Skip to content

gh-143545: Fix UAF in lsprof via re-entrant external timer #143550

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
OutisNemosseus wants to merge 6 commits into
base: main
Choose a base branch
from
Open

gh-143545: Fix UAF in lsprof via re-entrant external timer #143550

OutisNemosseus wants to merge 6 commits into from

Conversation

@OutisNemosseus
Copy link

@OutisNemosseus OutisNemosseus commented Jan 8, 2026
edited by bedevere-app bot
Loading

Fix use-after-free in _lsprof module when external timer's __index__ method clears the profiler during callback.

Problem

prof._pystart_callback installs a new ProfilerContext and calls the external timer. If the timer's __index__ clears the profiler, it frees currentProfilerContext while initContext or Stop still writes to it, causing heap-use-after-free.

Solution

Added inCallback flag to ProfilerObject to prevent clearEntries from freeing memory while timer callback is executing.

Changes

  • Added int inCallback field to ProfilerObject struct
  • Set flag before/after call_timer() in initContext and Stop
  • Check flag at start of clearEntries to prevent freeing during callback
  • Added test case test_lsprof_uaf.py

Closes #143545

@bedevere-app
Copy link

bedevere-app bot commented Jan 8, 2026

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@python-cla-bot
Copy link

python-cla-bot bot commented Jan 8, 2026
edited
Loading

The following commit authors need to sign the Contributor License Agreement:

CLA not signed

@bedevere-app bedevere-app bot mentioned this pull request Jan 8, 2026
Open
aisk
aisk reviewed Jan 8, 2026
View reviewed changes
Modules/_lsprof.c
ProfilerEntry *ctxEntry;
} ProfilerContext;


Copy link
Contributor

@aisk aisk Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please avoid changing the formatting of code that you do not touch, as this makes review and backporting more difficult.

aisk
aisk reviewed Jan 8, 2026
View reviewed changes
Modules/_lsprof.c
Comment on lines +329 to +331
pObj->inCallback = 1;
self->t0 = call_timer(pObj);
pObj->inCallback = 0;
Copy link
Contributor

@aisk aisk Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The indentation is inaccurate.

aisk
aisk reviewed Jan 8, 2026
View reviewed changes
Misc/NEWS.d/next/Security/2026-01-08-08-05-23.gh-issue-143545.qruuXH.rst
@@ -0,0 +1 @@
Fix use-after-free in the ``_lsprof`` module when external timer's ``__index__`` method clears the profiler during callback.
Copy link
Contributor

@aisk aisk Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Fix use-after-free in the ``_lsprof`` module when external timer's ``__index__`` method clears the profiler during callback.
Fix use-after-free in the :mod:`_lsprof` module when external timer's ``__index__`` method clears the profiler during callback.

Copy link
Contributor

@aisk aisk Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure whether we should mention _lsprof here, because it's a private module that users should not use directly. Users interact with it via profile and cProfile, so I think we should describe the news entry in terms of those two modules instead.

aisk
aisk reviewed Jan 8, 2026
View reviewed changes
Lib/test/test_lsprof_uaf.py
@@ -0,0 +1,37 @@
"""Test for gh-143545: UAF in lsprof via re-entrant external timer."""
Copy link
Contributor

@aisk aisk Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although this happens in the _lsprof module, the user interface and the test code are related to cProfile (and profile), so I think we should move the test case to the test files for those modules.

aisk
aisk reviewed Jan 8, 2026
View reviewed changes
Modules/_lsprof.c
double externalTimerUnit;
int tool_id;
PyObject* missing;
int inCallback;
Copy link
Contributor

@aisk aisk Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are using C11, we can use bool in <stdbool.h> for boolean values.

sobolevn
sobolevn reviewed Jan 9, 2026
View reviewed changes
Lib/test/test_lsprof_uaf.py
try:
prof._pystart_callback(victim.__code__, 0)
except (RuntimeError, ValueError):
pass # Expected if we block the operation
Copy link
Member

@sobolevn sobolevn Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is expected - maybe we should use with self.assertRaisesRegex?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aisk aisk aisk left review comments

@sobolevn sobolevn sobolevn left review comments

Assignees

No one assigned

Labels

awaiting review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Use-after-free in lsprof initContext via re-entrant external timer __index__

3 participants

@OutisNemosseus @aisk @sobolevn