Skip to content

Type confusion in zoneinfo_ZoneInfo_impl via overridden cache setdefault() #142781

Closed
#142925
Closed
Type confusion in zoneinfo_ZoneInfo_impl via overridden cache setdefault()#142781
#142925
Labels
extension-modulesC modules in the Modules dirtype-crashA hard crash of the interpreter, possibly with a core dump
@jackfromeast

Description

@jackfromeast
jackfromeast
opened on Dec 16, 2025

What happened?

Handler zoneinfo_ZoneInfo_impl() calls weak_cache.setdefault(key, tmp) and blindly treats the returned object as a ZoneInfo, immediately casting to PyZoneInfo_ZoneInfo and writing to its fields. A subclass can swap _weak_cache with a dict-like object whose setdefault() returns a non-ZoneInfo (e.g., an int), causing type confusion and subsequent memory corruption/crash under ASan. A minimal PoC overrides setdefault() to return the wrong type and triggers a buffer overflow during teardown.

Proof of Concept:

import zoneinfo

class EvilCache(dict):
    def setdefault(self, key, value):
        return 1337  # wrong type

class Evil(zoneinfo.ZoneInfo):
    pass

Evil._weak_cache = EvilCache()  # override the inherited cache

Evil("UTC")

Affected Versions:

Details
Python Version Status Exit Code
Python 3.9.24+ (heads/3.9:9c4638d, Oct 17 2025, 11:19:30) ASAN 1
Python 3.10.19+ (heads/3.10:0142619, Oct 17 2025, 11:20:05) [GCC 13.3.0] ASAN 1
Python 3.11.14+ (heads/3.11:88f3f5b, Oct 17 2025, 11:20:44) [GCC 13.3.0] ASAN 1
Python 3.12.12+ (heads/3.12:8cb2092, Oct 17 2025, 11:21:35) [GCC 13.3.0] ASAN 1
Python 3.13.9+ (heads/3.13:0760a57, Oct 17 2025, 11:22:25) [GCC 13.3.0] ASAN 1
Python 3.14.0+ (heads/3.14:889e918, Oct 17 2025, 11:23:02) [GCC 13.3.0] ASAN 1
Python 3.15.0a1+ (heads/main:fbf0843, Oct 17 2025, 11:23:37) [GCC 13.3.0] ASAN 1

Related Code Snippet

Details 
static PyObject *
zoneinfo_ZoneInfo_impl(PyTypeObject *type, PyObject *key)
/*[clinic end generated code: output=95e61dab86bb95c3 input=ef73d7a83bf8790e]*/
{
	   if (instance == Py_None) {
        Py_DECREF(instance);
        PyObject *tmp = zoneinfo_new_instance(state, type, key);
        if (tmp == NULL) {
            return NULL;
        }

        instance =
            PyObject_CallMethod(weak_cache, "setdefault", "OO", key, tmp);
        Py_DECREF(tmp);
        if (instance == NULL) {
            return NULL;
        }
        
	// Bug: Type Confusion
        ((PyZoneInfo_ZoneInfo *)instance)->source = SOURCE_CACHE;
    }

    update_strong_cache(state, type, key, instance);
    return instance;
}

Sanitizer Report

Details 
=================================================================
==1440071==ERROR: AddressSanitizer: global-buffer-overflow on address 0x568a2b530208 at pc 0x568a2ac75512 bp 0x7ffe6e89f060 sp 0x7ffe6e89f050
READ of size 8 at 0x568a2b530208 thread T0
    #0 0x568a2ac75511 in _Py_Dealloc Objects/object.c:3174
    #1 0x568a2acbf5cb in Py_DECREF Include/refcount.h:401
    #2 0x568a2acbf5ea in Py_XDECREF Include/refcount.h:511
    #3 0x568a2acc1a9c in tuple_dealloc Objects/tupleobject.c:213
    #4 0x568a2ac75481 in _Py_Dealloc Objects/object.c:3200
    #5 0x568a2abc2e2b in Py_DECREF Include/refcount.h:401
    #6 0x568a2abc33a8 in Py_XDECREF Include/refcount.h:511
    #7 0x568a2abc533a in code_dealloc Objects/codeobject.c:2423
    #8 0x568a2ac75481 in _Py_Dealloc Objects/object.c:3200
    #9 0x568a2ac0cb65 in Py_DECREF Include/refcount.h:401
    #10 0x568a2ac0f5c9 in func_dealloc Objects/funcobject.c:1158
    #11 0x568a2ac75481 in _Py_Dealloc Objects/object.c:3200
    #12 0x568a2ac40874 in Py_DECREF Include/refcount.h:401
    #13 0x568a2ac40893 in Py_XDECREF Include/refcount.h:511
    #14 0x568a2ac40edf in dictkeys_decref Objects/dictobject.c:462
    #15 0x568a2ac514e9 in clear_lock_held Objects/dictobject.c:2947
    #16 0x568a2ac5168f in PyDict_Clear Objects/dictobject.c:2976
    #17 0x568a2acdca6c in type_clear Objects/typeobject.c:6962
    #18 0x568a2ace181c in subtype_clear Objects/typeobject.c:2690
    #19 0x568a2aee3fe0 in delete_garbage Python/gc.c:1199
    #20 0x568a2aee472c in gc_collect_region Python/gc.c:1814
    #21 0x568a2aee5ce2 in gc_collect_full Python/gc.c:1728
    #22 0x568a2aee7045 in _PyGC_Collect Python/gc.c:2096
    #23 0x568a2aee711a in _PyGC_CollectNoFail Python/gc.c:2137
    #24 0x568a2af5b2dc in finalize_modules Python/pylifecycle.c:1795
    #25 0x568a2af66618 in _Py_Finalize Python/pylifecycle.c:2255
    #26 0x568a2af666f2 in Py_FinalizeEx Python/pylifecycle.c:2378
    #27 0x568a2afc8847 in Py_RunMain Modules/main.c:774
    #28 0x568a2afc8a2e in pymain_main Modules/main.c:802
    #29 0x568a2afc8db3 in Py_BytesMain Modules/main.c:826
    #30 0x568a2aa4c645 in main Programs/python.c:15
    #31 0x7add2d02a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #32 0x7add2d02a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #33 0x568a2aa4c574 in _start (/home/jackfromeast/Desktop/entropy/tasks/grammar-afl++-latest/targets/cpython/python+0x2dd574) (BuildId: ff3dc40ea460bd4beb2c3a72283cca525b319bf0)

Address 0x568a2b530208 is a wild pointer inside of access range of size 0x000000000008.
SUMMARY: AddressSanitizer: global-buffer-overflow Objects/object.c:3174 in _Py_Dealloc
Shadow bytes around the buggy address:
  0x568a2b52ff80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x568a2b530000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x568a2b530080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x568a2b530100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x568a2b530180: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x568a2b530200: f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x568a2b530280: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x568a2b530300: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x568a2b530380: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x568a2b530400: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x568a2b530480: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1440071==ABORTING

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    extension-modulesC modules in the Modules dirtype-crashA hard crash of the interpreter, possibly with a core dump

    Projects

    Date and time issues 🕰️

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions