gh-143544: Fix use-after-free in _json.raise_errmsg #143561
Conversation
|
skip news |
|
No, this affects user-facing APIs; please add a news entry. |
ZeroIntensity
left a comment
ZeroIntensity
left a comment
There was a problem hiding this comment.
- Please avoid making unnecessary code changes. They make it significantly more difficult to review.
- This is doing too much. The much simpler and more correct fix would be to simply move the
Py_DECREFcall on line 426 to after theif (exc)block. - Please add a test case and news entry.
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
|
Thanks for the review. I’ve updated the patch to keep the fix minimal, added a regression test |
Misc/NEWS.d/next/Library/2026-01-08-19-38-02.gh-issue-143544.4jRCBJ.rst
Outdated
Show resolved
Hide resolved
Modules/_json.c
Outdated
|
|
||
| PyObject *JSONDecodeError = | ||
| PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError)); | ||
| PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError)); |
There was a problem hiding this comment.
Again please don't make unrelated formatting changes.
Modules/_json.c
Outdated
| if (exc) { | ||
| PyObject *exc = PyObject_CallFunction(JSONDecodeError, "zOn", msg, s, end); | ||
| if (exc != NULL) { |
There was a problem hiding this comment.
Same here. The only change we need is the movement of the Py_DECREF call.
There was a problem hiding this comment.
Please revert this change, only move Py_DECREF(JSONDecodeError);.
|
Thanks for the clarification. I’ve updated the test to only assert that the |
|
The NEWS entry was removed per discussion above. Could someone please add the “skip news” label? |
|
I have made the requested changes; please review again. |
|
Thanks for making the requested changes! @ZeroIntensity: please review the changes made to this pull request. |
Modules/_json.c
Outdated
|
|
||
| PyObject *JSONDecodeError = | ||
| PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError)); | ||
| PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError)); |
Modules/_json.c
Outdated
| if (exc) { | ||
| PyObject *exc = PyObject_CallFunction(JSONDecodeError, "zOn", msg, s, end); | ||
| if (exc != NULL) { |
There was a problem hiding this comment.
Please revert this change, only move Py_DECREF(JSONDecodeError);.
Lib/test/test_json/test_fail.py
Outdated
|
|
||
| def test_reentrant_jsondecodeerror_does_not_crash(self): | ||
| # gh-143544 | ||
| import json |
There was a problem hiding this comment.
Please move this import at the module top level.
There was a problem hiding this comment.
Moved import json to the module top level as requested. Thanks.
Modules/_json.c
Outdated
| Py_DECREF(exc); | ||
| } | ||
|
|
||
| /* Move DECREF after PyErr_SetObject */ |
There was a problem hiding this comment.
I don't think that this comment is useful.
There was a problem hiding this comment.
Removed the comment as suggested.
Modules/_json.c
Outdated
|
|
||
| PyObject *JSONDecodeError = | ||
| PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError)); | ||
| PyImport_ImportModuleAttr(&_Py_STR(json_decoder), | ||
| &_Py_ID(JSONDecodeError)); |
There was a problem hiding this comment.
I have repeatedly asked you to not make unrelated changes. Sorry if this comes off as harsh, but if you refuse to pay attention to my review comments, I'm not going to spend time reviewing this.
Please review our AI policy. If you use an LLM for translation help, that's fine, but please try to consider what we're asking before copy-pasting the result of the LLM in your PR.
There was a problem hiding this comment.
Thanks for pointing this out. I’ve reverted all unrelated formatting changes and kept only the minimal fix (moving the Py_DECREF(JSONDecodeError) after PyErr_SetObject). Please review again.
| { | ||
| /* Use JSONDecodeError exception to raise a nice looking ValueError subclass */ | ||
| _Py_DECLARE_STR(json_decoder, "json.decoder"); | ||
|
|
| PyObject *exc; | ||
| exc = PyObject_CallFunction(JSONDecodeError, "zOn", msg, s, end); | ||
| Py_DECREF(JSONDecodeError); | ||
| PyObject *exc = PyObject_CallFunction(JSONDecodeError, "zOn", msg, s, end); |
There was a problem hiding this comment.
This is also an unrelated change.
| Py_DECREF(JSONDecodeError); | ||
| } | ||
|
|
||
|
|
There was a problem hiding this comment.
This is an unrelated change again.
| try: | ||
| json.JSONDecodeError = hook | ||
| json.decoder.JSONDecodeError = hook | ||
|
|
||
| # The exact exception type is not important here; | ||
| # this test only ensures we don't crash. | ||
| with self.assertRaises(Exception): | ||
| json.loads('"\\uZZZZ"') | ||
|
|
||
| finally: | ||
| json.JSONDecodeError = orig_json_error | ||
| json.decoder.JSONDecodeError = orig_decoder_error | ||
|
|
There was a problem hiding this comment.
| try: | |
| json.JSONDecodeError = hook | |
| json.decoder.JSONDecodeError = hook | |
| # The exact exception type is not important here; | |
| # this test only ensures we don't crash. | |
| with self.assertRaises(Exception): | |
| json.loads('"\\uZZZZ"') | |
| finally: | |
| json.JSONDecodeError = orig_json_error | |
| json.decoder.JSONDecodeError = orig_decoder_error | |
| with ( | |
| support.swap_attr(json, "JSONDecodeError", hook), | |
| support.swap_attr(json.decoder, "JSONDecodeError", hook) | |
| ): | |
| # The exact exception type is not important here; | |
| # this test only ensures we don't crash. | |
| with self.assertRaises(Exception): | |
| json.loads('"\\uZZZZ"') | |
I still think the exact type of exception is important. We want to be sure that we catch the correct regression and not an exception that was raised prior to the code being patched.
| @@ -1,4 +1,5 @@ | |||
| from test.test_json import PyTest, CTest | |||
| import json | |||
There was a problem hiding this comment.
Do we really need this? I'm asking because TestFail is a mixin class with a self attribute for JSONDecoderError. So should we patch this module directly or not?
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
4 participants
Summary
When JSONDecodeError is user-replaced and re-enters during JSON parsing,
_raise_errmsg could reuse a freed exception type, leading to a
use-after-free.
This change holds a strong reference across the call and validates the
exception type before setting it, falling back safely when needed.
Issue
_json.raise_errmsgvia re-entrantJSONDecodeErrorhook #143544