Skip to content

UAF on fut->fut_{callback,context}0 with evil __getattribute__ in _asynciomodule.c #125984

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
picnixz opened this issue Oct 25, 2024 · 5 comments
Closed

UAF on fut->fut_{callback,context}0 with evil __getattribute__ in _asynciomodule.c #125984

picnixz opened this issue Oct 25, 2024 · 5 comments
Assignees
@picnixz
Labels
3.12 only security fixes 3.13 bugs and security fixes 3.14 bugs and security fixes topic-asyncio type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@picnixz
Copy link
Member

picnixz commented Oct 25, 2024
edited by bedevere-app bot
Loading

Crash report

What happened?

import asyncio

class EvilLoop:
    def call_soon(*args):
        # will crash before it actually gets here 
        print(args)

    def get_debug(self):
        return False

    def __getattribute__(self, name):
        global tracker
        if name == "call_soon":
            fut.remove_done_callback(tracker)
            del tracker
            print("returning call_soon method after clearing callback0")
        
        return object.__getattribute__(self, name)

class TrackDel:
    def __del__(self):
        print("deleted", self)

fut = asyncio.Future(loop=EvilLoop())

tracker = TrackDel()
fut.add_done_callback(tracker)
fut.set_result("kaboom")

Originally posted by @Nico-Posada in #125970 (comment)

Not sure I'll be able to work on it today, so anyone's free to take on it.

Traceback

deleted <__main__.TrackDel object at 0x7f4ab660a420>
returning call_soon method after clearing callback0
Python/context.c:534: _PyObject_GC_UNTRACK: Assertion "_PyObject_GC_IS_TRACKED(((PyObject*)(op)))" failed: object not tracked by the garbage collector
Enable tracemalloc to get the memory block allocation traceback

object address  : 0x7f4ab64ca4b0
object refcount : 0
object type     : 0x9bfc60
object type name: _contextvars.Context
object repr     : <refcnt 0 at 0x7f4ab64ca4b0>

Fatal Python error: _PyObject_AssertFailed: _PyObject_AssertFailed
Python runtime state: initialized
TypeError: EvilLoop.call_soon() got an unexpected keyword argument 'context'

Linked PRs
@picnixz picnixz added topic-asyncio type-crash A hard crash of the interpreter, possibly with a core dump labels Oct 25, 2024
@github-project-automation github-project-automation bot moved this to Todo in asyncio Oct 25, 2024
@picnixz picnixz mentioned this issue Oct 25, 2024
Merged
@picnixz picnixz added 3.12 only security fixes 3.13 bugs and security fixes 3.14 bugs and security fixes labels Oct 25, 2024
@picnixz picnixz changed the title UAF on fut->fut_callback0 and an evil call_soon in _asynciomodule.c UAF on fut->fut_callback0 with evil call_soon in _asynciomodule.c Oct 25, 2024
@Nico-Posada
Copy link
Contributor

should be an easy fix, just incref fut->fut_callback0 before usage here

cpython/Modules/_asynciomodule.c

Lines 412 to 418 in 417c130

if (fut->fut_callback0 != NULL) {
/* There's a 1st callback */
int ret = call_soon(state,
fut->fut_loop, fut->fut_callback0,
(PyObject *)fut, fut->fut_context0);

@picnixz
Copy link
Member Author

picnixz commented Oct 25, 2024
edited
Loading

should be an easy fix, just incref fut->fut_callback0 before usage here

Ah so there was an issue here as well! I wondered how to trigger it but I haven't considered the __getattribute__. If you want, you can write a PR for this one (I mean, you deserve lots of credits for finding those UAFs :')). [I'm going offline for today, at least I won't have access to my dev environment, that's why I said "not today"]

@Nico-Posada
Copy link
Contributor

Might have to split this off into a broader issue (or just rename this one). Just figured out you can also corrupt fut_context0 (and possibly fut_loop if you can somehow get its refcount down to 0 before it calls call_soon).

Here's a PoC with a UAF on fut_callback0 and fut_context0

import asyncio

class EvilLoop:
    def call_soon(*args, **kwargs):
        # might crash before this point
        print(args, kwargs)

    def get_debug(self):
        return False

    def __getattribute__(self, name):
        if name == "call_soon":
            x = lambda: ...
            x.get_debug = lambda: False
            fut.__init__(loop=x) # resets basically everything
            print("returning get_soon fn after calling __init__")
        
        return object.__getattribute__(self, name)

    def __del__(self):
        print("deleted", self)

class TrackDel:
    def __init__(self, name):
        self.name = name

    def __del__(self):
        print("deleted", self.name, self)

fut = asyncio.Future(loop=EvilLoop())

cb = TrackDel("cb obj")
ctx = TrackDel("ctx obj")
fut.add_done_callback(cb, context=ctx)
del cb, ctx

fut.set_result("kaboom")

Output

deleted cb obj <__main__.TrackDel object at 0x7f6979371a90>
deleted ctx obj <__main__.TrackDel object at 0x7f6979380e10>
returning get_soon fn after calling __init__
(<__main__.EvilLoop object at 0x7f6979371940>, <__main__.TrackDel object at 0x7f6979371a90>, <Future pending>) {'context': <__main__.TrackDel object at 0x7f6979380e10>}
Segmentation fault

You can see cb and ctx both got deleted but then get given to us as args we can access in call_soon. Once again, the fix should just be to incref both fut_callback0 and fut_context0 before the call_soon call.

@picnixz picnixz changed the title UAF on fut->fut_callback0 with evil call_soon in _asynciomodule.c UAF on fut->fut_{callback,context}0 with evil call_soon in _asynciomodule.c Oct 25, 2024
@picnixz picnixz self-assigned this Oct 26, 2024
@picnixz picnixz changed the title UAF on fut->fut_{callback,context}0 with evil call_soon in _asynciomodule.c UAF on fut->fut_{callback,context}0 with evil __getattribute__ in _asynciomodule.c Oct 26, 2024
@bedevere-app bedevere-app bot mentioned this issue Oct 26, 2024
Merged
@picnixz
Copy link
Member Author

picnixz commented Oct 26, 2024

I've opened a PR just for the callback/context and evil __getattribute__ but I haven't tried to make the refcount of the loop itself go to zero. If there is an UAF on the loop itself, let's open another issue (easier to review and this wouldn't hold us).

@picnixz picnixz moved this from Todo to In Progress in asyncio Oct 26, 2024
kumaraditya303 pushed a commit that referenced this issue Oct 27, 2024
@picnixz
gh-125984: fix use-after-free on fut->fut_{callback,context}0 due t…
f819d43 
…o an evil `loop.__getattribute__` (#126003)
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 27, 2024
@picnixz @miss-islington
pythongh-125984: fix use-after-free on fut->fut_{callback,context}0
6870430 
… due to an evil `loop.__getattribute__` (pythonGH-126003)

(cherry picked from commit f819d43)

Co-authored-by: Bénédikt Tran <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 27, 2024
@picnixz @miss-islington
pythongh-125984: fix use-after-free on fut->fut_{callback,context}0
acad5a1 
… due to an evil `loop.__getattribute__` (pythonGH-126003)

(cherry picked from commit f819d43)

Co-authored-by: Bénédikt Tran <[email protected]>
This was referenced Oct 27, 2024
Merged
Merged
kumaraditya303 pushed a commit that referenced this issue Oct 27, 2024
@miss-islington @picnixz
[3.12] gh-125984: fix use-after-free on `fut->fut_{callback,context}0…
fdedb26 
…` due to an evil `loop.__getattribute__` (GH-126003) (#126044)

gh-125984: fix use-after-free on `fut->fut_{callback,context}0` due to an evil `loop.__getattribute__` (GH-126003)
(cherry picked from commit f819d43)

Co-authored-by: Bénédikt Tran <[email protected]>
kumaraditya303 pushed a commit that referenced this issue Oct 27, 2024
@miss-islington @picnixz
[3.13] gh-125984: fix use-after-free on `fut->fut_{callback,context}0…
25421c7 
…` due to an evil `loop.__getattribute__` (GH-126003) (#126043)

gh-125984: fix use-after-free on `fut->fut_{callback,context}0` due to an evil `loop.__getattribute__` (GH-126003)
(cherry picked from commit f819d43)

Co-authored-by: Bénédikt Tran <[email protected]>
@picnixz
Copy link
Member Author

picnixz commented Oct 27, 2024

Closing since completed and backported.

@picnixz picnixz closed this as completed Oct 27, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in asyncio Oct 27, 2024
@Nico-Posada Nico-Posada mentioned this issue Oct 28, 2024
Closed
picnixz added a commit to picnixz/cpython that referenced this issue Dec 8, 2024
@picnixz
pythongh-125984: fix use-after-free on fut->fut_{callback,context}0
bad4fd3 
… due to an evil `loop.__getattribute__` (python#126003)
ebonnal pushed a commit to ebonnal/cpython that referenced this issue Jan 12, 2025
@picnixz @ebonnal
pythongh-125984: fix use-after-free on fut->fut_{callback,context}0
88c8023 
… due to an evil `loop.__getattribute__` (python#126003)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@picnixz picnixz

Labels
3.12 only security fixes 3.13 bugs and security fixes 3.14 bugs and security fixes topic-asyncio type-crash A hard crash of the interpreter, possibly with a core dump
Projects
asyncio
Status: Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@picnixz @Nico-Posada