gh-151295: Fix use-after-free in bytes.join()/bytearray.join() via re-entrant __buffer__

tonghuaroot · tonghuaroot · commit c424703f602b · 2026-06-11T11:18:59.000+08:00
diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py
@@ -645,6 +645,44 @@ def test_join(self):
         with self.assertRaises(TypeError):
             dot_join([memoryview(b"ab"), "cd", b"ef"])
 
+    def test_join_reentrant_buffer_mutation(self):
+        # An item's __buffer__() may run Python that drops the last reference
+        # to that item by mutating the joined sequence.
+        # See: https://github.com/python/cpython/issues/151295
+        def make_seq(mutate):
+            # The mutating item is only referenced from the list slot, so
+            # mutate() drops its last reference mid-join.
+            class Item:
+                def __buffer__(self, flags):
+                    mutate(seq)
+                    return memoryview(b'x')
+            seq = [b'a', Item(), b'c']
+            return seq
+
+        class Benign:
+            def __buffer__(self, flags):
+                return memoryview(b'x')
+
+        for sep in (self.type2test(b''), self.type2test(b'::')):
+            with self.subTest(sep=sep):
+                # Clearing the list changes its length, which is reported as a
+                # RuntimeError.
+                seq = make_seq(lambda seq: seq.clear())
+                self.assertRaises(RuntimeError, sep.join, seq)
+
+                # Replacing the item in place keeps the list length unchanged,
+                # so the size-change recheck cannot fire; only keeping the item
+                # alive across __buffer__() prevents the use-after-free, and
+                # the join uses the buffer returned by __buffer__().
+                def replace(seq):
+                    seq[1] = b'z'
+                seq = make_seq(replace)
+                self.assertEqual(sep.join(seq), sep.join([b'a', b'x', b'c']))
+
+                # A benign __buffer__() that does not mutate joins normally.
+                self.assertEqual(sep.join([Benign(), b'Y', Benign()]),
+                                 sep.join([b'x', b'Y', b'x']))
+
     def test_count(self):
         b = self.type2test(b'mississippi')
         i = 105
diff --git a/Misc/NEWS.d/next/Library/2026-06-11-00-00-00.gh-issue-151295.NQYUzW.rst b/Misc/NEWS.d/next/Library/2026-06-11-00-00-00.gh-issue-151295.NQYUzW.rst
@@ -0,0 +1,4 @@
+Fixed a crash (use-after-free) in :meth:`bytes.join` and
+:meth:`bytearray.join` that could occur if an item's
+:meth:`~object.__buffer__` concurrently mutates the sequence being joined.
+The mutation is now reported as a :exc:`RuntimeError` instead.
diff --git a/Objects/stringlib/join.h b/Objects/stringlib/join.h
@@ -68,13 +68,21 @@ STRINGLIB(bytes_join)(PyObject *sep, PyObject *iterable)
             buffers[i].len = PyBytes_GET_SIZE(item);
         }
         else {
+            /* Keep item alive across PyObject_GetBuffer(): item is only
+               borrowed from the sequence, and its __buffer__() may run
+               Python that drops that last reference (e.g. by mutating the
+               sequence being joined), freeing item while the buffer
+               machinery is still using it. */
+            Py_INCREF(item);
             if (PyObject_GetBuffer(item, &buffers[i], PyBUF_SIMPLE) != 0) {
+                Py_DECREF(item);
                 PyErr_Format(PyExc_TypeError,
                              "sequence item %zd: expected a bytes-like object, "
                              "%.80s found",
                              i, Py_TYPE(item)->tp_name);
                 goto error;
             }
+            Py_DECREF(item);
             /* If the backing objects are mutable, then dropping the GIL
              * opens up race conditions where another thread tries to modify
              * the object which we hold a buffer on it. Such code has data
