gh-126080: fix UAF on `task->task_context` in `task_call_step_soon` due to an evil `loop.__getattribute__` (#126120)

author: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> 2024-10-31 17:14:47 (GMT)
committer: GitHub <noreply@github.com> 2024-10-31 17:14:47 (GMT)
commit: 0e8665554b2f1334e530fd6de5b3a4e908405419 (patch)
tree: b4f5b98db38b880062c63f8cdfc836adf8ca16a9 /Modules
parent: 3275cb19530fb5c7115cf8313f1ada9621ed3a92 (diff)
download: cpython-0e8665554b2f1334e530fd6de5b3a4e908405419.zip
cpython-0e8665554b2f1334e530fd6de5b3a4e908405419.tar.gz
cpython-0e8665554b2f1334e530fd6de5b3a4e908405419.tar.bz2
1 files changed, 5 insertions, 1 deletions
diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c
index c2500fb..7483e9c 100644
--- a/Modules/_asynciomodule.c
+++ b/Modules/_asynciomodule.c
@@ -2738,7 +2738,11 @@ task_call_step_soon(asyncio_state *state, TaskObj *task, PyObject *arg)
         return -1;
     }
 
-    int ret = call_soon(state, task->task_loop, cb, NULL, task->task_context);
+    // Beware: An evil call_soon could alter task_context.
+    // See: https://github.com/python/cpython/issues/126080.
+    PyObject *task_context = Py_NewRef(task->task_context);
+    int ret = call_soon(state, task->task_loop, cb, NULL, task_context);
+    Py_DECREF(task_context);
     Py_DECREF(cb);
     return ret;
 }
author	Bénédikt Tran <10796600+picnixz@users.noreply.github.com>	2024-10-31 17:14:47 (GMT)
committer	GitHub <noreply@github.com>	2024-10-31 17:14:47 (GMT)
commit	0e8665554b2f1334e530fd6de5b3a4e908405419 (patch)
tree	b4f5b98db38b880062c63f8cdfc836adf8ca16a9 /Modules
parent	3275cb19530fb5c7115cf8313f1ada9621ed3a92 (diff)
download	cpython-0e8665554b2f1334e530fd6de5b3a4e908405419.zip cpython-0e8665554b2f1334e530fd6de5b3a4e908405419.tar.gz cpython-0e8665554b2f1334e530fd6de5b3a4e908405419.tar.bz2