gh-143988: Fix re-entrant mutation crashes in socket sendmsg/recvmsg_into via __buffer__

[tonghuaroot]

Summary

This PR fixes two heap out-of-bounds read vulnerabilities in socket.sendmsg() and socket.recvmsg_into() that are related to gh-143637.

While gh-143637 addresses the __index__ re-entrancy issue in sendmsg() ancillary data parsing (argument 2), there are two additional vulnerable code paths that use the __buffer__ protocol:

1. socket.sendmsg() argument 1 (data buffers) - in sock_sendmsg_iovec()
2. socket.recvmsg_into() argument 1 (buffers) - in sock_recvmsg_into()

Root Cause

The vulnerability occurs because:

1. PySequence_Fast() returns the original list object when the input is already a list (not a copy)
2. During iteration, PyObject_GetBuffer() triggers __buffer__ protocol callbacks which may clear the list
3. Subsequent iterations access invalid memory (heap OOB read), leading to a crash (SIGSEGV)

Proof of Concept

sendmsg() data buffers crash:

import socket

seq = []

class MutBuffer:
    def __init__(self, data):
        self._data = bytes(data)
        self.tripped = False
    
    def __buffer__(self, flags):
        if not self.tripped:
            self.tripped = True
            seq.clear()  # Clear during iteration!
        return memoryview(self._data)

seq[:] = [MutBuffer(b'Hello'), b'World', b'Test']
left, right = socket.socketpair()
left.sendmsg(seq)  # CRASH: SIGSEGV

recvmsg_into() buffers crash:

import socket

seq = []

class MutBuffer:
    def __init__(self, data):
        self._data = bytearray(data)
        self.tripped = False
    
    def __buffer__(self, flags):
        if not self.tripped:
            self.tripped = True
            seq.clear()  # Clear during iteration!
        return memoryview(self._data)

seq[:] = [MutBuffer(b'x' * 100), bytearray(100), bytearray(100)]
left, right = socket.socketpair()
left.send(b'Hello World!')
right.recvmsg_into(seq)  # CRASH: SIGSEGV

Fix

Replace PySequence_Fast() with PySequence_Tuple() which always creates a new tuple, ensuring the sequence cannot be mutated during iteration.

Testing

Added Lib/test/test_socket_reentrant.py with regression tests for both vulnerable code paths.

---

Note: This is related to but separate from PR #143892 which fixes the __index__ issue.

• Issue: socket.sendmsg() and socket.recvmsg_into() crash via __buffer__ re-entrancy (related to gh-143637) #143988

[bedevere-app]

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

And if you don't make the requested changes, you will be poked with soft cushions!

[tonghuaroot]

I have made the requested changes; please review again.

[bedevere-app]

Thanks for making the requested changes!

@picnixz: please review the changes made to this pull request.

[bedevere-app]

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

[picnixz]

Please read the devguide:

• Do not forcepush.
• Do not hit the "update branch" button if there is no need to (that is, if the CI is already green for the tests). it wastes resources and notifies everyone..

[tonghuaroot]

Please read the devguide:

• Do not forcepush.
• Do not hit the "update branch" button if there is no need to (that is, if the CI is already green for the tests). it wastes resources and notifies everyone..

Sorry about the force pushes - I'll use regular commits going forward. Thanks for the reminder about the devguide.

[tonghuaroot]

I have made the requested changes; please review again.

[bedevere-app]

Thanks for making the requested changes!

@picnixz: please review the changes made to this pull request.

[picnixz]

that could occur if buffer sequences are concurrently mutated

• Remove argument parsing mention. It is an implementation detail.
• We do not really use the term re-entrency. I do not share the definition of re-entrency and prefer using concurrently here (you do two things at the same time)

[tonghuaroot]

Thanks @vstinner! Addressed all three:

• Renamed fast to buffers_tuple in sock_recvmsg_into.
• Trimmed the ReentrantMutationTests docstring to fit 80 columns.
• Moved the NEWS entry from Security/ to Library/ — agreed this is a crash-robustness fix rather than a security vulnerability.

The failing Docs (pull_request) job looks unrelated to this change: it errors on a missing Doc/tools/check-html-ids.py on the runner, while this PR only touches socketmodule.c, test_socket.py, and the NEWS entry.

[vstinner]

@picnixz: Would you mind to review the updated PR? It seems like 2 of your comments were not addressed yet.

.

[picnixz]

I think the docs issue is because of the branch not being up-to-date. You can hit the "Update branch" button to merge main into this branch (just don't force push)

[miss-islington-app]

Thanks @tonghuaroot for the PR, and @vstinner for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @tonghuaroot for the PR, and @vstinner for merging it 🌮🎉.. I'm working now to backport this PR to: 3.15.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @tonghuaroot for the PR, and @vstinner for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14.
🐍🍒⛏🤖

[miss-islington-app]

Sorry, @tonghuaroot and @vstinner, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 896f7fdc7d0ba6d4ace06935b9d67c4da0f9ecbe 3.14

[miss-islington-app]

Sorry, @tonghuaroot and @vstinner, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 896f7fdc7d0ba6d4ace06935b9d67c4da0f9ecbe 3.13

[bedevere-app]

GH-151246 is a backport of this pull request to the 3.15 branch.

[bedevere-app]

GH-151251 is a backport of this pull request to the 3.14 branch.

[vstinner]

Merged, thanks for your fix. I backport the change to 3.14 and 3.15 branches. (The 3.14 backport will be backported to 3.13 once it will be merged.)