Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

_SelectorSocketTransport.writelines is missing a flow control check allowing writes to fill memory until exhausted #127655

Closed
bdraco opened this issue Dec 5, 2024 · 5 comments
Labels
3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes stdlib Python modules in the Lib dir topic-asyncio type-bug An unexpected behavior, bug, or error type-security A security issue

Comments

@bdraco
Copy link
Contributor

bdraco commented Dec 5, 2024

Bug report

Bug description:

This is the public issue for GHSA-fw89-6wjj-8j95

CPython versions tested on:

3.12

Operating systems tested on:

Linux, macOS

Linked PRs

@bdraco bdraco added the type-bug An unexpected behavior, bug, or error label Dec 5, 2024
@picnixz picnixz added type-security A security issue stdlib Python modules in the Lib dir 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes topic-asyncio labels Dec 6, 2024
@github-project-automation github-project-automation bot moved this to Todo in asyncio Dec 6, 2024
@picnixz
Copy link
Member

picnixz commented Dec 6, 2024

@bdraco I put all security labels but does it affect 3.9/3.10/3.11? (can't check for now)

@bdraco
Copy link
Contributor Author

bdraco commented Dec 6, 2024

Its 3.12+ only since writelines was implemented in asyncio selector transport in 3.12

@picnixz picnixz removed 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes labels Dec 6, 2024
kumaraditya303 added a commit that referenced this issue Dec 6, 2024
…otocol if needed (#127656)

Ensure `_SelectorSocketTransport.writelines` pauses the protocol if it reaches the high water mark as needed. 

Co-authored-by: Kumar Aditya <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Dec 6, 2024
…the protocol if needed (pythonGH-127656)

Ensure `_SelectorSocketTransport.writelines` pauses the protocol if it reaches the high water mark as needed.
(cherry picked from commit e991ac8)

Co-authored-by: J. Nick Koston <[email protected]>
Co-authored-by: Kumar Aditya <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Dec 6, 2024
…the protocol if needed (pythonGH-127656)

Ensure `_SelectorSocketTransport.writelines` pauses the protocol if it reaches the high water mark as needed.
(cherry picked from commit e991ac8)

Co-authored-by: J. Nick Koston <[email protected]>
Co-authored-by: Kumar Aditya <[email protected]>
@kumaraditya303
Copy link
Contributor

Thanks @bdraco

I assume aiohttp would be affected by this too if it uses writelines. If possible do share any performance numbers you have of how much impact the zero copy writes have made to aiohttp.

@bdraco
Copy link
Contributor Author

bdraco commented Dec 6, 2024

Thanks @bdraco

I assume aiohttp would be affected by this too if it uses writelines. If possible do share any performance numbers you have of how much impact the zero copy writes have made to aiohttp.

@kumaraditya303

aio-libs/aiohttp#10126 is the PR from a few hours ago that turned off zero copy writes which was released as part of aiohttp 3.11.10

The codspeed report shows the degraded performances however its not so great because we were pushing the CI pretty hard at the time and it wasn't keeping up. codspeed is set to only show changes >8% on GH so you'd have to look at the report directly to get a better idea.

This run https://codspeed.io/aio-libs/aiohttp/runs/675241d947498039ef29339c is probably the best one to look at for aiohttp 3.11.x. For aiohttp master branch https://codspeed.io/aio-libs/aiohttp/branches/disable_zero_copy as its going to show the difference the memcpy makes.

The relevant benchmarks that show a real difference are (keep in mind we are benchmarking disabling zero copy writes):

test_one_hundred_get_requests_with_1024_chunked_payload +3% (writelines is a bit worse for tiny payloads)
test_one_hundred_get_requests_with_512kib_chunked_payload -21% (writelines is a lot better for large payloads)
test_one_hundred_get_requests_with_30000_chunked_payload -4% (writelines is a slightly better for medium size payloads)

Note that the margin of error is ~1-3% with the benchmarking (but if you have experience and a bit of wetware memory of previous runs, you can look at the flame-graphs you can usually tell if its error or actual change). Based on that, I'd say the above seems accurate and the error rate here is likely <1% between runs.

