UAF on fut->fut_{callback,context}0 with evil __getattribute__ in _asynciomodule.c #125984

@picnixz

Crash report

What happened?

```python
import asyncio

class EvilLoop:
    def call_soon(*args):
        # will crash before it actually gets here
        print(args)

    def get_debug(self):
        return False

    def __getattribute__(self, name):
        global tracker
        if name == "call_soon":
            fut.remove_done_callback(tracker)
            del tracker
            print("returning call_soon method after clearing callback0")
        return object.__getattribute__(self, name)

class TrackDel:
    def __del__(self):
        print("deleted", self)

fut = asyncio.Future(loop=EvilLoop())
tracker = TrackDel()
fut.add_done_callback(tracker)
fut.set_result("kaboom")
```

Originally posted by @Nico-Posada in #125970 (comment)

Not sure I'll be able to work on it today, so anyone's free to take it on.


Traceback

```
deleted <__main__.TrackDel object at 0x7f4ab660a420>
returning call_soon method after clearing callback0
Python/context.c:534: _PyObject_GC_UNTRACK: Assertion "_PyObject_GC_IS_TRACKED(((PyObject*)(op)))" failed: object not tracked by the garbage collector
Enable tracemalloc to get the memory block allocation traceback

object address  : 0x7f4ab64ca4b0
object refcount : 0
object type     : 0x9bfc60
object type name: _contextvars.Context
object repr     : <refcnt 0 at 0x7f4ab64ca4b0>

Fatal Python error: _PyObject_AssertFailed: _PyObject_AssertFailed
Python runtime state: initialized
TypeError: EvilLoop.call_soon() got an unexpected keyword argument 'context'
```
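Added example, not part of the original report and not CPython's source: a toy C model of the bug class named in the title, where a pointer read from a slot like `fut->fut_callback0` is used after re-entrant code (the evil `__getattribute__`) has cleared that slot. The `Obj`, `Fut`, `evil_lookup`, `schedule_*` and `run` names are hypothetical, and moving ownership out of the slot before the call is shown as one general mitigation pattern, not as the fix the project applied; the same reasoning applies to the context slot.

```c
#include <stdio.h>

/* Toy refcounted object. "Freeing" only clears `alive`, so a stale
   access can be observed without real undefined behaviour. */
typedef struct { int refcnt; int alive; } Obj;
typedef struct { Obj *callback0; } Fut;  /* stand-in for fut->fut_callback0 */

static void decref(Obj *o) { if (--o->refcnt == 0) o->alive = 0; }

/* Models the evil __getattribute__: user code that runs during the
   attribute lookup and removes the callback, dropping the last reference. */
static void evil_lookup(Fut *fut) {
    Obj *cb = fut->callback0;
    if (cb != NULL) { fut->callback0 = NULL; decref(cb); }
}

/* Vulnerable shape: a borrowed pointer is read from the slot, then
   arbitrary code runs before the pointer is used. Returns 0 if stale. */
static int schedule_borrowed(Fut *fut) {
    Obj *cb = fut->callback0;   /* borrowed reference */
    evil_lookup(fut);           /* lookup runs user code */
    return cb->alive;           /* refcount already reached 0 */
}

/* Hardened shape: move ownership out of the slot first, so re-entrant
   code finds it empty and cannot release the object still in use. */
static int schedule_owned(Fut *fut) {
    Obj *cb = fut->callback0;
    fut->callback0 = NULL;      /* ownership now held by the local */
    evil_lookup(fut);
    int ok = cb->alive;
    decref(cb);                 /* release only after the last use */
    return ok;
}

/* Builds a future holding one callback and runs the chosen variant. */
static int run(int hardened) {
    Obj cb = { 1, 1 };
    Fut fut = { &cb };
    return hardened ? schedule_owned(&fut) : schedule_borrowed(&fut);
}

int main(void) {
    printf("borrowed alive=%d, owned alive=%d\n", run(0), run(1));
    return 0;
}
```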

Labels: 3.12 (only security fixes), 3.13 (bugs and security fixes), 3.14 (bugs and security fixes), topic-asyncio, type-crash (A hard crash of the interpreter, possibly with a core dump)

Status: Done
