The following code generates a segfault on the Pickle module [it's a crafted datetime object] (Python 3.10.0a0 (heads/master:b40e434, Jul 4 2020), Python 3.6.11 and Python 3.7.2):

import io
import pickle


hex_string = "8004952A000000000000008C086461746574696D65948C086461746574696D65949388430A07B2010100000000000092059452942E"
myb = bytes.fromhex(hex_string)
f = io.BytesIO(myb)
print(f)
data = pickle.load(f)
print(data)
print('We have segfault but we cannot see!')

datetime_new assumes that args is a tuple. load_newobj_ex() doesn't check that args is a tuple and kwargs is a dictionary. The demo exploit passes True as args, which triggers a segfault in PyTuple_GET_SIZE in datetime_new.

#0 datetime_new (type=0x7fffea5d2740 <PyDateTime_DateTimeType>, args=True, kw=b'\x07\xb2\x01\x01\x00\x00\x00\x00\x00\x00') at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_datetimemodule.c:4737
#1 0x00007fffea637b1e in load_newobj_ex (self=0x7fffea7a7820) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:6008
#2 0x00007fffea632e7a in load (self=0x7fffea7a7820) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:6943
#3 0x00007fffea63795e in _pickle_load_impl (module=<optimized out>, buffers=0x0, errors=0x7fffea639149 "strict", encoding=0x7fffea6391fa "ASCII", fix_imports=1, file=<_io.BytesIO at remote 0x7fffea888180>)
at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:1688
#4 _pickle_load (module=<optimized out>, args=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/clinic/_pickle.c.h:731
#5 0x00007ffff7bd1ced in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<built-in method load of module object at remote 0x7fffea680270>, args=<optimized out>, nargsf=<optimized out>, kwnames=0x0)
at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Objects/methodobject.c:437

New changeset 4f309ab by Serhiy Storchaka in branch 'master':
bpo-41288: Fix a crash in unpickling invalid NEWOBJ_EX. (GH-21458)
4f309ab

Ned, would you like to get this fix backported to 3.6 and 3.7?

Sounds like a good idea.

New changeset f56c75e by Miss Islington (bot) in branch '3.8':
bpo-41288: Fix a crash in unpickling invalid NEWOBJ_EX. (GH-21458)
f56c75e

New changeset 57c984f by Miss Islington (bot) in branch '3.9':
bpo-41288: Fix a crash in unpickling invalid NEWOBJ_EX. (GH-21458)
57c984f

New changeset 620e276 by Miss Islington (bot) in branch '3.7':
bpo-41288: Fix a crash in unpickling invalid NEWOBJ_EX. (GH-21458) (GH-21461)
620e276

New changeset 6463cf0 by Miss Islington (bot) in branch '3.6':
bpo-41288: Fix a crash in unpickling invalid NEWOBJ_EX. (GH-21458) (GH-21462)
6463cf0

New changeset b4c98ed by Serhiy Storchaka in branch 'master':
bpo-41288: Refactor of unpickling NEWOBJ and NEWOBJ_EX opcodes. (GH-21472)
b4c98ed

Is this fix causing the refleak build to fail on 3.8? See: https://buildbot.python.org/all/#/builders/484/builds/149

This fix touched the unpickling code, and the test crashed during pickling, so it is not directly related. But it may be some compiler glitch, when changing one part of code affects compilation of other parts of code. The next run on the buildbot was passed, and there were failures in the past (but logs were not saved), so it may be just unstable test.

@serhiy.storchaka Hi Serhiy, do you count this issue as a security issue? Also, I didn't see that in the latest changelog. Is it now patched on the latest version?

https://docs.python.org/release/3.8.5/whatsnew/changelog.html

I do not think it is a security issue. The crash cannot be triggered by the user input unless you accept the pickle data from untrusted sources, but in that case you are in large danger, because you allow executing arbitrary code.

The changes in this issue just help to debug in some cases when you play with pickle format. In any case thank you for your report.

Thank you for patching that.