New submission from zeroinside:

Hello, I found incorrect gc behavior in the xxlimited module. After an hour of investigation, I'm still not sure it's a security-related problem. I have partial control of the RBP register, depending on the memory layout.
GDB:

Starting program: /usr/bin/python3.6
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Python 3.6.0 (default, Jan 16 2017, 12:12:55)
[GCC 6.3.1 20170109] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import xxlimited
>>> a=xxlimited.new()
>>> del a

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73d612d in PyArena_Free () from /usr/lib/libpython3.6m.so.1.0
(gdb) info reg
rax            0x7ffff7457270      140737341911664
rbx            0x7ffff7f812b8      140737353618104
rcx            0x62aa00            6466048
rdx            0x7ffff7457270      140737341911664
rsi            0x1                 1
rdi            0x7ffff7f81300      140737353618176
rbp            0x500000a29         0x500000a29
rsp            0x7fffffffe210      0x7fffffffe210
r8             0x7ffff7f81000      140737353617408
r9             0x1c                28
r10            0x1b                27
r11            0x12300             74496
r12            0x7ffff7f812b8      140737353618104
r13            0x6fafd0            7319504
r14            0x7ffff3e7b570      140737285436784
r15            0x7ffff3e7b5a0      140737285436832
rip            0x7ffff73d612d      0x7ffff73d612d <PyArena_Free+29>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

root@/home/zeroinside/python/pyburst3.6/crash $ /usr/local/bin/python3.6 xlimited_poc.py
ASAN:DEADLYSIGNAL
=================================================================
==5082==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000557469 bp 0x0fe0603ea23d sp 0x7fff76e98c20 T0)
==5082==The signal is caused by a WRITE memory access.
==5082==Hint: address points to the zero page.
    #0 0x557468 in PyObject_GC_UnTrack /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9
    #1 0x66d0af in subtype_dealloc /home/zeroinside/Downloads/Python-3.6.0/Objects/typeobject.c:1133:5
    #2 0x61e557 in _PyDict_DelItem_KnownHash /home/zeroinside/Downloads/Python-3.6.0/Objects/dictobject.c:1641:5
    #3 0x7970c0 in _PyEval_EvalFrameDefault /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:2187:19
    #4 0x7aef44 in PyEval_EvalFrameEx /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:718:12
    #5 0x7aef44 in _PyEval_EvalCodeWithName /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:4119
    #6 0x79571c in PyEval_EvalCodeEx /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:4140:12
    #7 0x79571c in PyEval_EvalCode /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:695
    #8 0x5295e7 in run_mod /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:980:9
    #9 0x5295e7 in PyRun_FileExFlags /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:933
    #10 0x527e75 in PyRun_SimpleFileExFlags /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:396:13
    #11 0x55340c in run_file /home/zeroinside/Downloads/Python-3.6.0/Modules/main.c:320:11
    #12 0x55340c in Py_Main /home/zeroinside/Downloads/Python-3.6.0/Modules/main.c:780
    #13 0x519776 in main /home/zeroinside/Downloads/Python-3.6.0/./Programs/python.c:69:11
    #14 0x7f0300e01290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #15 0x432179 in _start (/usr/local/bin/python3.6+0x432179)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9 in PyObject_GC_UnTrack
==5082==ABORTING

----------
components: Build
files: xlimited.py
messages: 286536
nosy: zeroinside
priority: normal
severity: normal
status: open
title: memory corruption in xxlimited
type: security
versions: Python 3.6
Added file: http://bugs.python.org/file46465/xlimited.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29398>
_______________________________________