From a47eaacc166e6b1381ce7b8ae013a0bb5ea8f21c Mon Sep 17 00:00:00 2001
From: Maxwell Bernstein
Date: Thu, 27 Jan 2022 23:03:53 -0800
Subject: [PATCH 1/2] Ensure operands to __get__ survive the call
Callees can assume their parameters survive for the entire call. This violates that assumption and can cause a use-after-free. This is not an issue in CPython right now because later on in the interpreter __get__ fastcall path, the whole vector of arguments get INCREFed. However, if a program provides a different entrypoint for a vectorcall, it may crash.
---
 Objects/typeobject.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index 621ad9745d8448..e9e8e09df87fab 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -1613,8 +1613,12 @@ _PyObject_LookupSpecial(PyObject *self, _Py_Identifier *attrid)
 descrgetfunc f;
 if ((f = Py_TYPE(res)->tp_descr_get) == NULL)
 Py_INCREF(res);
- else
- res = f(res, self, (PyObject *)(Py_TYPE(self)));
+ else {
+ PyObject* descr = res;
+ Py_INCREF(descr);
+ res = f(descr, self, (PyObject *)(Py_TYPE(self)));
+ Py_DECREF(descr);
+ }
 }
 return res;
 }
@@ -1639,7 +1643,10 @@ lookup_maybe_method(PyObject *self, _Py_Identifier *attrid, int *unbound)
 Py_INCREF(res);
 }
 else {
+ PyObject* descr = res;
+ Py_INCREF(descr);
 res = f(res, self, (PyObject *)(Py_TYPE(self)));
+ Py_DECREF(descr);
 }
 }
 return res;
From a86fdcc34cd73f909a09ae9f53bf93ac64eb23bc Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Fri, 28 Jan 2022 07:10:43 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Core and Builtins/2022-01-28-07-10-41.bpo-46561.y3KHGB.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Core and Builtins/2022-01-28-07-10-41.bpo-46561.y3KHGB.rst
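Review bot: The new `else` block in `_PyObject_LookupSpecial` takes a temporary strong reference with no comment saying why, and the same uncommented pattern is repeated in the `lookup_maybe_method` hunk. Since the commit message says current CPython does not crash without it, a later cleanup could plausibly remove the INCREF/DECREF pair as redundant and reintroduce the use-after-free; I would add `/* res is borrowed here; keep the descriptor alive across the tp_descr_get call, which may drop the last other reference */` above `PyObject* descr = res;` in both places. That `res` is borrowed is inferred from the other branch, which INCREFs it before returning. As a style point, the declaration should read `PyObject *descr = res;` to match the declarator style of the surrounding code (`PyObject *self`). The function starts outside the hunk.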
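Review bot: The call in `lookup_maybe_method` still passes `res` as the first argument, while the `_PyObject_LookupSpecial` hunk passes the newly owned `descr`. The two are the same pointer at that moment, so behaviour is the same, but the mismatch makes it less obvious which name holds the reference that protects the call. I would change the line to `res = f(descr, self, (PyObject *)(Py_TYPE(self)));` so both sites read identically. The function body begins before the hunk and the hunk ends just before its closing brace, so the lookup that produces `res` is not visible here.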
diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-01-28-07-10-41.bpo-46561.y3KHGB.rst b/Misc/NEWS.d/next/Core and Builtins/2022-01-28-07-10-41.bpo-46561.y3KHGB.rst
new file mode 100644
index 00000000000000..2f069f61dbc7e1
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2022-01-28-07-10-41.bpo-46561.y3KHGB.rst
@@ -0,0 +1 @@
+Make sure arguments to __get__ are owned
\ No newline at end of file