** Description changed:

+ [ Impact ]
+
+  * Accessing ssl.SSLSocket.session is leaking memory, which impacts both
+ clients and servers. For some servers and applications this memory leak
+ ultimately impacts the stability of the system.
+
+  * The root cause also added a significant performance penalty for
+ accessing ssl.SSLSocket.session, which will also be removed with the
+ proposed fix.
+
+ [ Test Plan ]
+
+  * Save the following script into a file like ./test.py
+ import ssl
+ import socket
+ import time
+ host = '185.125.190.20' # ubuntu.com
+ port = 443
+
+ session = None
+ context = ssl._create_unverified_context(protocol=ssl.PROTOCOL_TLSv1_2)
+ with socket.create_connection((host, port)) as sock:
+     with context.wrap_socket(sock, server_hostname=host, session = session) as ssock:
+         for i in range(300000):
+             session = ssock.session
+
+  * Run /usr/bin/time -v python3 ./test.py. Under "Average resident set
+ size (kbytes)" the output should list a memory usage of multiple
+ megabytes (likely 20-30MB) compared to the memory leak output of
+ multiple GB
+
+ [ Where problems could occur ]
+
+  * If the patch is incorrect it could impact the ssl module of Python.
+ This could mean a correctness issue (potentially blocking clients or
+ servers from accepting connections) or a security issue (introducing a
+ vulnerability to Python).
+
+  * I tried to keep the potential impact as low as possible by using the
+ reviewed and published patch from upstream cpython. Additionally the
+ modified code does not directly handle any of the cryptographic
+ operations.
+
+ [ Other Info ]
+
+  * The patch has been in upstream cpython for about 2 years by now and
+ was officially backported to 3.13 and 3.12, meaning that it has been
+ vetted by the community and should be stable and correct.
+
+ ---
+ When `ssl.SSLSocket.session` property was accessed, there's a memory leak which was introduced in CPython 3.10.
- Upstream bug report: https://github.com/python/cpython/issues/116810
  Upstream patch: https://github.com/python/cpython/pull/123249
-- 
https://bugs.launchpad.net/bugs/2157534

Title:
  getting ssl.SSLSocket.session brings to memory leak
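
An in-process version of the test plan's memory check, added here as an example and not part of the bug report or the upstream patch: it runs the same loop and returns a pass/fail result from the rise in peak RSS, so it can be scripted instead of read off /usr/bin/time output. The names peak_rss_kib, rss_growth_kib and check_session_access and the 100 MiB limit are assumptions.

```python
import resource
import socket
import ssl
import sys


def peak_rss_kib():
    """Peak resident set size of this process, in KiB."""
    peak = resource.getrusage(resource.RUSAGE_SELF).ru_maxrss
    # Linux reports ru_maxrss in KiB, macOS reports it in bytes.
    return peak // 1024 if sys.platform == "darwin" else peak


def rss_growth_kib(action, iterations):
    """Call action() `iterations` times; return how far peak RSS rose."""
    before = peak_rss_kib()
    for _ in range(iterations):
        action()
    return peak_rss_kib() - before


def check_session_access(host, port=443, iterations=300000,
                         limit_kib=100 * 1024):
    """Repeat the test plan's loop on one TLS 1.2 connection.

    Returns (growth_kib, ok). limit_kib is an assumed threshold that sits
    between the tens of MB and the multiple GB the report describes.
    """
    # Unverified context, as in the report's script: only memory is measured.
    context = ssl._create_unverified_context(protocol=ssl.PROTOCOL_TLSv1_2)
    with socket.create_connection((host, port)) as sock:
        with context.wrap_socket(sock, server_hostname=host) as ssock:
            growth = rss_growth_kib(lambda: ssock.session, iterations)
    return growth, growth < limit_kib


if __name__ == "__main__":
    # Usage: python3 check_session.py HOST  (needs network access to HOST:443)
    growth, ok = check_session_access(sys.argv[1])
    print(f"peak RSS growth: {growth} KiB -> {'OK' if ok else 'LEAK'}")
    sys.exit(0 if ok else 1)
```

The exit status is 0 when growth stays under the limit and 1 otherwise, so the check can gate a package test run before and after the fix is installed.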
