Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Evilcall_soon may cause OOB infuture_schedule_callbacks #125969

Closed
Assignees
picnixz
Labels
3.12only security fixes3.13bugs and security fixes3.14bugs and security fixestopic-asynciotype-crashA hard crash of the interpreter, possibly with a core dump
@picnixz

Description

@picnixz

Crash report

Bug description:

Infuture_schedule_callbacks, the length of the callback list is assumed to be constant, but an evilcall_soon can make it change.

PoC:

importasynciocalled_on_fut_callback0=Falsepad=lambda: ...defevil_call_soon(*args,**kwargs):globalcalled_on_fut_callback0ifcalled_on_fut_callback0:# Called when handling fut->fut_callbacks[0]# and mutates the length fut->fut_callbacks.fut.remove_done_callback(int)fut.remove_done_callback(pad)else:called_on_fut_callback0=Truefake_event_loop=lambda: ...fake_event_loop.call_soon=evil_call_soonfake_event_loop.get_debug=lambda:False# suppress tracebackfut=asyncio.Future(loop=fake_event_loop)fut.add_done_callback(str)# sets fut->fut_callback0fut.add_done_callback(int)# sets fut->fut_callbacks[0]fut.add_done_callback(pad)# sets fut->fut_callbacks[1]fut.add_done_callback(pad)# sets fut->fut_callbacks[2]fut.set_result("boom")

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Linked PRs

Metadata

Metadata

Assignees

Labels

3.12only security fixes3.13bugs and security fixes3.14bugs and security fixestopic-asynciotype-crashA hard crash of the interpreter, possibly with a core dump

Projects

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions

    [8]ページ先頭
    ©2009-2025 Movatter.jp