UAF: xml.etree.ElementTree.Element.find* when concurrent mutations happen #126037

Closed
@picnixz


Crash report

What happened?

Similar to #126033, the following crashes:

import xml.etree.ElementTree as ET

class EvilTag(str):
    def __eq__(self, other):
        base.clear()
        return False

base = ET.Element('a')
base.append(ET.Element(EvilTag('x')))
base.find('a')

Attacked code:

cpython/Modules/_elementtree.c

Lines 1264 to 1275 in dc76a4a

for (i = 0; i < self->extra->length; i++) {
    PyObject* item = self->extra->children[i];
    int rc;
    assert(Element_Check(st, item));
    Py_INCREF(item);
    rc = PyObject_RichCompareBool(((ElementObject*)item)->tag, path, Py_EQ);
    if (rc > 0)
        return item;
    Py_DECREF(item);
    if (rc < 0)
        return NULL;
}

The findall and findtext methods also suffer from the same vulnerability. I haven't tried to attack Element.iterfind yet since it delegates to the Python function ElementPath.iterfind instead.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response
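
Added example (not part of the original report and not CPython's code): a self-contained C model of the loop quoted above, written in a hardened form that re-validates the child block after every comparison callback. The `Node`/`Extra` types, the `node_*` helpers and `run_case` are hypothetical stand-ins for the element, its `extra` block and the reproducer; `evil_eq` plays the role of `EvilTag.__eq__`.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model (assumed layout): children live in a separate heap block. */
typedef struct { size_t length; struct Node **children; } Extra;
typedef struct Node { int refcnt; const char *tag; Extra *extra; } Node;
typedef int (*eq_fn)(Node *child, const char *path, void *ctx);
void node_clear(Node *n);
Node *node_new(const char *tag) {
    Node *n = calloc(1, sizeof *n);
    n->refcnt = 1; n->tag = tag;
    return n;
}
void node_decref(Node *n) { if (--n->refcnt == 0) { node_clear(n); free(n); } }
/* Like clear(): releases every child and frees the child block itself. */
void node_clear(Node *n) {
    Extra *e = n->extra;
    if (e == NULL) return;
    n->extra = NULL;
    for (size_t i = 0; i < e->length; i++) node_decref(e->children[i]);
    free(e->children); free(e);
}
void node_append(Node *n, Node *child) {   /* takes ownership of child */
    if (n->extra == NULL) n->extra = calloc(1, sizeof *n->extra);
    Extra *e = n->extra;
    e->children = realloc(e->children, (e->length + 1) * sizeof *e->children);
    e->children[e->length++] = child;
}
/* Hardened loop: eq() may run arbitrary code, so self->extra is re-checked
 * before every access and the child is pinned across the callback. */
Node *node_find(Node *self, const char *path, eq_fn eq, void *ctx) {
    for (size_t i = 0; self->extra != NULL && i < self->extra->length; i++) {
        Node *item = self->extra->children[i];
        item->refcnt++;
        int rc = eq(item, path, ctx);
        if (rc > 0) return item;           /* new reference for the caller */
        node_decref(item);
        if (rc < 0) return NULL;
    }
    return NULL;
}
/* Stand-in for EvilTag.__eq__: clears the parent, then reports "not equal". */
int evil_eq(Node *c, const char *p, void *ctx) { (void)c; (void)p; node_clear(ctx); return 0; }
int plain_eq(Node *c, const char *p, void *ctx) { (void)ctx; return strcmp(c->tag, p) == 0; }
int run_case(eq_fn eq, const char *path) { /* search <a><x/></a>; 1 if matched */
    Node *base = node_new("a");
    node_append(base, node_new("x"));
    Node *hit = node_find(base, path, eq, base);
    int found = hit != NULL;
    if (hit) node_decref(hit);
    node_decref(base);
    return found;
}
```

In this model, dropping the `self->extra != NULL` test from the loop condition makes the iteration after `evil_eq` read `length` through a pointer that the callback has already released.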


Labels

3.12 (only security fixes), 3.13 (bugs and security fixes), 3.14 (bugs and security fixes), extension-modules (C modules in the Modules dir), topic-XML, type-crash (A hard crash of the interpreter, possibly with a core dump)
