gh-143988: tation crashes in socket sendmsg/recvmsg_into via __buffer__

[tonghuaroot]

Summary

This PR fixes two heap out-of-bounds read vulnerabilities in socket.sendmsg() and socket.recvmsg_into() that are related to gh-143637.

While gh-143637 addresses the __index__ re-entrancy issue in sendmsg() ancillary data parsing (argument 2), there are two additional vulnerable code paths that use the __buffer__ protocol:

1. socket.sendmsg() argument 1 (data buffers) - in sock_sendmsg_iovec()
2. socket.recvmsg_into() argument 1 (buffers) - in sock_recvmsg_into()

Root Cause

The vulnerability occurs because:

1. PySequence_Fast() returns the original list object when the input is already a list (not a copy)
2. During iteration, PyObject_GetBuffer() triggers __buffer__ protocol callbacks which may clear the list
3. Subsequent iterations access invalid memory (heap OOB read), leading to a crash (SIGSEGV)

Proof of Concept

sendmsg() data buffers crash:

import socket

seq = []

class MutBuffer:
    def __init__(self, data):
        self._data = bytes(data)
        self.tripped = False
    
    def __buffer__(self, flags):
        if not self.tripped:
            self.tripped = True
            seq.clear()  # Clear during iteration!
        return memoryview(self._data)

seq[:] = [MutBuffer(b'Hello'), b'World', b'Test']
left, right = socket.socketpair()
left.sendmsg(seq)  # CRASH: SIGSEGV

recvmsg_into() buffers crash:

import socket

seq = []

class MutBuffer:
    def __init__(self, data):
        self._data = bytearray(data)
        self.tripped = False
    
    def __buffer__(self, flags):
        if not self.tripped:
            self.tripped = True
            seq.clear()  # Clear during iteration!
        return memoryview(self._data)

seq[:] = [MutBuffer(b'x' * 100), bytearray(100), bytearray(100)]
left, right = socket.socketpair()
left.send(b'Hello World!')
right.recvmsg_into(seq)  # CRASH: SIGSEGV

Fix

Replace PySequence_Fast() with PySequence_Tuple() which always creates a new tuple, ensuring the sequence cannot be mutated during iteration.

Testing

Added Lib/test/test_socket_reentrant.py with regression tests for both vulnerable code paths.

---

Note: This is related to but separate from PR #143892 which fixes the __index__ issue.

• Issue: socket.sendmsg() and socket.recvmsg_into() crash via __buffer__ re-entrancy (related to gh-143637) #143988

[bedevere-app]

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

And if you don't make the requested changes, you will be poked with soft cushions!

[tonghuaroot]

I have made the requested changes; please review again.

[bedevere-app]

Thanks for making the requested changes!

@picnixz: please review the changes made to this pull request.

[picnixz]

In this case use assertRaises.

[picnixz]

Instead of finally, use addCleanup.

[picnixz]

Make it on one line..It is short enough. And no need for a slice replacement. You can just write seq = ... (or would there be some NameError?)

[picnixz]

Add a refwrence to the gh issue as well. Using plain comments and

"See: URL TO THE ISSUE."

And not just gh-XXXXXX. URLs can be opened directly from IDEs, but not gh-* objects.

[picnixz]

I do not think you need an attribute. You can just return a memoryview on the fly.

[bedevere-app]

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

[picnixz]

Please read the devguide:

• Do not forcepush.
• Do not hit the "update branch" button if there is no need to (that is, if the CI is already green for the tests). it wastes resources and notifies everyone..

[tonghuaroot]

Please read the devguide:

• Do not forcepush.
• Do not hit the "update branch" button if there is no need to (that is, if the CI is already green for the tests). it wastes resources and notifies everyone..

Sorry about the force pushes - I'll use regular commits going forward. Thanks for the reminder about the devguide.

[tonghuaroot]

I have made the requested changes; please review again.

[bedevere-app]

Thanks for making the requested changes!

@picnixz: please review the changes made to this pull request.

[picnixz]

Remove the useless comments. It is obvious that we do not want a crash. However, I want to know why we silence the exceptions. Ideally we want an exact exception catching (whatever it is) with assertRaises or there should be no exception at all.

[picnixz]

Here as well you do not need the attribute I guess.

[picnixz]

that could occur if buffer sequences are concurrently mutated

• Remove argument parsing mention. It is an implementation detail.
• We do not really use the term re-entrency. I do not share the definition of re-entrency and prefer using concurrently here (you do two things at the same time)

[picnixz]

I am a bit confused with this one. There is nothing that checks for the fact that this really a buffer object or did I forget about PyArg_Parse?