gh-143228: Fix UAF in perf trampoline during finalization by pablogsal · Pull Request #143233 · python/cpython

pablogsal · 2025-12-27T23:57:13Z

When toggling perf trampoline while threads are running, or during
interpreter finalization with daemon threads active, a use-after-free
occurs. The munmap call in free_code_arenas releases executable memory
while other threads may still be executing within trampolines or
unwinding through them, causing SIGSEGV or SystemError.

The fix uses reference counting with a code watcher. Each code object
that receives a trampoline increments a refcount. When code objects are
destroyed, the watcher decrements the refcount and frees arenas only
when it reaches zero. This ensures trampolines are never freed while
any code object could still reference them.

Issue: Race condition and UAF in perf_trampoline leading to SIGSEGV/SystemError #143228

Fidget-Spinner

Looks good, just one question

When toggling perf trampoline while threads are running, or during interpreter finalization with daemon threads active, a use-after-free occurs. The munmap call in free_code_arenas releases executable memory while other threads may still be executing within trampolines or unwinding through them, causing SIGSEGV or SystemError. The fix uses reference counting with a code watcher. Each code object that receives a trampoline increments a refcount. When code objects are destroyed, the watcher decrements the refcount and frees arenas only when it reaches zero. This ensures trampolines are never freed while any code object could still reference them.

miss-islington-app · 2025-12-28T13:50:26Z

Thanks @pablogsal for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

miss-islington-app · 2025-12-28T13:50:30Z

Sorry, @pablogsal, I could not cleanly backport this to 3.14 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 3ccc76f036bfaabb5a4631783b966501fe64859a 3.14

miss-islington-app · 2025-12-28T13:50:34Z

Sorry, @pablogsal, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 3ccc76f036bfaabb5a4631783b966501fe64859a 3.13

bedevere-app · 2025-12-28T13:56:00Z

GH-143247 is a backport of this pull request to the 3.14 branch.

pythonGH-143233) (cherry picked from commit 3ccc76f) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>

bedevere-app · 2025-12-28T14:04:43Z

GH-143248 is a backport of this pull request to the 3.13 branch.

pythonGH-143233) (cherry picked from commit 3ccc76f) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>

…143233) (#143247)

…143233) (#143248)

gpshead · 2026-02-13T21:50:12Z

+Fix use-after-free in perf trampoline when toggling profiling while
+threads are running or during interpreter finalization with daemon threads
+active. The fix uses reference counting to ensure trampolines are not freed
+while any code object could still reference them. Pach by Pablo Galindo


Patch :) but I like your new word Pach, we should start using it.

…on#143233)

pablogsal requested review from ZeroIntensity and ericsnowcurrently as code owners December 27, 2025 23:57

bedevere-app Bot added the awaiting core review label Dec 27, 2025

bedevere-app Bot mentioned this pull request Dec 27, 2025

Race condition and UAF in perf_trampoline leading to SIGSEGV/SystemError #143228

Closed

pablogsal force-pushed the gh-143228 branch from 0dfe40c to 93e8468 Compare December 28, 2025 00:05

pablogsal added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Dec 28, 2025

pablogsal requested a review from Fidget-Spinner December 28, 2025 00:31

Fidget-Spinner reviewed Dec 28, 2025

View reviewed changes

Comment thread Python/perf_trampoline.c

pablogsal force-pushed the gh-143228 branch from 93e8468 to 075822f Compare December 28, 2025 13:22

Fidget-Spinner approved these changes Dec 28, 2025

View reviewed changes

bedevere-app Bot added awaiting merge and removed awaiting core review labels Dec 28, 2025

pablogsal merged commit 3ccc76f into python:main Dec 28, 2025
50 checks passed

pablogsal deleted the gh-143228 branch December 28, 2025 13:50

bedevere-app Bot removed the awaiting merge label Dec 28, 2025

miss-islington-app Bot assigned pablogsal Dec 28, 2025

bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label Dec 28, 2025

pablogsal added a commit to pablogsal/cpython that referenced this pull request Dec 28, 2025

[3.14] pythongh-143228: Fix UAF in perf trampoline during finalization (

21a543f

pythonGH-143233) (cherry picked from commit 3ccc76f) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>

pablogsal added a commit to pablogsal/cpython that referenced this pull request Dec 28, 2025

[3.14] pythongh-143228: Fix UAF in perf trampoline during finalization (

312d021

pythonGH-143233) (cherry picked from commit 3ccc76f) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>

bedevere-app Bot removed the needs backport to 3.13 bugs and security fixes label Dec 28, 2025

pablogsal added a commit to pablogsal/cpython that referenced this pull request Dec 28, 2025

[3.13] pythongh-143228: Fix UAF in perf trampoline during finalization (

7d8452a

pythonGH-143233) (cherry picked from commit 3ccc76f) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>

pablogsal added a commit that referenced this pull request Dec 28, 2025

[3.14] gh-143228: Fix UAF in perf trampoline during finalization (GH-…

892757f

…143233) (#143247)

pablogsal added a commit that referenced this pull request Dec 28, 2025

[3.13] gh-143228: Fix UAF in perf trampoline during finalization (GH-…

de34f6d

…143233) (#143248)

gpshead reviewed Feb 13, 2026

View reviewed changes

thunder-coding pushed a commit to thunder-coding/cpython that referenced this pull request Feb 15, 2026

pythongh-143228: Fix UAF in perf trampoline during finalization (pyth…

9e658d3

…on#143233)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

gh-143228: Fix UAF in perf trampoline during finalization#143233

gh-143228: Fix UAF in perf trampoline during finalization#143233
pablogsal merged 1 commit into
python:mainfrom
pablogsal:gh-143228

pablogsal commented Dec 27, 2025 •

edited by bedevere-app Bot

Loading

Uh oh!

Fidget-Spinner left a comment

Uh oh!

Uh oh!

Uh oh!

miss-islington-app Bot commented Dec 28, 2025

Uh oh!

miss-islington-app Bot commented Dec 28, 2025

Uh oh!

miss-islington-app Bot commented Dec 28, 2025

Uh oh!

bedevere-app Bot commented Dec 28, 2025

Uh oh!

bedevere-app Bot commented Dec 28, 2025

Uh oh!

gpshead Feb 13, 2026

Uh oh!

pablogsal Feb 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

pablogsal commented Dec 27, 2025 • edited by bedevere-app Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Fidget-Spinner left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

miss-islington-app Bot commented Dec 28, 2025

Uh oh!

miss-islington-app Bot commented Dec 28, 2025

Uh oh!

miss-islington-app Bot commented Dec 28, 2025

Uh oh!

bedevere-app Bot commented Dec 28, 2025

Uh oh!

bedevere-app Bot commented Dec 28, 2025

Uh oh!

gpshead Feb 13, 2026

Choose a reason for hiding this comment

Uh oh!

pablogsal Feb 13, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

pablogsal commented Dec 27, 2025 •

edited by bedevere-app Bot

Loading