UAF on `fut->fut_{callback,context}0` with evil `__getattribute__` in `_asynciomodule.c`

[picnixz]

Crash report

What happened?

import asyncio

class EvilLoop:
 def call_soon(*args):
 # will crash before it actually gets here 
 print(args)

 def get_debug(self):
 return False

 def __getattribute__(self, name):
 global tracker
 if name == "call_soon":
 fut.remove_done_callback(tracker)
 del tracker
 print("returning call_soon method after clearing callback0")
 
 return object.__getattribute__(self, name)

class TrackDel:
 def __del__(self):
 print("deleted", self)

fut = asyncio.Future(loop=EvilLoop())

tracker = TrackDel()
fut.add_done_callback(tracker)
fut.set_result("kaboom")

Originally posted by @Nico-Posada in #125970 (comment)

Not sure I'll be able to work on it today, so anyone's free to take on it.

---

Traceback

deleted <__main__.TrackDel object at 0x7f4ab660a420>
returning call_soon method after clearing callback0
Python/context.c:534: _PyObject_GC_UNTRACK: Assertion "_PyObject_GC_IS_TRACKED(((PyObject*)(op)))" failed: object not tracked by the garbage collector
Enable tracemalloc to get the memory block allocation traceback

object address : 0x7f4ab64ca4b0
object refcount : 0
object type : 0x9bfc60
object type name: _contextvars.Context
object repr : <refcnt 0 at 0x7f4ab64ca4b0>

Fatal Python error: _PyObject_AssertFailed: _PyObject_AssertFailed
Python runtime state: initialized
TypeError: EvilLoop.call_soon() got an unexpected keyword argument 'context'

Linked PRs

• gh-125984: fix UAF on fut->fut_{callback,context}0 due to an evil loop.__getattribute__ #126003
• [3.13] gh-125984: fix use-after-free on fut->fut_{callback,context}0 due to an evil loop.__getattribute__ (GH-126003) #126043
• [3.12] gh-125984: fix use-after-free on fut->fut_{callback,context}0 due to an evil loop.__getattribute__ (GH-126003) #126044

[Nico-Posada]

should be an easy fix, just incref fut->fut_callback0 before usage here

cpython/Modules/_asynciomodule.c

Lines 412 to 418 in 417c130

	if (fut->fut_callback0 != NULL){
	/* There's a 1st callback */
	int ret = call_soon(state,
	fut->fut_loop, fut->fut_callback0,
	(PyObject *)fut, fut->fut_context0);

[picnixz]

should be an easy fix, just incref fut->fut_callback0 before usage here

Ah so there was an issue here as well! I wondered how to trigger it but I haven't considered the __getattribute__. If you want, you can write a PR for this one (I mean, you deserve lots of credits for finding those UAFs :')). [I'm going offline for today, at least I won't have access to my dev environment, that's why I said "not today"]

[Nico-Posada]

Might have to split this off into a broader issue (or just rename this one). Just figured out you can also corrupt fut_context0 (and possibly fut_loop if you can somehow get its refcount down to 0 before it calls call_soon).

Here's a PoC with a UAF on fut_callback0 and fut_context0

import asyncio

class EvilLoop:
 def call_soon(*args, **kwargs):
 # might crash before this point
 print(args, kwargs)

 def get_debug(self):
 return False

 def __getattribute__(self, name):
 if name == "call_soon":
 x = lambda: ...
 x.get_debug = lambda: False
 fut.__init__(loop=x) # resets basically everything
 print("returning get_soon fn after calling __init__")
 
 return object.__getattribute__(self, name)

 def __del__(self):
 print("deleted", self)

class TrackDel:
 def __init__(self, name):
 self.name = name

 def __del__(self):
 print("deleted", self.name, self)

fut = asyncio.Future(loop=EvilLoop())

cb = TrackDel("cb obj")
ctx = TrackDel("ctx obj")
fut.add_done_callback(cb, context=ctx)
del cb, ctx

fut.set_result("kaboom")

Output

deleted cb obj <__main__.TrackDel object at 0x7f6979371a90>
deleted ctx obj <__main__.TrackDel object at 0x7f6979380e10>
returning get_soon fn after calling __init__
(<__main__.EvilLoop object at 0x7f6979371940>, <__main__.TrackDel object at 0x7f6979371a90>, <Future pending>){'context': <__main__.TrackDel object at 0x7f6979380e10>}
Segmentation fault

You can see cb and ctx both got deleted but then get given to us as args we can access in call_soon. Once again, the fix should just be to incref both fut_callback0 and fut_context0 before the call_soon call.