[issue26000] Crash in Tokenizer - Heap-use-after-free

2018-09-23 Thread William Bowling


William Bowling  added the comment:

> Is this still reproducible? On master (Python 3.8) with a debug build it 
> throws a SyntaxError. I don't have Python 3.5 installed to check this though

Looks like it's fixed in master and 3.6.6 but still happening in 3.5.6

--

___
Python tracker 
<https://bugs.python.org/issue26000>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue26000] Crash in Tokenizer - Heap-use-after-free

2016-01-03 Thread William Bowling

William Bowling added the comment:

Also a very similar source causes a slightly different crash 
(heap-buffer-overflow instead of heap-use-after-free):

./python -c 'with open("vuln2.py", "wb") as f: f.write(b"\x61\x73\x00\x0a\x79\x6e\x63\x5c\x0a\x00\x0d\xdd")'
./python vuln2.py

Python 3.5.1+ (default, Jan  4 2016, 00:05:40)

Attached the asan report

--
Added file: http://bugs.python.org/file41487/asan2.txt




[issue26000] Crash in Tokenizer - Heap-use-after-free

2016-01-03 Thread William Bowling

New submission from William Bowling:

Similar to https://bugs.python.org/issue25388 the following causes a crash on 
3.5.1 and the latest 3.5 branch:

./python -c 'with open("vuln.py", "wb") as f: f.write(b"\x61\x73\x00\x0a\x79\x6e\x63\x5c\x0a\xef")'
./python vuln.py


Python 3.5.1+ (default, Jan  4 2016, 00:05:40) 
=
==24400==ERROR: AddressSanitizer: heap-use-after-free on address 0xf270f100 at 
pc 0x080ad09e bp 0xffef5ee8 sp 0xffef5ac0
READ of size 2 at 0xf270f100 thread T0
#0 0x80ad09d in strncpy (/home/will/python/cpython/python+0x80ad09d)
#1 0x8589b56 in parsetok /home/will/python/cpython/Parser/parsetok.c:235:13
#2 0x858b301 in PyParser_ParseFileObject 
/home/will/python/cpython/Parser/parsetok.c:134:12
#3 0x8439e0b in PyParser_ASTFromFileObject 
/home/will/python/cpython/Python/pythonrun.c:1150:15
#4 0x843aa37 in PyRun_FileExFlags 
/home/will/python/cpython/Python/pythonrun.c:916:11
#5 0x8438a98 in PyRun_SimpleFileExFlags 
/home/will/python/cpython/Python/pythonrun.c:396:13
#6 0x84382a6 in PyRun_AnyFileExFlags 
/home/will/python/cpython/Python/pythonrun.c:80:16
#7 0x813f194 in run_file /home/will/python/cpython/Modules/main.c:318:11
#8 0x813f194 in Py_Main /home/will/python/cpython/Modules/main.c:768
#9 0x8138070 in main /home/will/python/cpython/./Programs/python.c:69:11
#10 0xf7558496 in __libc_start_main (/usr/lib32/libc.so.6+0x18496)
#11 0x80715b7 in _start (/home/will/python/cpython/python+0x80715b7)

0xf270f100 is located 0 bytes inside of 8194-byte region [0xf270f100,0xf2711102)
freed by thread T0 here:
#0 0x810c2a4 in __interceptor_cfree.localalias.1 
(/home/will/python/cpython/python+0x810c2a4)
#1 0x8139560 in _PyMem_RawFree 
/home/will/python/cpython/Objects/obmalloc.c:90:5
#2 0x813852b in PyMem_Free 
/home/will/python/cpython/Objects/obmalloc.c:349:5
#3 0x8596b05 in error_ret /home/will/python/cpython/Parser/tokenizer.c:198:9
#4 0x8596b05 in decoding_fgets 
/home/will/python/cpython/Parser/tokenizer.c:636
#5 0x8594df0 in tok_nextc 
/home/will/python/cpython/Parser/tokenizer.c:1016:21
#6 0x858ebba in tok_get /home/will/python/cpython/Parser/tokenizer.c:1457:13
#7 0x858fc79 in tok_get /home/will/python/cpython/Parser/tokenizer.c:1524:34
#8 0x858e1da in PyTokenizer_Get 
/home/will/python/cpython/Parser/tokenizer.c:1804:18
#9 0x85899a7 in parsetok /home/will/python/cpython/Parser/parsetok.c:208:16
#10 0x858b301 in PyParser_ParseFileObject 
/home/will/python/cpython/Parser/parsetok.c:134:12
#11 0x8439e0b in PyParser_ASTFromFileObject 
/home/will/python/cpython/Python/pythonrun.c:1150:15
#12 0x843aa37 in PyRun_FileExFlags 
/home/will/python/cpython/Python/pythonrun.c:916:11
#13 0x8438a98 in PyRun_SimpleFileExFlags 
/home/will/python/cpython/Python/pythonrun.c:396:13
#14 0x84382a6 in PyRun_AnyFileExFlags 
/home/will/python/cpython/Python/pythonrun.c:80:16
#15 0x813f194 in run_file /home/will/python/cpython/Modules/main.c:318:11
#16 0x813f194 in Py_Main /home/will/python/cpython/Modules/main.c:768
#17 0x8138070 in main /home/will/python/cpython/./Programs/python.c:69:11
#18 0xf7558496 in __libc_start_main (/usr/lib32/libc.so.6+0x18496)

previously allocated by thread T0 here:
#0 0x810c784 in realloc (/home/will/python/cpython/python+0x810c784)
#1 0x8139541 in _PyMem_RawRealloc 
/home/will/python/cpython/Objects/obmalloc.c:84:12
#2 0x8138506 in PyMem_Realloc 
/home/will/python/cpython/Objects/obmalloc.c:343:12
#3 0x8594f1c in tok_nextc 
/home/will/python/cpython/Parser/tokenizer.c:1058:31
#4 0x858e4c9 in tok_get /home/will/python/cpython/Parser/tokenizer.c:1354:17
#5 0x858e1da in PyTokenizer_Get 
/home/will/python/cpython/Parser/tokenizer.c:1804:18
#6 0x85899a7 in parsetok /home/will/python/cpython/Parser/parsetok.c:208:16
#7 0x858b301 in PyParser_ParseFileObject 
/home/will/python/cpython/Parser/parsetok.c:134:12
#8 0x8439e0b in PyParser_ASTFromFileObject 
/home/will/python/cpython/Python/pythonrun.c:1150:15
#9 0x843aa37 in PyRun_FileExFlags 
/home/will/python/cpython/Python/pythonrun.c:916:11
#10 0x8438a98 in PyRun_SimpleFileExFlags 
/home/will/python/cpython/Python/pythonrun.c:396:13
#11 0x84382a6 in PyRun_AnyFileExFlags 
/home/will/python/cpython/Python/pythonrun.c:80:16
#12 0x813f194 in run_file /home/will/python/cpython/Modules/main.c:318:11
#13 0x813f194 in Py_Main /home/will/python/cpython/Modules/main.c:768
#14 0x8138070 in main /home/will/python/cpython/./Programs/python.c:69:11
#15 0xf7558496 in __libc_start_main (/usr/lib32/libc.so.6+0x18496)

SUMMARY: AddressSanitizer: heap-use-after-free 
(/home/will/python/cpython/python+0x80ad09d) in strncpy
Shadow bytes around the buggy address:
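As an added example, not part of the thread or of CPython's own code: a pre-check for source bytes that rejects the input class these reproducers belong to (a NUL byte, or bytes the declared encoding cannot decode), which is the decoding-error path that a fixed interpreter turns into a SyntaxError and that the 3.5.x build above turned into a read of the freed tokenizer buffer in strncpy. Function and constant names are my own; VULN_PY and VULN2_PY hold the two byte strings from the thread.

```python
"""Validate Python source bytes before handing them to an interpreter.

Added example, not code from the bug thread. Useful as a guard in front of an
interpreter that cannot be upgraded past 3.5.x: the tokenizer's decoding error
path is never reached if NUL bytes and undecodable input are refused up front.
"""
import codecs
import re
from typing import Optional

# The two reproducer files quoted in the thread (vuln.py and vuln2.py).
VULN_PY = b"\x61\x73\x00\x0a\x79\x6e\x63\x5c\x0a\xef"
VULN2_PY = b"\x61\x73\x00\x0a\x79\x6e\x63\x5c\x0a\x00\x0d\xdd"

# PEP 263 encoding declaration, valid only on the first two lines.
_CODING_RE = re.compile(rb"^[ \t\f]*#.*?coding[:=][ \t]*([-\w.]+)")


def declared_encoding(data: bytes) -> str:
    """Return the PEP 263 encoding declared on line 1 or 2, else 'utf-8'."""
    for line in data.split(b"\n", 2)[:2]:
        m = _CODING_RE.match(line)
        if m:
            return m.group(1).decode("ascii", "replace")
    return "utf-8"


def check_source(data: bytes) -> Optional[str]:
    """Return None if data is safe to tokenize, else a short rejection reason.

    Rejects the same things the fixed tokenizer reports as SyntaxError:
    embedded NUL bytes, unknown encoding declarations and undecodable bytes.
    """
    if b"\x00" in data:
        return "NUL byte at offset %d" % data.index(b"\x00")
    enc = declared_encoding(data)
    try:
        codecs.lookup(enc)
    except LookupError:
        return "unknown encoding declaration %r" % enc
    try:
        data.decode(enc)
    except UnicodeDecodeError as e:
        return "undecodable %s at offset %d" % (enc, e.start)
    return None
```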