Evil call_soon may cause OOB in future_schedule_callbacks #125969

Closed
picnixz opened this issue Oct 25, 2024 · 1 comment
Labels: 3.12 bugs and security fixes; 3.13 bugs and security fixes; 3.14 new features, bugs and security fixes; topic-asyncio; type-crash (A hard crash of the interpreter, possibly with a core dump)

picnixz commented Oct 25, 2024

Crash report

Bug description:

In future_schedule_callbacks, the length of the callback list is assumed to be constant, but an evil call_soon can make it change.

PoC:

import asyncio
called_on_fut_callback0 = False

pad = lambda: ...

def evil_call_soon(*args, **kwargs):
    global called_on_fut_callback0
    if called_on_fut_callback0:
        # Called when handling fut->fut_callbacks[0];
        # mutates the length of fut->fut_callbacks.
        fut.remove_done_callback(int)
        fut.remove_done_callback(pad)
    else:
        called_on_fut_callback0 = True

fake_event_loop = lambda: ...
fake_event_loop.call_soon = evil_call_soon
fake_event_loop.get_debug = lambda: False  # suppress traceback
fut = asyncio.Future(loop=fake_event_loop)
fut.add_done_callback(str)  # sets fut->fut_callback0
fut.add_done_callback(int)  # sets fut->fut_callbacks[0]
fut.add_done_callback(pad)  # sets fut->fut_callbacks[1]
fut.add_done_callback(pad)  # sets fut->fut_callbacks[2]
fut.set_result("boom")

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response
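
The bug class described in this report, as an added C model that is not CPython's code: a loop that caches a list length and then calls a loop-supplied hook that can shrink the list. The `future` struct, `evil_call_soon` and both `schedule_*` functions are hypothetical names built for this illustration, and the detach-before-iterate hardening is a general pattern, not a statement of what GH-125970 changed.

```c
#include <stddef.h>
#include <string.h>
#define MAX_CB 8

typedef struct future future;
struct future {
    int callbacks[MAX_CB];            /* models fut->fut_callbacks */
    size_t len;                       /* current length of that list */
    void (*call_soon)(future *, int); /* supplied by the event loop */
    size_t scheduled;                 /* callbacks handed to call_soon */
};

/* Constructed hostile hook: empties the list while it is being walked. */
static void evil_call_soon(future *fut, int cb) {
    (void)cb;
    fut->scheduled++;
    fut->len = 0;
}

/* Flawed pattern: length read once, then trusted across re-entrant calls.
   Returns the first stale index (where the real out-of-bounds read would
   happen; the model reports it instead of reading), or -1 if none. */
static long schedule_cached_len(future *fut) {
    size_t n = fut->len;
    for (size_t i = 0; i < n; i++) {
        if (i >= fut->len)
            return (long)i;
        fut->call_soon(fut, fut->callbacks[i]);
    }
    return -1;
}

/* Hardened pattern: detach the list before iterating, so re-entrant code
   can only touch the now-empty list left on the future. */
static long schedule_detached(future *fut) {
    int local[MAX_CB];
    size_t n = fut->len;
    memcpy(local, fut->callbacks, n * sizeof local[0]);
    fut->len = 0;
    for (size_t i = 0; i < n; i++)
        fut->call_soon(fut, local[i]);
    return -1;
}

int main(void) {
    future a = { {1, 2, 3}, 3, evil_call_soon, 0 }, b = a;
    return !(schedule_cached_len(&a) == 1 && schedule_detached(&b) == -1);
}
```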

Linked PRs

kumaraditya303 pushed a commit that referenced this issue Oct 25, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 25, 2024
…l `call_soon` (pythonGH-125970)

(cherry picked from commit c5b99f5)

Co-authored-by: Bénédikt Tran <[email protected]>
Co-authored-by: Andrew Svetlov <[email protected]>
kumaraditya303 pushed a commit that referenced this issue Oct 25, 2024
…il `call_soon` (GH-125970) (#125992)

gh-125969: fix OOB in `future_schedule_callbacks` due to an evil `call_soon` (GH-125970)
(cherry picked from commit c5b99f5)

Co-authored-by: Bénédikt Tran <[email protected]>
Co-authored-by: Andrew Svetlov <[email protected]>
kumaraditya303 pushed a commit that referenced this issue Oct 25, 2024
…il `call_soon` (GH-125970) (#125991)

gh-125969: fix OOB in `future_schedule_callbacks` due to an evil `call_soon` (GH-125970)
(cherry picked from commit c5b99f5)

Co-authored-by: Bénédikt Tran <[email protected]>
Co-authored-by: Andrew Svetlov <[email protected]>
@kumaraditya303

thanks
