gh-136053: Memory Safety Issue in marshal.c TYPE_SLICE Case #136054
Conversation
Misc/NEWS.d/next/Security/2025-06-27-20-14-11.gh-issue-136053._pnEv0.rst
Outdated
Show resolved
Hide resolved
|
Thanks for the fix but please add a regression test. Even if it's not easily reproducible, I'd like to see a PoC. |
There was a problem hiding this comment.
The test does not work.
For testing, you need to create at least 2147483646 (0x7ffffffe) references. This is impossible on 32-bit platform, and on 64-bit platforms it will consume at least 16 GiB (and maybe 32 GiB or 64 GiB due to overallocation) only for the list, not counting the referred objects. This is a bigmem test. This will also take a significant amount of time to run. I do not think it is worth to add an expensive test for trivial fix.
|
@picnixz This can be merged. |
|
Thanks @akshat62 for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14. |
…6054) Fix a possible crash when deserializing a large marshal data (at least several GiBs) containing a slice. (cherry picked from commit 30ba03e) Co-authored-by: Akshat Gupta <[email protected]>
|
GH-136092 is a backport of this pull request to the 3.14 branch. |
…GH-136092) Fix a possible crash when deserializing a large marshal data (at least several GiBs) containing a slice. (cherry picked from commit 30ba03e) Co-authored-by: Akshat Gupta <[email protected]>
|
No 3.13 bp? |
|
New in 3.14. |
Uh oh!
There was an error while loading. Please reload this page.