Bug report
Bug description:
os.spawnv() and os.spawnve() on Windows convert each argv item with
fsconvert_strdup(), passing a reference borrowed from the argv list via
PyList_GetItem(). The conversion runs the item's .__fspath__() method. If
that method drops the list's last reference to the item, the converter
operates on a freed object -- a use-after-free.
A second crash mode: if .__fspath__() shrinks the list, PyList_GetItem()
returns NULL for a later index, and fsconvert_strdup(NULL, out) makes
PyUnicode_FS{Converter,Decoder}() release the uninitialized output
variable.
Same family as gh-151403 (_posixsubprocess.fork_exec) and gh-143309
(parse_envlist). Triggering requires a custom __fspath__, so this is
crash hardening with no security impact.
The fix is to hold a strong reference to each item across the conversion,
matching parse_arglist() and parse_envlist().
(PR ready, I'll attach that shortly)
CPython versions tested on:
CPython main branch
Operating systems tested on:
No response
Linked PRs
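To make the two crash modes and the fix concrete, here is a constructed C model (added here; not CPython's code and not the PR's patch) of the borrowed-reference hazard: a toy refcounted object and list, a converter that runs a hostile callback standing in for `__fspath__`, and a borrowed-reference loop beside the strong-reference loop. The CPython names it imitates (`PyList_GetItem`, `fsconvert_strdup`, `parse_arglist`) are stand-ins, and the exact upstream fix may differ in detail.

```c
#include <string.h>
/* Constructed toy model (not CPython code): a refcounted object held only by
 * a list, a converter that runs user code, and two loops over the list. */
typedef struct { int refcnt; int freed; char name[16]; } Obj;
typedef struct { Obj *items[4]; int len; } List;
static void obj_incref(Obj *o) { o->refcnt++; }
static void obj_decref(Obj *o) { if (--o->refcnt == 0) o->freed = 1; }
/* Like PyList_GetItem(): borrowed pointer, NULL once the index is out of range. */
static Obj *list_get(List *l, int i) { return i < l->len ? l->items[i] : NULL; }
/* Hostile __fspath__ stand-in: pops the list's last item, dropping its reference. */
static void hostile_fspath(List *l) { if (l->len > 0) obj_decref(l->items[--l->len]); }
/* fsconvert_strdup() stand-in: 1 on success, 0 on NULL input (second crash
 * mode), -1 if the callback freed the object still being read (first mode). */
static int convert(Obj *o, List *l, char out[16]) {
    if (o == NULL) return 0;
    hostile_fspath(l);              /* arbitrary user code runs here */
    if (o->freed) return -1;
    memcpy(out, o->name, 16);
    return 1;
}
/* Borrowed-reference loop, as in the reported code: number of items converted,
 * or the first error code. */
static int convert_borrowed(List *l) {
    int n = l->len, done = 0; char buf[16];
    for (int i = 0; i < n; i++, done++)
        { int r = convert(list_get(l, i), l, buf); if (r != 1) return r; }
    return done;
}
/* Strong-reference loop: own each item across the callback and stop cleanly
 * if the list shrank (the pattern parse_arglist()/parse_envlist() follow). */
static int convert_strong(List *l) {
    int n = l->len, done = 0; char buf[16];
    for (int i = 0; i < n; i++, done++) {
        Obj *o = list_get(l, i);
        if (o == NULL) break;       /* list shrank under us: stop, don't deref */
        obj_incref(o);
        int r = convert(o, l, buf);
        obj_decref(o);
        if (r != 1) return r;
    }
    return done;
}
/* Build a list of `count` items, each owned only by the list, and run a loop. */
static Obj objs[4]; static List lst;
static int run_scenario(int count, int (*loop)(List *)) {
    lst.len = count;
    for (int i = 0; i < count; i++) {
        objs[i].refcnt = 1; objs[i].freed = 0; strcpy(objs[i].name, "arg");
        lst.items[i] = &objs[i];
    }
    return loop(&lst);
}
```

With one item the borrowed loop reads a freed object (the use-after-free mode); with two it hands a NULL to the converter (the second mode); the strong-reference loop converts what is still in the list and stops.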