Skip to content

UAF: xml.etree.ElementTree.Element.find* when concurrent mutations happen #126037

New issue
New issue
Closed
Closed
UAF: xml.etree.ElementTree.Element.find* when concurrent mutations happen#126037
Assignees
picnixz
Labels
3.12only security fixes3.13bugs and security fixes3.14bugs and security fixesextension-modulesC modules in the Modules dirtopic-XMLtype-crashA hard crash of the interpreter, possibly with a core dump
@picnixz

Description

@picnixz
picnixz
opened on Oct 27, 2024

Crash report

What happened?

Similar to #126033, the following crashes:

import xml.etree.ElementTree as ET

class EvilTag(str):
    def __eq__(self, other):
        base.clear()
        return False

base = ET.Element('a')
base.append(ET.Element(EvilTag('x')))
base.find('a')

Attacked code:

cpython/Modules/_elementtree.c

Lines 1264 to 1275 in dc76a4a

for (i = 0; i < self->extra->length; i++) {
PyObject* item = self->extra->children[i];
int rc;
assert(Element_Check(st, item));
Py_INCREF(item);
rc = PyObject_RichCompareBool(((ElementObject*)item)->tag, path, Py_EQ);
if (rc > 0)
return item;
Py_DECREF(item);
if (rc < 0)
return NULL;
}

The findall and findtext methods also suffer from the same vulnerability. I haven't tried to attack Element.iterfind yet since it delegates to the Python function ElementPath.iterfind instead.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response

Linked PRs

Metadata

Metadata

Assignees

Labels

3.12only security fixes3.13bugs and security fixes3.14bugs and security fixesextension-modulesC modules in the Modules dirtopic-XMLtype-crashA hard crash of the interpreter, possibly with a core dump

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions