New submission from William Bowling:
Similar to https://bugs.python.org/issue25388 the following causes a crash on
3.5.1 and the latest 3.5 branch:
./python -c 'with open("vuln.py", "wb") as f: f.write(b"\x61\x73\x00\x0a\x79\x6e\x63\x5c\x0a\xef")'
./python vuln.py
Python 3.5.1+ (default, Jan 4 2016, 00:05:40)
=================================================================
==24400==ERROR: AddressSanitizer: heap-use-after-free on address 0xf270f100 at pc 0x080ad09e bp 0xffef5ee8 sp 0xffef5ac0
READ of size 2 at 0xf270f100 thread T0
#0 0x80ad09d in strncpy (/home/will/python/cpython/python+0x80ad09d)
#1 0x8589b56 in parsetok /home/will/python/cpython/Parser/parsetok.c:235:13
#2 0x858b301 in PyParser_ParseFileObject /home/will/python/cpython/Parser/parsetok.c:134:12
#3 0x8439e0b in PyParser_ASTFromFileObject /home/will/python/cpython/Python/pythonrun.c:1150:15
#4 0x843aa37 in PyRun_FileExFlags /home/will/python/cpython/Python/pythonrun.c:916:11
#5 0x8438a98 in PyRun_SimpleFileExFlags /home/will/python/cpython/Python/pythonrun.c:396:13
#6 0x84382a6 in PyRun_AnyFileExFlags /home/will/python/cpython/Python/pythonrun.c:80:16
#7 0x813f194 in run_file /home/will/python/cpython/Modules/main.c:318:11
#8 0x813f194 in Py_Main /home/will/python/cpython/Modules/main.c:768
#9 0x8138070 in main /home/will/python/cpython/./Programs/python.c:69:11
#10 0xf7558496 in __libc_start_main (/usr/lib32/libc.so.6+0x18496)
#11 0x80715b7 in _start (/home/will/python/cpython/python+0x80715b7)

0xf270f100 is located 0 bytes inside of 8194-byte region [0xf270f100,0xf2711102)
freed by thread T0 here:
#0 0x810c2a4 in __interceptor_cfree.localalias.1 (/home/will/python/cpython/python+0x810c2a4)
#1 0x8139560 in _PyMem_RawFree /home/will/python/cpython/Objects/obmalloc.c:90:5
#2 0x813852b in PyMem_Free /home/will/python/cpython/Objects/obmalloc.c:349:5
#3 0x8596b05 in error_ret /home/will/python/cpython/Parser/tokenizer.c:198:9
#4 0x8596b05 in decoding_fgets /home/will/python/cpython/Parser/tokenizer.c:636
#5 0x8594df0 in tok_nextc /home/will/python/cpython/Parser/tokenizer.c:1016:21
#6 0x858ebba in tok_get /home/will/python/cpython/Parser/tokenizer.c:1457:13
#7 0x858fc79 in tok_get /home/will/python/cpython/Parser/tokenizer.c:1524:34
#8 0x858e1da in PyTokenizer_Get /home/will/python/cpython/Parser/tokenizer.c:1804:18
#9 0x85899a7 in parsetok /home/will/python/cpython/Parser/parsetok.c:208:16
#10 0x858b301 in PyParser_ParseFileObject /home/will/python/cpython/Parser/parsetok.c:134:12
#11 0x8439e0b in PyParser_ASTFromFileObject /home/will/python/cpython/Python/pythonrun.c:1150:15
#12 0x843aa37 in PyRun_FileExFlags /home/will/python/cpython/Python/pythonrun.c:916:11
#13 0x8438a98 in PyRun_SimpleFileExFlags /home/will/python/cpython/Python/pythonrun.c:396:13
#14 0x84382a6 in PyRun_AnyFileExFlags /home/will/python/cpython/Python/pythonrun.c:80:16
#15 0x813f194 in run_file /home/will/python/cpython/Modules/main.c:318:11
#16 0x813f194 in Py_Main /home/will/python/cpython/Modules/main.c:768
#17 0x8138070 in main /home/will/python/cpython/./Programs/python.c:69:11
#18 0xf7558496 in __libc_start_main (/usr/lib32/libc.so.6+0x18496)

previously allocated by thread T0 here:
#0 0x810c784 in realloc (/home/will/python/cpython/python+0x810c784)
#1 0x8139541 in _PyMem_RawRealloc /home/will/python/cpython/Objects/obmalloc.c:84:12
#2 0x8138506 in PyMem_Realloc /home/will/python/cpython/Objects/obmalloc.c:343:12
#3 0x8594f1c in tok_nextc /home/will/python/cpython/Parser/tokenizer.c:1058:31
#4 0x858e4c9 in tok_get /home/will/python/cpython/Parser/tokenizer.c:1354:17
#5 0x858e1da in PyTokenizer_Get /home/will/python/cpython/Parser/tokenizer.c:1804:18
#6 0x85899a7 in parsetok /home/will/python/cpython/Parser/parsetok.c:208:16
#7 0x858b301 in PyParser_ParseFileObject /home/will/python/cpython/Parser/parsetok.c:134:12
#8 0x8439e0b in PyParser_ASTFromFileObject /home/will/python/cpython/Python/pythonrun.c:1150:15
#9 0x843aa37 in PyRun_FileExFlags /home/will/python/cpython/Python/pythonrun.c:916:11
#10 0x8438a98 in PyRun_SimpleFileExFlags /home/will/python/cpython/Python/pythonrun.c:396:13
#11 0x84382a6 in PyRun_AnyFileExFlags /home/will/python/cpython/Python/pythonrun.c:80:16
#12 0x813f194 in run_file /home/will/python/cpython/Modules/main.c:318:11
#13 0x813f194 in Py_Main /home/will/python/cpython/Modules/main.c:768
#14 0x8138070 in main /home/will/python/cpython/./Programs/python.c:69:11
#15 0xf7558496 in __libc_start_main (/usr/lib32/libc.so.6+0x18496)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/will/python/cpython/python+0x80ad09d) in strncpy
Shadow bytes around the buggy address:
0x3e4e1dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e4e1de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa f
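The trace above reads as an ownership bug: the "freed by" stack shows decoding_fgets calling error_ret, which releases the tokenizer's line buffer, and the "READ" stack shows parsetok then copying from that same buffer with strncpy. The following toy C model, added here as an illustration and not code from the report or from CPython, reproduces that shape on the report's reproducer bytes: a line reader whose error path frees the buffer the parser still references, next to a variant where the buffer stays owned by the tokenizer state until teardown. The struct, the function names, the simplified UTF-8 check, the PARSE_* codes and the freed_early instrumentation are assumptions of the model; the "fixed" variant is one ownership discipline that avoids the dangling read, not CPython's actual fix.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Toy model of the ownership bug in the trace above. Not CPython code: it only
 * reproduces the shape of the bug, a line reader whose error path frees the
 * tokenizer's line buffer while the parser still holds the pointer and copies
 * the offending line for its error message. */

struct tok_model {
    char *buf;                 /* heap line buffer, owned by the tokenizer */
    size_t size;
    const unsigned char *src;  /* remaining source bytes */
    size_t src_len;
    int freed_early;           /* demo instrumentation only: set by the buggy error path */
};

/* The report's reproducer bytes: "as\0\n", "ync\\\n", then a lone 0xEF. */
static const unsigned char REPRO[] = {
    0x61, 0x73, 0x00, 0x0a, 0x79, 0x6e, 0x63, 0x5c, 0x0a, 0xef
};

/* Simplified UTF-8 check: lead byte classes plus continuation bytes only
 * (overlong forms and surrogates are not rejected; enough for the demo). */
static int utf8_valid(const unsigned char *s, size_t n)
{
    size_t i = 0;
    while (i < n) {
        unsigned char c = s[i];
        size_t need;
        if (c < 0x80) need = 0;
        else if (c >= 0xc2 && c <= 0xdf) need = 1;
        else if (c >= 0xe0 && c <= 0xef) need = 2;
        else if (c >= 0xf0 && c <= 0xf4) need = 3;
        else return 0;
        if (n - i - 1 < need) return 0;          /* truncated sequence, e.g. a lone 0xEF */
        for (size_t k = 1; k <= need; k++)
            if ((s[i + k] & 0xc0) != 0x80) return 0;
        i += need + 1;
    }
    return 1;
}

/* Buggy error path: frees the buffer the caller still references. */
static int error_ret_buggy(struct tok_model *tok)
{
    free(tok->buf);          /* tok->buf is now dangling */
    tok->freed_early = 1;    /* only so the demo can refuse to dereference it */
    return 0;
}

/* Hardened error path: the buffer stays owned by the tokenizer until tok_free(),
 * so the caller may still read the offending line for its error message. */
static int error_ret_fixed(struct tok_model *tok)
{
    (void)tok;
    return 0;
}

/* Single release point for the buffer, at teardown. */
static void tok_free(struct tok_model *tok)
{
    if (!tok->freed_early)
        free(tok->buf);
    tok->buf = NULL;
}

/* Copies the next line of src into tok->buf (growing it) and validates it as
 * UTF-8. Returns 1 on success, 0 after calling error_ret on a failure. */
static int read_line(struct tok_model *tok, int (*error_ret)(struct tok_model *))
{
    const unsigned char *nl = memchr(tok->src, '\n', tok->src_len);
    size_t len = nl ? (size_t)(nl - tok->src) + 1 : tok->src_len;
    if (tok->size < len + 1) {
        char *nb = realloc(tok->buf, len + 1);
        if (!nb) return error_ret(tok);
        tok->buf = nb;
        tok->size = len + 1;
    }
    memcpy(tok->buf, tok->src, len);
    tok->buf[len] = '\0';
    tok->src += len;
    tok->src_len -= len;
    if (!utf8_valid((const unsigned char *)tok->buf, len))
        return error_ret(tok);
    return 1;
}

enum { PARSE_OK = 0, PARSE_SYNTAX_ERROR = -1, PARSE_WOULD_UAF = -2 };

/* Parser driver: reads lines until a decode error, then, like the caller in the
 * trace, copies the offending line into errline for the error message. */
static int parse_source(const unsigned char *src, size_t n,
                        int (*error_ret)(struct tok_model *),
                        char *errline, size_t errline_sz)
{
    struct tok_model tok = { NULL, 0, src, n, 0 };
    int rc = PARSE_OK;
    errline[0] = '\0';
    while (tok.src_len > 0) {
        if (read_line(&tok, error_ret))
            continue;
        if (tok.freed_early) {
            /* Real code would strncpy() from tok.buf here: that read of freed
             * memory is what ASan flagged. The demo refuses instead of
             * executing undefined behaviour. */
            rc = PARSE_WOULD_UAF;
        } else {
            strncpy(errline, tok.buf, errline_sz - 1);
            errline[errline_sz - 1] = '\0';
            rc = PARSE_SYNTAX_ERROR;
        }
        break;
    }
    tok_free(&tok);
    return rc;
}

int main(void)
{
    char line[64];
    int rc = parse_source(REPRO, sizeof REPRO, error_ret_fixed, line, sizeof line);
    printf("fixed: rc=%d, offending line starts with byte 0x%02x\n", rc, (unsigned char)line[0]);
    rc = parse_source(REPRO, sizeof REPRO, error_ret_buggy, line, sizeof line);
    printf("buggy: rc=%d (%s)\n", rc, rc == PARSE_WOULD_UAF ? "would read freed buffer" : "ok");
    return 0;
}
```

Build it with -fsanitize=address to see the contrast with the real thing: remove the freed_early guard in parse_source and the buggy variant produces a heap-use-after-free report in strncpy of the same shape as the one in this submission, while the fixed variant reports the lone 0xEF line and frees the buffer exactly once in tok_free.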