Lack of type checks in asyncio.Future can cause crash or the ability to craft malicious objects #125789
Labels: 3.12 (bugs and security fixes), 3.13 (bugs and security fixes), 3.14 (new features, bugs and security fixes), extension-modules (C modules in the Modules dir), topic-asyncio, type-crash (a hard crash of the interpreter, possibly with a core dump)
Crash report
What happened?
In Modules/_asynciomodule.c, the _asyncio_Future_remove_done_callback_impl function has a section where it retrieves an item from a list and then immediately assumes it's a tuple without doing any checks (this issue also exists in future_schedule_callbacks, but I'll only go over this one for brevity).

We can see that it gets item i from fut_callbacks and then immediately assumes it's a tuple without doing any checks. This is fine if there's no way for the user to control fut_callbacks, but we can see the Future object has a _callbacks attribute which uses FutureObj_get_callbacks as its getter.

In the rare case that fut_callback0 is NULL and fut_callbacks isn't, this will actually return the real reference to fut_callbacks, allowing us to modify the items in the list to be whatever we want. Here's a short POC to showcase a crash caused by this bug.

And if done carefully, this can be used to craft a malicious bytearray object which can write to anywhere in memory. Here's an example of that which works on 64-bit systems (tested on Windows and Linux).
This can be fixed by making it impossible to get a real reference to the fut->fut_callbacks list, or just doing proper type checking in places where it's used.
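The two fixes proposed above (never hand out the real internal list, and type-check entries before using them) can be illustrated with a pure-Python model. This is an added example, not CPython's C code or the linked PR: the ModelFuture class and the two demo functions are hypothetical and only borrow the attribute and method names of asyncio's Future (fut_callback0 / fut_callbacks, _callbacks, remove_done_callback). In Python a malformed entry raises TypeError rather than reading out of bounds, but the structural point is the same.

```python
"""Model of the hardened Future callback bookkeeping (added illustration, not
CPython's implementation). Entries are (callback, context) tuples; the first
callback lives in a fast-path slot (fut_callback0) and the rest in a list
(fut_callbacks), mirroring the layout the report describes."""


class ModelFuture:
    """Stand-in for asyncio.Future that keeps only the callback state."""

    def __init__(self):
        self._callback0 = None        # fast-path slot, like fut_callback0
        self._callback_list = None    # overflow list, like fut_callbacks

    def add_done_callback(self, fn, *, context=None):
        entry = (fn, context)
        if self._callback0 is None and self._callback_list is None:
            self._callback0 = entry
            return
        if self._callback_list is None:
            self._callback_list = []
        self._callback_list.append(entry)

    @property
    def _callbacks(self):
        """Mitigation 1: always build and return a *new* list.

        The vulnerable getter returned the internal list itself whenever the
        fast-path slot was empty, so a caller could mutate the real entries.
        A fresh list means the caller's edits never reach internal state.
        """
        out = []
        if self._callback0 is not None:
            out.append(self._callback0)
        if self._callback_list:
            out.extend(self._callback_list)
        return out or None

    @staticmethod
    def _check_entry(item):
        """Mitigation 2: validate the entry's shape before reading item[0].

        The C code reads PyTuple_GET_ITEM(item, 0) unconditionally; here a
        non-2-tuple is rejected instead of being interpreted as a tuple.
        """
        if not (isinstance(item, tuple) and len(item) == 2):
            raise TypeError(f"callback entry must be a (fn, context) tuple, got {item!r}")
        return item

    def remove_done_callback(self, fn):
        """Remove every callback equal to fn; return how many were removed."""
        removed = 0
        if self._callback0 is not None and self._callback0[0] == fn:
            self._callback0 = None
            removed += 1
        if self._callback_list:
            kept = []
            for item in self._callback_list:
                cb, _ctx = self._check_entry(item)
                if cb == fn:
                    removed += 1
                else:
                    kept.append(item)
            self._callback_list = kept or None
        return removed


def demo_getter_returns_copy():
    """Reproduce the bug's precondition (empty fast-path slot, non-empty list)
    and show that editing what _callbacks returns leaves internal state intact."""
    fut = ModelFuture()
    for fn in (print, len, id):
        fut.add_done_callback(fn)
    fut._callback0 = None            # constructed state: slot empty, list populated
    leaked = fut._callbacks
    leaked[0] = "not a tuple"        # harmless: this is a copy, not the real list
    return fut._callback_list[0] != "not a tuple" and fut.remove_done_callback(len) == 1


def demo_entry_validation():
    """Plant a malformed entry directly (what a real reference would allow)
    and confirm removal refuses it instead of treating it as a tuple."""
    fut = ModelFuture()
    fut.add_done_callback(print)
    fut.add_done_callback(len)
    fut._callback_list[0] = "not a tuple"   # constructed corruption
    try:
        fut.remove_done_callback(len)
    except TypeError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("copy protects internal list:", demo_getter_returns_copy())
    print("malformed entry:", demo_entry_validation())
```

Either mitigation alone closes the reported path: the copy prevents the list from being reached through the public attribute, and the shape check makes any entry that does get in fail safely rather than be dereferenced as a tuple.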
CPython versions tested on:
3.11, 3.12, 3.13
Operating systems tested on:
Linux, Windows
Output from running 'python -VV' on the command line:
No response
Linked PRs: asyncio callback scheduling methods #125833