New submission from BeginVuln:
OS Version : Ubuntu 16.04 LTS
Python download link :
https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz
Python version : 3.6.0
Normal build cmd :
./configure
make
Asan build cmd:
export CC="/usr/bin/clang -fsanitize=address
export CXX="/usr/bin/clang++ -fsanitize=address
./confiugre
make
GDB with exploitable:
To enable execution of this file add
add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
line to your configuration file "/home/test/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/test/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x000000000043d563 in PyObject_GC_UnTrack (op=0x7ffff3810400) at
Modules/gcmodule.c:1699
1699 _PyObject_GC_UNTRACK(op);
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: a30125899c34aa234161214a7afc7066.d78488ccad0508b81b411140385e7113
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching
the destination operand of the instruction. This likely indicates a write
access violation, which means the attacker may control the write address and/or
value.
Other tags: AccessViolation (21/22)
ASAN:
EsFASAN:DEADLYSIGNAL
=================================================================
==18094==ERROR: AddressSanitizer: SEGV on unknown address 0x000cffff800d (pc
0x000000543039 bp 0x0fec572c0c81 sp 0x7ffc421b9cf0 T0)
#0 0x543038 in PyObject_GC_UnTrack
/home/test/check/PythonASAN/Modules/gcmodule.c:1699 (discriminator 4)
#1 0x543038 in ?? ??:0
#2 0x65ca2f in subtype_dealloc
/home/test/check/PythonASAN/Objects/typeobject.c:1133
#3 0x65ca2f in ?? ??:0
#4 0x5d10da in frame_dealloc
/home/test/check/PythonASAN/Objects/frameobject.c:423 (discriminator 5)
#5 0x5d10da in ?? ??:0
#6 0x5304c4 in tb_dealloc /home/test/check/PythonASAN/Python/traceback.c:55
(discriminator 5)
#7 0x5304c4 in ?? ??:0
#8 0x530456 in tb_dealloc /home/test/check/PythonASAN/Python/traceback.c:54
(discriminator 5)
#9 0x530456 in ?? ??:0
#10 0x530456 in tb_dealloc
/home/test/check/PythonASAN/Python/traceback.c:54 (discriminator 5)
#11 0x530456 in ?? ??:0
#12 0x5b3b49 in BaseException_clear
/home/test/check/PythonASAN/Objects/exceptions.c:76 (discriminator 5)
#13 0x5b3b49 in ?? ??:0
#14 0x5b3742 in BaseException_dealloc
/home/test/check/PythonASAN/Objects/exceptions.c:86
#15 0x5b3742 in ?? ??:0
#16 0x656df9 in tupledealloc
/home/test/check/PythonASAN/Objects/tupleobject.c:243 (discriminator 5)
#17 0x656df9 in ?? ??:0
#18 0x656df9 in tupledealloc
/home/test/check/PythonASAN/Objects/tupleobject.c:243 (discriminator 5)
#19 0x656df9 in ?? ??:0
#20 0x5e5c19 in list_clear
/home/test/check/PythonASAN/Objects/listobject.c:562 (discriminator 5)
#21 0x5e5c19 in listclear
/home/test/check/PythonASAN/Objects/listobject.c:763 (discriminator 5)
#22 0x5e5c19 in ?? ??:0
#23 0x632208 in _PyCFunction_FastCallDict
/home/test/check/PythonASAN/Objects/methodobject.c:192
#24 0x632208 in ?? ??:0
#25 0x7a7751 in call_function
/home/test/check/PythonASAN/Python/ceval.c:4788 (discriminator 17)
#26 0x7a7751 in ?? ??:0
#27 0x7995cc in _PyEval_EvalFrameDefault
/home/test/check/PythonASAN/Python/ceval.c:3275
#28 0x7995cc in ?? ??:0
