gh-142783: Fix possible use after free in zoneinfo module (GH-142790)

author wangxiaolei <fatelei@gmail.com>

Wed, 17 Dec 2025 08:35:08 +0000 (16:35 +0800)

committer GitHub <noreply@github.com>

Wed, 17 Dec 2025 08:35:08 +0000 (08:35 +0000)
author wangxiaolei <fatelei@gmail.com>
Wed, 17 Dec 2025 08:35:08 +0000 (16:35 +0800)
committer GitHub <noreply@github.com>
Wed, 17 Dec 2025 08:35:08 +0000 (08:35 +0000)
diff --git a/Lib/test/test_zoneinfo/test_zoneinfo.py b/Lib/test/test_zoneinfo/test_zoneinfo.py

index fad741e477b84a2141701988ad99c2248c0cc70a..8f3ca59c9ef5ed5dfb4e8520148cd62206614958 100644 (file)
--- a/Lib/test/test_zoneinfo/test_zoneinfo.py
+++ b/Lib/test/test_zoneinfo/test_zoneinfo.py
@@ -1551,6 +1551,26 @@ class ZoneInfoCacheTest(TzPathUserMixin, ZoneInfoTestBase):
          except CustomError:
              pass
  
+    def test_weak_cache_descriptor_use_after_free(self):
+        class BombDescriptor:
+            def __get__(self, obj, owner):
+                return {}
+
+        class EvilZoneInfo(self.klass):
+            pass
+
+        # Must be set after the class creation.
+        EvilZoneInfo._weak_cache = BombDescriptor()
+
+        key = "America/Los_Angeles"
+        zone1 = EvilZoneInfo(key)
+        self.assertEqual(str(zone1), key)
+
+        EvilZoneInfo.clear_cache()
+        zone2 = EvilZoneInfo(key)
+        self.assertEqual(str(zone2), key)
+        self.assertIsNot(zone2, zone1)
+
  
  class CZoneInfoCacheTest(ZoneInfoCacheTest):
      module = c_zoneinfo
diff --git a/Misc/NEWS.d/next/Library/2025-12-16-14-49-19.gh-issue-142783.VPV1ig.rst b/Misc/NEWS.d/next/Library/2025-12-16-14-49-19.gh-issue-142783.VPV1ig.rst

new file mode 100644 (file)

index 0000000..f014771
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2025-12-16-14-49-19.gh-issue-142783.VPV1ig.rst
@@ -0,0 +1 @@
+Fix zoneinfo use-after-free with descriptor _weak_cache. a descriptor as _weak_cache could cause crashes during object creation. The fix ensures proper reference counting for descriptor-provided objects.
diff --git a/Modules/_zoneinfo.c b/Modules/_zoneinfo.c

index b99be073db5460d2fbae13a2284fdd26be3ad9e9..e07dfd19efa06d605cce16599b3c333bf794099a 100644 (file)
--- a/Modules/_zoneinfo.c
+++ b/Modules/_zoneinfo.c
@@ -292,16 +292,11 @@ static PyObject *
  get_weak_cache(zoneinfo_state *state, PyTypeObject *type)
  {
      if (type == state->ZoneInfoType) {
+        Py_INCREF(state->ZONEINFO_WEAK_CACHE);
          return state->ZONEINFO_WEAK_CACHE;
      }
      else {
-        PyObject *cache =
-            PyObject_GetAttrString((PyObject *)type, "_weak_cache");
-        // We are assuming that the type lives at least as long as the function
-        // that calls get_weak_cache, and that it holds a reference to the
-        // cache, so we'll return a "borrowed reference".
-        Py_XDECREF(cache);
-        return cache;
+        return PyObject_GetAttrString((PyObject *)type, "_weak_cache");
      }
  }
  
@@ -328,6 +323,7 @@ zoneinfo_ZoneInfo_impl(PyTypeObject *type, PyObject *key)
      PyObject *weak_cache = get_weak_cache(state, type);
      instance = PyObject_CallMethod(weak_cache, "get", "O", key, Py_None);
      if (instance == NULL) {
+        Py_DECREF(weak_cache);
          return NULL;
      }
  
@@ -335,6 +331,7 @@ zoneinfo_ZoneInfo_impl(PyTypeObject *type, PyObject *key)
          Py_DECREF(instance);
          PyObject *tmp = zoneinfo_new_instance(state, type, key);
          if (tmp == NULL) {
+            Py_DECREF(weak_cache);
              return NULL;
          }
  
@@ -342,12 +339,14 @@ zoneinfo_ZoneInfo_impl(PyTypeObject *type, PyObject *key)
              PyObject_CallMethod(weak_cache, "setdefault", "OO", key, tmp);
          Py_DECREF(tmp);
          if (instance == NULL) {
+            Py_DECREF(weak_cache);
              return NULL;
          }
          ((PyZoneInfo_ZoneInfo *)instance)->source = SOURCE_CACHE;
      }
  
      update_strong_cache(state, type, key, instance);
+    Py_DECREF(weak_cache);
      return instance;
  }
  
@@ -510,12 +509,14 @@ zoneinfo_ZoneInfo_clear_cache_impl(PyTypeObject *type, PyTypeObject *cls,
          PyObject *item = NULL;
          PyObject *pop = PyUnicode_FromString("pop");
          if (pop == NULL) {
+            Py_DECREF(weak_cache);
              return NULL;
          }
  
          PyObject *iter = PyObject_GetIter(only_keys);
          if (iter == NULL) {
              Py_DECREF(pop);
+            Py_DECREF(weak_cache);
              return NULL;
          }
  
@@ -540,6 +541,7 @@ zoneinfo_ZoneInfo_clear_cache_impl(PyTypeObject *type, PyTypeObject *cls,
          Py_DECREF(pop);
      }
  
+    Py_DECREF(weak_cache);
      if (PyErr_Occurred()) {
          return NULL;
      }
author	wangxiaolei <fatelei@gmail.com>
	Wed, 17 Dec 2025 08:35:08 +0000 (16:35 +0800)
committer	GitHub <noreply@github.com>
	Wed, 17 Dec 2025 08:35:08 +0000 (08:35 +0000)
Lib/test/test_zoneinfo/test_zoneinfo.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Library/2025-12-16-14-49-19.gh-issue-142783.VPV1ig.rst	[new file with mode: 0644]	patch \| blob
Modules/_zoneinfo.c		patch \| blob \| blame \| history