
oss-sec mailing list archives
Re: CPython CVE-2025-4516: Use-after-free crash using bytes.decode("unicode_escape", error="ignore|replace")
From: Hanno Böck <hanno () hboeck de>
Date: Mon, 19 May 2025 09:44:26 +0200
Hi,

I had reported this to Python a while ago. I'm attaching my original report below.

--------------------

I stumbled upon a segfault in python that turned out to be a use after free error. As UAF bugs can lead to memory corruption and potentially security issues, and as this issue is triggered by input to a very common function (encode()), reporting this as a security issue, as it may have larger security implications.

A testcase is attached. The zip attached contains a script "crashme", which will just read the content of a file as binary data and then run decode("unicode_escape", errors="ignore") on it (errors="replace" causes the same issue).

With the sample file large.txt, this segfaults python for me:

./crashme large.txt
Segmentation fault

small.txt is a reduced testcase that will not lead to a crash, but with a python build with Address Sanitizer/ASAN, it will still show a use after free. The ASAN error, showing a use after free read in _PyUnicode_DecodeUnicodeEscapeStateful, is in asan-error.txt.

--
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
Attachment: pyuaf.zip
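The report above describes a "crashme" script that reads a file as bytes and calls decode("unicode_escape", errors="ignore") on it. The following is an added triage harness, not Hanno's script or any CPython code: it performs the same decode in-process, and also runs it in a child interpreter so that a segfault in the decoder is reported as a signal instead of taking down the caller. The sample input is constructed here (a truncated \x escape that exercises the errors= handler); it is not the large.txt or small.txt from the attached zip, which are not reproduced on this page, and it does not crash.

```python
import os
import subprocess
import sys
import tempfile

# Constructed sample: two valid escapes followed by a truncated "\x" escape,
# so the errors= handler is actually exercised. Not the reporter's test file.
SAMPLE = b"a\\x41\\u00e9\\x"

# Script executed in the child interpreter: same operation as the report's
# "crashme" (read file as binary, decode with unicode_escape), printing only
# the decoded length so the parent can check it finished normally.
CHILD_SCRIPT = r"""
import sys
data = open(sys.argv[1], "rb").read()
out = data.decode("unicode_escape", errors=sys.argv[2])
sys.stdout.write(str(len(out)))
"""


def decode_unicode_escape(data: bytes, errors: str = "ignore") -> str:
    """The decode the report exercises, run in-process (crashes the caller if the decoder is faulty)."""
    return data.decode("unicode_escape", errors=errors)


def decode_isolated(data: bytes, errors: str = "ignore", timeout: float = 30.0) -> dict:
    """Run the decode in a child interpreter and classify how the child ended.

    A negative returncode on POSIX means the child was killed by a signal
    (e.g. -11 for SIGSEGV), which is how the reported crash would surface.
    On Windows the returncode for a crash is a large positive value instead,
    so 'crashed' is only meaningful on POSIX.
    """
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT, path, errors],
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    finally:
        os.unlink(path)

    crashed = proc.returncode < 0
    return {
        "crashed": crashed,
        "signal": -proc.returncode if crashed else None,
        "returncode": proc.returncode,
        "length": int(proc.stdout) if proc.returncode == 0 else None,
        "stderr": proc.stderr.strip(),
    }


if __name__ == "__main__":
    # Usage: python triage.py <file> [ignore|replace]; defaults to the constructed sample.
    payload = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    handler = sys.argv[2] if len(sys.argv) > 2 else "ignore"
    result = decode_isolated(payload, handler)
    if result["crashed"]:
        print(f"child interpreter died with signal {result['signal']}")
    else:
        print(f"decoded normally, {result['length']} code points (rc={result['returncode']})")
```

Pointing the harness at a file received from an untrusted source before decoding it in a long-lived service is the practical use: a crash shows up as a non-zero, signal-derived return code in the parent, and an ASAN-instrumented interpreter passed via sys.executable will report the use-after-free on stderr even for inputs that do not segfault, as the report notes for small.txt.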
Current thread:
- CPython CVE-2025-4516: Use-after-free crash using bytes.decode("unicode_escape", error="ignore|replace") Alan Coopersmith (May 16)
- Re: CPython CVE-2025-4516: Use-after-free crash using bytes.decode("unicode_escape", error="ignore|replace") Hanno Böck (May 19)