#29 0x7a9847 in PyEval_EvalFrameEx
/home/test/check/PythonASAN/Python/ceval.c:718
#30 0x7a9847 in _PyEval_EvalCodeWithName
/home/test/check/PythonASAN/Python/ceval.c:4119
#31 0x7a9847 in ?? ??:0
#32 0x7ac2ea in _PyFunction_FastCallDict
/home/test/check/PythonASAN/Python/ceval.c:5021
#33 0x7ac2ea in ?? ??:0
#34 0x574668 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2295
#35 0x574668 in ?? ??:0
#36 0x5749fa in _PyObject_Call_Prepend
/home/test/check/PythonASAN/Objects/abstract.c:2358
#37 0x5749fa in ?? ??:0
#38 0x573e9b in PyObject_Call
/home/test/check/PythonASAN/Objects/abstract.c:2246
#39 0x573e9b in ?? ??:0
#40 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
#41 0x793369 in _PyEval_EvalFrameDefault
/home/test/check/PythonASAN/Python/ceval.c:3357
#42 0x793369 in ?? ??:0
#43 0x7a9847 in PyEval_EvalFrameEx
/home/test/check/PythonASAN/Python/ceval.c:718
#44 0x7a9847 in _PyEval_EvalCodeWithName
/home/test/check/PythonASAN/Python/ceval.c:4119
#45 0x7a9847 in ?? ??:0
#46 0x7ac2ea in _PyFunction_FastCallDict
/home/test/check/PythonASAN/Python/ceval.c:5021
#47 0x7ac2ea in ?? ??:0
#48 0x574668 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2295
#49 0x574668 in ?? ??:0
#50 0x5749fa in _PyObject_Call_Prepend
/home/test/check/PythonASAN/Objects/abstract.c:2358
#51 0x5749fa in ?? ??:0
#52 0x573e9b in PyObject_Call
/home/test/check/PythonASAN/Objects/abstract.c:2246
#53 0x573e9b in ?? ??:0
#54 0x66efe4 in slot_tp_call
/home/test/check/PythonASAN/Objects/typeobject.c:6167
#55 0x66efe4 in ?? ??:0
#56 0x5745f0 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2316
#57 0x5745f0 in ?? ??:0
#58 0x7a7429 in call_function
/home/test/check/PythonASAN/Python/ceval.c:4812
#59 0x7a7429 in ?? ??:0
#60 0x7995cc in _PyEval_EvalFrameDefault
/home/test/check/PythonASAN/Python/ceval.c:3275
#61 0x7995cc in ?? ??:0
#62 0x7a9847 in PyEval_EvalFrameEx
/home/test/check/PythonASAN/Python/ceval.c:718
#63 0x7a9847 in _PyEval_EvalCodeWithName
/home/test/check/PythonASAN/Python/ceval.c:4119
#64 0x7a9847 in ?? ??:0
#65 0x7ac2ea in _PyFunction_FastCallDict
/home/test/check/PythonASAN/Python/ceval.c:5021
#66 0x7ac2ea in ?? ??:0
#67 0x574668 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2295
#68 0x574668 in ?? ??:0
#69 0x5749fa in _PyObject_Call_Prepend
/home/test/check/PythonASAN/Objects/abstract.c:2358
#70 0x5749fa in ?? ??:0
#71 0x573e9b in PyObject_Call
/home/test/check/PythonASAN/Objects/abstract.c:2246
#72 0x573e9b in ?? ??:0
#73 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
#74 0x793369 in _PyEval_EvalFrameDefault
/home/test/check/PythonASAN/Python/ceval.c:3357
#75 0x793369 in ?? ??:0
#76 0x7a9847 in PyEval_EvalFrameEx
/home/test/check/PythonASAN/Python/ceval.c:718
#77 0x7a9847 in _PyEval_EvalCodeWithName
/home/test/check/PythonASAN/Python/ceval.c:4119
#78 0x7a9847 in ?? ??:0
#79 0x7ac2ea in _PyFunction_FastCallDict
/home/test/check/PythonASAN/Python/ceval.c:5021
#80 0x7ac2ea in ?? ??:0
#81 0x574668 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2295
#82 0x574668 in ?? ??:0
#83 0x5749fa in _PyObject_Call_Prepend
/home/test/check/PythonASAN/Objects/abstract.c:2358
