gh-145678: Fix use-after-free in itertools.groupby _grouper_next() #145679
Open
sampsonc wants to merge 9 commits into python:main from
_grouper_next() passed igo->tgtkey and gbo->currkey directly to PyObject_RichCompareBool() without first holding strong references. A re-entrant __eq__ that advanced the parent groupby iterator would call groupby_step(), which executes Py_XSETREF(gbo->currkey, newkey), freeing currkey while it was still under comparison. Fix by taking INCREF'd local snapshots before the comparison, mirroring the protection added to groupby_next() in pythongh-143543. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
eb0bb61 to
79bcea0
Author
The two CI failures (Windows free-threading arm64 and Docs) are pre-existing issues in main unrelated to this PR. The docs check-warnings.py script confirmed zero new warnings from our changes, and the Windows failure is ENV_CHANGED from test_multiprocessing_spawn.test_threads.
encukou
reviewed
Mar 9, 2026
Misc/NEWS.d/next/Library/2026-03-09-00-00-00.gh-issue-145678.grouper-uaf.rst
Author
I've been away for a couple of days. Is there anything else that I can do on this one? Thanks!
Member
Please address the feedback first. I would also suggest that you are aware of https://devguide.python.org/getting-started/generative-ai/ in order to avoid back-and-forth.
Use a single variable `g` instead of `outer_grouper`/`g`, matching the style of the sibling test test_groupby_reentrant_eq_does_not_crash. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The iterator is never exhausted at this point, so StopIteration cannot be raised. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
…rouper-uaf.rst Co-authored-by: Petr Viktorin <encukou@gmail.com>
Author
All feedback has been addressed.
picnixz
reviewed
Mar 12, 2026
Misc/NEWS.d/next/Library/2026-03-09-00-00-00.gh-issue-145678.grouper-uaf.rst
picnixz
reviewed
Mar 12, 2026
Misc/NEWS.d/next/Library/2026-03-09-00-00-00.gh-issue-145678.grouper-uaf.rst
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Member
I couldn't get the test to crash with current
Summary
Fixes a use-after-free (UAF) in _grouper_next() in Modules/itertoolsmodule.c.

Root Cause
_grouper_next() passed igo->tgtkey and gbo->currkey directly to PyObject_RichCompareBool() without first holding strong references.

A user-defined __eq__ can re-enter the parent groupby iterator during the comparison. That re-entry calls groupby_step(), which executes:

This frees gbo->currkey while it is still under comparison — a use-after-free.

Fix
Take INCREF'd local snapshots before calling PyObject_RichCompareBool(), mirroring the protection added to groupby_next() in gh-143543:

Test plan
./python -m test test_itertools -k test_grouper_next_reentrant_eq_does_not_crash
./configure --with-pydebug && make with ASAN enabled) to confirm no UAF

Closes gh-145678.
🤖 Generated with Claude Code
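A self-contained C model of the borrowed-reference pattern described in the summary above, added here as an illustration; it is not the CPython source or this PR's diff. The types and functions (Obj, GroupBy, step, compare_reentrant, grouper_next_borrowed, grouper_next_snapshot, run) are hypothetical stand-ins, and a release clears an alive flag instead of freeing memory so the stale read can be observed safely.

```c
#include <stdio.h>
/* Toy refcounted object: "alive" is cleared instead of calling free(),
   so a stale access can be observed safely (assumption of this model). */
typedef struct { int refcnt; int alive; } Obj;
typedef struct { Obj *currkey; } GroupBy;   /* stands in for gbo */

static void incref(Obj *o) { o->refcnt++; }
static void decref(Obj *o) { if (--o->refcnt == 0) o->alive = 0; }

/* Models Py_XSETREF(gbo->currkey, newkey): store first, then release old. */
static void step(GroupBy *gbo, Obj *newkey) {
    Obj *old = gbo->currkey;
    incref(newkey);
    gbo->currkey = newkey;
    if (old) decref(old);
}

/* Models a comparison whose __eq__ re-enters the parent iterator.
   Returns 1 if operand b was released while the comparison still uses it. */
static int compare_reentrant(Obj *a, Obj *b, GroupBy *gbo, Obj *newkey) {
    (void)a;
    step(gbo, newkey);        /* re-entry replaces gbo->currkey */
    return !b->alive;         /* b is read after the callback returns */
}

/* Before the fix: operands are borrowed straight from the struct. */
static int grouper_next_borrowed(GroupBy *gbo, Obj *tgtkey, Obj *newkey) {
    return compare_reentrant(tgtkey, gbo->currkey, gbo, newkey);
}

/* After the fix: strong local snapshots are held across the comparison. */
static int grouper_next_snapshot(GroupBy *gbo, Obj *tgtkey, Obj *newkey) {
    Obj *t = tgtkey, *c = gbo->currkey;
    incref(t); incref(c);
    int stale = compare_reentrant(t, c, gbo, newkey);
    decref(c); decref(t);     /* released only once the comparison is done */
    return stale;
}

/* Builds a fresh scenario and reports whether the operand went stale. */
static int run(int use_snapshot) {
    Obj tgt = {1, 1}, cur = {1, 1}, nk = {1, 1};
    GroupBy gbo = { &cur };
    return use_snapshot ? grouper_next_snapshot(&gbo, &tgt, &nk)
                        : grouper_next_borrowed(&gbo, &tgt, &nk);
}
int main(void) {
    printf("borrowed: stale=%d\nsnapshot: stale=%d\n", run(0), run(1));
    return 0;
}
```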