[3.14] gh-151416: fix a borrowed ref potential use after free via fspath in os.spawnv/spawnve (GH-151417)#152536
Merged
Merged
Conversation
…th in os.spawnv/spawnve (pythonGH-151417) * pythongh-151416: Fix use-after-free in os.spawnv/spawnve when __fspath__ mutates argv The argv conversion loops passed references borrowed from the argv list into fsconvert_strdup(). An item's __fspath__() can mutate the list and release its reference to the item, leaving the converter operating on a freed object. A shrunk list could also make PyList_GetItem() return NULL, which PyUnicode_FS{Converter,Decoder}() treat as a request to release an uninitialized output variable. Hold a strong reference to each item across the conversion, matching parse_arglist() and parse_envlist(). * pythongh-151416: Don't mask non-TypeError argv conversion errors in os.spawnv os.spawnv() replaced any error raised during argv item conversion, such as MemoryError, codec errors, or the embedded-null ValueError, with a generic TypeError. Only add the contextual message when the conversion actually raised TypeError, matching how os.spawnve() and the exec functions propagate these errors. The test is gated to the native C spawnv: the Python fallback used elsewhere reports conversion failures from the forked child as exit status 127 instead of raising. (cherry picked from commit f57d3d6)
This was referenced Jun 29, 2026
|
Thanks @gpshead for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13. |
|
GH-152539 is a backport of this pull request to the 3.13 branch. |
gpshead
added a commit
that referenced
this pull request
Jun 29, 2026
…ath in os.spawnv/spawnve (GH-151417) (GH-152536) (#152539) [3.14] gh-151416: fix a borrowed ref potential use after free via fspath in os.spawnv/spawnve (GH-151417) (GH-152536) gh-151416: fix a borrowed ref potential use after free via fspath in os.spawnv/spawnve (GH-151417) * gh-151416: Fix use-after-free in os.spawnv/spawnve when __fspath__ mutates argv The argv conversion loops passed references borrowed from the argv list into fsconvert_strdup(). An item's __fspath__() can mutate the list and release its reference to the item, leaving the converter operating on a freed object. A shrunk list could also make PyList_GetItem() return NULL, which PyUnicode_FS{Converter,Decoder}() treat as a request to release an uninitialized output variable. Hold a strong reference to each item across the conversion, matching parse_arglist() and parse_envlist(). * gh-151416: Don't mask non-TypeError argv conversion errors in os.spawnv os.spawnv() replaced any error raised during argv item conversion, such as MemoryError, codec errors, or the embedded-null ValueError, with a generic TypeError. Only add the contextual message when the conversion actually raised TypeError, matching how os.spawnve() and the exec functions propagate these errors. The test is gated to the native C spawnv: the Python fallback used elsewhere reports conversion failures from the forked child as exit status 127 instead of raising. (cherry picked from commit 11a2482) (cherry picked from commit f57d3d6) Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
__fspath__mutates argv #151416: Fix use-after-free in os.spawnv/spawnve when fspath mutates argvThe argv conversion loops passed references borrowed from the argv list
into fsconvert_strdup(). An item's fspath() can mutate the list and
release its reference to the item, leaving the converter operating on a
freed object. A shrunk list could also make PyList_GetItem() return
NULL, which PyUnicode_FS{Converter,Decoder}() treat as a request to
release an uninitialized output variable.
Hold a strong reference to each item across the conversion, matching
parse_arglist() and parse_envlist().
__fspath__mutates argv #151416: Don't mask non-TypeError argv conversion errors in os.spawnvos.spawnv() replaced any error raised during argv item conversion,
such as MemoryError, codec errors, or the embedded-null ValueError,
with a generic TypeError. Only add the contextual message when the
conversion actually raised TypeError, matching how os.spawnve() and
the exec functions propagate these errors.
The test is gated to the native C spawnv: the Python fallback used
elsewhere reports conversion failures from the forked child as exit
status 127 instead of raising.
(cherry picked from commit f57d3d6)