gh-142831: Fix UAF in `_json` module by ashm-dev · Pull Request #142851 · python/cpython

ashm-dev · 2025-12-17T01:05:11Z

Issue: Use-after-free in json.encoder mapping iteration via re-entrant key encoder #142831

Fixes #142831

serhiy-storchaka

Could you add tests?

Modules/_json.c

ashm-dev · 2025-12-18T11:16:31Z

Added tests

Lib/test/test_json/test_dump.py

…hm-dev/142851

kumaraditya303 · 2025-12-19T08:07:58Z

I pushed a minor test change to make the test run on both pure python and C encoder.

ashm-dev · 2025-12-19T08:17:08Z

@kumaraditya303 But the new tests don't reproduce the issue!
P.S. Here is how I verify the tests: I build Python from main with ASan, and if the tests trigger the leak (the one reported in the issue), then they are good; otherwise, they are not.

This reverts commit 66c3af1.

kumaraditya303 · 2025-12-19T08:38:26Z

But the new tests don't reproduce the issue!

I was able to reproduce it but now I can't, not sure if it was a build cache issue or something. Sorry reverted it back.

Lib/test/test_json/test_dump.py

…ation test

ashm-dev · 2026-03-11T16:31:20Z

I have made the requested changes; please review again

bedevere-app · 2026-03-11T16:31:25Z

Thanks for making the requested changes!

@serhiy-storchaka, @kumaraditya303: please review the changes made to this pull request.

…list mutation test" This reverts commit b4e50c9.

# Conflicts: # Modules/_json.c

_json.c is a library module; the identical fix pythongh-145244 used Library.

Match the style of the comment added by pythongh-145244 for the dict iteration case. These explain why borrowed references from items lists and sequences must be held as strong references during encoding.

gpshead · 2026-04-11T23:04:56Z

nothing the irony of my commit re-adding explanatory comments that earlier reviewer wanted removed. the other PR I merged intersecting with this region and bug had such a comment so put them in here as well. i'll re-look at the whole and pick a direction in a bit.

- Replace bare try/except with direct calls; both tests should succeed without raising since encode_str and default return valid serializable values. - Assert that the mutation path was actually exercised (cleared flag, call_count). - Trigger list mutation on 3rd element instead of 1st, so the loop processes multiple items before the list is cleared mid-iteration. - Add comments explaining what each test verifies.

miss-islington-app · 2026-04-12T00:14:54Z

Thanks @ashm-dev for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

miss-islington-app · 2026-04-12T00:14:56Z

Sorry, @ashm-dev and @gpshead, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 235fa7244a0474c492ae98ee444529c7ba2a9047 3.14

miss-islington-app · 2026-04-12T00:15:01Z

Sorry, @ashm-dev and @gpshead, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 235fa7244a0474c492ae98ee444529c7ba2a9047 3.13

pythongh-142831: Fix UAF in _json module

d69416d

bedevere-app bot added the awaiting review label Dec 17, 2025

bedevere-app bot mentioned this pull request Dec 17, 2025

Use-after-free in json.encoder mapping iteration via re-entrant key encoder #142831

Closed

add news

b153c2a

serhiy-storchaka reviewed Dec 17, 2025

View reviewed changes

kumaraditya303 reviewed Dec 17, 2025

View reviewed changes

Modules/_json.c Outdated Show resolved Hide resolved

kumaraditya303 added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Dec 17, 2025

ashm-dev added 2 commits December 18, 2025 14:15

add test

64fcd75

fix comments

e385958

Merge branch 'main' into json

211551a

ashm-dev requested review from kumaraditya303 and serhiy-storchaka December 18, 2025 11:16

kumaraditya303 reviewed Dec 18, 2025

View reviewed changes

Lib/test/test_json/test_dump.py Outdated Show resolved Hide resolved

fix test

5d6b2a8

ashm-dev requested a review from kumaraditya303 December 18, 2025 11:28

kumaraditya303 added 3 commits December 19, 2025 13:30

Merge branch 'main' into json

a5a76d6

clean up test

66c3af1

Merge branch 'json' of https://github.com/ashm-dev/cpython into pr/as…

aa92e34

…hm-dev/142851

kumaraditya303 approved these changes Dec 19, 2025

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting review labels Dec 19, 2025

ashm-dev requested a review from kumaraditya303 December 19, 2025 08:17

Revert "clean up test"

adfeee2

This reverts commit 66c3af1.

Merge branch 'main' into json

948ef90

serhiy-storchaka reviewed Dec 19, 2025

View reviewed changes

Lib/test/test_json/test_dump.py Outdated Show resolved Hide resolved

Lib/test/test_json/test_dump.py Outdated Show resolved Hide resolved

fix lint error

3c29d13

This comment was marked as resolved.

Sign in to view

raminfp mentioned this pull request Feb 26, 2026

_json: Use After Free in encoder_encode_key_value() - borrowed 'key' used after free #145244

Closed

ashm-dev added 2 commits March 11, 2026 19:28

Address review: remove redundant comments, use nonlocal, add list mut…

b4e50c9

…ation test

Merge branch 'main' into json

37b25e9

bedevere-app bot requested a review from serhiy-storchaka March 11, 2026 16:31

ashm-dev and others added 6 commits March 11, 2026 19:37

Revert "Address review: remove redundant comments, use nonlocal, add …

cced98b

…list mutation test" This reverts commit b4e50c9.

Address review: use nonlocal, add gc_collect, add list mutation test

cfee66f

Remove redundant comments per review

878a3ed

Merge remote-tracking branch 'origin/main' into json

951b206

# Conflicts: # Modules/_json.c

Move NEWS entry from Core_and_Builtins to Library

646b447

_json.c is a library module; the identical fix pythongh-145244 used Library.

Add comments explaining why Py_INCREF is needed in iteration functions

a412165

Match the style of the comment added by pythongh-145244 for the dict iteration case. These explain why borrowed references from items lists and sequences must be held as strong references during encoding.

gpshead self-assigned this Apr 11, 2026

gpshead added 2 commits April 11, 2026 23:33

Simplify borrowed-ref comments to focus on the why

727696d

gpshead added awaiting core review and removed awaiting change review labels Apr 11, 2026

gpshead approved these changes Apr 11, 2026

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting core review labels Apr 11, 2026

gpshead enabled auto-merge (squash) April 11, 2026 23:54

gpshead merged commit 235fa72 into python:main Apr 12, 2026
62 of 63 checks passed

bedevere-app bot removed the awaiting merge label Apr 12, 2026

ashm-dev deleted the json branch April 12, 2026 00:18

Uh oh!

Conversation

ashm-dev commented Dec 17, 2025 • edited by gpshead Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

serhiy-storchaka left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

ashm-dev commented Dec 18, 2025

Uh oh!

Uh oh!

kumaraditya303 commented Dec 19, 2025

Uh oh!

ashm-dev commented Dec 19, 2025

Uh oh!

kumaraditya303 commented Dec 19, 2025

Uh oh!

Uh oh!

Uh oh!

This comment was marked as resolved.

Uh oh!

ashm-dev commented Mar 11, 2026

Uh oh!

bedevere-app bot commented Mar 11, 2026

Uh oh!

gpshead commented Apr 11, 2026

Uh oh!

Uh oh!

miss-islington-app bot commented Apr 12, 2026

Uh oh!

miss-islington-app bot commented Apr 12, 2026

Uh oh!

miss-islington-app bot commented Apr 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

ashm-dev commented Dec 17, 2025 •

edited by gpshead

Loading