@pablogsal pablogsal commented Dec 27, 2025

When toggling perf trampoline while threads are running, or during
interpreter finalization with daemon threads active, a use-after-free
occurs. The munmap call in free_code_arenas releases executable memory
while other threads may still be executing within trampolines or
unwinding through them, causing SIGSEGV or SystemError.

The fix uses reference counting with a code watcher. Each code object
that receives a trampoline increments a refcount. When code objects are
destroyed, the watcher decrements the refcount and frees arenas only
when it reaches zero. This ensures trampolines are never freed while
any code object could still reference them.
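The refcount-gated release described above, as an added model that is not CPython's perf_trampoline.c: a hypothetical `code_arena` holds one reference for the perf state itself plus one per code object that received a trampoline, and `munmap` runs only from the last drop (the unsafe pre-fix toggle is shown beside it for contrast).

```c
#define _DEFAULT_SOURCE 1
#include <stdlib.h>
#include <sys/mman.h>

/* Hypothetical model of the fix (not CPython's own code): a trampoline
 * arena whose munmap() is gated on the number of code objects that still
 * point into it, plus one reference held while perf support is enabled. */
typedef struct {
    unsigned char *mem;   /* region returned by mmap() */
    size_t size;
    long refcnt;          /* owner reference + referencing code objects */
    int unmapped;         /* 1 once munmap() has really been called */
} code_arena;

static code_arena *arena_new(size_t size) {
    code_arena *a = calloc(1, sizeof *a);
    if (a == NULL) return NULL;
    /* RW only in this model; a real arena would be made executable. */
    a->mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (a->mem == MAP_FAILED) { free(a); return NULL; }
    a->size = size;
    a->refcnt = 1;        /* the owner's (perf state's) reference */
    return a;
}

/* A code object just received a trampoline living in this arena. */
static void arena_incref(code_arena *a) { a->refcnt++; }

/* Code-watcher path: a referencing code object was destroyed, or the
 * owner let go. Memory is released only when the count reaches zero.
 * Returns 1 if this call performed the munmap(), 0 otherwise. */
static int arena_decref(code_arena *a) {
    if (--a->refcnt > 0) return 0;
    munmap(a->mem, a->size);
    a->mem = NULL;
    a->unmapped = 1;
    return 1;
}

/* Before the fix: toggling perf off unmapped at once, leaving code
 * objects (and threads inside trampolines) with dangling pointers. */
static void disable_perf_unsafe(code_arena *a) {
    munmap(a->mem, a->size);
    a->mem = NULL;
    a->unmapped = 1;
}

/* After the fix: toggling perf off only drops the owner's reference. */
static int disable_perf_safe(code_arena *a) { return arena_decref(a); }
```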

@Fidget-Spinner Fidget-Spinner left a comment

Looks good, just one question

@pablogsal pablogsal merged commit 3ccc76f into python:main Dec 28, 2025
50 checks passed
@miss-islington-app

Thanks @pablogsal for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

@pablogsal pablogsal deleted the gh-143228 branch December 28, 2025 13:50
@miss-islington-app

Sorry, @pablogsal, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 3ccc76f036bfaabb5a4631783b966501fe64859a 3.14

@miss-islington-app

Sorry, @pablogsal, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 3ccc76f036bfaabb5a4631783b966501fe64859a 3.13

@bedevere-app

bedevere-app bot commented Dec 28, 2025

GH-143247 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Dec 28, 2025
pablogsal added a commit to pablogsal/cpython that referenced this pull request Dec 28, 2025
pythonGH-143233)

(cherry picked from commit 3ccc76f)

Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
@bedevere-app

bedevere-app bot commented Dec 28, 2025

GH-143248 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Dec 28, 2025
pablogsal added a commit to pablogsal/cpython that referenced this pull request Dec 28, 2025
pythonGH-143233)

(cherry picked from commit 3ccc76f)

Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>