New submission from zeroinside:

Hello
I found incorrect gc behavior in the xxlimited module.
After an hour of investigation, I'm still not sure it's a security-related problem.
I have partial control of the RBP register, depending on the memory layout.

GDB:
Starting program: /usr/bin/python3.6 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Python 3.6.0 (default, Jan 16 2017, 12:12:55) 
[GCC 6.3.1 20170109] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import xxlimited
>>> a=xxlimited.new()
>>> del a

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73d612d in PyArena_Free () from /usr/lib/libpython3.6m.so.1.0
(gdb) info reg
rax            0x7ffff7457270   140737341911664
rbx            0x7ffff7f812b8   140737353618104
rcx            0x62aa00 6466048
rdx            0x7ffff7457270   140737341911664
rsi            0x1      1
rdi            0x7ffff7f81300   140737353618176
rbp            0x500000a29      0x500000a29
rsp            0x7fffffffe210   0x7fffffffe210
r8             0x7ffff7f81000   140737353617408
r9             0x1c     28
r10            0x1b     27
r11            0x12300  74496
r12            0x7ffff7f812b8   140737353618104
r13            0x6fafd0 7319504
r14            0x7ffff3e7b570   140737285436784
r15            0x7ffff3e7b5a0   140737285436832
rip            0x7ffff73d612d   0x7ffff73d612d <PyArena_Free+29>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

root@/home/zeroinside/python/pyburst3.6/crash $ /usr/local/bin/python3.6 xlimited_poc.py
ASAN:DEADLYSIGNAL
=================================================================
==5082==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000557469 bp 0x0fe0603ea23d sp 0x7fff76e98c20 T0)
==5082==The signal is caused by a WRITE memory access.
==5082==Hint: address points to the zero page.
    #0 0x557468 in PyObject_GC_UnTrack /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9
    #1 0x66d0af in subtype_dealloc /home/zeroinside/Downloads/Python-3.6.0/Objects/typeobject.c:1133:5
    #2 0x61e557 in _PyDict_DelItem_KnownHash /home/zeroinside/Downloads/Python-3.6.0/Objects/dictobject.c:1641:5
    #3 0x7970c0 in _PyEval_EvalFrameDefault /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:2187:19
    #4 0x7aef44 in PyEval_EvalFrameEx /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:718:12
    #5 0x7aef44 in _PyEval_EvalCodeWithName /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:4119
    #6 0x79571c in PyEval_EvalCodeEx /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:4140:12
    #7 0x79571c in PyEval_EvalCode /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:695
    #8 0x5295e7 in run_mod /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:980:9
    #9 0x5295e7 in PyRun_FileExFlags /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:933
    #10 0x527e75 in PyRun_SimpleFileExFlags /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:396:13
    #11 0x55340c in run_file /home/zeroinside/Downloads/Python-3.6.0/Modules/main.c:320:11
    #12 0x55340c in Py_Main /home/zeroinside/Downloads/Python-3.6.0/Modules/main.c:780
    #13 0x519776 in main /home/zeroinside/Downloads/Python-3.6.0/./Programs/python.c:69:11
    #14 0x7f0300e01290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #15 0x432179 in _start (/usr/local/bin/python3.6+0x432179)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9 in PyObject_GC_UnTrack
==5082==ABORTING

----------
components: Build
files: xlimited.py
messages: 286536
nosy: zeroinside
priority: normal
severity: normal
status: open
title: memory corruption in xxlimited
type: security
versions: Python 3.6
Added file: http://bugs.python.org/file46465/xlimited.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29398>
_______________________________________
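The ASAN report in this issue is the kind of crash a triager has to classify before deciding how much attacker control it really gives. As an added example (not part of the report, and not CPython code), here is a small parser for that report format that pulls out the fault address, access type, registers and frames and applies two checks: whether the fault address lies in the zero page (a NULL pointer plus a field offset, not an attacker-chosen address) and whether the frame pointer is far from the stack pointer, which corroborates the clobbered RBP seen in gdb. The 1 MiB bp/sp distance threshold is an assumed heuristic, and the sample input is the issue's own report re-joined and truncated to three frames.

```python
import re

# Constructed sample input: the ASAN report from the issue above, with the
# lines the mailing-list archive wrapped joined back together and the stack
# trace cut after the first three frames.
ASAN_REPORT = """\
ASAN:DEADLYSIGNAL
=================================================================
==5082==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000557469 bp 0x0fe0603ea23d sp 0x7fff76e98c20 T0)
==5082==The signal is caused by a WRITE memory access.
==5082==Hint: address points to the zero page.
    #0 0x557468 in PyObject_GC_UnTrack /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9
    #1 0x66d0af in subtype_dealloc /home/zeroinside/Downloads/Python-3.6.0/Objects/typeobject.c:1133:5
    #2 0x61e557 in _PyDict_DelItem_KnownHash /home/zeroinside/Downloads/Python-3.6.0/Objects/dictobject.c:1641:5
SUMMARY: AddressSanitizer: SEGV /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9 in PyObject_GC_UnTrack
==5082==ABORTING
"""

HEADER = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address "
    r"0x(?P<addr>[0-9a-f]+) \(pc 0x(?P<pc>[0-9a-f]+) bp 0x(?P<bp>[0-9a-f]+) sp 0x(?P<sp>[0-9a-f]+)"
)
ACCESS = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
FRAME = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)\s*$")

PAGE_SIZE = 0x1000             # fault addresses below this are "zero page": NULL + small offset
BP_SP_MAX_DISTANCE = 1 << 20   # assumed heuristic: a sane frame pointer sits within ~1 MiB of sp


def triage_asan_segv(report: str) -> dict:
    """Extract the facts a triager needs from an ASAN SEGV report."""
    info = {"frames": [], "access": None}
    for line in report.splitlines():
        if (m := HEADER.search(line)):
            info["pid"] = int(m["pid"])
            info["kind"] = m["kind"]
            for reg in ("addr", "pc", "bp", "sp"):
                info[reg] = int(m[reg], 16)
        elif (m := ACCESS.search(line)):
            info["access"] = m["access"]
        elif (m := FRAME.match(line)):
            info["frames"].append((m["func"], m["loc"]))
    # Address 0x8 is a field offset from a NULL pointer, not a chosen target.
    info["near_null"] = info["addr"] < PAGE_SIZE
    # A frame pointer nowhere near the stack pointer suggests rbp was clobbered
    # before the crash, matching the odd rbp value the reporter saw in gdb.
    info["bp_suspicious"] = abs(info["bp"] - info["sp"]) > BP_SP_MAX_DISTANCE
    info["crash_site"] = ("%s at %s" % info["frames"][0]) if info["frames"] else None
    return info
```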