mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-26 18:29:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

[3.13] gh-126080: fix UAF on task->task_context in task_call_step_soon due to an evil loop.__getattribute__ (GH-126120) (#126250)

Browse source 
gh-126080: fix UAF on `task->task_context` in `task_call_step_soon` due to an evil `loop.__getattribute__` (GH-126120)
(cherry picked from commit 0e8665554b)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
This commit is contained in:
Miss Islington (bot) 2024-10-31 20:32:47 +01:00 committed by GitHub
parent 588da2e26a
commit abe64a3780
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Misc/NEWS.d/next/Library/2024-10-29-10-38-28.gh-issue-126080.qKRBuo.rst Normal file
View file

@ -0,0 +1,3 @@
Fix a use-after-free crash on :class:`asyncio.Task` objects for which the
underlying event loop implements an evil :meth:`~object.__getattribute__`.
Reported by Nico-Posada. Patch by Bénédikt Tran.

6
Modules/_asynciomodule.c
View file

@ -2678,7 +2678,11 @@ task_call_step_soon(asyncio_state *state, TaskObj *task, PyObject *arg)
return -1; return -1;
} }
int ret = call_soon(state, task->task_loop, cb, NULL, task->task_context); // Beware: An evil call_soon could alter task_context.
// See: https://github.com/python/cpython/issues/126080.
PyObject *task_context = Py_NewRef(task->task_context);
int ret = call_soon(state, task->task_loop, cb, NULL, task_context);
Py_DECREF(task_context);
Py_DECREF(cb); Py_DECREF(cb);
return ret; return ret;
} }