[issue40294] Use-after-free crash if multiple interpreters import asyncio module

2020-04-15 Thread Jeffrey Quesnelle


New submission from Jeffrey Quesnelle:

Starting with Python 3.8 (GH-16598), the `_asyncio` module's C initialization 
is guarded behind a static variable. If the module is initialized a second time 
and this variable is set, the resources from the first initialization are used. 
However, when the module is freed and the corresponding resources released, the 
static variable is not cleared. If the module is subsequently initialized 
again, it will incorrectly believe it has already been initialized and use the 
previously freed resources, resulting in a crash.

This scenario is actually fairly easy to encounter in the presence of multiple 
interpreters whose lifetime is shorter than that of the whole program. 
Essentially, if any interpreter loads `asyncio` and then is freed with 
`Py_EndInterpreter`, any new interpreter that loads `asyncio` will crash. Since 
`asyncio` is a built-in module, it is loaded as a consequence of a wide variety 
of libraries.

I ran into this in my project because I use multiple interpreters to isolate 
user scripts, and I started to encounter crashes when switching to Python 3.8.

I've attached a simple reproduction program. I've personally tested that this 
runs without crashing in 3.6 and 3.7 (but I suspect it works down to 3.4 when 
`asyncio` was introduced).

--
components: C API
files: main.c
messages: 366531
nosy: jquesnelle
priority: normal
severity: normal
status: open
title: Use-after-free crash if multiple interpreters import asyncio module
type: crash
versions: Python 3.8, Python 3.9
Added file: https://bugs.python.org/file49064/main.c

___
Python tracker 
<https://bugs.python.org/issue40294>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
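
The failure mode described in the report above, next to the effect of clearing the flag in `module_free` as proposed later in the thread. This is an added illustration, not CPython's source and not the attached `main.c`: the struct, its `resource_live` bookkeeping field and the function bodies are constructed for this model, and the freed pointer is never dereferenced.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model. In a real extension these fields would be file-scope
 * statics; a struct lets both variants run in one process. */
struct mod_state {
    bool initialized;    /* the guard checked on every init */
    int *resource;       /* stands in for the module's cached objects */
    bool resource_live;  /* demo bookkeeping only: is *resource still valid? */
    bool clear_on_free;  /* false = reported behaviour, true = proposed fix */
};

static int module_init(struct mod_state *m) {
    if (m->initialized)
        return 0;        /* guard set: reuse whatever the first init created */
    m->resource = malloc(sizeof *m->resource);
    if (m->resource == NULL)
        return -1;
    *m->resource = 1;
    m->resource_live = true;
    m->initialized = true;
    return 0;
}

static void module_free(struct mod_state *m) {
    free(m->resource);
    m->resource_live = false;
    if (m->clear_on_free) {   /* the fix: forget the pointer and the guard */
        m->resource = NULL;
        m->initialized = false;
    }
}

/* Interpreter A imports the module and ends, then interpreter B imports it.
 * Returns true if B is left holding a resource that was already freed. */
static bool second_import_is_stale(bool clear_on_free) {
    struct mod_state m = { .clear_on_free = clear_on_free };
    if (module_init(&m) != 0) return false;
    module_free(&m);                        /* A ends */
    if (module_init(&m) != 0) return false; /* B imports */
    bool stale = m.initialized && !m.resource_live;
    if (!stale) module_free(&m);            /* release B's fresh resource */
    return stale;
}

/* Exit status 0 when the model behaves as described. */
int main(void) { return !(second_import_is_stale(false) && !second_import_is_stale(true)); }
```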



[issue40294] Use-after-free crash if multiple interpreters import asyncio module

2020-04-15 Thread Jeffrey Quesnelle


Change by Jeffrey Quesnelle:


--
keywords: +patch
pull_requests: +18890
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/19542




[issue40294] Use-after-free crash if multiple interpreters import asyncio module

2020-04-16 Thread Jeffrey Quesnelle


Jeffrey Quesnelle added the comment:

Would the simple fix (clearing the flag in `module_free`) be a candidate for a 
backport to 3.8? This seems to be a regression from the previous stable version 
that also limits the usability of subinterpreters -- `asyncio` is loaded by a 
wide variety of libraries and so in general it's not easy to know that a 
particular subinterpreter hasn't loaded `asyncio`. However, I concede that 
subinterpreters with variable lifetimes aren't a common use case.

--




[issue40294] Use-after-free crash if multiple interpreters import asyncio module

2020-04-16 Thread Jeffrey Quesnelle


Jeffrey Quesnelle added the comment:

> Is Python 3.7 affected as well?

Nope, this was introduced in 3.8

--
