[issue27537] Segfault Via Resource Exhaustion
New submission from pablo sacristan:

The code is very simple:

    import sys
    sys.setrecursionlimit(1<<20)
    test=lambda test:test(test)
    test(test)

It basically works by changing the recursion limit and then starting an infinite recursion; this quickly gives a segfault. This can be used to crash python.

--
messages: 270611
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Segfault Via Resource Exhaustion
versions: Python 2.7

___
Python tracker <http://bugs.python.org/issue27537>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
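An added example, not from the report or from CPython, showing the defensive side of the recursion limit: left at its default, runaway recursion surfaces as a catchable RecursionError instead of exhausting the C stack, and deep work is restructured onto a loop rather than unlocked by raising the limit. The helper names and the nested-list input are assumed.

```python
import sys


def make_nested(depth):
    """Build a list nested `depth` levels deep (constructed test input)."""
    value = None
    for _ in range(depth):
        value = [value]
    return value


def depth_recursive(value):
    """Natural recursive walk: one interpreter frame per nesting level."""
    if not isinstance(value, list):
        return 0
    return 1 + depth_recursive(value[0])


def depth_iterative(value):
    """Same result with a loop: bounded by memory, not by the C stack."""
    depth = 0
    while isinstance(value, list):
        value = value[0]
        depth += 1
    return depth


def depth_guarded(value):
    """Try the recursive walk under the interpreter's current limit and fall
    back to the loop when the guardrail fires. Because the limit was never
    raised, the failure is a Python exception, not a stack overflow."""
    try:
        return depth_recursive(value), "recursive"
    except RecursionError:
        return depth_iterative(value), "iterative-fallback"


if __name__ == "__main__":
    print("recursion limit:", sys.getrecursionlimit())
    print(depth_guarded(make_nested(50)))
    print(depth_guarded(make_nested(5000)))
```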
[issue27538] Segfault on error in code object checking
New submission from pablo sacristan:

The code is also simple on this one:

    from types import CodeType as code
    exec code(0, 2, 3, 0, "lol lolol", (), (), (), "", "", 0, "")

The interpreter isn't checking if the code object is correct; therefore it is possible to segfault by putting wrong opcodes and more.

--
messages: 270612
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Segfault on error in code object checking
versions: Python 2.7

___
Python tracker <http://bugs.python.org/issue27538>
[issue27538] Segfault on error in code object checking
pablo sacristan added the comment:

I can also reproduce on 3.5 and on 3.4. Thank you.

--
versions: +Python 3.4, Python 3.5

___
Python tracker <http://bugs.python.org/issue27538>
[issue27538] Segfault on error in code object checking
pablo sacristan added the comment:

I do agree it is not a very big problem, but it is still a problem. If a python program (maybe an HTTP server) took user input (POST values) and constructed a code object with that input, it would be possible to crash it, and that can be bad for the web application. Even though it is not the most important Python problem, it is still a problem which can cause moderate problems, and it can be exploited remotely if the HTTP server did what I said before. One vulnerable HTTP server is one too many ;)

Hope it helps :)

--
resolution: wont fix -> remind
status: closed -> open

___
Python tracker <http://bugs.python.org/issue27538>
[issue27538] Segfault on error in code object checking
pablo sacristan added the comment:

Yes, but it is possible to blacklist some bytecode (it may be possible to blacklist all or almost all malicious bytecode), and even more so, if the attacker just wants to crash the target, then the segfault would be an easy crash. It is still an attack scenario that is possible.

Hope it helps :)

--

___
Python tracker <http://bugs.python.org/issue27538>
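The safer alternative to blacklisting bytecode, as an added example that is not from the report or from CPython: an application that must evaluate user-supplied text (the POST-value scenario above) never builds a code object from it; it parses the text to an AST and whitelists the few node types it needs, with caps on length, nesting and value size. The caps and function names are assumed.

```python
import ast
import operator

# Whitelist: integer arithmetic only. No names, calls, attributes, subscripts,
# and no Pow, whose result size is unbounded. The caps are assumed values.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_LENGTH = 200       # characters of source text
MAX_DEPTH = 20         # nesting of the expression tree
MAX_ABS = 10 ** 18     # magnitude of any intermediate or final value


def safe_eval(expr):
    """Evaluate untrusted arithmetic text without ever building a code object."""
    if not isinstance(expr, str) or len(expr) > MAX_LENGTH:
        raise ValueError("expression too long or not text")
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, RecursionError, MemoryError) as exc:
        raise ValueError("not a valid expression") from exc
    return _eval(tree.body, 0)


def _bounded(value):
    if abs(value) > MAX_ABS:
        raise ValueError("value out of range")
    return value


def _eval(node, depth):
    if depth > MAX_DEPTH:
        raise ValueError("expression nested too deeply")
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return _bounded(node.value)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _bounded(_UNARY_OPS[type(node.op)](_eval(node.operand, depth + 1)))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval(node.left, depth + 1)
        right = _eval(node.right, depth + 1)
        try:
            return _bounded(_BIN_OPS[type(node.op)](left, right))
        except ZeroDivisionError:
            raise ValueError("division by zero") from None
    # Anything else (Name, Call, Attribute, Pow, strings, ...) is rejected.
    raise ValueError("disallowed syntax: " + type(node).__name__)


if __name__ == "__main__":
    for text in ("1 + 2 * 3", "-(4 // 2) % 5", "__import__('os')", "2 ** 100"):
        try:
            print(text, "=", safe_eval(text))
        except ValueError as err:
            print(text, "rejected:", err)
```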
[issue27547] Integer Overflow Crash On float(array.array())
New submission from pablo sacristan:

There is an integer overflow because python doesn't check the length as it does with bytearray() and it still goes on, so by doing something like:

    >>> import array
    >>> float(array.array("L",b"a"*0xFFF+10**80))

It returns:

    Python(2179,0x7fff7ad6a000) malloc: *** mach_vm_map(size=1152921504606851072) failed (error code=3)
    *** error: can't allocate region
    *** set a breakpoint in malloc_error_break to debug

And then it just crashes. Or you can skip the error and just do:

    >>> import array
    >>> float(array.array("L",b"a"*0xFFF**100**8))

That will just make python freeze until you restart it, which is as good as crashed. The file would be:

    import array
    float(array.array("L",b"a"*0xFFF**100**8))

Hope it helps ;)

--
messages: 270700
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer Overflow Crash On float(array.array())
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27547>
[issue27549] Integer Overflow Crash On bytearray()
New submission from pablo sacristan:

There is an integer overflow because python doesn't check the length correctly on bytearray:

    bytearray(0xFFF**100**8)

That will not return an overflow message, and even though my hex knowledge is very bad I do believe 0xFFF**100**8 is more than 0x which does return an overflow message.

Hope it helps ;)

--
messages: 270703
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer Overflow Crash On bytearray()
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27549>
[issue27548] Integer Overflow On bin()
New submission from pablo sacristan:

There is an integer overflow in bin() because python incorrectly checks the length of the input in bin().

    bin(0xFFF+10**80)

That line will freeze python until you restart it, which basically is a crash because python stops working completely.

Hope it helps ;)

--
messages: 270702
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer Overflow On bin()
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27548>
[issue27551] Integer Overflow On print()
New submission from pablo sacristan:

There is an integer overflow because python doesn't check the length correctly on print() statements:

    print(0xFFF**100**8)

That will overflow and python would stop working, so it would be as good as crashed :)

Hope it helps ;)

--
messages: 270705
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer Overflow On print()
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27551>
[issue27550] Integer Overflow Crash On Arithmetic Operations
New submission from pablo sacristan:

There is an integer overflow because python doesn't check the length correctly on arithmetic operations:

    0xFFF**100**8

Just that line will freeze python, no overflow message appears, no memory error, and python basically crashes because it just stops working.

Hope it helps ;)

--
messages: 270704
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer Overflow Crash On Arithmetic Operations
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27550>
[issue27552] Integer Overflow On min()
New submission from pablo sacristan:

There is an integer overflow on min() statements because python incorrectly checks the length to put the overflow message, so it is possible to overflow min():

    min(0xFFF+10**80)

That line freezes python until you restart it, which is basically as if you were crashing it; the effect is the same, python stops working.

Hope it helps ;)

--
messages: 270706
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer Overflow On min()
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27552>
[issue27553] Integer Overflow On unicode()
New submission from pablo sacristan:

There is an integer overflow in unicode() because python incorrectly checks the length of unicode():

    unicode(0xFFF+10**80)

That freezes python until you restart it, which is basically the same effect as crashing python.

Hope it helps ;)

--
messages: 270707
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer Overflow On unicode()
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27553>
[issue27554] Integer Overflow On dir()
New submission from pablo sacristan:

There is an integer overflow in dir():

    dir(0xFFF+10**80)

That line will freeze python until you restart it, which makes it have the same effect as a crash.

Hope it helps ;)

--
messages: 270708
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer Overflow On dir()
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27554>
[issue27555] Integer Overflow on oct()
New submission from pablo sacristan:

There is an integer overflow on oct() because of incorrectly checking the length.

    oct(0xFFF+10**80)

That line will freeze python until you restart it, which is as good as crashed.

Hope it helps ;)

--
messages: 270709
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer Overflow on oct()
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27555>
[issue27556] Integer overflow on hex()
New submission from pablo sacristan:

There is an integer overflow on hex() because python incorrectly checks the length of the value to return an overflow message if it were too big.

    hex(0xFFF+10**80)

That line will freeze python until you restart it, which is the same thing as crashing python.

Hope it helps ;)

--
messages: 270710
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer overflow on hex()

___
Python tracker <http://bugs.python.org/issue27556>
[issue27557] Integer Overflow on int()
New submission from pablo sacristan:

There is an integer overflow on int() because python incorrectly checks the length of the input.

    int(0xFFF+10**80)

That line of code will freeze python until you restart it, which is as annoying as if python had crashed.

Hope it helps ;)

--
messages: 270711
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Integer Overflow on int()
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27557>
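For the exponentiation reports in this series (0xFFF**100**8 is an integer of roughly 12 * 10**16 bits, far more than can be computed or stored), and for the conversions to decimal text in print()/int(), an added example, not part of any of these reports, of bounding the size of a result before evaluating it: the bit length of a power can be bounded from the operands alone, and the digit count of a decimal conversion from the bit length. The caps and function names are assumed.

```python
# Assumed caps; an application would size these to its own needs.
MAX_RESULT_BITS = 1 << 16      # refuse results wider than 64 Kibit
MAX_DECIMAL_DIGITS = 4300      # same default Python 3.11+ applies to int<->str


def bounded_pow(base, exp, max_bits=MAX_RESULT_BITS):
    """Compute base ** exp only if the result is provably small.

    |base| < 2**b with b = base.bit_length(), so |base ** exp| < 2**(b * exp):
    b * exp is an upper bound on the result's bit length and is cheap to
    compute even when exp itself is huge (e.g. 100 ** 8)."""
    if not isinstance(base, int) or not isinstance(exp, int):
        raise TypeError("integer operands only")
    if exp < 0:
        raise ValueError("negative exponents are not supported")
    if exp == 0 or base in (0, 1, -1):
        return base ** exp            # result is always -1, 0 or 1
    bound = abs(base).bit_length() * exp
    if bound > max_bits:
        raise ValueError("result could need %d bits (limit %d)" % (bound, max_bits))
    return base ** exp


def bounded_str(n, max_digits=MAX_DECIMAL_DIGITS):
    """Convert to decimal text only if the digit count is within the cap.

    digits(n) <= floor(bits * log10(2)) + 1, and 0.30103 slightly exceeds
    log10(2), so the integer estimate below never under-counts."""
    bits = abs(n).bit_length()
    estimate = bits * 30103 // 100000 + 1
    if estimate > max_digits:
        raise ValueError("about %d digits (limit %d)" % (estimate, max_digits))
    return str(n)


if __name__ == "__main__":
    print(bounded_pow(0xFFF, 3))
    print(bounded_str(2 ** 200))
    for call in (lambda: bounded_pow(0xFFF, 100 ** 8),
                 lambda: bounded_str(2 ** 15000)):
        try:
            call()
        except ValueError as err:
            print("refused:", err)
```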
[issue27559] Crash On bytearray()
New submission from pablo sacristan:

There is a crash on bytearray(), not really a crash but rather the process gets killed by the kernel, but that is a crash, and the keyboard interrupt stops working while bytearray is working, so you can either restart python or wait for python to get killed by the kernel. The biggest problem is that while bytearray() is trying to do something, you can't interrupt it; it just doesn't work for some reason. This should be enough for bytearray to crash:

    bytearray(0xFF)

It crashes after some time with a "Killed: 9" error.

Hope it helps ;)

--
messages: 270731
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Crash On bytearray()
versions: Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27559>
[issue27560] zlib.compress() crash and keyboard interrupt stops working
New submission from pablo sacristan:

zlib.compress crashes when you put a lot of stuff into it, and even when you try keyboard interrupts it doesn't work for some reason, and Python gets killed because trying to compress so much data gets the Python process killed by the kernel. If you put a large amount of data in it will get killed quicker. A problem is that keyboard interrupts stop working while the program is running, which is usually around 5 - 15 seconds during which python stops working (including interrupts) until it gets killed by the kernel. This may be used to crash python remotely if a server takes user input and runs it through

    zlib.compress(b'variable' * 2**32)

which is not very likely. You probably should set a limit for what you compress and how much it is.

The output is:

    Killed: 9

Even though you try doing keyboard interrupt it doesn't work.

--
files: crash.py
messages: 270732
nosy: pabstersac
priority: normal
severity: normal
status: open
title: zlib.compress() crash and keyboard interrupt stops working
Added file: http://bugs.python.org/file43774/crash.py

___
Python tracker <http://bugs.python.org/issue27560>
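An added example of the limit the report suggests; it is not the report's crash.py and not CPython's own API. The input size is checked before anything is allocated, the data is fed through a compressobj in fixed chunks so control returns to Python between calls and KeyboardInterrupt can be delivered (one huge C-level call cannot be interrupted), and the produced output is capped as it accumulates. The caps, chunk size and function names are assumed.

```python
import zlib

# Assumed caps for caller-supplied data; size them to the application.
MAX_INPUT_BYTES = 16 * 1024 * 1024
MAX_OUTPUT_BYTES = 32 * 1024 * 1024
CHUNK = 64 * 1024


def compress_bounded(data, max_input=MAX_INPUT_BYTES,
                     max_output=MAX_OUTPUT_BYTES, chunk=CHUNK):
    """zlib-compress `data` with three guards that a bare zlib.compress() lacks:
    an up-front input cap, chunked feeding so signals are serviced between
    chunks, and a running cap on the compressed output."""
    if len(data) > max_input:
        raise ValueError("input is %d bytes, limit is %d" % (len(data), max_input))
    compressor = zlib.compressobj(level=6)
    parts = []
    produced = 0
    view = memoryview(data)
    for start in range(0, len(view), chunk):
        # Each compress() call is short, so Ctrl-C lands between calls.
        piece = compressor.compress(view[start:start + chunk])
        produced += len(piece)
        if produced > max_output:
            raise ValueError("compressed output exceeds %d bytes" % max_output)
        parts.append(piece)
    tail = compressor.flush()
    if produced + len(tail) > max_output:
        raise ValueError("compressed output exceeds %d bytes" % max_output)
    parts.append(tail)
    return b"".join(parts)


def roundtrip_ok(data, **limits):
    """Check helper: compress under the given limits, decompress, compare."""
    return zlib.decompress(compress_bounded(data, **limits)) == data


if __name__ == "__main__":
    sample = b"variable" * 4096          # constructed input, 32 KiB
    print(len(sample), "->", len(compress_bounded(sample)), "bytes")
    print("roundtrip:", roundtrip_ok(sample, chunk=1000))
    try:
        compress_bounded(b"x" * 100, max_input=50)
    except ValueError as err:
        print("refused:", err)
```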
[issue27559] Crash On bytearray()
pablo sacristan added the comment:

I know, but then shouldn't you try limiting the amount of data it allocates? Or maybe allow for keyboard interrupts to be used while it is going on, because keyboard interrupts weren't working while it was working.

--
resolution: not a bug -> remind

___
Python tracker <http://bugs.python.org/issue27559>
[issue27560] zlib.compress() crash and keyboard interrupt stops working
pablo sacristan added the comment:

I'd like to but I don't have enough memory either, sorry.

--
versions: +Python 3.5, Python 3.6

___
Python tracker <http://bugs.python.org/issue27560>
[issue26508] Infinite crash leading to DoS
New submission from pablo sacristan:

    import ctypes, struct, sys, os
    while 1:
        os.system('python /Users/pabstersac/Desktop/Python\ Files/crash.py') #Change to your full path to the file
        inner = ()
        outer = (inner,)
        c_outer = (ctypes.c_char * sys.getsizeof(outer)).from_address(id(outer))
        inner_index = c_outer[:].find(struct.pack('P', id(inner)))
        c_outer[inner_index:inner_index+struct.calcsize('P')] = struct.pack('P', id(outer))
        print outer #construct and print a self-referencing tuple

Run it and wait around 10 sec for it to happen, but once it starts you will be forced to shut it down because it will keep on crashing infinitely, which is extremely annoying, and even while it says it crashed it still runs and keeps on running infinitely; if you do this to an unsuspecting victim, they will probably shut down the computer directly.

There are basically two problems here: the way you construct and then print a self-referencing tuple, and the way you handle it when it is put in an infinite loop with itself calling its own file (if you wait long enough you will see the effect gets quicker every second; it goes up exponentially) and you don't stop it correctly.

--
files: crash.py
messages: 261319
nosy: pabstersac
priority: normal
severity: normal
status: open
title: Infinite crash leading to DoS
type: security
Added file: http://bugs.python.org/file42088/crash.py

___
Python tracker <http://bugs.python.org/issue26508>
[issue26508] Infinite crash leading to DoS
pablo sacristan added the comment:

Then it is no bug that it crashes python? You don't have to put it in a loop, but by looping it I am adding the part that makes it take more time but will keep on crashing infinitely; take away the while loop but not what it has inside, and then also delete the os.system(), and you get python to crash once. Is a crash not a bug?

--
resolution: not a bug -> works for me

___
Python tracker <http://bugs.python.org/issue26508>
[issue26508] Infinite crash leading to DoS
pablo sacristan added the comment:

New content for crash.py:

    import ctypes, struct, sys, os
    inner = ()
    outer = (inner,)
    c_outer = (ctypes.c_char * sys.getsizeof(outer)).from_address(id(outer))
    inner_index = c_outer[:].find(struct.pack('P', id(inner)))
    c_outer[inner_index:inner_index+struct.calcsize('P')] = struct.pack('P', id(outer))
    print outer

--

___
Python tracker <http://bugs.python.org/issue26508>
[issue26508] Infinite crash leading to DoS
Changes by pablo sacristan:

--
status: closed -> open

___
Python tracker <http://bugs.python.org/issue26508>