Skip to content

gh-133009: fix UAF in xml.etree.ElementTree.Element.__deepcopy__ #133010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
+44 −8
Open

gh-133009: fix UAF in xml.etree.ElementTree.Element.__deepcopy__ #133010

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2b5be5f
fix UAF in `xml.etree.ElementTree.Element.__deepcopy__`
picnixz Apr 26, 2025
721481d
always protect against possible mutations in `__deepcopy__`
picnixz Apr 27, 2025
cef5146
remove bad assertion
picnixz Apr 27, 2025
8297c8a
Update Modules/_elementtree.c
picnixz Apr 27, 2025
7f8ed28
use `Py_CLEAR` to be on the safe side
picnixz Apr 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions Lib/test/test_xml_etree.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2960,6 +2960,24 @@ def element_factory(x, y):
del b
gc_collect()

def test_deepcopy(self):
# Prevent crashes when __deepcopy__() mutates the element being copied.
# See https://github.com/python/cpython/issues/133009.
class X(ET.Element):
def __deepcopy__(self, memo):
root.clear()
return self

root = ET.Element('a')
evil = X('x')
root.extend([evil, ET.Element('y')])
if is_python_implementation():
self.assertRaises(RuntimeError, copy.deepcopy, root)
else:
c = copy.deepcopy(root)
# In the C implementation, we can still copy the evil element.
self.assertListEqual(list(c), [evil])


class MutationDeleteElementPath(str):
def __new__(cls, elem, *args):
Expand Down
3 changes: 3 additions & 0 deletions Misc/NEWS.d/next/Library/2025-04-26-15-50-12.gh-issue-133009.etBuz5.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
:mod:`xml.etree.ElementTree`: Fix a crash in :meth:`Element.__deepcopy__
<object.__deepcopy__>` when the element is concurrently mutated.
Patch by Bénédikt Tran.
31 changes: 23 additions & 8 deletions Modules/_elementtree.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -805,6 +805,7 @@ _elementtree_Element___deepcopy___impl(ElementObject *self, PyObject *memo)
{
Py_ssize_t i;
ElementObject* element;
PyObject* tmp;
PyObject* tag;
PyObject* attrib;
PyObject* text;
Expand All @@ -813,12 +814,16 @@ _elementtree_Element___deepcopy___impl(ElementObject *self, PyObject *memo)

PyTypeObject *tp = Py_TYPE(self);
elementtreestate *st = get_elementtree_state_by_type(tp);
tag = deepcopy(st, self->tag, memo);
tmp = Py_NewRef(self->tag);
tag = deepcopy(st, tmp, memo);
Py_CLEAR(tmp);
if (!tag)
return NULL;

if (self->extra && self->extra->attrib) {
attrib = deepcopy(st, self->extra->attrib, memo);
tmp = Py_NewRef(self->extra->attrib);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will kill the optimization in deepcopy(). Only increment the refcount after checking the fast path.

attrib = deepcopy(st, tmp, memo);
Py_CLEAR(tmp);
if (!attrib) {
Py_DECREF(tag);
return NULL;
Expand All @@ -835,12 +840,16 @@ _elementtree_Element___deepcopy___impl(ElementObject *self, PyObject *memo)
if (!element)
return NULL;

text = deepcopy(st, JOIN_OBJ(self->text), memo);
tmp = Py_NewRef(JOIN_OBJ(self->text));
text = deepcopy(st, tmp, memo);
Py_CLEAR(tmp);
if (!text)
goto error;
_set_joined_ptr(&element->text, JOIN_SET(text, JOIN_GET(self->text)));

tail = deepcopy(st, JOIN_OBJ(self->tail), memo);
tmp = Py_NewRef(JOIN_OBJ(self->tail));
tail = deepcopy(st, tmp, memo);
Py_CLEAR(tmp);
if (!tail)
goto error;
_set_joined_ptr(&element->tail, JOIN_SET(tail, JOIN_GET(self->tail)));
Expand All @@ -850,9 +859,10 @@ _elementtree_Element___deepcopy___impl(ElementObject *self, PyObject *memo)
if (element_resize(element, self->extra->length) < 0)
goto error;

// TODO(picnixz): check for an evil child's __deepcopy__ on 'self'
for (i = 0; i < self->extra->length; i++) {
PyObject* child = deepcopy(st, self->extra->children[i], memo);
for (i = 0; self->extra && i < self->extra->length; i++) {
tmp = Py_NewRef(self->extra->children[i]);
PyObject* child = deepcopy(st, tmp, memo);
Py_CLEAR(tmp);
if (!child || !Element_Check(st, child)) {
if (child) {
raise_type_error(child);
Expand All @@ -865,7 +875,12 @@ _elementtree_Element___deepcopy___impl(ElementObject *self, PyObject *memo)
}

assert(!element->extra->length);
element->extra->length = self->extra->length;
/*
* The original 'self->extra' may be gone at this point if deepcopy()
* had side-effects. However, 'i' is the number of copied items that
* we were able to successfully copy.
*/
element->extra->length = i;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not directly related but the Py_REFCNT(object) == 1 in deepcopy() below is likely unsafe for similar reasons as #132070. I don't really understand what that check is doing, though: it seems what it does could work too if the refcnt > 1.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I don't know. I'm leaving on Monday evening for ~10 days. Maybe we can track the issue separately?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes definitely a separate issue! Just noticed it while reading code around your change.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the refcnt > 1, we need to check in memo, and use a reference to already made copy if it is found. We need also to update memo. It is complicated and adds a lot of overhead.

}

/* add object to memo dictionary (so deepcopy won't visit it again) */
Expand Down
Loading