
UAF on fut->fut_{callback,context}0 with evil __getattribute__ in _asynciomodule.c #125984

Closed
@picnixz


Crash report

What happened?

import asyncio

class EvilLoop:
    def call_soon(*args):
        # will crash before it actually gets here 
        print(args)

    def get_debug(self):
        return False

    def __getattribute__(self, name):
        global tracker
        if name == "call_soon":
            fut.remove_done_callback(tracker)
            del tracker
            print("returning call_soon method after clearing callback0")
        
        return object.__getattribute__(self, name)

class TrackDel:
    def __del__(self):
        print("deleted", self)

fut = asyncio.Future(loop=EvilLoop())

tracker = TrackDel()
fut.add_done_callback(tracker)
fut.set_result("kaboom")

Originally posted by @Nico-Posada in #125970 (comment)

Not sure I'll be able to work on it today, so anyone's free to take it on.


Traceback

deleted <__main__.TrackDel object at 0x7f4ab660a420>
returning call_soon method after clearing callback0
Python/context.c:534: _PyObject_GC_UNTRACK: Assertion "_PyObject_GC_IS_TRACKED(((PyObject*)(op)))" failed: object not tracked by the garbage collector
Enable tracemalloc to get the memory block allocation traceback

object address  : 0x7f4ab64ca4b0
object refcount : 0
object type     : 0x9bfc60
object type name: _contextvars.Context
object repr     : <refcnt 0 at 0x7f4ab64ca4b0>

Fatal Python error: _PyObject_AssertFailed: _PyObject_AssertFailed
Python runtime state: initialized
TypeError: EvilLoop.call_soon() got an unexpected keyword argument 'context'
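
Added example, not part of the original report and not CPython's code: a pure-Python model of the hazard the reproducer exercises, where looking up `call_soon` on the loop runs code that clears the future's first callback slot. `ModelFuture`, `ReentrantLoop`, `schedule_borrowed` and `schedule_owned` are hypothetical names; a weak reference stands in for a C pointer held without its own reference, and the result relies on CPython's immediate reference-count deallocation.

```python
import weakref

class Callback:
    """Stands in for the object held in the future's first callback slot."""

class ReentrantLoop:
    """Constructed loop: looking up call_soon re-enters the future."""
    fut = None

    def call_soon(self, cb, *args):
        return cb

    def __getattribute__(self, name):
        if name == "call_soon":
            # Same move as the reproducer: empty the slot during the lookup.
            object.__getattribute__(self, "fut").callback0 = None
        return object.__getattribute__(self, name)

class ModelFuture:
    def __init__(self, loop, cb):
        self.loop, self.callback0 = loop, cb
        loop.fut = self

    def schedule_borrowed(self):
        # Assumed model of the unsafe order: keep only a non-owning handle
        # to the slot's object, then run the lookup that can clear the slot.
        borrowed = weakref.ref(self.callback0)
        self.loop.call_soon                     # user code runs here
        return borrowed() is not None           # False: handle is now dead

    def schedule_owned(self):
        # Hardened order: move the slot into an owned local and clear it
        # before anything that can execute user code.
        cb, self.callback0 = self.callback0, None
        call_soon = self.loop.call_soon
        return call_soon(cb, self) is cb        # object survived the lookup

def demo():
    """Return (borrowed handle still valid, owned reference still valid)."""
    unsafe = ModelFuture(ReentrantLoop(), Callback()).schedule_borrowed()
    safe = ModelFuture(ReentrantLoop(), Callback()).schedule_owned()
    return unsafe, safe

if __name__ == "__main__":
    print(demo())
```

In C the dead handle corresponds to a pointer to freed memory, which is why the same ordering ends in an interpreter abort rather than a `None`.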

Labels: 3.12 (only security fixes), 3.13 (bugs and security fixes), 3.14 (bugs and security fixes), topic-asyncio, type-crash (A hard crash of the interpreter, possibly with a core dump)