[Python-checkins] [3.13] gh-126080: fix UAF on `task->task_context` in `task_call_step_soon` due to an evil `loop.__getattribute__` (GH-126120) (#126250)

Thu, 31 Oct 2024 12:52:20 -0700 

https://github.com/python/cpython/commit/abe64a3780ecaf954cb9bafb5dc6eaee1b680bf4
commit: abe64a3780ecaf954cb9bafb5dc6eaee1b680bf4
branch: 3.13
author: Miss Islington (bot) <[email protected]>
committer: willingc <[email protected]>
date: 2024-10-31T19:32:47Z
summary:

[3.13] gh-126080: fix UAF on `task->task_context` in `task_call_step_soon` due 
to an evil `loop.__getattribute__` (GH-126120) (#126250)

gh-126080: fix UAF on `task->task_context` in `task_call_step_soon` due to an 
evil `loop.__getattribute__` (GH-126120)
(cherry picked from commit 0e8665554b2f1334e530fd6de5b3a4e908405419)

Co-authored-by: Bénédikt Tran <[email protected]>

files:
A Misc/NEWS.d/next/Library/2024-10-29-10-38-28.gh-issue-126080.qKRBuo.rst
M Modules/_asynciomodule.c

diff --git 
a/Misc/NEWS.d/next/Library/2024-10-29-10-38-28.gh-issue-126080.qKRBuo.rst 
b/Misc/NEWS.d/next/Library/2024-10-29-10-38-28.gh-issue-126080.qKRBuo.rst
new file mode 100644
index 00000000000000..e54ac17b217c92
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-10-29-10-38-28.gh-issue-126080.qKRBuo.rst
@@ -0,0 +1,3 @@
+Fix a use-after-free crash on :class:`asyncio.Task` objects for which the
+underlying event loop implements an evil :meth:`~object.__getattribute__`.
+Reported by Nico-Posada. Patch by Bénédikt Tran.
diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c
index 44529f633fbe2e..40fe7d839552cc 100644
--- a/Modules/_asynciomodule.c
+++ b/Modules/_asynciomodule.c
@@ -2678,7 +2678,11 @@ task_call_step_soon(asyncio_state *state, TaskObj *task, 
PyObject *arg)
         return -1;
     }
 
-    int ret = call_soon(state, task->task_loop, cb, NULL, task->task_context);
+    // Beware: An evil call_soon could alter task_context.
+    // See: https://github.com/python/cpython/issues/126080.
+    PyObject *task_context = Py_NewRef(task->task_context);
+    int ret = call_soon(state, task->task_loop, cb, NULL, task_context);
+    Py_DECREF(task_context);
     Py_DECREF(cb);
     return ret;
 }

_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-checkins.python.org/
Member address: [email protected]

Reply via email to