New submission from paul:

# _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
# ...
#     while (pos > startpos){
#         parentpos = (pos - 1) >> 1;
#         parent = PyList_GET_ITEM(heap, parentpos);
# 1       cmp = PyObject_RichCompareBool(newitem, parent, Py_LT);
# ...
# 2       if (size != PyList_GET_SIZE(heap)) {
#             Py_DECREF(newitem);
#             PyErr_SetString(PyExc_RuntimeError,
#                             "list changed size during iteration");
#             return -1;
#         }
#         if (cmp == 0)
# 3           break;
# ...
#     }
# 4   Py_DECREF(PyList_GET_ITEM(heap, pos));
# 5   PyList_SET_ITEM(heap, pos, newitem);
#
# 1. custom compare function replaces object at index "pos" with a fresh
#    instance with refcnt==1
# 2. check is ineffective, since mutation was done without altering size
# 3. break out of the loop
# 4. refcnt drops to 0 and __del__ method is called. Destructor clears the heap
# 5. SET_ITEM doesn't do any bounds checking and does a wild write.
#
# "pos" is under our control and is restricted only by the amount of free
# memory. pos==X requires heap of size X-1.
#
# gX global var is necessary. Without it, python crashes in debug checks inside
# Py_ForgetReference. Seems like clearing L puts objects in a bad state.
#
# GDB
# ---
# Program received signal SIGSEGV, Segmentation fault.
# 0x4002ed73 in _siftdown (heap=0x4058edfc, startpos=0, pos=112233) at /home/p/Python-3.4.1/Modules/_heapqmodule.c:58
# 58          PyList_SET_ITEM(heap, pos, newitem);
# (gdb) print *heap
# $1 = {ob_base = {ob_base = {_ob_next = 0x405913f4, _ob_prev = 0x4058ee6c, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>},
#     ob_size = 0}, ob_item = 0x0, allocated = 0}
# (gdb) print pos
# $2 = 112233
----------
files: poc_siftdown2.py
messages: 242317
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free in siftdown (2)
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file39251/poc_siftdown2.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24100>
_______________________________________
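The bug class in the report is general: an algorithm caches items taken from a list, calls back into user code (here `__lt__` via `PyObject_RichCompareBool`), and then keeps using the cached items even though the callback may have mutated the list. The size check at step 2 is not enough because a same-size replacement passes it. The following is an added example, written for this page and not the reporter's PoC nor CPython's eventual fix: a pure-Python sift-down (modelled on `heapq._siftdown`) that holds its own references across the comparison and, after the callback returns, re-validates both the size and the identity of the slots it compared before it writes anything back. The `AppendingKey` and `ReplacingKey` classes are constructed test doubles whose `__lt__` mutates the heap, used only to show that both kinds of mutation are detected and reported rather than acted on.

```python
"""Sift-down that re-validates the heap after every user-level comparison.

Added example for the _siftdown report; not CPython's code. Hardened
pattern: (a) keep a local reference to every object compared, for the
duration of the callback, and (b) after the callback returns, check that
the container still matches the assumptions made before the call.
"""


def siftdown_checked(heap, startpos, pos):
    """Move heap[pos] toward the root of a min-heap (like heapq._siftdown).

    Raises RuntimeError if a comparison mutated ``heap``, either by changing
    its size or by replacing one of the two slots that were just compared,
    instead of writing through stale state. Returns the final index.
    """
    size = len(heap)
    if not 0 <= pos < size:
        raise IndexError("index out of range")
    newitem = heap[pos]            # local reference survives any mutation of heap
    while pos > startpos:
        parentpos = (pos - 1) >> 1
        parent = heap[parentpos]   # local reference as well
        less = newitem < parent    # user code runs here; heap may be mutated
        # Re-validate everything cached before the callback was made.
        if len(heap) != size:
            raise RuntimeError("list changed size during iteration")
        if heap[pos] is not newitem or heap[parentpos] is not parent:
            raise RuntimeError("heap mutated during comparison")
        if not less:
            break
        heap[parentpos], heap[pos] = newitem, parent   # swap in place
        pos = parentpos
    return pos


class AppendingKey:
    """Constructed test double: __lt__ grows the heap (caught by size check)."""

    def __init__(self, heap):
        self.heap = heap

    def __lt__(self, other):
        self.heap.append(None)
        return True


class ReplacingKey:
    """Constructed test double: __lt__ replaces every slot with a fresh object
    while keeping len(heap) unchanged, so a size check alone would not notice
    (the same-size mutation pattern described in the report)."""

    def __init__(self, heap):
        self.heap = heap

    def __lt__(self, other):
        self.heap[:] = [object() for _ in range(len(self.heap))]
        return True


def demo_benign():
    """Ordinary push of a new minimum: returns (final index, heap contents)."""
    heap = [1, 3, 5, 7, 0]          # constructed input: 0 appended to a valid heap
    pos = siftdown_checked(heap, 0, len(heap) - 1)
    return pos, heap


def demo_detects(key_cls):
    """Push a mutating key and return the error message the checks produce."""
    heap = [1, 2, 3]
    heap.append(key_cls(heap))
    try:
        siftdown_checked(heap, 0, len(heap) - 1)
    except RuntimeError as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    print(demo_benign())
    print(demo_detects(AppendingKey))
    print(demo_detects(ReplacingKey))
```

The identity check is stricter than what a C implementation needs: re-reading the array slots after the comparison and swapping whatever is there now (rather than using the cached pointers) already avoids the dangling write. Raising instead makes the mutation visible, which is the behaviour a maintainer would want a regression test to pin down.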