[issue27291] two heap corruption issues
New submission from Park Alex:

Hello, I would like to report two heap corruption issues.

Test environment:
python version: python 2.7.11+
hg id: d858eadf2602 (2.7)
compile: clang with ASAN
OS: ubuntu x86_64

One is heap-buffer-overflow, the other is heap-use-after-free. All of the samples are attached in this bug report.

Thanks,
-- Alex

In detail,

1) heap-buffer-overflow bug could be triggered at cpython/Python/ceval.c:1229

ASAN report is following:
=
==26786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x77ec56e8 at pc 0x5ec87f bp 0x7fffd2d0 sp 0x7fffd2c8
READ of size 8 at 0x77ec56e8 thread T0
    #0 0x5ec87e in PyEval_EvalFrameEx /project/cpython/Python/ceval.c:1229
    #1 0x5d3c6c in PyEval_EvalCodeEx /project/cpython/Python/ceval.c:3582
    #2 0x5d2b11 in PyEval_EvalCode /project/cpython/Python/ceval.c:669
    #3 0x6612d9 in run_pyc_file /project/cpython/Python/pythonrun.c:1406
    #4 0x6612d9 in PyRun_SimpleFileExFlags /project/cpython/Python/pythonrun.c:946
    #5 0x48e3dc in Py_Main /project/cpython/Modules/main.c:640
    #6 0x76ce282f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x48c518 in _start (/project/cpython/python.asan+0x48c518)

0x77ec56e8 is located 280 bytes to the left of 196608-byte region [0x77ec5800,0x77ef5800)
allocated by thread T0 here:
    #0 0x476429 in __interceptor_malloc /project/clang-3.4/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x50e969 in dictresize /project/cpython/Objects/dictobject.c:643
    #2 0x537844 in PyString_InternInPlace /project/cpython/Objects/stringobject.c:4757

SUMMARY: AddressSanitizer: heap-buffer-overflow /project/cpython/Python/ceval.c:1229 PyEval_EvalFrameEx
==26786==ABORTING

2) heap-use-after-free bug could be triggered at cpython/Objects/dictobject.c:732

ASAN report is following:
=
==26918==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0ef98 at pc 0x50f5ac bp 0x7fffa1d0 sp 0x7fffa1c8
READ of size 8 at 0x60f0ef98 thread T0
    #0 0x50f5ab in PyDict_GetItem /project/cpython/Objects/dictobject.c:732
    #1 0x537792 in PyString_InternInPlace /project/cpython/Objects/stringobject.c:4750
    #2 0x64fad5 in r_object /project/cpython/Python/marshal.c:822
    #3 0x650d00 in r_object /project/cpython/Python/marshal.c:1037
    #4 0x64edf6 in r_object /project/cpython/Python/marshal.c:886
    #5 0x650c1b in r_object /project/cpython/Python/marshal.c:1019
    #6 0x64e1b1 in PyMarshal_ReadObjectFromString /project/cpython/Python/marshal.c:1183
    #7 0x64e1b1 in PyMarshal_ReadLastObjectFromFile /project/cpython/Python/marshal.c:1144
    #8 0x6429c1 in read_compiled_module /project/cpython/Python/import.c:823
    #9 0x6429c1 in load_source_module /project/cpython/Python/import.c:1094
    #10 0x644cda in import_submodule /project/cpython/Python/import.c:2722
    #11 0x643e81 in load_next /project/cpython/Python/import.c:2537
    #12 0x63e061 in import_module_level /project/cpython/Python/import.c:2254
    #13 0x63e061 in PyImport_ImportModuleLevel /project/cpython/Python/import.c:2310
    #14 0x5c4e1a in builtin___import__ /project/cpython/Python/bltinmodule.c:49
    #15 0x5e2535 in do_call /project/cpython/Python/ceval.c:4564
    #16 0x5e2535 in call_function /project/cpython/Python/ceval.c:4372
    #17 0x5e2535 in PyEval_EvalFrameEx /project/cpython/Python/ceval.c:2987
    #18 0x5d3c6c in PyEval_EvalCodeEx /project/cpython/Python/ceval.c:3582
    #19 0x7237f3 in function_call /project/cpython/Objects/funcobject.c:523
[issue27291] two heap corruption issues
Park Alex added the comment:

All of the .pyc files had been altered by a fuzzer. The original py code is following:

$ cat helloworld.py
# Python 2 source that was compiled to helloworld.pyc and then fuzzed
def hello(s=0x4142434445464748):
    print s
    if type(s) == str:
        print s.encode('hex')
        print repr(s)
    else:
        s = str(s)
    # exercise a handful of binary and comparison opcodes on the length
    print len(s) << 8, len(s) ^ 8, len(s) | 8, len(s) & 8, len(s) == 8, len(s) <= 8, len(s) >= 8
    x = __import__("sys")
    #for k, v in x.__dict__.items():
    #if hasattr(v, '__subclasses__') == True:
    #cmd = "Subclasses:", (v.__class__.__base__.__subclasses__()[11].__init__.__str__())
    return 0x5152535455565758 == max(s, abs(len(s)) % 0x1234)

H = 'A'*128
hello(H.encode('base64'))
hello()

Plus, python compiled with ASAN generated the .pyc code. After that, the fuzzer found a few crashes. Here is some diff information between the original pyc and the fuzzed pyc.

file: poc_heap-buffer-overflow.pyc
cmp -bl helloworld.pyc poc_heap-buffer-overflow.pyc | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$4)}'
0010 00 03
0012 03 00
0026 01 00
0027 00 F7
006A 06 EE
006B 00 FF
006C 00 FF
006D 00 FF
0129 01 FE
012A 00 FF
012B 64 00
012C 04 00
01F0 6C DB
01FD 6C 49

file: poc_heap-use-after-free.pyc
cmp -bl helloworld.pyc poc_heap-use-after-free.pyc | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$4)}'
006A 06 D0
006B 00 FF
006C 00 FF
006D 00 FF
0129 01 EB
012A 00 FF
012B 64 00
012C 04 00
01F0 6C DB
01FD 6C 49
026F 6C 7D

Thanks,
-- Alex

--
___ Python tracker <http://bugs.python.org/issue27291> ___
___ Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
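An added example, not part of the report or of CPython, in Python 3: it reproduces the reporter's cmp -bl | gawk byte diff on a constructed pair of files and adds the two header checks the 2.7 importer performs (magic number and source mtime), to show that such checks say nothing about a mutated marshalled body, which is where every offset in the report lands. The sample bytes and SOURCE_MTIME are constructed; the 2.7 magic value 62211 is the real one.

```python
import struct

# Python 2.7 .pyc layout (the version the reporter fuzzed): a 4-byte magic
# (62211 as little-endian 16-bit, then "\r\n"), a 4-byte little-endian source
# mtime, and then the marshalled code object. Offsets below 8 are the header.
PY27_MAGIC = struct.pack("<H", 62211) + b"\r\n"


def byte_diff(original, mutated):
    """Byte-level diff in the spirit of the reporter's cmp -bl | gawk pipeline.
    Returns [(offset, original_byte, mutated_byte)]; a side that is shorter
    than the other reports None for the missing byte."""
    diffs = []
    for off in range(max(len(original), len(mutated))):
        a = original[off] if off < len(original) else None
        b = mutated[off] if off < len(mutated) else None
        if a != b:
            diffs.append((off, a, b))
    return diffs


def format_diff(diffs):
    """Render like the gawk output: '%08X %02X %02X' per differing offset."""
    fmt = lambda v: "--" if v is None else "%02X" % v
    return ["%08X %s %s" % (off, fmt(a), fmt(b)) for off, a, b in diffs]


def check_pyc_header(data, source_mtime):
    """The header checks the 2.7 importer performs: magic and source mtime.
    Returns 'ok' or a reason. It cannot detect a corrupted marshalled body,
    so a fuzzed body is loaded exactly like a trusted one."""
    if len(data) < 8:
        return "truncated header"
    if data[:4] != PY27_MAGIC:
        return "bad magic"
    if struct.unpack("<I", data[4:8])[0] != (source_mtime & 0xFFFFFFFF):
        return "stale mtime"
    return "ok"


# Constructed sample (not the attached PoC files): a fake 2.7 pyc with a
# 24-byte placeholder body, and a copy with three body bytes mutated.
SOURCE_MTIME = 1465000000  # constructed value
GOOD_PYC = PY27_MAGIC + struct.pack("<I", SOURCE_MTIME) + bytes(range(0x63, 0x63 + 24))
_bad = bytearray(GOOD_PYC)
_bad[0x10] ^= 0x03
_bad[0x12] = 0x00
_bad[0x1F] = 0xFF
BAD_PYC = bytes(_bad)
```

Running `format_diff(byte_diff(GOOD_PYC, BAD_PYC))` prints the three mutated offsets in the reporter's format, while `check_pyc_header(BAD_PYC, SOURCE_MTIME)` still answers "ok".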
[issue27291] two heap corruption issues when running modified pyc code.
Park Alex added the comment:

I totally agree with your opinion. So I hesitated before reporting the issue. (I thought) it's kind of a case where we have a different point of view. As far as I can tell, python could be corrupted with .pyc, like heap-use-after-free, buffer overrun and so on. Again, I agree with your comment below:

"If you are able to execute untrusted .pyc, you can already execute arbitrary code, no?"

I don't want to bother you guys, I respect python-dev as always.

Thanks,
-- Alex
[issue27291] two heap corruption issues when running modified pyc code.
Park Alex added the comment:

Oops, I cannot modify a reply even though I wrote it; I want to fix a tiny typo. I don't want to bother you guys, I respect python-dev as always.

Thanks,
-- Alex