#84 0x5749fa in ?? ??:0
#85 0x573e9b in PyObject_Call
/home/test/check/PythonASAN/Objects/abstract.c:2246
#86 0x573e9b in ?? ??:0
#87 0x66efe4 in slot_tp_call
/home/test/check/PythonASAN/Objects/typeobject.c:6167
#88 0x66efe4 in ?? ??:0
#89 0x5745f0 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2316
#90 0x5745f0 in ?? ??:0
#91 0x7a7429 in call_function
/home/test/check/PythonASAN/Python/ceval.c:4812
#92 0x7a7429 in ?? ??:0
#93 0x7995cc in _PyEval_EvalFrameDefault
/home/test/check/PythonASAN/Python/ceval.c:3275
#94 0x7995cc in ?? ??:0
#95 0x7a9847 in PyEval_EvalFrameEx
/home/test/check/PythonASAN/Python/ceval.c:718
#96 0x7a9847 in _PyEval_EvalCodeWithName
/home/test/check/PythonASAN/Python/ceval.c:4119
#97 0x7a9847 in ?? ??:0
#98 0x7ac2ea in _PyFunction_FastCallDict
/home/test/check/PythonASAN/Python/ceval.c:5021
#99 0x7ac2ea in ?? ??:0
#100 0x574668 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2295
#101 0x574668 in ?? ??:0
#102 0x5749fa in _PyObject_Call_Prepend
/home/test/check/PythonASAN/Objects/abstract.c:2358
#103 0x5749fa in ?? ??:0
#104 0x573e9b in PyObject_Call
/home/test/check/PythonASAN/Objects/abstract.c:2246
#105 0x573e9b in ?? ??:0
#106 0x793369 in do_call_core
/home/test/check/PythonASAN/Python/ceval.c:5057
#107 0x793369 in _PyEval_EvalFrameDefault
/home/test/check/PythonASAN/Python/ceval.c:3357
#108 0x793369 in ?? ??:0
#109 0x7a9847 in PyEval_EvalFrameEx
/home/test/check/PythonASAN/Python/ceval.c:718
#110 0x7a9847 in _PyEval_EvalCodeWithName
/home/test/check/PythonASAN/Python/ceval.c:4119
#111 0x7a9847 in ?? ??:0
#112 0x7ac2ea in _PyFunction_FastCallDict
/home/test/check/PythonASAN/Python/ceval.c:5021
#113 0x7ac2ea in ?? ??:0
#114 0x574668 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2295
#115 0x574668 in ?? ??:0
#116 0x5749fa in _PyObject_Call_Prepend
/home/test/check/PythonASAN/Objects/abstract.c:2358
#117 0x5749fa in ?? ??:0
#118 0x573e9b in PyObject_Call
/home/test/check/PythonASAN/Objects/abstract.c:2246
#119 0x573e9b in ?? ??:0
#120 0x66efe4 in slot_tp_call
/home/test/check/PythonASAN/Objects/typeobject.c:6167
#121 0x66efe4 in ?? ??:0
#122 0x5745f0 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2316
#123 0x5745f0 in ?? ??:0
#124 0x7a7429 in call_function
/home/test/check/PythonASAN/Python/ceval.c:4812
#125 0x7a7429 in ?? ??:0
#126 0x7995cc in _PyEval_EvalFrameDefault
/home/test/check/PythonASAN/Python/ceval.c:3275
#127 0x7995cc in ?? ??:0
#128 0x7ab4cb in PyEval_EvalFrameEx
/home/test/check/PythonASAN/Python/ceval.c:718
#129 0x7ab4cb in _PyFunction_FastCall
/home/test/check/PythonASAN/Python/ceval.c:4870
#130 0x7ab4cb in fast_function
/home/test/check/PythonASAN/Python/ceval.c:4905
#131 0x7ab4cb in ?? ??:0
#132 0x7a76f2 in call_function
/home/test/check/PythonASAN/Python/ceval.c:4809
#133 0x7a76f2 in ?? ??:0
#134 0x7995cc in _PyEval_EvalFrameDefault
/home/test/check/PythonASAN/Python/ceval.c:3275
#135 0x7995cc in ?? ??:0
#136 0x7ab4cb in PyEval_EvalFrameEx
/home/test/check/PythonASAN/Python/ceval.c:718
#137 0x7ab4cb in _PyFunction_FastCall
/home/test/check/PythonASAN/Python/ceval.c:4870
#138 0x7ab4cb in fast_function
