gh-126080: fix UAF on task->task_context in task_call_step_soon due to an evil loop.__getattribute__ (#126120)

2024-11-24 08:52:25 +01:00 · 2024-10-31 18:14:47 +01:00 · 2024-10-31 18:14:47 +01:00 · 0e8665554b
commit 0e8665554b
parent 3275cb1953
2 changed files with 8 additions and 1 deletions
--- a/Misc/NEWS.d/next/Library/2024-10-29-10-38-28.gh-issue-126080.qKRBuo.rst
+++ b/Misc/NEWS.d/next/Library/2024-10-29-10-38-28.gh-issue-126080.qKRBuo.rst
@ -0,0 +1,3 @@
+Fix a use-after-free crash on :class:`asyncio.Task` objects for which the
+underlying event loop implements an evil :meth:`~object.__getattribute__`.
+Reported by Nico-Posada. Patch by Bénédikt Tran.
--- a/Modules/_asynciomodule.c
+++ b/Modules/_asynciomodule.c
@ -2738,7 +2738,11 @@ task_call_step_soon(asyncio_state *state, TaskObj *task, PyObject *arg)
        return -1;
    }

-    int ret = call_soon(state, task->task_loop, cb, NULL, task->task_context);
+    // Beware: An evil call_soon could alter task_context.
+    // See: https://github.com/python/cpython/issues/126080.
+    PyObject *task_context = Py_NewRef(task->task_context);
+    int ret = call_soon(state, task->task_loop, cb, NULL, task_context);
+    Py_DECREF(task_context);
    Py_DECREF(cb);
    return ret;
 }