Use-after-free in `zoneinfo.get_weak_cache` via weak DECREF assumption

[jackfromeast]

What happened?

get_weak_cache() assumes that _weak_cache is always owned by the object and safe to DECREF. When _weak_cache is a descriptor returning a new object, this assumption breaks, causing the cache object to be freed too early and leading to a use-after-free in zoneinfo_ZoneInfo_impl().

Proof of Concept:

from zoneinfo import ZoneInfo

class Cache:
 def get(self, *args, **kwargs):
 return None
 def setdefault(self, *args, **kwargs):
 return None
 def clear(self, *args, **kwargs):
 pass

class BombDescriptor:
 def __get__(self, obj, owner):
 return Cache()

class EvilZoneInfo(ZoneInfo):
 pass

EvilZoneInfo._weak_cache = BombDescriptor()

EvilZoneInfo("UTC")

Related Code Snippet

static PyObject *
zoneinfo_ZoneInfo_impl(PyTypeObject *type, PyObject *key)
/*[clinic end generated code: output=95e61dab86bb95c3 input=ef73d7a83bf8790e]*/
{
 zoneinfo_state *state = zoneinfo_get_state_by_self(type);
 PyObject *instance = zone_from_strong_cache(state, type, key); // Trigged __eq__ method
 if (instance != NULL || PyErr_Occurred()){
 return instance;
 }

 PyObject *weak_cache = get_weak_cache(state, type);
 instance = PyObject_CallMethod(weak_cache, "get", "O", key, Py_None);
 if (instance == NULL){
 return NULL;
 }

 if (instance == Py_None){
 Py_DECREF(instance);
 PyObject *tmp = zoneinfo_new_instance(state, type, key);
 if (tmp == NULL){
 return NULL;
 }

 instance =
 PyObject_CallMethod(weak_cache, "setdefault", "OO", key, tmp);
 Py_DECREF(tmp);
 if (instance == NULL){
 return NULL;
 }
 ((PyZoneInfo_ZoneInfo *)instance)->source = SOURCE_CACHE;
 }

 update_strong_cache(state, type, key, instance);
 return instance;
}

static PyObject *
get_weak_cache(zoneinfo_state *state, PyTypeObject *type)
{
 if (type == state->ZoneInfoType){
 return state->ZONEINFO_WEAK_CACHE;
 }
 else{
 PyObject *cache =
 PyObject_GetAttrString((PyObject *)type, "_weak_cache");
 
 // BUG: The following DECREF free the newly assign cache and leads to UAF
 // We are assuming that the type lives at least as long as the function
 // that calls get_weak_cache, and that it holds a reference to the
 // cache, so we'll return a "borrowed reference".
 Py_XDECREF(cache);
 return cache;
 }
}

Affected Versions:

Python Version	Status	Exit Code
Python 3.9.24+ (heads/3.9:9c4638d, Oct 17 2025, 11:19:30)	ASAN	1
Python 3.10.19+ (heads/3.10:0142619, Oct 17 2025, 11:20:05) [GCC 13.3.0]	ASAN	1
Python 3.11.14+ (heads/3.11:88f3f5b, Oct 17 2025, 11:20:44) [GCC 13.3.0]	ASAN	1
Python 3.12.12+ (heads/3.12:8cb2092, Oct 17 2025, 11:21:35) [GCC 13.3.0]	ASAN	1
Python 3.13.9+ (heads/3.13:0760a57, Oct 17 2025, 11:22:25) [GCC 13.3.0]	ASAN	1
Python 3.14.0+ (heads/3.14:889e918, Oct 17 2025, 11:23:02) [GCC 13.3.0]	ASAN	1
Python 3.15.0a1+ (heads/main:fbf0843, Oct 17 2025, 11:23:37) [GCC 13.3.0]	ASAN	1

Sanitizer Report

=================================================================
==1448338==ERROR: AddressSanitizer: heap-use-after-free on address 0x513000037278 at pc 0x59e6317834ef bp 0x7ffc3a4859b0 sp 0x7ffc3a4859a0
READ of size 8 at 0x513000037278 thread T0
 #0 0x59e6317834ee in _Py_TYPE Include/object.h:277
 #1 0x59e6317834ee in PyObject_GetAttrString Objects/object.c:1178
 #2 0x59e6316c3b2a in PyObject_CallMethod Objects/call.c:638
 #3 0x7674c13914f2 in zoneinfo_ZoneInfo_impl Modules/_zoneinfo.c:329
 #4 0x7674c1391710 in zoneinfo_ZoneInfo Modules/clinic/_zoneinfo.c.h:64
 #5 0x59e6317e9346 in type_call Objects/typeobject.c:2448
 #6 0x59e6316c2c71 in _PyObject_MakeTpCall Objects/call.c:242
 #7 0x59e6316c2f19 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:167
 #8 0x59e6316c2f72 in PyObject_Vectorcall Objects/call.c:327
 #9 0x59e631941056 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:1620
 #10 0x59e631984e54 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:121
 #11 0x59e631985148 in _PyEval_Vector Python/ceval.c:2001
 #12 0x59e6319853f8 in PyEval_EvalCode Python/ceval.c:884
 #13 0x59e631a7c507 in run_eval_code_obj Python/pythonrun.c:1365
 #14 0x59e631a7c723 in run_mod Python/pythonrun.c:1459
 #15 0x59e631a7d57a in pyrun_file Python/pythonrun.c:1293
 #16 0x59e631a80220 in _PyRun_SimpleFileObject Python/pythonrun.c:521
 #17 0x59e631a804f6 in _PyRun_AnyFileObject Python/pythonrun.c:81
 #18 0x59e631ad174d in pymain_run_file_obj Modules/main.c:410
 #19 0x59e631ad19b4 in pymain_run_file Modules/main.c:429
 #20 0x59e631ad31b2 in pymain_run_python Modules/main.c:691
 #21 0x59e631ad3842 in Py_RunMain Modules/main.c:772
 #22 0x59e631ad3a2e in pymain_main Modules/main.c:802
 #23 0x59e631ad3db3 in Py_BytesMain Modules/main.c:826
 #24 0x59e631557645 in main Programs/python.c:15
 #25 0x7674c202a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 #26 0x7674c202a28a in __libc_start_main_impl ../csu/libc-start.c:360
 #27 0x59e631557574 in _start (/home/jackfromeast/Desktop/entropy/tasks/grammar-afl++-latest/targets/cpython/python+0x2dd574) (BuildId: ff3dc40ea460bd4beb2c3a72283cca525b319bf0)

0x513000037278 is located 56 bytes inside of 352-byte region [0x513000037240,0x5130000373a0)
freed by thread T0 here:
 #0 0x7674c24fc4d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
 #1 0x59e63178996d in _PyMem_RawFree Objects/obmalloc.c:91
 #2 0x59e63178bcd9 in _PyMem_DebugRawFree Objects/obmalloc.c:2955
 #3 0x59e63178bd1a in _PyMem_DebugFree Objects/obmalloc.c:3100
 #4 0x59e6317b406c in PyObject_Free Objects/obmalloc.c:1522
 #5 0x59e6319f2cf7 in PyObject_GC_Del Python/gc.c:2435
 #6 0x59e6317ce1cb in object_dealloc Objects/typeobject.c:7177
 #7 0x59e6317ec663 in subtype_dealloc Objects/typeobject.c:2852
 #8 0x59e631780481 in _Py_Dealloc Objects/object.c:3200
 #9 0x7674c138967b in Py_DECREF Include/refcount.h:401
 #10 0x7674c138969a in Py_XDECREF Include/refcount.h:511
 #11 0x7674c138b07b in get_weak_cache Modules/_zoneinfo.c:303
 #12 0x7674c13914ca in zoneinfo_ZoneInfo_impl Modules/_zoneinfo.c:328
 #13 0x7674c1391710 in zoneinfo_ZoneInfo Modules/clinic/_zoneinfo.c.h:64
 #14 0x59e6317e9346 in type_call Objects/typeobject.c:2448
 #15 0x59e6316c2c71 in _PyObject_MakeTpCall Objects/call.c:242
 #16 0x59e6316c2f19 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:167
 #17 0x59e6316c2f72 in PyObject_Vectorcall Objects/call.c:327
 #18 0x59e631941056 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:1620
 #19 0x59e631984e54 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:121
 #20 0x59e631985148 in _PyEval_Vector Python/ceval.c:2001
 #21 0x59e6319853f8 in PyEval_EvalCode Python/ceval.c:884
 #22 0x59e631a7c507 in run_eval_code_obj Python/pythonrun.c:1365
 #23 0x59e631a7c723 in run_mod Python/pythonrun.c:1459
 #24 0x59e631a7d57a in pyrun_file Python/pythonrun.c:1293
 #25 0x59e631a80220 in _PyRun_SimpleFileObject Python/pythonrun.c:521
 #26 0x59e631a804f6 in _PyRun_AnyFileObject Python/pythonrun.c:81
 #27 0x59e631ad174d in pymain_run_file_obj Modules/main.c:410
 #28 0x59e631ad19b4 in pymain_run_file Modules/main.c:429
 #29 0x59e631ad31b2 in pymain_run_python Modules/main.c:691

