Fix use-after-free in atexit.unregister()

benjaminJohnson2204 · benjaminJohnson2204 · commit 6c8db8a5c6ae · 2024-01-15T13:59:39.000-08:00
diff --git a/Lib/test/_test_atexit.py b/Lib/test/_test_atexit.py
@@ -135,6 +135,40 @@ def func():
         finally:
             atexit.unregister(func)
 
+    def test_eq_unregister_clear(self):
+        # Issue #112127: callback's __eq__ may call unregister or _clear
+        global cnt
+        cnt = 0
+        class Func:
+            def __init__(self, action, eq_ret_val):
+                self.action = action
+                self.eq_ret_val = eq_ret_val
+
+            def __call__(self):
+                return
+
+            def __eq__(self, o):
+                global cnt
+                cnt += 1
+                if cnt == 1:
+                    self.action(o)
+                return self.eq_ret_val(o)
+
+        for action, eq_ret_val in (
+            (lambda o: atexit.unregister(self), lambda o: NotImplemented),
+            (lambda o: atexit.unregister(self), lambda o: True),
+            (lambda o: atexit.unregister(o),    lambda o: NotImplemented),
+            (lambda o: atexit.unregister(o),    lambda o: True),
+            (lambda o: atexit._clear(),         lambda o: NotImplemented),
+            (lambda o: atexit._clear(),         lambda o: True),
+        ):
+            cnt = 0
+            f1 = Func(action, eq_ret_val)
+            f2 = Func(action, eq_ret_val)
+            atexit.register(f1)
+            atexit.register(f2)
+            atexit._run_exitfuncs()
+
 
 if __name__ == "__main__":
     unittest.main()
diff --git a/Misc/ACKS b/Misc/ACKS
@@ -881,6 +881,7 @@ Jim Jewett
 Pedro Diaz Jimenez
 Orjan Johansen
 Fredrik Johansson
+Benjamin Johnson
 Gregory K. Johnson
 Kent Johnson
 Michael Johnson
diff --git a/Modules/atexitmodule.c b/Modules/atexitmodule.c
@@ -278,11 +278,20 @@ atexit_unregister(PyObject *module, PyObject *func)
             continue;
         }
 
+        /*
+         * Increment refcounts of func and cb->func because equality check may
+         * unregister one or both
+         */
+        PyObject *cb_func = Py_NewRef(cb->func);
+        PyObject *cur_func = Py_NewRef(func);
         int eq = PyObject_RichCompareBool(cb->func, func, Py_EQ);
+        Py_DECREF(cb_func);
+        Py_DECREF(cur_func);
         if (eq < 0) {
             return NULL;
         }
-        if (eq) {
+        // Equality comparison might have already deleted this callback
+        if (eq && state->callbacks[i] != NULL) {
             atexit_delete_cb(state, i);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -278,11 +278,20 @@ atexit_unregister(PyObject module, PyObject func)`
`278`	`278`	`continue;`
`279`	`279`	`}`
`280`	`280`
	`281`	`+ /*`
	`282`	`+ * Increment refcounts of func and cb->func because equality check may`
	`283`	`+ * unregister one or both`
	`284`	`+ */`
	`285`	`+ PyObject *cb_func = Py_NewRef(cb->func);`
	`286`	`+ PyObject *cur_func = Py_NewRef(func);`
`281`	`287`	`int eq = PyObject_RichCompareBool(cb->func, func, Py_EQ);`
	`288`	`+ Py_DECREF(cb_func);`
	`289`	`+ Py_DECREF(cur_func);`
`282`	`290`	`if (eq < 0) {`
`283`	`291`	`return NULL;`
`284`	`292`	`}`
`285`		`- if (eq) {`
	`293`	`+ // Equality comparison might have already deleted this callback`
	`294`	`+ if (eq && state->callbacks[i] != NULL) {`
`286`	`295`	`atexit_delete_cb(state, i);`
`287`	`296`	`}`
`288`	`297`	`}`