** Description changed:

+ [ Impact ]
+ 
+  * Accessing ssl.SSLSocket.session is leaking memory, which impacts both
+ clients and servers. For some servers and applications this memory leak
+ ultimately impacts the stability of the system.
+ 
+  * The root cause also added a significant performance penalty for
+ accessing ssl.SSLSocket.session, which will also be removed with the
+ proposed fix.
+ 
+ [ Test Plan ]
+ 
+  * Save the following script into a file like ./test.py
+ import ssl
+ import socket
+ import time
+ host = '185.125.190.20' # ubuntu.com
+ port = 443
+ 
+ session = None
+ context = ssl._create_unverified_context(protocol=ssl.PROTOCOL_TLSv1_2)
+ with socket.create_connection((host, port)) as sock:
+     with context.wrap_socket(sock, server_hostname=host, session=session) as ssock:
+         # read the session repeatedly; before the fix RSS grows to multiple GB
+         for i in range(300000):
+             session = ssock.session
+ 
+  * Run /usr/bin/time -v python3 ./test.py. Under "Average resident set
+ size (kbytes)" the output should list a memory usage of multiple
+ megabytes (likely 20-30MB), compared to multiple GB with the memory
+ leak.
+ 
+ [ Where problems could occur ]
+ 
+  * If the patch is incorrect it could impact the ssl module of Python.
+ This could mean a correctness issue (potentially blocking clients or
+ servers from accepting connections) or a security issue (introducing a
+ vulnerability to Python).
+ 
+  * I tried to keep the potential impact as low as possible by using the
+ reviewed and published patch from upstream cpython. Additionally the
+ modified code does not directly handle any of the cryptographic
+ operations.
+ 
+ [ Other Info ]
+ 
+  * The patch has been in upstream cpython for about 2 years by now and
+ was officially backported to 3.13 and 3.12, meaning that it has been
+ vetted by the community and should be stable and correct.
+ 
+ ---
+ 
  When the `ssl.SSLSocket.session` property was accessed, there's a memory leak
  which was introduced in CPython 3.10.
- 
  
  Upstream bug report: https://github.com/python/cpython/issues/116810
  
  Upstream patch: https://github.com/python/cpython/pull/123249

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2157534

Title:
  getting ssl.SSLSocket.session brings to memory leak

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3.10/+bug/2157534/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs