gh-143228: Fix UAF in perf trampoline during finalization #143233
Fidget-Spinner left a comment
Looks good, just one question
When toggling perf trampoline while threads are running, or during interpreter finalization with daemon threads active, a use-after-free occurs. The munmap call in free_code_arenas releases executable memory while other threads may still be executing within trampolines or unwinding through them, causing SIGSEGV or SystemError.

The fix uses reference counting with a code watcher. Each code object that receives a trampoline increments a refcount. When code objects are destroyed, the watcher decrements the refcount and frees arenas only when it reaches zero. This ensures trampolines are never freed while any code object could still reference them.
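The deferred release described above, as an added C sketch that is not the patch or CPython's code: the subsystem holds one reference, each code object that receives a trampoline adds one, and `munmap` runs only when the last reference is dropped. Every name (`tramp_state`, `tramp_assign`, `tramp_code_destroyed`, `tramp_disable`) is hypothetical, the subsystem-held reference is an assumption of the sketch, and a real counter would need a lock or atomics.

```c
/* Added sketch, not CPython's code; every name here is hypothetical.
 * Single-threaded, and the arena is never executed (no PROT_EXEC). */
#define _GNU_SOURCE 1                 /* exposes MAP_ANONYMOUS */
#include <stddef.h>
#include <sys/mman.h>
#define ARENA_SIZE 4096
#define TRAMP_SIZE 64

struct tramp_state {
    char  *arena;    /* mapping that holds the trampolines */
    size_t used;     /* bytes handed out so far */
    size_t refs;     /* 1 for the subsystem + 1 per live code object */
    int    enabled;  /* cleared once perf support is switched off */
};
/* Drop one reference; unmap only when the count reaches zero. */
static int tramp_unref(struct tramp_state *s) {
    if (s->refs == 0 || --s->refs > 0)
        return 0;                     /* still referenced: defer */
    munmap(s->arena, ARENA_SIZE);
    s->arena = NULL;
    return 1;                         /* arena released */
}
static int tramp_init(struct tramp_state *s) {
    void *p = mmap(NULL, ARENA_SIZE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    s->arena = p; s->used = 0; s->refs = 1; s->enabled = 1;
    return 0;
}
/* A code object receives a trampoline and pins the arena. */
static void *tramp_assign(struct tramp_state *s) {
    if (!s->enabled || s->used + TRAMP_SIZE > ARENA_SIZE) return NULL;
    s->used += TRAMP_SIZE; s->refs++;
    return s->arena + s->used - TRAMP_SIZE;
}
/* Code watcher callback: one code object was destroyed. */
static int tramp_code_destroyed(struct tramp_state *s) { return tramp_unref(s); }
/* Disable or finalize: drop only the subsystem's own reference. */
static int tramp_disable(struct tramp_state *s) {
    if (!s->enabled) return 0;
    s->enabled = 0;
    return tramp_unref(s);
}
int main(void) {
    struct tramp_state s;
    if (tramp_init(&s) || !tramp_assign(&s)) return 1;
    tramp_disable(&s);                       /* deferred: still mapped */
    return tramp_code_destroyed(&s) ? 0 : 1; /* last reference unmaps */
}
```

Calling `munmap` directly in `tramp_disable` instead of `tramp_unref` reproduces the shape of the bug: the mapping disappears while code objects still point into it.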
3ccc76f into python:main
Thanks @pablogsal for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
Sorry, @pablogsal, I could not cleanly backport this to
Sorry, @pablogsal, I could not cleanly backport this to
GH-143247 is a backport of this pull request to the 3.14 branch.
pythonGH-143233) (cherry picked from commit 3ccc76f) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
GH-143248 is a backport of this pull request to the 3.13 branch.
pythonGH-143233) (cherry picked from commit 3ccc76f) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>