diff options
| author | Bénédikt Tran <10796600+picnixz@users.noreply.github.com> | 2024-10-27 17:10:10 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-10-27 17:10:10 (GMT) |
| commit | ed5059eeb1aa50b481957307db5a34b937497382 (patch) | |
| tree | ff2267640d6fab42f381aafa8ebbbe6a4af65134 /Lib/test/test_asyncio | |
| parent | 0922a4ae0d2803e3a4e9f3d2ccd217364cfd700e (diff) | |
| download | cpython-ed5059eeb1aa50b481957307db5a34b937497382.zip cpython-ed5059eeb1aa50b481957307db5a34b937497382.tar.gz cpython-ed5059eeb1aa50b481957307db5a34b937497382.tar.bz2 | |
gh-125966: fix use-after-free on `fut->fut_callback0` due to an evil callback's `__eq__` in asyncio (#125967)
Diffstat (limited to 'Lib/test/test_asyncio')
| -rw-r--r-- | Lib/test/test_asyncio/test_futures.py | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/Lib/test/test_asyncio/test_futures.py b/Lib/test/test_asyncio/test_futures.py index bac76b0..3a4291e 100644 --- a/Lib/test/test_asyncio/test_futures.py +++ b/Lib/test/test_asyncio/test_futures.py @@ -999,6 +999,24 @@ class BaseFutureDoneCallbackTests(): # returns an empty list but the C implementation returns None. self.assertIn(fut._callbacks, (None, [])) + def test_use_after_free_on_fut_callback_0_with_evil__eq__(self): + # Special thanks to Nico-Posada for the original PoC. + # See https://github.com/python/cpython/issues/125966. + + fut = self._new_future() + + class cb_pad: + def __eq__(self, other): + return True + + class evil(cb_pad): + def __eq__(self, other): + fut.remove_done_callback(None) + return NotImplemented + + fut.add_done_callback(cb_pad()) + fut.remove_done_callback(evil()) + def test_use_after_free_on_fut_callback_0_with_evil__getattribute__(self): # see: https://github.com/python/cpython/issues/125984 |