[Python-checkins] bpo-43362: Fix invalid free and return check in _sha3 module (GH-25463)

tiran webhook-mailer at python.org
Sun Apr 18 02:39:48 EDT 2021


https://github.com/python/cpython/commit/aa6da32edc3c6ddfda5e849561e20273b8d82771
commit: aa6da32edc3c6ddfda5e849561e20273b8d82771
branch: master
author: Christian Heimes <christian at python.org>
committer: tiran <christian at python.org>
date: 2021-04-18T08:39:39+02:00
summary:

bpo-43362: Fix invalid free and return check in _sha3 module (GH-25463)

Commit 93d50a6a8d0c5d332c11aef267e66573a09765ac / GH-21855 changed the
order of variable definitions, which introduced a potential invalid free
bug. Py_buffer object is now initialized earlier and the result of
Keccak initialize is verified.

Co-authored-by: Alex Henrie <alexhenrie24 at gmail.com>
Signed-off-by: Christian Heimes <christian at python.org>

Co-authored-by: Alex Henrie <alexhenrie24 at gmail.com>

files:
A Misc/NEWS.d/next/Security/2021-04-18-00-56-44.bpo-43362.__5aiP.rst
M Modules/_sha3/sha3module.c

diff --git a/Misc/NEWS.d/next/Security/2021-04-18-00-56-44.bpo-43362.__5aiP.rst b/Misc/NEWS.d/next/Security/2021-04-18-00-56-44.bpo-43362.__5aiP.rst
new file mode 100644
index 0000000000000..713a683bc8eb3
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-04-18-00-56-44.bpo-43362.__5aiP.rst
@@ -0,0 +1,2 @@
+Fix invalid free in _sha3 module. The issue was introduced in 3.10.0a1.
+Python 3.9 and earlier are not affected.
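Review bot: the NEWS entry names only the invalid free, but the diff in `sha3module.c` also adds a check on the return value of the `Keccak_HashInitialize_*` calls (the commit summary line mentions both). Consider widening the entry so the user-visible change is complete, e.g. "Fix invalid free and check the result of Keccak initialization in the _sha3 module."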
diff --git a/Modules/_sha3/sha3module.c b/Modules/_sha3/sha3module.c
index cae10f99d5b8d..27f69385cc3eb 100644
--- a/Modules/_sha3/sha3module.c
+++ b/Modules/_sha3/sha3module.c
@@ -193,15 +193,16 @@ static PyObject *
 py_sha3_new_impl(PyTypeObject *type, PyObject *data, int usedforsecurity)
 /*[clinic end generated code: output=90409addc5d5e8b0 input=bcfcdf2e4368347a]*/
 {
+    HashReturn res;
+    Py_buffer buf = {NULL, NULL};
+    SHA3State *state = PyType_GetModuleState(type);
     SHA3object *self = newSHA3object(type);
     if (self == NULL) {
         goto error;
     }
 
-    SHA3State *state = PyType_GetModuleState(type);
     assert(state != NULL);
 
-    HashReturn res;
     if (type == state->sha3_224_type) {
         res = Keccak_HashInitialize_SHA3_224(&self->hash_state);
     } else if (type == state->sha3_256_type) {
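Review bot: hoisting `Py_buffer buf = {NULL, NULL};` and `SHA3State *state` above the first `goto error` is the substantive fix: before this change, a NULL return from `newSHA3object` jumped to the error label while `buf` was still undeclared/uninitialized, so a buffer release in the cleanup path (outside this hunk, per the commit message) could operate on an indeterminate `Py_buffer`. `HashReturn res;` is hoisted as well but left uninitialized; if any path through the `if`/`else if` chain on `type` reaches the later `res != SUCCESS` check without assigning it, that check reads an indeterminate value. Suggest initializing it at declaration to the enum's failure member (e.g. `HashReturn res = FAIL;`) so an unassigned branch fails closed.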
@@ -229,7 +230,12 @@ py_sha3_new_impl(PyTypeObject *type, PyObject *data, int usedforsecurity)
         goto error;
     }
 
-    Py_buffer buf = {NULL, NULL};
+    if (res != SUCCESS) {
+        PyErr_SetString(PyExc_RuntimeError,
+                        "internal error in SHA3 initialize()");
+        goto error;
+    }
+
     if (data) {
         GET_BUFFER_VIEW_OR_ERROR(data, &buf, goto error);
         if (buf.len >= HASHLIB_GIL_MINSIZE) {
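Review bot: the new `res != SUCCESS` check sits after the branch that ends in `goto error;` at the top of this hunk rather than directly after the `Keccak_HashInitialize_*` dispatch, so the ordering is: type dispatch, existing error exit, then the result check. That is correct only as long as nothing between the initialize call and this check can overwrite `res`; a one-line comment stating that dependency would make the intent clearer to the next editor. The new `goto error` in the RuntimeError path exits before `GET_BUFFER_VIEW_OR_ERROR` fills `buf`, which is safe precisely because `buf` is now zero-initialized at function entry (previous hunk); keep those two changes together if this is ever backported.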