gh-125984: fix UAF on fut->fut_{callback,context}0 due to an evil loop.__getattribute__ #126003

Merged

Conversation

picnixz
Member

@picnixz picnixz commented Oct 26, 2024

Minimal PoCs:

import asyncio

class EvilLoop:
    def call_soon(self, *args, **kwargs):
        print(1)  # crashes just after printing

    def get_debug(self):
        return False

    def __getattribute__(self, name):
        global tracker
        if name == "call_soon":
            # Runs during the attribute lookup inside Future.set_result, while the
            # C code still holds only a borrowed pointer to fut_callback0: dropping
            # the last reference to the callback here frees it before it is used.
            fut.remove_done_callback(tracker)
            del tracker
        return object.__getattribute__(self, name)

fut = asyncio.Future(loop=EvilLoop())
tracker = lambda: ...
fut.add_done_callback(tracker)
fut.set_result("boom")

and

import asyncio

class EvilLoop:
    def call_soon(self, *args, **kwargs):
        raise Exception("unreachable")

    def get_debug(self):
        return False

    def __getattribute__(self, name):
        if name == "call_soon":
            # Re-initialising the future with a different loop replaces its
            # callback/context slots (fut_callback0 / fut_context0) while the
            # C code still holds borrowed pointers to the old objects.
            x = lambda: ...
            x.get_debug = lambda: False
            fut.__init__(loop=x)
        return object.__getattribute__(self, name)

fut = asyncio.Future(loop=EvilLoop())
cb, ctx = lambda: ..., lambda: ...
fut.add_done_callback(cb, context=ctx)
del cb, ctx
fut.set_result("kaboom")

Note that depending on how the PoC is written, the crash may happen at interpreter shutdown instead. The above PoCs are a bit different from the original ones and from the ones in the tests though, but I've confirmed that without the ownership transfer, all PoCs crash.

cc @Nico-Posada
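The ordering problem behind both PoCs, modelled in pure Python as an added illustration (this is not the PR's code or CPython's): `MiniFuture`, `EvilLoop` and `run` are constructed names, and a `weakref` stands in for the borrowed C pointer that the fix replaces with an owned reference taken before `loop.call_soon` is looked up.

```python
import weakref

class MiniFuture:
    """Constructed stand-in for the C future's fut_callback0 slot (ownership only)."""
    def __init__(self, loop, transfer_ownership):
        self._loop = loop
        self._callback0 = None
        self._transfer_ownership = transfer_ownership
    def add_done_callback(self, cb):
        self._callback0 = cb
    def remove_done_callback(self, cb):
        if self._callback0 is cb:
            self._callback0 = None  # drops the slot's only strong reference

    def set_result(self, value):
        """Return what was handed to call_soon; None means it was already freed."""
        if self._transfer_ownership:
            # Fixed ordering: move the reference out of the slot *before* the
            # attribute lookup on the untrusted loop can run reentrant code.
            cb, self._callback0 = self._callback0, None
            self._loop.call_soon(cb)
            return cb
        # Vulnerable ordering: only a borrowed view of the slot is held while
        # loop.call_soon is looked up; the weakref plays the borrowed C pointer.
        borrowed = weakref.ref(self._callback0)
        call_soon = self._loop.call_soon  # EvilLoop.__getattribute__ runs here
        cb = borrowed()  # None once CPython's refcount has hit zero
        call_soon(cb)
        return cb

class EvilLoop:
    """Loop whose __getattribute__ removes the callback, as in the first PoC."""
    def __init__(self):
        self.fut, self.tracker = None, None
    def call_soon(self, cb):
        pass
    def __getattribute__(self, name):
        if name == "call_soon":
            fut = object.__getattribute__(self, "fut")
            fut.remove_done_callback(object.__getattribute__(self, "tracker"))
            object.__setattr__(self, "tracker", None)  # last reference goes away
        return object.__getattribute__(self, name)

def run(transfer_ownership):
    loop = EvilLoop()
    loop.fut = MiniFuture(loop, transfer_ownership)
    loop.tracker = lambda: None
    loop.fut.add_done_callback(loop.tracker)
    return loop.fut.set_result("boom")
```

`run(False)` returns `None` (the borrowed reference went stale, which in C is the use-after-free), while `run(True)` still returns the live callback because the local owned reference keeps it alive across the reentrant call.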

UAFs (on `fut->fut_callback0` and on `fut->fut_context0`)
can be triggered if the future's event loop implements an
evil `__getattribute__`.
@picnixz picnixz added needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Oct 26, 2024
@picnixz picnixz changed the title gh-125984: fix UAF on fut->fut_{callback,context}0 due an evil loop.__getattribute__ gh-125984: fix UAF on fut->fut_{callback,context}0 due to an evil loop.__getattribute__ Oct 26, 2024
@kumaraditya303 kumaraditya303 merged commit f819d43 into python:main Oct 27, 2024
41 checks passed
@miss-islington-app

Thanks @picnixz for the PR, and @kumaraditya303 for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12, 3.13.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 27, 2024
… due to an evil `loop.__getattribute__` (pythonGH-126003)

(cherry picked from commit f819d43)

Co-authored-by: Bénédikt Tran <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 27, 2024
… due to an evil `loop.__getattribute__` (pythonGH-126003)

(cherry picked from commit f819d43)

Co-authored-by: Bénédikt Tran <[email protected]>
@bedevere-app

bedevere-app bot commented Oct 27, 2024

GH-126043 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Oct 27, 2024
@bedevere-app

bedevere-app bot commented Oct 27, 2024

GH-126044 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Oct 27, 2024
@picnixz picnixz deleted the fix/future-uaf-head-callback-125984 branch October 27, 2024 15:05
kumaraditya303 pushed a commit that referenced this pull request Oct 27, 2024
…` due to an evil `loop.__getattribute__` (GH-126003) (#126044)

gh-125984: fix use-after-free on `fut->fut_{callback,context}0` due to an evil `loop.__getattribute__` (GH-126003)
(cherry picked from commit f819d43)

Co-authored-by: Bénédikt Tran <[email protected]>
kumaraditya303 pushed a commit that referenced this pull request Oct 27, 2024
…` due to an evil `loop.__getattribute__` (GH-126003) (#126043)

gh-125984: fix use-after-free on `fut->fut_{callback,context}0` due to an evil `loop.__getattribute__` (GH-126003)
(cherry picked from commit f819d43)

Co-authored-by: Bénédikt Tran <[email protected]>
picnixz added a commit to picnixz/cpython that referenced this pull request Dec 8, 2024
ebonnal pushed a commit to ebonnal/cpython that referenced this pull request Jan 12, 2025