Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

[3.13] gh-125966: fix use-after-free on `fut->fut_callback0` due to an evil callback's `__eq__` in asyncio (GH-125967) (#126047) 

gh-125966: fix use-after-free on `fut->fut_callback0` due to an evil callback's `__eq__` in asyncio (GH-125967)
(cherry picked from commit ed5059eeb1)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
This commit is contained in:
Miss Islington (bot) 2024-10-27 18:36:10 +01:00 committed by GitHub
parent 25421c715d
commit ac31a2607f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Lib/test/test_asyncio/test_futures.py
View File

@ -1007,6 +1007,24 @@ class BaseFutureDoneCallbackTests():
# returns an empty list but the C implementation returns None. # returns an empty list but the C implementation returns None.
self.assertIn(fut._callbacks, (None, [])) self.assertIn(fut._callbacks, (None, []))
def test_use_after_free_on_fut_callback_0_with_evil__eq__(self):
# Special thanks to Nico-Posada for the original PoC.
# See https://github.com/python/cpython/issues/125966.
fut = self._new_future()
class cb_pad:
def __eq__(self, other):
return True
class evil(cb_pad):
def __eq__(self, other):
fut.remove_done_callback(None)
return NotImplemented
fut.add_done_callback(cb_pad())
fut.remove_done_callback(evil())
def test_use_after_free_on_fut_callback_0_with_evil__getattribute__(self): def test_use_after_free_on_fut_callback_0_with_evil__getattribute__(self):
# see: https://github.com/python/cpython/issues/125984 # see: https://github.com/python/cpython/issues/125984

2
Misc/NEWS.d/next/Library/2024-10-25-10-53-56.gh-issue-125966.eOCYU_.rst Normal file
View File

@ -0,0 +1,2 @@
Fix a use-after-free crash in :meth:`asyncio.Future.remove_done_callback`.
Patch by Bénédikt Tran.

7
Modules/_asynciomodule.c
View File

@ -965,7 +965,12 @@ _asyncio_Future_remove_done_callback_impl(FutureObj *self, PyTypeObject *cls,
ENSURE_FUTURE_ALIVE(state, self) ENSURE_FUTURE_ALIVE(state, self)
if (self->fut_callback0 != NULL) { if (self->fut_callback0 != NULL) {
int cmp = PyObject_RichCompareBool(self->fut_callback0, fn, Py_EQ); // Beware: An evil PyObject_RichCompareBool could free fut_callback0
// before a recursive call is made with that same arg. For details, see
// https://github.com/python/cpython/pull/125967#discussion_r1816593340.
PyObject *fut_callback0 = Py_NewRef(self->fut_callback0);
int cmp = PyObject_RichCompareBool(fut_callback0, fn, Py_EQ);
Py_DECREF(fut_callback0);
if (cmp == -1) { if (cmp == -1) {
return NULL; return NULL;
} }