[3.12] gh-126138: Fix use-after-free in `_asyncio.Task` by evil `__getattribute__...

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Sat, 2 Nov 2024 08:03:51 +0000 (09:03 +0100)

committer GitHub <noreply@github.com>

Sat, 2 Nov 2024 08:03:51 +0000 (08:03 +0000)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Sat, 2 Nov 2024 08:03:51 +0000 (09:03 +0100)
committer GitHub <noreply@github.com>
Sat, 2 Nov 2024 08:03:51 +0000 (08:03 +0000)
diff --git a/Misc/NEWS.d/next/Library/2024-11-01-14-31-41.gh-issue-126138.yTniOG.rst b/Misc/NEWS.d/next/Library/2024-11-01-14-31-41.gh-issue-126138.yTniOG.rst

new file mode 100644 (file)

index 0000000..459eebc
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-11-01-14-31-41.gh-issue-126138.yTniOG.rst
@@ -0,0 +1,3 @@
+Fix a use-after-free crash on :class:`asyncio.Task` objects
+whose underlying coroutine yields an object that implements
+an evil :meth:`~object.__getattribute__`. Patch by Nico Posada.
diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c

index 9bb71623ba6c7eb967c87124a742683002b64d0f..20a9d992834b0e0ea9dbb95f79e459337229fd76 100644 (file)
--- a/Modules/_asynciomodule.c
+++ b/Modules/_asynciomodule.c
@@ -2994,8 +2994,17 @@ task_step_handle_result_impl(asyncio_state *state, TaskObj *task, PyObject *resu
          if (task->task_must_cancel) {
              PyObject *r;
              int is_true;
+
+            // Beware: An evil `__getattribute__` could
+            // prematurely delete task->task_cancel_msg before the
+            // task is cancelled, thereby causing a UAF crash.
+            //
+            // See https://github.com/python/cpython/issues/126138
+            PyObject *task_cancel_msg = Py_NewRef(task->task_cancel_msg);
              r = PyObject_CallMethodOneArg(result, &_Py_ID(cancel),
-                                             task->task_cancel_msg);
+                                          task_cancel_msg);
+            Py_DECREF(task_cancel_msg);
+
              if (r == NULL) {
                  return NULL;
              }
@@ -3087,8 +3096,17 @@ task_step_handle_result_impl(asyncio_state *state, TaskObj *task, PyObject *resu
          if (task->task_must_cancel) {
              PyObject *r;
              int is_true;
+
+            // Beware: An evil `__getattribute__` could
+            // prematurely delete task->task_cancel_msg before the
+            // task is cancelled, thereby causing a UAF crash.
+            //
+            // See https://github.com/python/cpython/issues/126138
+            PyObject *task_cancel_msg = Py_NewRef(task->task_cancel_msg);
              r = PyObject_CallMethodOneArg(result, &_Py_ID(cancel),
-                                             task->task_cancel_msg);
+                                          task_cancel_msg);
+            Py_DECREF(task_cancel_msg);
+
              if (r == NULL) {
                  return NULL;
              }
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Sat, 2 Nov 2024 08:03:51 +0000 (09:03 +0100)
committer	GitHub <noreply@github.com>
	Sat, 2 Nov 2024 08:03:51 +0000 (08:03 +0000)
Misc/NEWS.d/next/Library/2024-11-01-14-31-41.gh-issue-126138.yTniOG.rst	[new file with mode: 0644]	patch \| blob
Modules/_asynciomodule.c		patch \| blob \| blame \| history