[3.13] gh-126138: Fix use-after-free in `_asyncio.Task` by evil `__getattribute__` (GH-126305) (#126324)

gh-126138: Fix use-after-free in `_asyncio.Task` by evil `__getattribute__` (GH-126305) (cherry picked from commit f032f6ba8f) Co-authored-by: Nico-Posada <102486290+Nico-Posada@users.noreply.github.com> Co-authored-by: Carol Willing <carolcode@willingconsulting.com>
2024-11-02 09:09:18 +01:00 · 2024-11-02 09:09:18 +01:00 · f58d5ab881
parent 6e4b7eadf5
commit f58d5ab881
2 changed files with 23 additions and 2 deletions
--- a/Misc/NEWS.d/next/Library/2024-11-01-14-31-41.gh-issue-126138.yTniOG.rst
+++ b/Misc/NEWS.d/next/Library/2024-11-01-14-31-41.gh-issue-126138.yTniOG.rst
@ -0,0 +1,3 @@
+Fix a use-after-free crash on :class:`asyncio.Task` objects
+whose underlying coroutine yields an object that implements
+an evil :meth:`~object.__getattribute__`. Patch by Nico Posada.
--- a/Modules/_asynciomodule.c
+++ b/Modules/_asynciomodule.c
@ -2907,8 +2907,17 @@ task_step_handle_result_impl(asyncio_state *state, TaskObj *task, PyObject *resu
        if (task->task_must_cancel) {
            PyObject *r;
            int is_true;
+
+            // Beware: An evil `__getattribute__` could
+            // prematurely delete task->task_cancel_msg before the
+            // task is cancelled, thereby causing a UAF crash.
+            //
+            // See https://github.com/python/cpython/issues/126138
+            PyObject *task_cancel_msg = Py_NewRef(task->task_cancel_msg);
            r = PyObject_CallMethodOneArg(result, &_Py_ID(cancel),
-                                             task->task_cancel_msg);
+                                          task_cancel_msg);
+            Py_DECREF(task_cancel_msg);
+
            if (r == NULL) {
                return NULL;
            }
@ -3000,8 +3009,17 @@ task_step_handle_result_impl(asyncio_state *state, TaskObj *task, PyObject *resu
        if (task->task_must_cancel) {
            PyObject *r;
            int is_true;
+
+            // Beware: An evil `__getattribute__` could
+            // prematurely delete task->task_cancel_msg before the
+            // task is cancelled, thereby causing a UAF crash.
+            //
+            // See https://github.com/python/cpython/issues/126138
+            PyObject *task_cancel_msg = Py_NewRef(task->task_cancel_msg);
            r = PyObject_CallMethodOneArg(result, &_Py_ID(cancel),
-                                             task->task_cancel_msg);
+                                          task_cancel_msg);
+            Py_DECREF(task_cancel_msg);
+
            if (r == NULL) {
                return NULL;
            }