Skip to content

ExtensionFileLoader.load_module aborts when initialized with a path containing null-bytes #127208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
devdanzin opened this issue Nov 24, 2024 · 3 comments
Closed

ExtensionFileLoader.load_module aborts when initialized with a path containing null-bytes #127208

devdanzin opened this issue Nov 24, 2024 · 3 comments
Labels
3.12 only security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) topic-importlib type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@devdanzin
Copy link
Contributor

devdanzin commented Nov 24, 2024
edited by bedevere-app bot
Loading

Crash report

What happened?

It's possible to abort a debug build by initializing a _frozen_importlib_external.ExtensionFileLoader with a path containing null-bytes, then calling load_module():

import _frozen_importlib_external

_frozen_importlib_external.ExtensionFileLoader("a", "\x00").load_module(None)

Abort message:

python: Python/import.c:939: hashtable_key_from_2_strings: Assertion `strlen(key) == size - 1' failed.
Aborted

Found using fusil by @vstinner.

CPython versions tested on:

3.12, 3.13, 3.14, CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.14.0a2+ (heads/main:0af4ec3, Nov 20 2024, 21:45:19) [GCC 13.2.0]

Linked PRs
@devdanzin devdanzin added the type-crash A hard crash of the interpreter, possibly with a core dump label Nov 24, 2024
@devdanzin
Copy link
Contributor Author

Another way to trigger:

>>> import _imp
>>> class n:
...   name = "A"
...   origin = "\x00"
...
>>> _imp.create_dynamic(n, 1)
python: Python/import.c:939: hashtable_key_from_2_strings: Assertion `strlen(key) == size - 1' failed.
Aborted

@picnixz picnixz added interpreter-core (Objects, Python, Grammar, and Parser dirs) topic-importlib labels Nov 26, 2024
vstinner added a commit to vstinner/cpython that referenced this issue Nov 29, 2024
@vstinner
pythongh-127208: Reject null character in _imp.create_dynamic()
a0672e0 
_imp.create_dynamic() now rejects embedded null characters in the
path and in the module name.
@bedevere-app bedevere-app bot mentioned this issue Nov 29, 2024
Merged
@vstinner
Copy link
Member

I wrote #127400 to fix the issue.

vstinner added a commit that referenced this issue Nov 29, 2024
@vstinner
gh-127208: Reject null character in _imp.create_dynamic() (#127400)
b14fdad 
_imp.create_dynamic() now rejects embedded null characters in the
path and in the module name.
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Nov 29, 2024
@vstinner @miss-islington
pythongh-127208: Reject null character in _imp.create_dynamic() (pyth…
89b4cce 
…onGH-127400)

_imp.create_dynamic() now rejects embedded null characters in the
path and in the module name.
(cherry picked from commit b14fdad)

Co-authored-by: Victor Stinner <[email protected]>
This was referenced Nov 29, 2024
Merged
Merged
vstinner added a commit that referenced this issue Nov 29, 2024
@miss-islington @vstinner
[3.13] gh-127208: Reject null character in _imp.create_dynamic() (GH-…
c4a359d 
…127400) (#127418)

gh-127208: Reject null character in _imp.create_dynamic() (GH-127400)

_imp.create_dynamic() now rejects embedded null characters in the
path and in the module name.
(cherry picked from commit b14fdad)

Co-authored-by: Victor Stinner <[email protected]>
vstinner added a commit that referenced this issue Nov 29, 2024
@vstinner
[3.12] gh-127208: Reject null character in _imp.create_dynamic() (#12…
e7ab978 
…7400) (#127419)

gh-127208: Reject null character in _imp.create_dynamic() (#127400)

_imp.create_dynamic() now rejects embedded null characters in the
path and in the module name.

Backport also the _PyUnicode_AsUTF8NoNUL() function.

(cherry picked from commit b14fdad)
@picnixz
Copy link
Member

picnixz commented Nov 29, 2024

Closing since completed and backported.

@picnixz picnixz closed this as completed Nov 29, 2024
@picnixz picnixz added 3.12 only security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes labels Nov 29, 2024
@github-actions github-actions bot mentioned this issue Dec 1, 2024
Closed
picnixz pushed a commit to picnixz/cpython that referenced this issue Dec 2, 2024
@vstinner @picnixz
pythongh-127208: Reject null character in _imp.create_dynamic() (pyth…
2979fa1 
…on#127400)

_imp.create_dynamic() now rejects embedded null characters in the
path and in the module name.
srinivasreddy pushed a commit to srinivasreddy/cpython that referenced this issue Jan 8, 2025
@vstinner @srinivasreddy
pythongh-127208: Reject null character in _imp.create_dynamic() (pyth…
1908728 
…on#127400)

_imp.create_dynamic() now rejects embedded null characters in the
path and in the module name.
ebonnal pushed a commit to ebonnal/cpython that referenced this issue Jan 12, 2025
@vstinner @ebonnal
pythongh-127208: Reject null character in _imp.create_dynamic() (pyth…
9db2d4e 
…on#127400)

_imp.create_dynamic() now rejects embedded null characters in the
path and in the module name.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.12 only security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) topic-importlib type-crash A hard crash of the interpreter, possibly with a core dump
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vstinner @picnixz @devdanzin