KEMBAR78
Use-After-Free in `PyImport_ImportModuleLevelObject` · Issue #134100 · python/cpython · GitHub
Skip to content

Use-After-Free in PyImport_ImportModuleLevelObject #134100

@Nico-Posada

Description

@Nico-Posada

Bug report

Bug description:

If you try to import something with a level >= 1 and it somehow fails to put it into sys.modules after importing, you'll get a nice error message letting you know.

cpython/Python/import.c

Lines 3857 to 3863 in d94b1e9

Py_DECREF(to_return);
if (final_mod == NULL) {
if (!_PyErr_Occurred(tstate)) {
_PyErr_Format(tstate, PyExc_KeyError,
"%R not in sys.modules as expected",
to_return);
}

However, this error message uses to_return which was freed a couple of lines before. Because it's used just after being freed, you can't do anything too malicious with it, but you can crash python by allocating a large enough string and having it be unmapped after being freed so that it's invalid memory when it's accessed.

(No crash but triggers ASAN with use-after-free)

import sys
sys.modules = {f"a.b.c": {}}
__import__(f"b.c", {"__package__": "a"}, level=1)

(Crash)

import sys

loooong = "".ljust(0x100000, "b")
sys.modules = {f"a.{loooong}.c": {}}
__import__(f"{loooong}.c", {"__package__": "a"}, level=1)

Fix is to have the decref after it makes the error message.

CPython versions tested on:

3.12, 3.13, 3.14

Operating systems tested on:

Windows, Linux

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    interpreter-core(Objects, Python, Grammar, and Parser dirs)topic-importlibtype-crashA hard crash of the interpreter, possibly with a core dump

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions