Skip to content

gh-140607: Validate returned byte count in RawIOBase.read #140611

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Oct 27, 2025
Merged

gh-140607: Validate returned byte count in RawIOBase.read #140611

merged 7 commits into from
Oct 27, 2025
+30 −3

Conversation

@cmaloney
Copy link
Contributor

@cmaloney cmaloney commented Oct 26, 2025
edited
Loading

While readinto implementations should return a count of bytes between 0 and the length of the given buffer, they are not required to. Add validation inside RawIOBase.read that the returned byte count is reasonable.

@cmaloney
pythongh-140607: Validate returned byte count in RawIOBase.read
f25ce8a 
While `RawIOBase.readinto` should return a count of bytes between 0 and
the length of the given buffer, it is not required to. Add validation
inside RawIOBase.read that the returned byte count is reasonable.
@cmaloney cmaloney added topic-IO needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Oct 26, 2025
@bedevere-app bedevere-app bot mentioned this pull request Oct 26, 2025
Closed
@cmaloney
Copy link
Contributor Author

cmaloney commented Oct 26, 2025

It looks like the IOBase C implementation has never checked range here. I think it's reasonable to back port to bugfix releases as a ValueError could be raised in other cases (not adding a new exception; just more cases) and a bad value allows access to unallocated memory. Cherry picks will likely need to be manual to cross the I/O test refactoring.

The _pyio change could also potentially use a n = n.__index__() to make sure the .readinto return is an integer at that point; not sure it's worth adding though.

cc: @vstinner

efimov-mikhail
efimov-mikhail reviewed Oct 26, 2025
View reviewed changes
ashm-dev
ashm-dev suggested changes Oct 26, 2025
View reviewed changes
@cmaloney cmaloney requested a review from ashm-dev October 26, 2025 19:03
efimov-mikhail
efimov-mikhail reviewed Oct 26, 2025
View reviewed changes
efimov-mikhail
efimov-mikhail reviewed Oct 26, 2025
View reviewed changes
efimov-mikhail
efimov-mikhail reviewed Oct 26, 2025
View reviewed changes
efimov-mikhail
efimov-mikhail approved these changes Oct 26, 2025
View reviewed changes
Copy link
Member

@efimov-mikhail efimov-mikhail left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

vstinner
vstinner reviewed Oct 27, 2025
View reviewed changes
ashm-dev
ashm-dev reviewed Oct 27, 2025
View reviewed changes
Modules/_io/iobase.c
Comment on lines 944 to 954
if (bytes_filled == -1 && PyErr_Occurred()) {
Py_DECREF(b);
return NULL;
}
if (bytes_filled < 0 || bytes_filled > n) {
Py_DECREF(b);
PyErr_Format(PyExc_ValueError,
"readinto returned '%zd' outside buffer size '%zd'",
bytes_filled, n);
return NULL;
}
Copy link
Contributor

@ashm-dev ashm-dev Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

if (bytes_filled == -1 && PyErr_Occurred())
    goto error;

if (bytes_filled < 0 || bytes_filled > n) {
    PyErr_Format(PyExc_ValueError,
                 "readinto returned '%zd' outside buffer size '%zd'",
                 bytes_filled, n);
    goto error;
}

error:
    Py_DECREF(b);
    return NULL;

maybe do it this way to remove duplication and improve readability

Copy link
Contributor Author

@cmaloney cmaloney Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a personal preference not to use gotos although agree this function is one where Py_DECREF(b); return res; would deduplicate and reduce lines of code.

To do that the Py_DECREF(res); would need to turn into Py_CLEAR(res) (so res is set to NULL) + a couple cases earlier could use it as well... Not planning to do that but can if there's a strong press to.

Copy link
Member

@vstinner vstinner Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

goto

Copy link
Member

@vstinner vstinner Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just kidding. In general, I also like using goto in C to factorize code to cleanup resources before exit. Here it's just a matter of taste. I'm fine with the current code 😀

@vstinner vstinner removed needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Oct 27, 2025
@vstinner
Copy link
Member

vstinner commented Oct 27, 2025

I think it's reasonable to back port to bugfix releases as a ValueError could be raised in other cases (not adding a new exception; just more cases) and a bad value allows access to unallocated memory.

