QUERY · ISSUE
uctypes.bytearray_at() accepts negative address and segfaults on write
bug, proposed-close
Port, board and/or hardware
Unix port
MicroPython version
MicroPython v1.27.0-preview.107.gd1607598f on 2025-09-09; linux [GCC 14.2.0] version
Reproduction
try:
    import uctypes
except ImportError:
    print("SKIP missing uctypes")
else:
    try:
        ba = uctypes.bytearray_at(-9223372036854775808, 4)  # -2**63
        ba[0] = 1  # write to the mapped memory
        print('should not reach here')
    except Exception as e:
        print("EXC %s" % type(e).__name__)
Expected behaviour
A Python-level exception instead of a process crash, e.g.:
- ValueError/OverflowError for negative address; or
- OSError if the address is not accessible.
At minimum, uctypes.bytearray_at() should reject negative addresses on 64-bit builds rather than silently converting them to huge unsigned pointers.
Observed behaviour
Program received signal SIGSEGV, Segmentation fault.
#0 mp_binary_set_val_array_from_int(typecode=0x1, p=0x8000000000000000, index=0x0, val=0x1)
#1 mp_binary_set_val_array(...)
#2 array_subscr(...)
#3 mp_obj_subscr(...)
#4 mp_execute_bytecode(...)
CANDIDATE · PULL REQUEST
extmod/moductypes: Add address validation to bytes_at/bytearray_at
Fixes #18167, #18166, #18172
Problem:
uctypes.bytes_at() and bytearray_at() accept invalid addresses including:
- Negative values (convert to huge unsigned values)
- NULL pointers (address 0)
- Non-canonical addresses causing overflow
This leads to segfaults when accessing invalid memory regions.
Solution:
Add comprehensive address validation in both functions:
- Reject negative addresses before unsigned conversion
- Reject NULL pointer (address 0)
- Check for address + size overflow
Impact:
- Prevents arbitrary memory read/write vulnerabilities
- Provides clear error messages for invalid addresses
- Protects against segfaults from malformed input
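The three checks listed in the pull request description, written out as an added example; this is not code from MicroPython or from the pull request. `check_region`, `unchecked_cast`, the `region_err` codes and the `addr_max` parameter are hypothetical names, and `addr_max` is an assumption that lets the same function model a 32-bit port.

```c
#include <stdint.h>
#include <stdio.h>

/* Result codes for the hypothetical check_region() helper. */
enum region_err {
    REGION_OK = 0, REGION_NEGATIVE, REGION_NULL, REGION_BAD_SIZE, REGION_OVERFLOW
};

/*
 * addr and size arrive as signed integers, as a Python int does after
 * conversion. addr_max is the highest pointer value of the target
 * (UINTPTR_MAX on the host, UINT32_MAX to model a 32-bit port).
 * On success the validated address is stored in *out.
 */
enum region_err check_region(int64_t addr, int64_t size,
                             uint64_t addr_max, uint64_t *out) {
    if (addr < 0) return REGION_NEGATIVE;   /* test the sign before any cast */
    if (addr == 0) return REGION_NULL;
    if (size < 0) return REGION_BAD_SIZE;
    uint64_t a = (uint64_t)addr;
    if (a > addr_max) return REGION_OVERFLOW;   /* does not fit in a pointer */
    /* Compare against the remaining room instead of computing a + size,
       which could wrap around before the comparison happens. */
    if ((uint64_t)size > addr_max - a) return REGION_OVERFLOW;
    *out = a;
    return REGION_OK;
}

/* The unchecked path: the signed value is reinterpreted as unsigned. */
uint64_t unchecked_cast(int64_t addr) {
    return (uint64_t)addr;
}

int main(void) {
    uint64_t p = 0;
    /* -2**63 is the value used in the issue's reproduction. */
    printf("unchecked -2**63 -> 0x%llx\n",
           (unsigned long long)unchecked_cast(INT64_MIN));
    printf("checked   -2**63 -> error %d\n",
           (int)check_region(INT64_MIN, 4, UINTPTR_MAX, &p));
    return 0;
}
```

These checks reject only malformed values: a positive, in-range address that is not mapped still faults when dereferenced, which is the case the issue's `OSError` suggestion covers.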