From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Thu, 7 Oct 2021 23:14:04 +0000 (-0700)
Subject: bpo-45262, asyncio: Fix cache of the running loop holder (GH-28796)
X-Git-Tag: v3.9.8~83
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=87f0156a229e4cda92ad8e50645c5a71030caf7c;p=thirdparty%2FPython%2Fcpython.git

bpo-45262, asyncio: Fix cache of the running loop holder (GH-28796)


Prevent use-after-free of running loop holder via cache.
(cherry picked from commit 392a89835371baa0fc4bf79ae479abb80661f57d)

Co-authored-by: Matthias Reichl <github@hias.horus.com>
---

diff --git a/Misc/NEWS.d/next/Library/2021-10-07-14-04-10.bpo-45262.HqF71Z.rst b/Misc/NEWS.d/next/Library/2021-10-07-14-04-10.bpo-45262.HqF71Z.rst
new file mode 100644
index 000000000000..4cd949fe1ed5
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-10-07-14-04-10.bpo-45262.HqF71Z.rst
@@ -0,0 +1 @@
+Prevent use-after-free in asyncio. Make sure the cached running loop holder gets cleared on dealloc to prevent use-after-free in get_running_loop
\ No newline at end of file
diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c
index b615c48c4318..4457d7bd49e2 100644
--- a/Modules/_asynciomodule.c
+++ b/Modules/_asynciomodule.c
@@ -3258,6 +3258,9 @@ new_running_loop_holder(PyObject *loop)
 static void
 PyRunningLoopHolder_tp_dealloc(PyRunningLoopHolder *rl)
 {
+    if (cached_running_holder == (PyObject *)rl) {
+        cached_running_holder = NULL;
+    }
     Py_CLEAR(rl->rl_loop);
     PyObject_Free(rl);
 }