-
-
Notifications
You must be signed in to change notification settings - Fork 30.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crash: UAF in task_call_step_soon
in _asynciomodule.c
(with admittedly ridiculous setup)
#126080
Comments
I'll create a PR tomorrow and try to find an easier way to trigger the bug but thanks as always! I forgot about checking UAF for the |
For now, I'm looking into a potential second UAF in |
My personal position on this is that we shouldn't fix extremely contrived ways of crashing C Tasks and Futures. We by all means should fix potential crashers that users can hit with regular code, but making code completely 100% safe for all far fetched hypothetical unreal-world scenarios wasn't ever a goal in CPython (AFAIK). -1. |
…ue to an evil `loop.__getattribute__` (#126120)
…oon` due to an evil `loop.__getattribute__` (pythonGH-126120) (cherry picked from commit 0e86655) Co-authored-by: Bénédikt Tran <[email protected]>
…oon` due to an evil `loop.__getattribute__` (pythonGH-126120) (cherry picked from commit 0e86655) Co-authored-by: Bénédikt Tran <[email protected]>
Closing since completed and backported. Thanks for the report Nico! |
Crash report
What happened?
This is basically an extension to #125984 but it took me a bit to get a working PoC because I have never used asyncio.Task ever.
The crash is caused because of a missing incref before calling
call_soon
intask_call_step_soon
which allows us to corrupttask_context
in an evil__getattribute__
class func before handing it off tocall_soon
. There's probably a much simpler way to trigger the crash but this is the only working route I found.Output:
I am on a version of python that doesn't include all the recent fixes to asyncio, so just to confirm I was triggering this via
task_call_step_soon
I made sure to check the crash backtrace in gdb.The fix for this is to just incref
task->task_context
before callingcall_soon
to avoid deleting it in the evil funccpython/Modules/_asynciomodule.c
Lines 2676 to 2680 in 60403a5
CPython versions tested on:
3.13
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.13.0 (tags/v3.13.0:60403a5409f, Oct 10 2024, 09:24:12) [GCC 13.2.0]
Linked PRs
task->task_context
intask_call_step_soon
due to an evilloop.__getattribute__
#126120task->task_context
intask_call_step_soon
due to an evilloop.__getattribute__
(GH-126120) #126250task->task_context
intask_call_step_soon
due to an evilloop.__getattribute__
(GH-126120) #126251The text was updated successfully, but these errors were encountered: