gh-145301: Fix double-free in hashlib and hmac module initialization (GH-145321)

krylosov-aa · miss-islington · commit a7e690b9c9df · 2026-03-05T03:48:46.000Z
(cherry picked from commit 6acaf65) Co-authored-by: krylosov-aa <krylosov.andrew@gmail.com> gh-145301: Fix double-free in hashlib and hmac initialization
diff --git a/Misc/NEWS.d/next/Library/2026-02-27-19-00-26.gh-issue-145301.2Wih4b.rst b/Misc/NEWS.d/next/Library/2026-02-27-19-00-26.gh-issue-145301.2Wih4b.rst
@@ -0,0 +1,2 @@
+:mod:`hashlib`: fix a crash when the initialization of the underlying C
+extension module fails.
diff --git a/Misc/NEWS.d/next/Library/2026-02-28-00-55-00.gh-issue-145301.Lk2bRl.rst b/Misc/NEWS.d/next/Library/2026-02-28-00-55-00.gh-issue-145301.Lk2bRl.rst
@@ -0,0 +1,2 @@
+:mod:`hmac`: fix a crash when the initialization of the underlying C
+extension module fails.
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
@@ -238,7 +238,7 @@ py_hashentry_table_new(void) {
 
         if (h->py_alias != NULL) {
             if (_Py_hashtable_set(ht, (const void*)entry->py_alias, (void*)entry) < 0) {
-                PyMem_Free(entry);
+                /* entry is already in ht, will be freed by _Py_hashtable_destroy() */
                 goto error;
             }
             entry->refcnt++;
diff --git a/Modules/hmacmodule.c b/Modules/hmacmodule.c
@@ -1604,16 +1604,19 @@ py_hmac_hinfo_ht_new(void)
         assert(value->display_name == NULL);
         value->refcnt = 0;
 
-#define Py_HMAC_HINFO_LINK(KEY)                                 \
-        do {                                                    \
-            int rc = py_hmac_hinfo_ht_add(table, KEY, value);   \
-            if (rc < 0) {                                       \
-                PyMem_Free(value);                              \
-                goto error;                                     \
-            }                                                   \
-            else if (rc == 1) {                                 \
-                value->refcnt++;                                \
-            }                                                   \
+#define Py_HMAC_HINFO_LINK(KEY)                                     \
+        do {                                                        \
+            int rc = py_hmac_hinfo_ht_add(table, (KEY), value);     \
+            if (rc < 0) {                                           \
+                /* entry may already be in ht, freed upon exit */   \
+                if (value->refcnt == 0) {                           \
+                    PyMem_Free(value);                              \
+                }                                                   \
+                goto error;                                         \
+            }                                                       \
+            else if (rc == 1) {                                     \
+                value->refcnt++;                                    \
+            }                                                       \
         } while (0)
         Py_HMAC_HINFO_LINK(e->name);
         Py_HMAC_HINFO_LINK(e->hashlib_name);

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+:mod:`hashlib`: fix a crash when the initialization of the underlying C
	`2`	`+extension module fails.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+:mod:`hmac`: fix a crash when the initialization of the underlying C
	`2`	`+extension module fails.`
Original file line number	Diff line number	Diff line change
`@@ -238,7 +238,7 @@ py_hashentry_table_new(void) {`
`238`	`238`
`239`	`239`	`if (h->py_alias != NULL) {`
`240`	`240`	`if (_Py_hashtable_set(ht, (const void)entry->py_alias, (void)entry) < 0) {`
`241`		`- PyMem_Free(entry);`
	`241`	`+ /* entry is already in ht, will be freed by _Py_hashtable_destroy() */`
`242`	`242`	`goto error;`
`243`	`243`	`}`
`244`	`244`	`entry->refcnt++;`