Skip to content

Commit

Permalink
[3.13] pythongh-126080: fix UAF on task->task_context in `task_call…
Browse files Browse the repository at this point in the history
…_step_soon` due to an evil `loop.__getattribute__` (pythonGH-126120) (python#126250)

pythongh-126080: fix UAF on `task->task_context` in `task_call_step_soon` due to an evil `loop.__getattribute__` (pythonGH-126120)
(cherry picked from commit 0e86655)

Co-authored-by: Bénédikt Tran <[email protected]>
  • Loading branch information
miss-islington and picnixz authored Oct 31, 2024
1 parent 588da2e commit abe64a3
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 1 deletion.
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Fix a use-after-free crash on :class:`asyncio.Task` objects for which the
underlying event loop implements an evil :meth:`~object.__getattribute__`.
Reported by Nico-Posada. Patch by Bénédikt Tran.
6 changes: 5 additions & 1 deletion Modules/_asynciomodule.c
Original file line number Diff line number Diff line change
Expand Up @@ -2678,7 +2678,11 @@ task_call_step_soon(asyncio_state *state, TaskObj *task, PyObject *arg)
return -1;
}

int ret = call_soon(state, task->task_loop, cb, NULL, task->task_context);
// Beware: An evil call_soon could alter task_context.
// See: https://github.com/python/cpython/issues/126080.
PyObject *task_context = Py_NewRef(task->task_context);
int ret = call_soon(state, task->task_loop, cb, NULL, task_context);
Py_DECREF(task_context);
Py_DECREF(cb);
return ret;
}
Expand Down

0 comments on commit abe64a3

Please sign in to comment.