classification
Title: Clear audit hooks after destructors
Type: security
Stage: patch review
Components: Interpreter Core
Versions: Python 3.10, Python 3.9, Python 3.8
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, frankli, steve.dower, zkonge
Priority: normal
Keywords: patch

Created on 2020-06-29 16:28 by steve.dower, last changed 2020-07-06 19:23 by steve.dower.

Files
File name Uploaded Description
clearaudithook.patch zkonge, 2020-06-29 18:09
Pull Requests
URL Status Linked
PR 21222 merged zkonge, 2020-06-29 19:45
PR 21302 merged steve.dower, 2020-07-03 21:20
PR 21303 merged steve.dower, 2020-07-03 22:05
PR 21304 merged steve.dower, 2020-07-03 22:33
Messages (7)
msg372601 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-06-29 16:28
Because of when _Py_ClearAuditHooks is called during finalization, it is possible that __del__ destructors will be called after hooks have been cleared. Audit events that would be raised here are dropped.

We should ensure these events are received by any known hooks for the interpreter (Python) or the runtime (C).

(Thanks to Frank Li for the report.)
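Added example (not part of the thread and not from CPython's test suite): a check for the Python-level half of the requirement above, that an audit event raised from a `__del__` running during interpreter shutdown still reaches a hook registered with `sys.addaudithook`. The event name `example.late_del`, the `Late` class and the helper function names are made up for the illustration, and C hooks added with `PySys_AddAuditHook` are not exercised.

```python
import subprocess
import sys

# Constructed child script: registers a Python-level audit hook, then leaves an
# object with a __del__ in module globals so it is destroyed at interpreter exit.
CHILD = r'''
import os, sys, types

def _hook(event, args):
    # Report our event plus CPython's own finalization events, in arrival order.
    if event == "example.late_del" or event.startswith("cpython."):
        write(1, event.encode() + b"\n")

# Rebind the hook to a private globals dict so the registered hook does not
# itself hold a reference to `keep` through this script's module globals.
sys.addaudithook(types.FunctionType(_hook.__code__, {"write": os.write}))

class Late:
    # sys.audit is bound as a default so __del__ does not depend on globals
    # still being intact when it runs.
    def __del__(self, _audit=sys.audit):
        _audit("example.late_del")

keep = Late()   # never deleted explicitly: destroyed during finalization
'''


def finalization_events(python=sys.executable):
    """Run CHILD and return the audit events its hook reported, in order."""
    proc = subprocess.run([python, "-c", CHILD], stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, timeout=60)
    return proc.stdout.decode().split()


def destructor_event_delivered(python=sys.executable):
    """True if the event raised from __del__ at exit reached the hook."""
    return "example.late_del" in finalization_events(python)


if __name__ == "__main__":
    events = finalization_events()
    print("events seen by hook at exit:", events)
    print("destructor event delivered:", "example.late_del" in events)
```

Pass the path of another interpreter as `python` to run the same check against that build.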
msg372610 - Author: JIanqiu Tao (zkonge) * Date: 2020-06-29 18:09
The patch attached below works well, but with less functionality for users' audit hooks.
The pure Python audit hook implementation looks safe enough.
Should we call _PySys_ClearAuditHooks earlier for more functionality?
msg372892 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-07-02 22:47
PR 21222 (with test updates) is a good fix, though we know there can still be arbitrary code executed afterwards. But it's not in a place where we can reliably hook.

Probably the best thing to do is to make sure that events are raised for anything that would be required to add code there. Though that may not be feasible either, but since nobody should be doing that kind of thing deliberately, detection is just as valuable as prevention.
msg372958 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-07-03 21:06
New changeset daa0fe03a517d335d48e65ace8e5da636e265a8f by Konge in branch 'master':
bpo-41162: Clear audit hooks later during finalization (GH-21222)
https://github.com/python/cpython/commit/daa0fe03a517d335d48e65ace8e5da636e265a8f
msg372965 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-07-03 21:58
New changeset e1d4fdc53347617bea1aff0d7112471453f65003 by Steve Dower in branch '3.9':
bpo-41162: Clear audit hooks later during finalization (GH-21222)
https://github.com/python/cpython/commit/e1d4fdc53347617bea1aff0d7112471453f65003
msg372970 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-07-03 23:04
New changeset b9e288cc1bfd583e887f784e38d9c511b43c0c3a by Steve Dower in branch '3.8':
bpo-41162: Clear audit hooks later during finalization (GH-21222)
https://github.com/python/cpython/commit/b9e288cc1bfd583e887f784e38d9c511b43c0c3a
msg373158 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-07-06 19:23
Merged the initial fix, but we now need to find any exploitable paths that remain.

Considering how late in finalization they now run, they're very unlikely to succeed at doing anything interesting. However, they'd also qualify as bugs (potentially crashes), so we'll want to find ways to make them run earlier anyway.
History
Date User Action Args
2020-07-06 19:23:17 steve.dower set messages: + msg373158
2020-07-03 23:04:35 steve.dower set messages: + msg372970
2020-07-03 22:33:44 steve.dower set pull_requests: + pull_request20456
2020-07-03 22:05:47 steve.dower set pull_requests: + pull_request20452
2020-07-03 21:58:47 steve.dower set messages: + msg372965
2020-07-03 21:20:40 steve.dower set pull_requests: + pull_request20451
2020-07-03 21:06:52 steve.dower set messages: + msg372958
2020-07-02 22:47:13 steve.dower set messages: + msg372892
2020-07-02 10:23:52 frankli set nosy: + frankli
2020-06-29 19:45:27 zkonge set stage: needs patch -> patch review; pull_requests: + pull_request20374
2020-06-29 18:09:40 zkonge set files: + clearaudithook.patch; nosy: + zkonge; messages: + msg372610; keywords: + patch
2020-06-29 16:28:11 steve.dower create