Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitabe64a3

Browse files
[3.13]gh-126080: fix UAF ontask->task_context intask_call_step_soon due to an evilloop.__getattribute__ (GH-126120) (#126250)
gh-126080: fix UAF on `task->task_context` in `task_call_step_soon` due to an evil `loop.__getattribute__` (GH-126120)(cherry picked from commit0e86655)Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
1 parent588da2e commitabe64a3

File tree

2 files changed

+8
-1
lines changed

2 files changed

+8
-1
lines changed
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
Fix a use-after-free crash on:class:`asyncio.Task` objects for which the
2+
underlying event loop implements an evil:meth:`~object.__getattribute__`.
3+
Reported by Nico-Posada. Patch by Bénédikt Tran.

‎Modules/_asynciomodule.c‎

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2678,7 +2678,11 @@ task_call_step_soon(asyncio_state *state, TaskObj *task, PyObject *arg)
26782678
return-1;
26792679
}
26802680

2681-
intret=call_soon(state,task->task_loop,cb,NULL,task->task_context);
2681+
// Beware: An evil call_soon could alter task_context.
2682+
// See: https://github.com/python/cpython/issues/126080.
2683+
PyObject*task_context=Py_NewRef(task->task_context);
2684+
intret=call_soon(state,task->task_loop,cb,NULL,task_context);
2685+
Py_DECREF(task_context);
26822686
Py_DECREF(cb);
26832687
returnret;
26842688
}

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp