Python CPython
cpe:2.3:a:python:cpython:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in CPython's 'bytes.decode' method when it is called with the 'unicode_escape' encoding and certain error handlers. The decoder creates a temporary bytes object and keeps pointers to the decoded data; once that temporary object is deleted, those pointers are invalid, so memory corruption and a crash can follow. The problem arises when the 'unicode_escape' decoder is used with error handlers that modify the decoding process, such as 'ignore' or 'replace'.
Triggering this vulnerability causes a segmentation fault that crashes the Python interpreter. When Python is built with AddressSanitizer, the use-after-free is instead reported as a memory error, which confirms that memory is being corrupted rather than merely dereferenced incorrectly.
The vulnerability can be reproduced by calling 'bytes.decode' with the 'unicode_escape' encoding and an error handler that modifies the default behaviour, such as 'ignore' or 'replace', on a bytes object that contains invalid escape sequences, such as octal escapes that are out of range. The segmentation fault occurs when the decoded data is accessed after the temporary bytes object has been destroyed.
Users can avoid this vulnerability by not passing the 'errors' parameter when decoding with the 'unicode_escape' encoding. Instead, call 'bytes.decode' without the 'errors' parameter and handle any decoding errors manually in a try-except block.
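The workaround described above, written out as an added example (not code from the advisory or from CPython): the codec is only ever invoked strictly, and 'replace'/'ignore' behaviour is rebuilt in Python from the offsets carried by the UnicodeDecodeError, so the codec's error-handler path is never entered. The function name, the returned problem list and the sample input are this example's own choices.

```python
"""Decode ``unicode_escape`` data without ever passing an ``errors`` handler.

Added example for the workaround above; it is not code from the advisory or
from CPython. It relies only on documented behaviour: a strict
``bytes.decode("unicode_escape")`` raises UnicodeDecodeError whose ``start``
and ``end`` are offsets into the object that was being decoded.
"""
from __future__ import annotations

REPLACEMENT = "\ufffd"  # what the built-in "replace" handler would insert


def decode_unicode_escape(data: bytes, on_error: str = "replace"):
    """Return ``(text, problems)`` for ``data``.

    ``on_error`` is one of "replace", "ignore" or "strict" and is handled
    here, in Python, so the codec's error-handler path is never entered.
    ``problems`` lists ``(start, end, reason)`` for every malformed escape,
    with offsets relative to ``data``, so callers can log what was rejected.
    """
    if on_error not in ("replace", "ignore", "strict"):
        raise ValueError(f"unsupported on_error: {on_error!r}")
    chunks: list[str] = []
    problems: list[tuple[int, int, str]] = []
    pos = 0
    while pos < len(data):
        rest = data[pos:]
        try:
            chunks.append(rest.decode("unicode_escape"))  # strict: no errors=
            break
        except UnicodeDecodeError as exc:
            if on_error == "strict":
                raise
            # The decoder works left to right, so rest[:exc.start] is clean.
            chunks.append(rest[:exc.start].decode("unicode_escape"))
            problems.append((pos + exc.start, pos + exc.end, exc.reason))
            if on_error == "replace":
                chunks.append(REPLACEMENT)
            pos += exc.end  # end > start, so the loop always advances
    return "".join(chunks), problems


if __name__ == "__main__":
    # Constructed sample: a truncated \x escape and a dangling trailing backslash.
    sample = b"x\\x4Z\\u00e9\\"
    text, problems = decode_unicode_escape(sample)
    print(repr(text), problems)
```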