gh-143378: Fix use-after-free BytesIO write via re-entrant buffer access

superboy-zjc · superboy-zjc · commit 240931999cd2 · 2026-01-03T19:58:40.000-08:00
PyObject_GetBuffer() can execute user code (e.g. via __buffer__), which may
close or otherwise mutate a BytesIO object while write() or writelines()
is in progress. This could invalidate the internal buffer and lead to a
use-after-free.

Temporarily bump the exports counter while acquiring the input buffer to
block re-entrant mutation, and add regression tests to ensure such cases
raise BufferError instead of crashing.
diff --git a/Lib/test/test_io/test_memoryio.py b/Lib/test/test_io/test_memoryio.py
@@ -856,6 +856,37 @@ def test_cow_mutable(self):
         memio = self.ioclass(ba)
         self.assertEqual(sys.getrefcount(ba), old_rc)
 
+    @support.cpython_only
+    def test_uaf_buffer_write(self):
+        # Prevent use-after-free when write() triggers a re-entrant call that
+        # closes or mutates the BytesIO object.
+        # See: https://github.com/python/cpython/issues/143378
+        class TBuf:
+            def __init__(self, bio):
+                self.bio = bio
+            def __buffer__(self, flags):
+                self.bio.close()
+                return memoryview(b"A")
+
+        memio = self.ioclass()
+        self.assertRaises(BufferError, memio.write, TBuf(memio))
+
+    @support.cpython_only
+    def test_uaf_buffer_writelines(self):
+        # Prevent use-after-free when writelines() triggers a re-entrant call that
+        # closes or mutates the BytesIO object.
+        # See: https://github.com/python/cpython/issues/143378
+        class TBuf:
+            def __init__(self, bio):
+                self.bio = bio
+            def __buffer__(self, flags):
+                self.bio.close()
+                return memoryview(b"A")
+
+        memio = self.ioclass()
+        self.assertRaises(BufferError, memio.writelines, [TBuf(memio)])
+
+
 class CStringIOTest(PyStringIOTest):
     ioclass = io.StringIO
     UnsupportedOperation = io.UnsupportedOperation
diff --git a/Misc/NEWS.d/next/Library/2026-01-03-19-41-36.gh-issue-143378.29AvE7.rst b/Misc/NEWS.d/next/Library/2026-01-03-19-41-36.gh-issue-143378.29AvE7.rst
@@ -0,0 +1,2 @@
+Fix use-after-free crashes when a :class:`_io.BytesIO` object is mutated during
+buffer writes via :meth:`write` or :meth:`writelines`.
diff --git a/Modules/_io/bytesio.c b/Modules/_io/bytesio.c
@@ -202,9 +202,14 @@ write_bytes_lock_held(bytesio *self, PyObject *b)
     }
 
     Py_buffer buf;
+    /* Issue #143378: Prevent re-entrant mutation during PyObject_GetBuffer() */
+    self->exports++;
     if (PyObject_GetBuffer(b, &buf, PyBUF_CONTIG_RO) < 0) {
+        self->exports--;
         return -1;
     }
+    self->exports--;
+
     Py_ssize_t len = buf.len;
     if (len == 0) {
         goto done;

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix use-after-free crashes when a :class:`_io.BytesIO` object is mutated during
	`2`	+buffer writes via :meth:`write` or :meth:`writelines`.
Original file line number	Diff line number	Diff line change
`@@ -202,9 +202,14 @@ write_bytes_lock_held(bytesio self, PyObject b)`
`202`	`202`	`}`
`203`	`203`
`204`	`204`	`Py_buffer buf;`
	`205`	`+ /* Issue #143378: Prevent re-entrant mutation during PyObject_GetBuffer() */`
	`206`	`+ self->exports++;`
`205`	`207`	`if (PyObject_GetBuffer(b, &buf, PyBUF_CONTIG_RO) < 0) {`
	`208`	`+ self->exports--;`
`206`	`209`	`return -1;`
`207`	`210`	`}`
	`211`	`+ self->exports--;`
	`212`	`+`
`208`	`213`	`Py_ssize_t len = buf.len;`
`209`	`214`	`if (len == 0) {`
`210`	`215`	`goto done;`