UAF on fut->fut_callback0 with evil __eq__ in _asynciomodule.c #125966

Closed
picnixz opened this issue Oct 25, 2024 · 0 comments
Labels
3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes topic-asyncio type-crash A hard crash of the interpreter, possibly with a core dump

picnixz commented Oct 25, 2024

Crash report

Bug description:

This is an issue just to track the progress of fixing the UAF on fut->fut_callback0 (see #125833 (comment)).

The UAF that could be exploited by clearing fut._callbacks won't be triggered anymore since, after #125922, we will not mutate the internal list itself anymore, but it is still possible to mutate fut->fut_callback0 directly: #125833 (comment).

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Linked PRs

@picnixz picnixz added topic-asyncio type-crash A hard crash of the interpreter, possibly with a core dump labels Oct 25, 2024
@picnixz picnixz self-assigned this Oct 25, 2024
@github-project-automation github-project-automation bot moved this to Todo in asyncio Oct 25, 2024
@picnixz picnixz moved this from Todo to In Progress in asyncio Oct 25, 2024
@picnixz picnixz added 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes labels Oct 25, 2024
@picnixz picnixz changed the title UAF on fut->fut_callback0 in _asynciomodule.c UAF on fut->fut_callback0 and evil __eq__ in _asynciomodule.c Oct 25, 2024
@picnixz picnixz changed the title UAF on fut->fut_callback0 and evil __eq__ in _asynciomodule.c UAF on fut->fut_callback0 with evil __eq__ in _asynciomodule.c Oct 25, 2024
kumaraditya303 pushed a commit that referenced this issue Oct 27, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 27, 2024
… evil callback's `__eq__` in asyncio (pythonGH-125967)

(cherry picked from commit ed5059e)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 27, 2024
… evil callback's `__eq__` in asyncio (pythonGH-125967)

(cherry picked from commit ed5059e)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@github-project-automation github-project-automation bot moved this from In Progress to Done in asyncio Oct 27, 2024
kumaraditya303 pushed a commit that referenced this issue Oct 27, 2024
…n evil callback's `__eq__` in asyncio (GH-125967) (#126048)

gh-125966: fix use-after-free on `fut->fut_callback0` due to an evil callback's `__eq__` in asyncio (GH-125967)
(cherry picked from commit ed5059e)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
kumaraditya303 pushed a commit that referenced this issue Oct 27, 2024
…n evil callback's `__eq__` in asyncio (GH-125967) (#126047)

gh-125966: fix use-after-free on `fut->fut_callback0` due to an evil callback's `__eq__` in asyncio (GH-125967)
(cherry picked from commit ed5059e)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
picnixz added a commit to picnixz/cpython that referenced this issue Dec 8, 2024
ebonnal pushed a commit to ebonnal/cpython that referenced this issue Jan 12, 2025
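
An added illustration of the bug class tracked in this issue, not code from CPython or from the linked PRs: a toy reference-counting model in which an equality hook clears the slot holding the object being compared. All names (`Obj`, `Fut`, `evil_eq`, `remove_cb_borrowed`, `remove_cb_owned`) are hypothetical, and "release" only sets a flag so the program stays well defined. Holding a strong reference across the comparison is the usual mitigation for this pattern.

```c
#include <stdio.h>
#include <stddef.h>

typedef struct Obj Obj;
typedef struct Fut { Obj *callback0; } Fut;   /* toy stand-in for the slot */
struct Obj {
    int refcnt;
    int released;                  /* set instead of free(): no real UAF here */
    int (*eq)(Obj *self, Obj *other, Fut *fut);
};

static void obj_incref(Obj *o) { o->refcnt++; }
static void obj_decref(Obj *o) { if (--o->refcnt == 0) o->released = 1; }

/* Equality hook with a side effect: drops the future's reference to its slot. */
static int evil_eq(Obj *self, Obj *other, Fut *fut) {
    (void)self; (void)other;
    Obj *old = fut->callback0;
    fut->callback0 = NULL;
    if (old) obj_decref(old);
    return 0;
}

/* Unsafe pattern: compare through a borrowed pointer.
 * Returns 1 if the pointer was dangling once the hook returned. */
static int remove_cb_borrowed(Fut *fut, Obj *fn) {
    Obj *cb = fut->callback0;      /* borrowed: the slot is the only owner */
    fn->eq(fn, cb, fut);           /* arbitrary code runs here */
    return cb->released;           /* with a real free() this read is the UAF */
}

/* Hardened pattern: own a reference for the duration of the comparison. */
static int remove_cb_owned(Fut *fut, Obj *fn) {
    Obj *cb = fut->callback0;
    obj_incref(cb);                /* strong reference keeps cb alive */
    fn->eq(fn, cb, fut);
    int dangling = cb->released;
    obj_decref(cb);                /* last owner: released only now */
    return dangling;
}

/* Runs one variant on fresh objects; reports final release state too. */
static int demo(int hardened, int *released_at_end) {
    Obj stored = { 1, 0, NULL };   /* refcnt 1: owned by the future only */
    Obj fn = { 1, 0, evil_eq };
    Fut fut = { &stored };
    int d = hardened ? remove_cb_owned(&fut, &fn) : remove_cb_borrowed(&fut, &fn);
    *released_at_end = stored.released;
    return d;
}

int main(void) {
    int end;
    printf("borrowed: dangling=%d\n", demo(0, &end));
    printf("owned:    dangling=%d released_at_end=%d\n", demo(1, &end), end);
    return 0;
}
```
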