gh-126080: fix UAF on `task->task_context` in `task_call_step_soon` due to an evil...
authorBénédikt Tran <10796600+picnixz@users.noreply.github.com>
Thu, 31 Oct 2024 17:14:47 +0000 (18:14 +0100)
committerGitHub <noreply@github.com>
Thu, 31 Oct 2024 17:14:47 +0000 (10:14 -0700)
Misc/NEWS.d/next/Library/2024-10-29-10-38-28.gh-issue-126080.qKRBuo.rst [new file with mode: 0644]
Modules/_asynciomodule.c

diff --git a/Misc/NEWS.d/next/Library/2024-10-29-10-38-28.gh-issue-126080.qKRBuo.rst b/Misc/NEWS.d/next/Library/2024-10-29-10-38-28.gh-issue-126080.qKRBuo.rst
new file mode 100644 (file)
index 0000000..e54ac17
--- /dev/null
@@ -0,0 +1,3 @@
+Fix a use-after-free crash on :class:`asyncio.Task` objects for which the
+underlying event loop implements an evil :meth:`~object.__getattribute__`.
+Reported by Nico-Posada. Patch by Bénédikt Tran.
index c2500fbd692d4d0b34218a56527d9d6cd23ea1c4..7483e9c0f43acfdf2eb330c9b7bc2bafa3a13690 100644 (file)
@@ -2738,7 +2738,11 @@ task_call_step_soon(asyncio_state *state, TaskObj *task, PyObject *arg)
         return -1;
     }
 
-    int ret = call_soon(state, task->task_loop, cb, NULL, task->task_context);
+    // Beware: An evil call_soon could alter task_context.
+    // See: https://github.com/python/cpython/issues/126080.
+    PyObject *task_context = Py_NewRef(task->task_context);
+    int ret = call_soon(state, task->task_loop, cb, NULL, task_context);
+    Py_DECREF(task_context);
     Py_DECREF(cb);
     return ret;
 }
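Review bot: `task->task_loop` is still passed to `call_soon` as a borrowed pointer read from the task, so the re-entrancy this change guards against for `task_context` may remain open for the loop if the same Python-level code can replace or clear it. That is not visible from this hunk and is worth confirming against `call_soon` and the task's init/clear paths. Holding the loop the same way would close the gap: `PyObject *loop = Py_NewRef(task->task_loop);`, pass `loop`, then `Py_DECREF(loop);`. Separately, `Py_NewRef` requires a non-NULL argument, so if `task_context` can be NULL at this point, `Py_XNewRef`/`Py_XDECREF` would leave that case to whatever NULL handling `call_soon` has. The comment would also be more precise as `// Beware: call_soon runs arbitrary Python (e.g. the loop's __getattribute__), which may replace task->task_context.`; the start of `task_call_step_soon` lies outside the hunk.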