/home/test/check/PythonASAN/Python/ceval.c:4905
#139 0x7ab4cb in ?? ??:0
#140 0x7a76f2 in call_function
/home/test/check/PythonASAN/Python/ceval.c:4809
#141 0x7a76f2 in ?? ??:0
#142 0x7995cc in _PyEval_EvalFrameDefault
/home/test/check/PythonASAN/Python/ceval.c:3275
#143 0x7995cc in ?? ??:0
#144 0x7a9847 in PyEval_EvalFrameEx
/home/test/check/PythonASAN/Python/ceval.c:718
#145 0x7a9847 in _PyEval_EvalCodeWithName
/home/test/check/PythonASAN/Python/ceval.c:4119
#146 0x7a9847 in ?? ??:0
#147 0x7ac2ea in _PyFunction_FastCallDict
/home/test/check/PythonASAN/Python/ceval.c:5021
#148 0x7ac2ea in ?? ??:0
#149 0x574668 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2295
#150 0x574668 in ?? ??:0
#151 0x5749fa in _PyObject_Call_Prepend
/home/test/check/PythonASAN/Objects/abstract.c:2358
#152 0x5749fa in ?? ??:0
#153 0x573e9b in PyObject_Call
/home/test/check/PythonASAN/Objects/abstract.c:2246
#154 0x573e9b in ?? ??:0
#155 0x6713f8 in slot_tp_init
/home/test/check/PythonASAN/Objects/typeobject.c:6380
#156 0x6713f8 in ?? ??:0
#157 0x666d8d in type_call
/home/test/check/PythonASAN/Objects/typeobject.c:915 (discriminator 1)
#158 0x666d8d in ?? ??:0
#159 0x5745f0 in _PyObject_FastCallDict
/home/test/check/PythonASAN/Objects/abstract.c:2316
#160 0x5745f0 in ?? ??:0
#161 0x7a7429 in call_function
/home/test/check/PythonASAN/Python/ceval.c:4812
#162 0x7a7429 in ?? ??:0
#163 0x7995cc in _PyEval_EvalFrameDefault
/home/test/check/PythonASAN/Python/ceval.c:3275
#164 0x7995cc in ?? ??:0
#165 0x7a9847 in PyEval_EvalFrameEx
/home/test/check/PythonASAN/Python/ceval.c:718
#166 0x7a9847 in _PyEval_EvalCodeWithName
/home/test/check/PythonASAN/Python/ceval.c:4119
#167 0x7a9847 in ?? ??:0
#168 0x78e0df in PyEval_EvalCodeEx
/home/test/check/PythonASAN/Python/ceval.c:4140
#169 0x78e0df in PyEval_EvalCode
/home/test/check/PythonASAN/Python/ceval.c:695
#170 0x78e0df in ?? ??:0
#171 0x5142f5 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:980
#172 0x5142f5 in PyRun_FileExFlags
/home/test/check/PythonASAN/Python/pythonrun.c:933
#173 0x5142f5 in ?? ??:0
#174 0x512afa in PyRun_SimpleFileExFlags
/home/test/check/PythonASAN/Python/pythonrun.c:396
#175 0x512afa in ?? ??:0
#176 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
#177 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
#178 0x53eefd in ?? ??:0
#179 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
#180 0x503d16 in ?? ??:0
#181 0x7f62bf5d482f in __libc_start_main
/build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#182 0x7f62bf5d482f in ?? ??:0
#183 0x432548 in _start ??:?
#184 0x432548 in ?? ??:0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/test/check/PythonASAN/python+0x543038)
==18094==ABORTING
----------
components: Interpreter Core
files: gcmodule_1699
messages: 287330
nosy: beginvuln
priority: normal
severity: normal
status: open
title: AddressSanitizer: SEGV on unknown address 0x000cffff800d
type: security
versions: Python 3.6
Added file: http://bugs.python.org/file46588/gcmodule_1699
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue29493>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
