pycares has a Use-After-Free Vulnerability

Summary pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash. Details Root Cause The vulnerability stems from improper handling of callback references when the Channel object is destroyed: When a DNS query is initiated, pycares stores a callback reference using ffi.new_handle() If the Channel object is garbage collected while queries are pending, the callback references become invalid When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error This issue was much more likely to occur when using event_thread=True but could happen without it under the right circumstances. Technical Details The core issue is a race condition between Python's garbage collector and c-ares's callback execution: When __del__ is called from within a c-ares callback context, we cannot immediately call ares_destroy() because c-ares is still executing code after the callback returns c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares_process.c) If we destroy the channel too quickly, c-ares accesses freed memory Impact Applications using pycares can be crashed remotely by triggering DNS queries that result in Channel objects being garbage collected before query completion. This is particularly problematic in scenarios where: Channel objects are created…Read More