bpo-45262, asyncio: Fix cache of the running loop holder (GH-28796) (GH-28816)

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Fri, 8 Oct 2021 08:55:41 +0000 (01:55 -0700)

committer GitHub <noreply@github.com>

Fri, 8 Oct 2021 08:55:41 +0000 (10:55 +0200)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Fri, 8 Oct 2021 08:55:41 +0000 (01:55 -0700)
committer GitHub <noreply@github.com>
Fri, 8 Oct 2021 08:55:41 +0000 (10:55 +0200)
diff --git a/Misc/NEWS.d/next/Library/2021-10-07-14-04-10.bpo-45262.HqF71Z.rst b/Misc/NEWS.d/next/Library/2021-10-07-14-04-10.bpo-45262.HqF71Z.rst

new file mode 100644 (file)

index 0000000..4cd949f
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-10-07-14-04-10.bpo-45262.HqF71Z.rst
@@ -0,0 +1 @@
+Prevent use-after-free in asyncio. Make sure the cached running loop holder gets cleared on dealloc to prevent use-after-free in get_running_loop
+\ No newline at end of file
diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c

index ecc73d1ca8bf0f577a096617ff6837cfae60dcb4..56079b0277d1a677165b6ec82a968fbc775cff1b 100644 (file)
--- a/Modules/_asynciomodule.c
+++ b/Modules/_asynciomodule.c
@@ -3239,6 +3239,9 @@ new_running_loop_holder(PyObject *loop)
  static void
  PyRunningLoopHolder_tp_dealloc(PyRunningLoopHolder *rl)
  {
+    if (cached_running_holder == (PyObject *)rl) {
+        cached_running_holder = NULL;
+    }
      Py_CLEAR(rl->rl_loop);
      PyObject_Free(rl);
  }
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Fri, 8 Oct 2021 08:55:41 +0000 (01:55 -0700)
committer	GitHub <noreply@github.com>
	Fri, 8 Oct 2021 08:55:41 +0000 (10:55 +0200)
Misc/NEWS.d/next/Library/2021-10-07-14-04-10.bpo-45262.HqF71Z.rst	[new file with mode: 0644]	patch \| blob
Modules/_asynciomodule.c		patch \| blob \| blame \| history