previously allocated by thread T0 here:
 #0 0x7674c24fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
 #1 0x59e63178a284 in _PyMem_RawMalloc Objects/obmalloc.c:63
 #2 0x59e631789655 in _PyMem_DebugRawAlloc Objects/obmalloc.c:2887
 #3 0x59e6317896bd in _PyMem_DebugRawMalloc Objects/obmalloc.c:2920
 #4 0x59e63178af3b in _PyMem_DebugMalloc Objects/obmalloc.c:3085
 #5 0x59e6317b3f28 in PyObject_Malloc Objects/obmalloc.c:1493
 #6 0x59e6317e603b in _PyObject_MallocWithType Include/internal/pycore_object_alloc.h:46
 #7 0x59e6317e603b in _PyType_AllocNoTrack Objects/typeobject.c:2504
 #8 0x59e6317e61c7 in PyType_GenericAlloc Objects/typeobject.c:2535
 #9 0x59e6317de10e in object_new Objects/typeobject.c:7167
 #10 0x59e6317e9346 in type_call Objects/typeobject.c:2448
 #11 0x59e6316c2c71 in _PyObject_MakeTpCall Objects/call.c:242
 #12 0x59e6316c2f19 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:167
 #13 0x59e6316c2f72 in PyObject_Vectorcall Objects/call.c:327
 #14 0x59e631941056 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:1620
 #15 0x59e631984e54 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:121
 #16 0x59e631985148 in _PyEval_Vector Python/ceval.c:2001
 #17 0x59e6316c29b8 in _PyFunction_Vectorcall Objects/call.c:413
 #18 0x59e6316c2e7f in _PyObject_VectorcallTstate Include/internal/pycore_call.h:169
 #19 0x59e6316c2f72 in PyObject_Vectorcall Objects/call.c:327
 #20 0x59e6317fbf01 in slot_tp_descr_get Objects/typeobject.c:10799
 #21 0x59e6317fdb53 in _Py_type_getattro_impl Objects/typeobject.c:6377
 #22 0x59e6317fdd37 in _Py_type_getattro Objects/typeobject.c:6419
 #23 0x59e6317831cc in PyObject_GetAttr Objects/object.c:1313
 #24 0x59e63178350e in PyObject_GetAttrString Objects/object.c:1183
 #25 0x7674c138b070 in get_weak_cache Modules/_zoneinfo.c:299
 #26 0x7674c13914ca in zoneinfo_ZoneInfo_impl Modules/_zoneinfo.c:328
 #27 0x7674c1391710 in zoneinfo_ZoneInfo Modules/clinic/_zoneinfo.c.h:64
 #28 0x59e6317e9346 in type_call Objects/typeobject.c:2448
 #29 0x59e6316c2c71 in _PyObject_MakeTpCall Objects/call.c:242
 #30 0x59e6316c2f19 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:167

SUMMARY: AddressSanitizer: heap-use-after-free Include/object.h:277 in _Py_TYPE
Shadow bytes around the buggy address:
 0x513000036f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 0x513000037000: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x513000037080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x513000037100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x513000037180: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x513000037200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd]
 0x513000037280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 0x513000037300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 0x513000037380: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
 0x513000037400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x513000037480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
 Addressable: 00
 Partially addressable: 01 02 03 04 05 06 07 
 Heap left redzone: fa
 Freed heap region: fd
 Stack left redzone: f1
 Stack mid redzone: f2
 Stack right redzone: f3
 Stack after return: f5
 Stack use after scope: f8
 Global redzone: f9
 Global init order: f6
 Poisoned by user: f7
 Container overflow: fc
 Array cookie: ac
 Intra object redzone: bb
 ASan internal: fe
 Left alloca redzone: ca
 Right alloca redzone: cb
==1448338==ABORTING

Linked PRs

• gh-142783: Fix use-after-free vulnerability in zoneinfo module #142786
• gh-142783: Fix possible use after free in zoneinfo module #142790
• [3.13] gh-142783: Fix possible use after free in zoneinfo module (GH-142790) #142861
• [3.14] gh-142783: Fix possible use after free in zoneinfo module (GH-142790) #142862

[fatelei]

The vulnerability was in the get_weak_cache() function at Modules/_zoneinfo.c:303. The function incorrectly assumed that PyObject_GetAttrString() always returned a borrowed reference that could be immediately decremented with Py_XDECREF(). When _weak_cache was a descriptor (like the BombDescriptor in the PoC) that creates a new object each time it's accessed, this caused the newly created object to be freed too early, leading to use-after-free.

possible fix method

static PyObject *get_weak_cache(zoneinfo_state *state, PyTypeObject *type)
{
 if (type == state->ZoneInfoType){
 Py_INCREF(state->ZONEINFO_WEAK_CACHE);
 return state->ZONEINFO_WEAK_CACHE;
 }
 else{
 return PyObject_GetAttrString((PyObject *)type, "_weak_cache");
 }
}

and call Py_DECREF(weak_cache); in callee