Skip to content

gh-143544: Fix possible use-after-free in the JSON decoder when JSONDecodeError disappears during raising it #143561

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vstinner merged 25 commits into from
Jan 12, 2026
Merged

gh-143544: Fix possible use-after-free in the JSON decoder when JSONDecodeError disappears during raising it #143561

Show file tree
Hide file tree
Changes from 18 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
9477824
gh-143544: Fix use-after-free in _json.raise_errmsg
VanshAgarwal24036 Jan 8, 2026
946aee3
gh-143544: Fix use-after-free in _json.raise_errmsg
VanshAgarwal24036 Jan 8, 2026
55b4850
gh-143544: Add regression test for re-entrant JSONDecodeError
VanshAgarwal24036 Jan 8, 2026
1940b1e
gh-143544: Add NEWS entry
VanshAgarwal24036 Jan 8, 2026
ed2c55c
gh-143544: Fix trailing whitespace in test
VanshAgarwal24036 Jan 8, 2026
099fc4f
gh-143544: Adjust regression test to allow SystemError
VanshAgarwal24036 Jan 8, 2026
b238345
gh-143544: Fix use-after-free in _json.raise_errmsg
VanshAgarwal24036 Jan 9, 2026
fa69d1e
gh-143544: Move json import to module level in regression test
VanshAgarwal24036 Jan 9, 2026
39767c6
gh-143544: Remove unnecessary comment
VanshAgarwal24036 Jan 9, 2026
b500563
gh-143544: Fix reference lifetime in raise_errmsg
VanshAgarwal24036 Jan 9, 2026
5841c2c
Update Lib/test/test_json/test_fail.py
VanshAgarwal24036 Jan 9, 2026
c397e8e
gh-143544: Remove unnecessary json import from regression test
VanshAgarwal24036 Jan 9, 2026
10c61c4
gh-143544: Use support.swap_attr in re-entrant JSONDecodeError test
VanshAgarwal24036 Jan 9, 2026
4a7f323
gh-143544: Fix use-after-free in _json.raise_errmsg
VanshAgarwal24036 Jan 9, 2026
0b38b8e
Update Lib/test/test_json/test_fail.py
VanshAgarwal24036 Jan 9, 2026
0593e2f
Update Lib/test/test_json/test_fail.py
VanshAgarwal24036 Jan 9, 2026
b485677
gh-143544: Tighten regression test exception assertion
VanshAgarwal24036 Jan 9, 2026
bbc357d
gh-143544: Fix re-entrant JSONDecodeError regression test
VanshAgarwal24036 Jan 9, 2026
765ffb2
test_json: add regression test for re-entrant JSONDecodeError crash
VanshAgarwal24036 Jan 9, 2026
b745fed
test_json: added Comment
VanshAgarwal24036 Jan 9, 2026
0a03442
test_json: assert TypeError for invalid JSONDecodeError replacement
VanshAgarwal24036 Jan 10, 2026
4257cdc
test_json: document and assert refcount for reentrant JSONDecodeError…
VanshAgarwal24036 Jan 10, 2026
74cfaed
test_json: fix reentrant JSONDecodeError test
VanshAgarwal24036 Jan 10, 2026
211cb30
test_json: fix re-entrant JSONDecodeError test
VanshAgarwal24036 Jan 10, 2026
a2e23bc
gh-143544: Revert test_json regression test changes
VanshAgarwal24036 Jan 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions Lib/test/test_json/test_fail.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
from test.test_json import PyTest, CTest
from test import support
import json
Copy link
Copy Markdown
Member

@picnixz picnixz Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need this? I'm asking because TestFail is a mixin class with a self attribute for JSONDecoderError. So should we patch this module directly or not?

Copy link
Copy Markdown
Contributor Author

@VanshAgarwal24036 VanshAgarwal24036 Jan 9, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test mutates json.JSONDecodeError and json.decoder.JSONDecodeError directly to trigger the re-entrancy case, so it needs access to the json module object. Using self.JSONDecodeError wouldn’t be sufficient here.

Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure this is the right place for such test. This file tests how different decoding errors are handled (and some encoding errors, but I think they are misplaced). But we need to test the bug in the code that raises JSONDecodeError. Maybe test_speedups.py is better place for this.


# 2007-10-05
JSONDOCS = [
Expand Down Expand Up @@ -236,5 +238,27 @@ def test_linecol(self):
'Expecting value: line %s column %d (char %d)' %
(line, col, idx))


def test_reentrant_jsondecodeerror_does_not_crash(self):
# gh-143544

class Trigger:
def __call__(self, *args, **kwargs):
# Remove JSONDecodeError during construction to trigger re-entrancy
del json.JSONDecodeError
del json.decoder.JSONDecodeError
return ValueError("boom")
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for the case, call test.support.gc_collect() .


hook = Trigger()
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hook must be a subclass of BaseException, otherwise PyErr_SetObject() will raise a SystemError.

class hook(Exception):
    def __new__(...):
        # ...

And now calling gc_collect() is a necessity, because class creates a reference loop.

with (
support.swap_attr(json, "JSONDecodeError", hook),
support.swap_attr(json.decoder, "JSONDecodeError", hook)
Copy link
Copy Markdown
Member

@vstinner vstinner Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using swap_attr() context manager keeps hook alive which prevents triggering the crash. Please move back to regular assignment using try/finally.

Also, you need to clear hook (ex: del hook) after the assignment to trigger the crash.

Currently, the test doesn't crash if I revert the _json.c fix.

Copy link
Copy Markdown
Member

@picnixz picnixz Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using swap_attr() context manager keeps hook alive which prevents triggering the crash. Please move back to regular assignment using try/finally.

Oh! that's my bad.

Copy link
Copy Markdown
Member

@picnixz picnixz Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

However, a comment may be needed so that others like me don't forget.

Copy link
Copy Markdown
Contributor Author

@VanshAgarwal24036 VanshAgarwal24036 Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification — that makes sense.
I’ll revert swap_attr() usage, restore try/finally, and explicitly del hook after assignment so the test actually reproduces the original crash when _json.c is reverted.
I’ll update the test accordingly.

Copy link
Copy Markdown
Member

@vstinner vstinner Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

However, a comment may be needed so that others like me don't forget.

Maybe the test should check the reference count: self.assertEqual(sys.getrefcount(hook), 3) before del hook.

Copy link
Copy Markdown
Contributor Author

@VanshAgarwal24036 VanshAgarwal24036 Jan 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point — I’ve added a comment explaining why del hook is required and an explicit sys.getrefcount() assertion before deletion to document the reference state.
This should make the intent of the test clearer for future readers.

):
# The exact exception type is not important here;
# this test only ensures we don't crash.
with self.assertRaises(json.JSONDecodeError):
json.loads('"\\uZZZZ"')

Comment thread
VanshAgarwal24036 marked this conversation as resolved.
Outdated

class TestPyFail(TestFail, PyTest): pass
class TestCFail(TestFail, CTest): pass
3 changes: 2 additions & 1 deletion Modules/_json.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -423,11 +423,12 @@ raise_errmsg(const char *msg, PyObject *s, Py_ssize_t end)

PyObject *exc;
exc = PyObject_CallFunction(JSONDecodeError, "zOn", msg, s, end);
Py_DECREF(JSONDecodeError);
if (exc) {
PyErr_SetObject(JSONDecodeError, exc);
Py_DECREF(exc);
}

Py_DECREF(JSONDecodeError);
}

static void
Expand Down
Loading