gh-143988: Fix re-entrant mutation crashes in socket sendmsg/recvmsg_into via __buffer__

Fix crashes in socket.sendmsg() and socket.recvmsg_into() that could
occur if buffer sequences are mutated re-entrantly during argument
parsing via __buffer__ protocol callbacks.

The vulnerability occurs because:
1. PySequence_Fast() returns the original list object when the input
   is already a list (not a copy)
2. During iteration, PyObject_GetBuffer() triggers __buffer__
   callbacks which may clear the list
3. Subsequent iterations access invalid memory (heap OOB read)

The fix replaces PySequence_Fast() with PySequence_Tuple() which
always creates a new tuple, ensuring the sequence cannot be mutated
during iteration.

This addresses two vulnerabilities related to gh-143637:
- sendmsg() argument 1 (data buffers) - via __buffer__
- recvmsg_into() argument 1 (buffers) - via __buffer__

Author: tonghuaroot

Lib/test/test_socket_reentrant.py

@@ -0,0 +1,88 @@
+"""
+Tests for re-entrant mutation vulnerabilities in socket module.
+
+These tests verify that mutating sequences during argument parsing
+via __buffer__ protocol does not cause crashes.
+"""
+
+import socket
+import unittest
+
+
+class ReentrantMutationTests(unittest.TestCase):
+    """Tests for re-entrant mutation vulnerabilities in sendmsg/recvmsg_into."""
+
+    @unittest.skipUnless(hasattr(socket.socket, "sendmsg"),
+                         "sendmsg not supported")
+    def test_sendmsg_reentrant_data_mutation(self):
+        # Test that sendmsg() handles re-entrant mutation of data buffers
+        # via __buffer__ protocol.
+        seq = []
+
+        class MutBuffer:
+            def __init__(self, data):
+                self._data = bytes(data)
+                self.tripped = False
+
+            def __buffer__(self, flags):
+                if not self.tripped:
+                    self.tripped = True
+                    seq.clear()
+                return memoryview(self._data)
+
+        seq[:] = [
+            MutBuffer(b'Hello'),
+            b'World',
+            b'Test',
+        ]
+
+        left, right = socket.socketpair()
+        try:
+            # Should not crash
+            try:
+                left.sendmsg(seq)
+            except (TypeError, OSError):
+                pass  # Expected - the important thing is no crash
+        finally:
+            left.close()
+            right.close()
+
+    @unittest.skipUnless(hasattr(socket.socket, "recvmsg_into"),
+                         "recvmsg_into not supported")
+    def test_recvmsg_into_reentrant_buffer_mutation(self):
+        # Test that recvmsg_into() handles re-entrant mutation of buffers
+        # via __buffer__ protocol.
+        seq = []
+
+        class MutBuffer:
+            def __init__(self, data):
+                self._data = bytearray(data)
+                self.tripped = False
+
+            def __buffer__(self, flags):
+                if not self.tripped:
+                    self.tripped = True
+                    seq.clear()
+                return memoryview(self._data)
+
+        seq[:] = [
+            MutBuffer(b'x' * 100),
+            bytearray(100),
+            bytearray(100),
+        ]
+
+        left, right = socket.socketpair()
+        try:
+            left.send(b'Hello World!')
+            # Should not crash
+            try:
+                right.recvmsg_into(seq)
+            except (TypeError, OSError):
+                pass  # Expected - the important thing is no crash
+        finally:
+            left.close()
+            right.close()
+
+
+if __name__ == '__main__':
+    unittest.main()

Misc/NEWS.d/next/Security/2026-01-18-06-42-47.gh-issue-143988.MtLtCP.rst

@@ -0,0 +1,3 @@
+Fixed crashes in :meth:`socket.socket.sendmsg` and :meth:`socket.socket.recvmsg_into`
+that could occur if buffer sequences are mutated re-entrantly during argument parsing
+via ``__buffer__`` protocol callbacks.

Modules/socketmodule.c

@@ -4527,11 +4527,13 @@ sock_recvmsg_into(PyObject *self, PyObject *args)
                           &buffers_arg, &ancbufsize, &flags))
         return NULL;
 
-    if ((fast = PySequence_Fast(buffers_arg,
-                                "recvmsg_into() argument 1 must be an "
-                                "iterable")) == NULL)
+    fast = PySequence_Tuple(buffers_arg);
+    if (fast == NULL) {
+        PyErr_SetString(PyExc_TypeError,
+                        "recvmsg_into() argument 1 must be an iterable");
         return NULL;
-    nitems = PySequence_Fast_GET_SIZE(fast);
+    }
+    nitems = PyTuple_GET_SIZE(fast);
     if (nitems > INT_MAX) {
         PyErr_SetString(PyExc_OSError, "recvmsg_into() argument 1 is too long");
         goto finally;
@@ -4545,7 +4547,7 @@ sock_recvmsg_into(PyObject *self, PyObject *args)
         goto finally;
     }
     for (; nbufs < nitems; nbufs++) {
-        if (!PyArg_Parse(PySequence_Fast_GET_ITEM(fast, nbufs),
+        if (!PyArg_Parse(PyTuple_GET_ITEM(fast, nbufs),
                          "w*;recvmsg_into() argument 1 must be an iterable "
                          "of single-segment read-write buffers",
                          &bufs[nbufs]))
@@ -4854,14 +4856,14 @@ sock_sendmsg_iovec(PySocketSockObject *s, PyObject *data_arg,
 
     /* Fill in an iovec for each message part, and save the Py_buffer
        structs to release afterwards. */
-    data_fast = PySequence_Fast(data_arg,
-                                "sendmsg() argument 1 must be an "
-                                "iterable");
+    data_fast = PySequence_Tuple(data_arg);
     if (data_fast == NULL) {
+        PyErr_SetString(PyExc_TypeError,
+                        "sendmsg() argument 1 must be an iterable");
         goto finally;
     }
 
-    ndataparts = PySequence_Fast_GET_SIZE(data_fast);
+    ndataparts = PyTuple_GET_SIZE(data_fast);
     if (ndataparts > INT_MAX) {
         PyErr_SetString(PyExc_OSError, "sendmsg() argument 1 is too long");
         goto finally;
@@ -4883,7 +4885,7 @@ sock_sendmsg_iovec(PySocketSockObject *s, PyObject *data_arg,
         }
     }
     for (; ndatabufs < ndataparts; ndatabufs++) {
-        if (PyObject_GetBuffer(PySequence_Fast_GET_ITEM(data_fast, ndatabufs),
+        if (PyObject_GetBuffer(PyTuple_GET_ITEM(data_fast, ndatabufs),
             &databufs[ndatabufs], PyBUF_SIMPLE) < 0)
             goto finally;
         iovs[ndatabufs].iov_base = databufs[ndatabufs].buf;