expected exception (JSONDecodeError) instead of a generic Exception, so the regression is checked more precisely.
Co-authored-by: Bénédikt Tran <[email protected]>
Co-authored-by: Bénédikt Tran <[email protected]>
Lib/test/test_json/test_fail.py
Outdated
| hook = Trigger() | ||
| with ( | ||
| support.swap_attr(json, "JSONDecodeError", hook), | ||
| support.swap_attr(json.decoder, "JSONDecodeError", hook) |
There was a problem hiding this comment.
Using swap_attr() context manager keeps hook alive which prevents triggering the crash. Please move back to regular assignment using try/finally.
Also, you need to clear hook (ex: del hook) after the assignment to trigger the crash.
Currently, the test doesn't crash if I revert the _json.c fix.
There was a problem hiding this comment.
Using swap_attr() context manager keeps hook alive which prevents triggering the crash. Please move back to regular assignment using try/finally.
Oh! that's my bad.
There was a problem hiding this comment.
However, a comment may be needed so that others like me don't forget.
There was a problem hiding this comment.
Thanks for the clarification — that makes sense.
I’ll revert swap_attr() usage, restore try/finally, and explicitly del hook after assignment so the test actually reproduces the original crash when _json.c is reverted.
I’ll update the test accordingly.
There was a problem hiding this comment.
However, a comment may be needed so that others like me don't forget.
Maybe the test should check the reference count: self.assertEqual(sys.getrefcount(hook), 3) before del hook.
There was a problem hiding this comment.
Good point — I’ve added a comment explaining why del hook is required and an explicit sys.getrefcount() assertion before deletion to document the reference state.
This should make the intent of the test clearer for future readers.
Lib/test/test_json/test_fail.py
Outdated
| @@ -1,4 +1,5 @@ | |||
| from test.test_json import PyTest, CTest | |||
| import json | |||
There was a problem hiding this comment.
I am not sure this is the right place for such test. This file tests how different decoding errors are handled (and some encoding errors, but I think they are misplaced). But we need to test the bug in the code that raises JSONDecodeError. Maybe test_speedups.py is better place for this.
Lib/test/test_json/test_fail.py
Outdated
| # Remove JSONDecodeError during construction to trigger re-entrancy | ||
| del json.JSONDecodeError | ||
| del json.decoder.JSONDecodeError | ||
| return ValueError("boom") |
There was a problem hiding this comment.
Just for the case, call test.support.gc_collect() .
Lib/test/test_json/test_fail.py
Outdated
| del json.decoder.JSONDecodeError | ||
| return ValueError("boom") | ||
|
|
||
| hook = Trigger() |
There was a problem hiding this comment.
hook must be a subclass of BaseException, otherwise PyErr_SetObject() will raise a SystemError.
class hook(Exception):
def __new__(...):
# ...And now calling gc_collect() is a necessity, because class creates a reference loop.
|
@serhiy-storchaka Thanks for the feedback. I placed the test in test_fail.py because the regression manifests while raising JSONDecodeError during decoding, and this file already exercises failure paths around decoding errors. That said, I’m happy to move the test to test_speedups.py or another more appropriate location if you think that’s a better fit — please let me know your preference. |
|
I have made the requested changes; please review again. |
|
Thanks for making the requested changes! @picnixz, @ZeroIntensity: please review the changes made to this pull request. |
serhiy-storchaka
left a comment
serhiy-storchaka
left a comment
There was a problem hiding this comment.
There is no good place for such test, but I think test_speedups is less wrong than test_fail.
But I suspect that it may be impossible to write a test without raising SystemError for the fixed code, which is only slightly better than a crash. If this is so, we will give up and accept a fix without unit test.
Lib/test/test_json/test_fail.py
Outdated
| raise self | ||
|
|
||
| hook = Trigger() | ||
| hook = Trigger("boom") |
There was a problem hiding this comment.
No, hook should be not an instance of exception, but an exception class itself.
So, you need to define __new__() to trigger execution when it is called, not __call__().
Lib/test/test_json/test_fail.py
Outdated
| self.assertEqual(sys.getrefcount(hook), 3) | ||
| del hook | ||
|
|
||
| support.gc_collect() |
There was a problem hiding this comment.
It does not have effect here, because there are references like json.decoder.JSONDecodeError.
But calling it after del json.decoder.JSONDecodeError in __new__() will also not help, because we still have a reference as a method parameter. So, it is useless.
Maybe we could not create a good test for this issue.
|
Thanks for clarifying. I agree that reliably testing this without triggering a SystemError may not be feasible. |
|
If this is not feasible, drop the tests. Thank you for your PR. |
|
I’ve dropped the test as suggested since it doesn’t seem feasible to reliably reproduce this case without introducing a SystemError. Could you please re-review and let me know if anything else is needed? |
5 participants
Summary
When JSONDecodeError is user-replaced and re-enters during JSON parsing,
_raise_errmsg could reuse a freed exception type, leading to a
use-after-free.
This change holds a strong reference across the call and validates the
exception type before setting it, falling back safely when needed.
Issue
_json.raise_errmsgvia re-entrantJSONDecodeErrorhook #143544