Open Nico-Posada opened 2 days ago
Sidenote: This happens in 2 spots so both need to be fixed
First Usage: https://github.com/python/cpython/blob/9effa0ff06047f3d957bf37267742a98106581ff/Modules/_asynciomodule.c#L2964-L2967
Second Usage (the one I linked in my report): https://github.com/python/cpython/blob/9effa0ff06047f3d957bf37267742a98106581ff/Modules/_asynciomodule.c#L3057-L3060
As always, thank you! I really like how you incorporate the bits I put in the test for your previous issue. I am not on my dev environment now (and won't be before at least 12 hours) so if you want to patch this one as well, you can create the PR! (I can review it though).
Crash report
What happened?
This is the bug I mentioned I was looking into in https://github.com/python/cpython/issues/126080#issuecomment-2441969209, but it's the same as all the ones that came before this.
https://github.com/python/cpython/blob/9effa0ff06047f3d957bf37267742a98106581ff/Modules/_asynciomodule.c#L3057-L3060
task->task_cancel_msg is missing an incref before usage so we can use a malicious __getattribute__ function in our class to free it before it gets sent to our cancel function.
PoC
Output
CPython versions tested on:
3.13
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.13.0 (tags/v3.13.0:60403a5409f, Oct 10 2024, 09:24:12) [GCC 13.2.0]
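The bug class described in this report (a borrowed pointer passed across a call that can run user code) next to the strong-reference fix, as an added example that is not CPython's code and not from the issue author. It is a toy refcount model: `Obj`, `Task`, `lookup_hook` and the other names are hypothetical, and freeing is simulated with an `alive` flag so nothing invalid is ever dereferenced.

```c
#include <stdio.h>

/* Toy model, all names hypothetical. "alive" is cleared instead of calling
   free(), so a stale use can be reported without undefined behaviour. */
typedef struct { int refcnt; int alive; } Obj;
static void obj_incref(Obj *o) { o->refcnt++; }
static void obj_decref(Obj *o) { if (--o->refcnt == 0) o->alive = 0; }

/* Stand-in for the task: it owns one reference to its cancel message. */
typedef struct { Obj *cancel_msg; } Task;

/* Stand-in for user code that runs during method lookup (the role
   __getattribute__ plays in the report): the task drops its message. */
static void lookup_hook(Task *t) {
    if (t->cancel_msg) { obj_decref(t->cancel_msg); t->cancel_msg = NULL; }
}

/* Callee that receives the message; returns 1 if it is still valid. */
static int cancel(Obj *msg) { return msg->alive; }

/* Reported pattern: the field is read as a borrowed pointer, then
   user-controlled code runs before the callee sees it. */
static int call_cancel_borrowed(Task *t) {
    Obj *msg = t->cancel_msg;   /* borrowed: no incref */
    lookup_hook(t);             /* may release the last reference */
    return cancel(msg);         /* msg may already be dead */
}

/* Hardened: hold a strong reference for the duration of the call. */
static int call_cancel_owned(Task *t) {
    Obj *msg = t->cancel_msg;
    obj_incref(msg);            /* keep msg alive across the hook */
    lookup_hook(t);
    int ok = cancel(msg);
    obj_decref(msg);            /* release the temporary reference */
    return ok;
}

/* Build a fresh task with a single-owner message and run one variant. */
static int run(int (*variant)(Task *)) {
    Obj msg = { 1, 1 };
    Task t = { &msg };
    return variant(&t);
}

int main(void) {
    printf("borrowed: msg valid = %d\n", run(call_cancel_borrowed));
    printf("owned:    msg valid = %d\n", run(call_cancel_owned));
    return 0;
}
```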