gh-142560: bytearray: prevent UAF in search-like methods by exporting self buffer#142564
fatelei wants to merge 47 commits into python:main from
Conversation

Force-pushed: 8ad1901 to 887afac
Hi, please add a news entry for this change via blurb or blurb-it: https://devguide.python.org/contrib/core-team/committing/#how-to-add-a-news-entry
Force-pushed: e14f7cf to 2dd958b
Review comment on Misc/NEWS.d/next/Library/2025-12-11-22-59-33.gh-issue-142560.GkJrkk.rst (outdated, resolved)
Hi, according to the devguide, force push should be avoided.
A lot of the methods changed in this PR share the same pattern, such as Can we add a wrapper function to reduce this boilerplate?
cmaloney left a comment:
At a high level looks reasonable to me and I like the helper function to simplify. Planning to do a more thorough review this weekend.
Are there other methods which we should audit/check that they don't stash PyByteArray_AS_STRING / PyByteArray_GET_SIZE results before calling arbitrary user code then use after?
(Doesn't need to be in this PR, but would be nice to systemically check these)
Hi, please create a new PR. The rebase triggered a review from every codeowner, and they won't be unsubscribed by removing the request for review.
bytearray: prevent UAF in search-like methods by exporting self buffer
Fix a heap use-after-free when bytearray search helpers captured the raw
buffer pointer before normalizing the “sub” argument. A crafted index
or buffer provider could clear/resize the same bytearray during argument
conversion, invalidating the saved pointer and leading to UAF.
Change:
• For bytearray methods find/rfind/index/rindex/count/startswith/endswith/
contains/split/rsplit, export a temporary Py_buffer on self and pass
view.buf/view.len to the Py_bytes* helpers, then release it. While the
export is live, resizing/clearing raises BufferError, preventing stale
pointer dereferences.
Tests:
• Add re-entrancy tests to Lib/test/test_bytes.py that verify BufferError is
raised when index clears the target during find/count/index/rfind/rindex.
This mirrors existing protection used in bytearray.join and removes the
re-entrancy hazard without changing public APIs.
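The commit message above describes the hazard (a buffer snapshot taken before a user-controlled argument is converted, so a re-entrant `__index__` can clear the bytearray underneath it) and the fix (hold a buffer export on self for the whole operation so any resize raises BufferError). The following is an added Python-level illustration of that ordering, not code from the PR or from CPython: `memoryview` stands in for the C-level `Py_buffer` export, `ClearingIndex` is a constructed index object whose `__index__` clears the target, and `find_without_export` / `find_with_export` are hypothetical helpers that emulate the pre-fix and post-fix argument order.

```python
import operator


class ClearingIndex:
    """Constructed index argument that mutates the bytearray being searched.

    Its __index__ runs during argument conversion, i.e. after the method has
    already started working on the target but before the search itself.
    """

    def __init__(self, target: bytearray):
        self.target = target
        self.calls = 0

    def __index__(self) -> int:
        self.calls += 1
        self.target.clear()  # re-entrant mutation of the object under search
        return 0


def find_without_export(data: bytearray, sub: bytes, start) -> tuple:
    """Emulates the pre-fix ordering: snapshot first, convert argument second.

    In C the snapshot is a raw pointer plus length; after the re-entrant
    clear() that pointer dangles.  Python cannot dangle, so this helper
    returns (length seen before conversion, length after) to make the
    inconsistency visible instead.
    """
    saved_len = len(data)           # "stashed" PyByteArray_GET_SIZE result
    start = operator.index(start)   # arbitrary user code runs here
    return saved_len, len(data)     # stale vs. actual size


def find_with_export(data: bytearray, sub: bytes, start) -> int:
    """Emulates the fixed ordering: keep a buffer export live across conversion.

    While the memoryview is alive, bytearray refuses to resize or clear and
    raises BufferError, so the re-entrant mutation cannot invalidate the view.
    """
    with memoryview(data) as view:
        start = operator.index(start)   # clear()/resize here -> BufferError
        return bytes(view).find(sub, start)


def run_demo() -> dict:
    """Exercise both orderings on constructed input and report the outcomes."""
    results = {}

    ba = bytearray(b"abcabc")
    results["stale_snapshot"] = find_without_export(ba, b"c", ClearingIndex(ba))

    ba = bytearray(b"abcabc")
    try:
        find_with_export(ba, b"c", ClearingIndex(ba))
        results["protected"] = "no error"
    except BufferError:
        results["protected"] = "BufferError"
    results["intact_after_error"] = bytes(ba)

    results["normal_search"] = find_with_export(bytearray(b"abcabc"), b"c", 3)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The first result shows the pre-fix shape of the bug: the length captured before argument conversion no longer matches the object. The second shows why exporting the buffer is sufficient on its own: the mutation is refused while the export is live, and the bytearray is unchanged afterwards, which is exactly what the new tests in Lib/test/test_bytes.py assert for find/count/index/rfind/rindex.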
Linked issues: bytearray.count via re-entrant __index__ (#142558); bytearray search methods via re-entrant __index__ (#142560)