Also benchmarks above were run with 3.12. We switched to benchmarking with 3.13 now that the first patch release, 3.13.1 is out a few hours after these runs. https://codspeed.io/aio-libs/aiohttp/runs/67524ceb47498039ef2933c9 is the first run with Python 3.13 for aiohttp 3.11 and shows a few unrelated (to this issue) improvements. More details in aio-libs/aiohttp#10131

kumaraditya303 added a commit that referenced this issue Dec 6, 2024
… the protocol if needed (GH-127656) (#127663)

gh-127655: Ensure `_SelectorSocketTransport.writelines` pauses the protocol if needed (GH-127656)

Ensure `_SelectorSocketTransport.writelines` pauses the protocol if it reaches the high water mark as needed.
(cherry picked from commit e991ac8)

Co-authored-by: J. Nick Koston <[email protected]>
Co-authored-by: Kumar Aditya <[email protected]>
kumaraditya303 added a commit that referenced this issue Dec 6, 2024
… the protocol if needed (GH-127656) (#127664)

gh-127655: Ensure `_SelectorSocketTransport.writelines` pauses the protocol if needed (GH-127656)

Ensure `_SelectorSocketTransport.writelines` pauses the protocol if it reaches the high water mark as needed.
(cherry picked from commit e991ac8)

Co-authored-by: J. Nick Koston <[email protected]>
Co-authored-by: Kumar Aditya <[email protected]>
@bdraco
Copy link
Contributor Author

bdraco commented Dec 6, 2024

Closing issue as linked PRs are merged

@bdraco bdraco closed this as completed Dec 6, 2024
@github-project-automation github-project-automation bot moved this from Todo to Done in asyncio Dec 6, 2024
stratakis pushed a commit to stratakis/cpython that referenced this issue Dec 6, 2024
…ses the protocol if needed

Ensure _SelectorSocketTransport.writelines pauses the protocol if it reaches the high water mark as needed.

Resolved upstream: python#127655

Co-authored-by: J. Nick Koston <[email protected]>
Co-authored-by: Kumar Aditya <[email protected]>
algitbot pushed a commit to alpinelinux/aports that referenced this issue Dec 7, 2024
algitbot pushed a commit to alpinelinux/aports that referenced this issue Dec 7, 2024
algitbot pushed a commit to alpinelinux/aports that referenced this issue Dec 7, 2024
hroncok pushed a commit to fedora-python/cpython that referenced this issue Dec 9, 2024
…ses the protocol if needed

Ensure _SelectorSocketTransport.writelines pauses the protocol if it reaches the high water mark as needed.

Resolved upstream: python#127655

Co-authored-by: J. Nick Koston <[email protected]>
Co-authored-by: Kumar Aditya <[email protected]>
bell-sw pushed a commit to bell-sw/alpaquita-aports that referenced this issue Dec 9, 2024
[ commit 717301b5302681e860de49ca12981cec9166e057 ]

Add patch to fix CVE-2024-12254: "Unbounded memory buffering in
SelectorSocketTransport.writelines()".

- https://mail.python.org/archives/list/[email protected]/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/
- python/cpython#127655
- python/cpython#127656
stratakis pushed a commit to fedora-python/cpython that referenced this issue Dec 9, 2024
…ses the protocol if needed

Ensure _SelectorSocketTransport.writelines pauses the protocol if it reaches the high water mark as needed.

Resolved upstream: python#127655

Co-authored-by: Kumar Aditya <[email protected]>
srinivasreddy pushed a commit to srinivasreddy/cpython that referenced this issue Jan 8, 2025
…the protocol if needed (python#127656)

Ensure `_SelectorSocketTransport.writelines` pauses the protocol if it reaches the high water mark as needed. 

Co-authored-by: Kumar Aditya <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes stdlib Python modules in the Lib dir topic-asyncio type-bug An unexpected behavior, bug, or error type-security A security issue
Projects
Status: Done
Development

No branches or pull requests

3 participants