I prefer to not backport the change. Existing code may just work by luck and this change making Python more strict can break it.

vstinner
vstinner approved these changes Oct 27, 2025
View reviewed changes
Copy link
Member

@vstinner vstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ashm-dev
ashm-dev approved these changes Oct 27, 2025
View reviewed changes
Copy link
Contributor

@ashm-dev ashm-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@vstinner vstinner enabled auto-merge (squash) October 27, 2025 17:43
@vstinner vstinner merged commit 0f0a362 into python:main Oct 27, 2025
45 checks passed
@cmaloney cmaloney deleted the gh-140607 branch October 27, 2025 18:22
@vstinner vstinner added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Oct 28, 2025
@miss-islington-app
Copy link

miss-islington-app bot commented Oct 28, 2025

Thanks @cmaloney for the PR, and @vstinner for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-app bot commented Oct 28, 2025

Thanks @cmaloney for the PR, and @vstinner for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14.
🐍🍒⛏🤖

@miss-islington-app
Copy link

miss-islington-app bot commented Oct 28, 2025

Sorry, @cmaloney and @vstinner, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 0f0a362768aecb4c791724cce486d8317533a94d 3.13

@miss-islington-app
Copy link

miss-islington-app bot commented Oct 28, 2025

Sorry, @cmaloney and @vstinner, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 0f0a362768aecb4c791724cce486d8317533a94d 3.14

@vstinner
Copy link
Member

vstinner commented Oct 28, 2025

I prefer to not backport the change. Existing code may just work by luck and this change making Python more strict can break it.

I read again the issue and I missed the AddressSanitizer report in the issue. It changed my mind and I know agree that it's better to backport this change.

@cmaloney: Can you try to backport the change to 3.14? The automated backport failed.

@cmaloney
Copy link
Contributor Author

cmaloney commented Oct 28, 2025

👍 will work on backports today

@bedevere-app
Copy link

bedevere-app bot commented Oct 28, 2025

GH-140728 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Oct 28, 2025
cmaloney added a commit to cmaloney/cpython that referenced this pull request Oct 28, 2025
@cmaloney @ashm-dev @vstinner
[3.14] pythongh-140607: Validate returned byte count in RawIOBase.read (
9f114fa 
pythonGH-140611)

While `RawIOBase.readinto` should return a count of bytes between 0 and
the length of the given buffer, it is not required to. Add validation
inside RawIOBase.read() that the returned byte count is valid.
(cherry picked from commit 0f0a362)

Co-authored-by: Cody Maloney <[email protected]>
Co-authored-by: Shamil <[email protected]>
Co-authored-by: Victor Stinner <[email protected]>
cmaloney added a commit to cmaloney/cpython that referenced this pull request Oct 28, 2025
@cmaloney @ashm-dev @vstinner
[3.13] pythongh-140607: Validate returned byte count in RawIOBase.read (
dcded72 
pythonGH-140611)

While `RawIOBase.readinto` should return a count of bytes between 0 and
the length of the given buffer, it is not required to. Add validation
inside RawIOBase.read() that the returned byte count is valid.
(cherry picked from commit 0f0a362)

Co-authored-by: Cody Maloney <[email protected]>
Co-authored-by: Shamil <[email protected]>
Co-authored-by: Victor Stinner <[email protected]>
@bedevere-app
Copy link

bedevere-app bot commented Oct 28, 2025

GH-140730 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Oct 28, 2025
vstinner added a commit that referenced this pull request Oct 29, 2025
@cmaloney @ashm-dev @vstinner
[3.14] gh-140607: Validate returned byte count in RawIOBase.read (GH-…
9a7dccd 
…140611) (#140728)

* [3.14] gh-140607: Validate returned byte count in RawIOBase.read (GH-140611)

While `RawIOBase.readinto` should return a count of bytes between 0 and
the length of the given buffer, it is not required to. Add validation
inside RawIOBase.read() that the returned byte count is valid.
(cherry picked from commit 0f0a362)

Co-authored-by: Cody Maloney <[email protected]>
Co-authored-by: Shamil <[email protected]>
Co-authored-by: Victor Stinner <[email protected]>

* fixup: Use older attribute name

---------

Co-authored-by: Shamil <[email protected]>
Co-authored-by: Victor Stinner <[email protected]>
vstinner added a commit that referenced this pull request Oct 29, 2025
@cmaloney @ashm-dev @vstinner
[3.13] gh-140607: Validate returned byte count in RawIOBase.read (GH-…
a1a71ef 
…140611) (#140730)

* [3.13] gh-140607: Validate returned byte count in RawIOBase.read (GH-140611)

While `RawIOBase.readinto` should return a count of bytes between 0 and
the length of the given buffer, it is not required to. Add validation
inside RawIOBase.read() that the returned byte count is valid.
(cherry picked from commit 0f0a362)

Co-authored-by: Cody Maloney <[email protected]>
Co-authored-by: Shamil <[email protected]>
Co-authored-by: Victor Stinner <[email protected]>

* fixup: Use older attribute name

---------

Co-authored-by: Shamil <[email protected]>
Co-authored-by: Victor Stinner <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vstinner vstinner vstinner approved these changes

@efimov-mikhail efimov-mikhail efimov-mikhail approved these changes

+1 more reviewer

@ashm-dev ashm-dev ashm-dev approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@vstinner vstinner

Labels

topic-IO

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cmaloney @vstinner @efimov-mikhail @ashm-dev