[issue38033] Use After Free: PyObject_Free
New submission from Chiaki Ishikawa:

Hi, I am new to the Python bug tracker, so my setting of the fields may be inadequate. If so, apologies in advance.

I think a Use After Free bug is a potential security issue and so I wanted to report it ASAP.

First, my environment:

I am using Debian GNU/Linux, and its kernel version is (uname -a output):
SMP Debian 4.19.37-6 (2019-07-18) x86_64 GNU/Linux

Python version is:
# python3 --version
Python 3.7.4

The mozilla thunderbird mail client testing framework uses python as a test driver, and when I was checking the local build of thunderbird under a test suite invoked from |make mozmill| under valgrind (a memory usage checker), the first thing I noticed was the following message from valgrind.

PyObject_Free seems to access a memory location (4 octets) in an already freed block. This happened many times during the test.

I have not bothered to look into the source code of python, but a seasoned developer should be able to figure out where such a reference is made.

From valgrind log:

==30354== Invalid read of size 4
==30354==    at 0x5A29FE: PyObject_Free (in /usr/bin/python3.7)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==  Address 0x4c8b020 is 16 bytes after a block of size 576 free'd
==30354==    at 0x4833FC0: free (vg_replace_malloc.c:538)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==  Block was alloc'd at
==30354==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
==30354==    by 0x5A4B16: PyObject_Malloc (in /usr/bin/python3.7)
==30354==    by 0x5B72BD: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==    by 0x58DE19: PyType_Ready (in /usr/bin/python3.7)
==30354==    by 0x6482A0: _Py_ReadyTypes (in /usr/bin/python3.7)
==30354==    by 0x63551A: _Py_InitializeCore_impl (in /usr/bin/python3.7)
==30354==    by 0x6357AA: _Py_InitializeCore (in /usr/bin/python3.7)
==30354==    by 0x5E17EC: ??? (in /usr/bin/python3.7)
==30354==    by 0x653D88: ??? (in /usr/bin/python3.7)
==30354==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==30354==    by 0x4ACB09A: (below main) (libc-start.c:308)
==30354==

TIA

--
components: Library (Lib)
messages: 351154
nosy: zephyrus00jp
priority: normal
severity: normal
status: open
title: Use After Free: PyObject_Free
type: security
versions: Python 3.7

_______________________________________
Python tracker <https://bugs.python.org/issue38033>
_______________________________________
_______________________________________
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue38033] Use After Free: PyObject_Free
Chiaki Ishikawa added the comment:

Addition: PyObject_Realloc also has the issue of Use After Free; this may be more serious.

==31128== Invalid read of size 4
==31128==    at 0x5A48CA: PyObject_Realloc (in /usr/bin/python3.7)
==31128==    by 0x5DD8FB: _PyBytes_Resize (in /usr/bin/python3.7)
==31128==    by 0x4F53BC: ??? (in /usr/bin/python3.7)
==31128==    by 0x5D9A22: _PyMethodDef_RawFastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54C75F: ??? (in /usr/bin/python3.7)
==31128==    by 0x5537DA: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54FA9B: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x5DA6E1: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54FA9B: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x5DA6E1: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54C61F: ??? (in /usr/bin/python3.7)
==31128==    by 0x5537DA: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x54F3F2: PyEval_EvalCode (in /usr/bin/python3.7)
==31128==    by 0x6313D1: ??? (in /usr/bin/python3.7)
==31128==    by 0x631486: PyRun_FileExFlags (in /usr/bin/python3.7)
==31128==    by 0x6320EE: PyRun_SimpleFileExFlags (in /usr/bin/python3.7)
==31128==    by 0x653EED: ??? (in /usr/bin/python3.7)
==31128==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==31128==    by 0x4ACB09A: (below main) (libc-start.c:308)
==31128==  Address 0x5b21020 is 32,208 bytes inside a block of size 32,801 free'd
==31128==    at 0x4835259: realloc (vg_replace_malloc.c:834)
==31128==    by 0x5A49AB: PyObject_Realloc (in /usr/bin/python3.7)
==31128==    by 0x5DD8FB: _PyBytes_Resize (in /usr/bin/python3.7)
==31128==    by 0x4F53BC: ??? (in /usr/bin/python3.7)
==31128==    by 0x5D9A22: _PyMethodDef_RawFastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54C75F: ??? (in /usr/bin/python3.7)
==31128==    by 0x5537DA: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54FA9B: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x5DA6E1: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54FA9B: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x5DA6E1: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54C61F: ??? (in /usr/bin/python3.7)
==31128==    by 0x5537DA: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x5DA3EB: _PyFunction_FastCallKeywords (in /usr/bin/python3.7)
==31128==    by 0x54F8FB: _PyEval_EvalFrameDefault (in /usr/bin/python3.7)
==31128==    by 0x54D0A1: _PyEval_EvalCodeWithName (in /usr/bin/python3.7)
==31128==    by 0x54F3F2: PyEval_EvalCode (in /usr/bin/python3.7)
==31128==    by 0x6313D1: ??? (in /usr/bin/python3.7)
==31128==    by 0x631486: PyRun_FileExFlags (in /usr/bin/python3.7)
==31128==    by 0x6320EE: PyRun_SimpleFileExFlags (in /usr/bin/python3.7)
==31128==    by 0x653EED: ??? (in /usr/bin/python3.7)
==31128==    by 0x65424D: _Py_UnixMain (in /usr/bin/python3.7)
==31128==    by 0x4ACB09A: (below main) (libc-start.c:308)
==31128==  Block was alloc'd at
==31128==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
==31128==    by 0x5DE3AA: PyBytes_FromStringAndSize (in /usr/bin/python3.7)
==31128==    by 0x4F5375: ??? (in /usr/bin/python3.7)
==31128==    by 0x5D9A22: _PyMethodDef_RawFastCallKeywords (in
[issue38033] Use After Free: PyObject_Free
Chiaki Ishikawa added the comment:

PyMem_Free and PyMem_Realloc also suffer from a similar "Use After Free" issue.

The standard version of the Python 3.7 interpreter does not seem to have debug symbols, and so I installed a debug version of it. Now it seems to have shadow symbols for inlined functions, so that we can now learn the line numbers of the functions where the problem occurs in more detail.

I am attaching the valgrind log excerpts for PyObj_Free, PyObj_Realloc, PyMem_Free, PyMem_Realloc, etc.

Sorry for the piecemeal reporting. The earlier messages swamp the log very verbosely, and so I had to disable the reporting one by one.

PS: There seem to be cases where the result of reading an uninitialized value is used for conditional testing, too.

--
Added file: https://bugs.python.org/file48593/PyMem_Free.txt
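An added triage helper, not part of this bug report and not CPython code: the Python below parses memcheck reports of the shape quoted in this thread and groups them by the function at the faulting access and by where the touched address lies relative to the block valgrind names (inside or after a freed block, or no address at all for uninitialised-value reports like the one in the PS). The sample log is constructed: its first two records condense the PyObject_Free and PyObject_Realloc reports above with their stacks shortened, and the third is a made-up "Conditional jump" record so the parser's no-address path is exercised. The practitioner's point of such grouping: when every report's top frame is a pymalloc entry point (PyObject_Free, PyObject_Realloc, PyMem_Free, PyMem_Realloc), the next step is to re-run with the environment variable PYTHONMALLOC=malloc (Python 3.6 and later), which routes all allocations to the C library's malloc, or with the suppression file CPython ships as Misc/valgrind-python.supp (or a build configured with --with-valgrind). CPython's Misc/README.valgrind documents that pymalloc's address-range check reads memory it may not own and that valgrind reports this as invalid reads and as conditional jumps on uninitialised values; a report that survives the re-run without pymalloc is the one worth chasing as a genuine use-after-free.

```python
"""Group valgrind memcheck error reports for triage of a noisy log."""
import re
from collections import Counter, defaultdict

# Constructed sample: records 1 and 2 are condensed from the reports quoted in
# this thread (stacks shortened); record 3 is a made-up uninitialised-value
# report, which valgrind prints without an "Address ..." line.
SAMPLE_LOG = """\
==30354== Invalid read of size 4
==30354==    at 0x5A29FE: PyObject_Free (in /usr/bin/python3.7)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==    by 0x5BBBFF: PyDict_SetItem (in /usr/bin/python3.7)
==30354==  Address 0x4c8b020 is 16 bytes after a block of size 576 free'd
==30354==    at 0x4833FC0: free (vg_replace_malloc.c:538)
==30354==    by 0x5B7337: ??? (in /usr/bin/python3.7)
==30354==  Block was alloc'd at
==30354==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
==30354==    by 0x5A4B16: PyObject_Malloc (in /usr/bin/python3.7)
==30354==
==31128== Invalid read of size 4
==31128==    at 0x5A48CA: PyObject_Realloc (in /usr/bin/python3.7)
==31128==    by 0x5DD8FB: _PyBytes_Resize (in /usr/bin/python3.7)
==31128==  Address 0x5b21020 is 32,208 bytes inside a block of size 32,801 free'd
==31128==    at 0x4835259: realloc (vg_replace_malloc.c:834)
==31128==    by 0x5A49AB: PyObject_Realloc (in /usr/bin/python3.7)
==31128==  Block was alloc'd at
==31128==    at 0x4832E13: malloc (vg_replace_malloc.c:307)
==31128==    by 0x5DE3AA: PyBytes_FromStringAndSize (in /usr/bin/python3.7)
==31128==
==31128== Conditional jump or move depends on uninitialised value(s)
==31128==    at 0x5A4900: PyObject_Realloc (in /usr/bin/python3.7)
==31128==    by 0x5DD8FB: _PyBytes_Resize (in /usr/bin/python3.7)
==31128==
"""

# One line each: report header, stack frame, address line, end-of-record blank.
HEADER = re.compile(
    r"^==(?P<pid>\d+)== (?P<kind>Invalid (?:read|write) of size \d+"
    r"|Conditional jump or move depends on uninitialised value\(s\)"
    r"|Use of uninitialised value of size \d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>.+?) \((?P<loc>[^)]*)\)$")
ADDRESS = re.compile(
    r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (?P<dist>[\d,]+) bytes "
    r"(?P<rel>inside|before|after) a block of size (?P<size>[\d,]+) (?P<state>free'd|alloc'd)$")
BLANK = re.compile(r"^==\d+==\s*$")

# pymalloc entry points named in this thread; used to flag allocator-internal reports.
ALLOCATOR_ENTRY_POINTS = {"PyObject_Free", "PyObject_Realloc", "PyMem_Free", "PyMem_Realloc"}


def parse_memcheck(text):
    """Split a memcheck log into records: kind, stack at the faulting access
    (error_stack), stack of the free/realloc that released the block
    (block_stack), and the parsed Address line (None when valgrind printed none)."""
    records, current, section = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"pid": int(m["pid"]), "kind": m["kind"],
                       "error_stack": [], "block_stack": [], "address": None}
            records.append(current)
            section = "error_stack"
            continue
        if current is None:
            continue
        if BLANK.match(line):          # blank ==pid== line closes the record
            current = None
            continue
        m = ADDRESS.match(line)
        if m:
            current["address"] = {"distance": int(m["dist"].replace(",", "")),
                                  "relation": m["rel"],
                                  "size": int(m["size"].replace(",", "")),
                                  "state": m["state"]}
            section = "block_stack"    # frames that follow describe the free/realloc
            continue
        if "Block was alloc'd at" in line:
            section = None             # allocation stack is not needed for grouping
            continue
        m = FRAME.match(line)
        if m and section:
            current[section].append(m["func"])
    return records


def access_site(record):
    """Function at the top of the faulting stack."""
    return record["error_stack"][0] if record["error_stack"] else "<no stack>"


def locate(record):
    """Where the touched address lies: e.g. "after free'd block"."""
    a = record["address"]
    return "no-address" if a is None else f"{a['relation']} {a['state']} block"


def summarize(records):
    """{access site: {location: count}}, the view that shows whether the noise
    all comes from the allocator itself."""
    groups = defaultdict(Counter)
    for r in records:
        groups[access_site(r)][locate(r)] += 1
    return {site: dict(c) for site, c in groups.items()}


def all_in_allocator(records):
    """True when every report's top frame is a pymalloc entry point, the cue
    to re-run with PYTHONMALLOC=malloc or the CPython suppression file."""
    return all(access_site(r) in ALLOCATOR_ENTRY_POINTS for r in records)


if __name__ == "__main__":
    recs = parse_memcheck(SAMPLE_LOG)
    print(summarize(recs))
    print("all reports originate in pymalloc:", all_in_allocator(recs))
```

On a real log, feed the whole file to parse_memcheck; the summary is what to compare between the default run and the PYTHONMALLOC=malloc run.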
[issue38033] Use After Free: PyObject_Free
Chiaki Ishikawa added the comment:

I found that the inlined functions are used by other functions and resulted in similar issues. Once obmalloc.c is fixed, I think such problems are automatically fixed.

--