mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-11-01 18:51:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 21

gh-126138: Fix use-after-free in _asyncio.Task by evil __getattribute__ (#126305)

Browse source 
Co-authored-by: Carol Willing <carolcode@willingconsulting.com>
This commit is contained in:
Nico-Posada 2024-11-02 03:46:00 -04:00 committed by GitHub
parent 914356f4d4
commit f032f6ba8f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 23 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

22
Modules/_asynciomodule.c
View file

@ -2967,8 +2967,17 @@ task_step_handle_result_impl(asyncio_state *state, TaskObj *task, PyObject *resu
if (task->task_must_cancel) {
PyObject *r;
int is_true;
// Beware: An evil `__getattribute__` could
// prematurely delete task->task_cancel_msg before the
// task is cancelled, thereby causing a UAF crash.
//
// See https://github.com/python/cpython/issues/126138
PyObject *task_cancel_msg = Py_NewRef(task->task_cancel_msg);
r = PyObject_CallMethodOneArg(result, &_Py_ID(cancel),
task->task_cancel_msg);
task_cancel_msg);
Py_DECREF(task_cancel_msg);
if (r == NULL) {
return NULL;
}
@ -3060,8 +3069,17 @@ task_step_handle_result_impl(asyncio_state *state, TaskObj *task, PyObject *resu
if (task->task_must_cancel) {
PyObject *r;
int is_true;
// Beware: An evil `__getattribute__` could
// prematurely delete task->task_cancel_msg before the
// task is cancelled, thereby causing a UAF crash.
//
// See https://github.com/python/cpython/issues/126138
PyObject *task_cancel_msg = Py_NewRef(task->task_cancel_msg);
r = PyObject_CallMethodOneArg(result, &_Py_ID(cancel),
task->task_cancel_msg);
task_cancel_msg);
Py_DECREF(task_cancel_msg);
if (r == NULL) {
return NULL;
}