Deadlock when array.fromfile re-enters append via __index__ #6549
Description
What happened?
array.fromfile calls the user-provided f.read(), and that callback can append objects to the same array while it is being resized. The append path grabs the array's write lock before converting the element, then calls the object's __index__. If __index__ performs another array.append (as in the PoC), the second append blocks forever on the already-held PyRwLock, causing a deadlock instead of raising an error.
Proof of Concept:
import array
a = array.array("b")
class X:
def __index__(self):
a.append(0)
return 0
class R:
def read(self, n):
a.append(X())
return b"\0" * n
a.fromfile(R(), 1)Affected Versions
| RustPython Version | Status | Exit Code |
|---|---|---|
Python 3.13.0alpha (heads/main-dirty:21300f689, Dec 13 2025, 22:16:49) [RustPython 0.4.0 with rustc 1.90.0-nightly (11ad40bb8 2025-06-28)] |
Deadlock | 124 |
Vulnerable Code
#[pymethod]
fn fromfile(&self, f: PyObjectRef, n: isize, vm: &VirtualMachine) -> PyResult<()> {
let b = vm.call_method(&f, "read", (n_bytes,))?; // user f.read runs arbitrary code while the array can still be mutated
...
}
#[pymethod]
fn append(zelf: &Py<Self>, x: PyObjectRef, vm: &VirtualMachine) -> PyResult<()> {
zelf.try_resizable(vm)?.push(x, vm) // takes a non-reentrant PyRwLock write guard before converting x
}
impl ArrayElement for i8 {
fn try_into_from_object(vm: &VirtualMachine, obj: PyObjectRef) -> PyResult<Self> {
obj.try_index(vm)?.try_to_primitive(vm) // invokes __index__ while the write lock is held; reentrant array.append inside __index__ deadlocks
}
}
impl BufferResizeGuard for PyArray {
fn try_resizable_opt(&self) -> Option<Self::Resizable<'_>> {
let w = self.write(); // second append blocks here waiting on the same PyRwLock, hanging the interpreter
(self.exports.load(atomic::Ordering::SeqCst) == 0).then_some(w)
}
}Rust Output
Program hangs forever
CPython Output
(No output)