QUERY · ISSUE
uctypes.bytes_at() accepts out-of-range (non-canonical) address and segfaults
bug
Port, board and/or hardware
Unix port
MicroPython version
MicroPython v1.27.0-preview.107.gd1607598f on 2025-09-09; linux [GCC 14.2.0] version
Reproduction
import uctypes
ptr = 1 << 48
arr = uctypes.bytes_at(ptr, 8)
print('READ', arr)
Expected behaviour
A Python-level exception when the address is obviously invalid, e.g.:
- ValueError/OverflowError for negative/out-of-range addresses, or
- OSError if the runtime chooses to probe and detect unreadable memory on the unix port.
At minimum, reject negative addresses and detect addr + size overflow to avoid trivial VM crashes.
Observed behaviour
Program received signal SIGSEGV, Segmentation fault.
#0 qstr_compute_hash(data=0x1000000000000, len=0x8)
#1 mp_obj_new_str_copy(type=mp_type_bytes, data=0x1000000000000, len=0x8)
#2 mp_obj_new_bytes(...)
#3 uctypes_struct_bytes_at(ptr=0x1000000000000, size=0x8)
#4 fun_builtin_2_call(...)
#5 mp_call_function_n_kw(...)
#6 mp_execute_bytecode(...)
...
CANDIDATE · PULL REQUEST
extmod/moductypes: Add address validation to bytes_at/bytearray_at
Fixes #18167, #18166, #18172
Problem:
uctypes.bytes_at() and bytearray_at() accept invalid addresses including:
- Negative values (convert to huge unsigned values)
- NULL pointers (address 0)
- Non-canonical addresses causing overflow
This leads to segfaults when accessing invalid memory regions.
Solution:
Add comprehensive address validation in both functions:
- Reject negative addresses before unsigned conversion
- Reject NULL pointer (address 0)
- Check for address + size overflow
Impact:
- Prevents arbitrary memory read/write vulnerabilities
- Provides clear error messages for invalid addresses
- Protects against segfaults from malformed input
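
The checks listed in the pull request description, written out as an added C example that is not code from the pull request or from MicroPython; the helper names are hypothetical and the canonical-address rule assumes x86-64 with 48-bit virtual addresses. It also runs the issue's address `1 << 48` through them, since that value is positive, non-zero and does not wrap when 8 is added.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not MicroPython code): the three checks the PR
 * description lists, applied to the signed integer received from Python. */
static bool passes_listed_checks(int64_t addr, uint64_t size) {
    if (addr < 0) {
        return false; /* negative: reject before unsigned conversion */
    }
    if (addr == 0) {
        return false; /* NULL pointer */
    }
    /* addr + size must not wrap the 64-bit address space */
    return size <= UINT64_MAX - (uint64_t)addr;
}

/* Assumption: x86-64 with 48-bit virtual addresses, where bits 63..47 of a
 * canonical address are all equal. Other architectures need another rule. */
static bool is_canonical48(uint64_t addr) {
    uint64_t top = addr >> 47; /* the 17 high bits */
    return top == 0 || top == 0x1FFFF;
}

/* True when every byte of [start, start + size) is canonical. */
static bool range_is_canonical48(uint64_t start, uint64_t size) {
    uint64_t span = size ? size - 1 : 0; /* offset of the last byte */
    if (span > UINT64_MAX - start) {
        return false; /* last byte would wrap past the top of memory */
    }
    uint64_t last = start + span;
    /* Equal high bits at both ends means the range stays in one half. */
    return is_canonical48(start) && (start >> 47) == (last >> 47);
}

int main(void) {
    int64_t issue_addr = (int64_t)1 << 48; /* address from the issue report */
    printf("listed checks accept 1<<48: %d\n", passes_listed_checks(issue_addr, 8));
    printf("canonical check accepts 1<<48: %d\n",
           range_is_canonical48((uint64_t)issue_addr, 8));
    return 0;
}
```

A canonical address can still be unmapped, so neither function shows that the range is readable.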