[issue27462] NULL Pointer deref in binary_iop1 function
Changes by Emin Ghuliev <drmin...@gmail.com>:

resolution: not a bug -> wont fix
status: pending -> closed

___ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue27462> ___
___ Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue27462] NULL Pointer deref in binary_iop1 function
Emin Ghuliev added the comment:

Nope, it is an invalid bytecode file generated by a fuzzer for the purpose of bug research. Python just doesn't determine whether a variable is empty or valid.
[issue27462] NULL Pointer deref in binary_iop1 function
New submission from Emin Ghuliev:

The Python VM parses the "0x3b" opcode (INPLACE_MODULO) in the bytecode file. Subsequently the VM parses the left and right arguments of the opcode (0x3b). If the left and right arguments don't exist in the bytecode file, that causes a segmentation fault, which is triggered by the binary_iop1 function.

PyEval_EvalFrameEx() at Python/ceval.c:1749

        TARGET(INPLACE_MODULO) {
            PyObject *right = POP();
            PyObject *left = TOP();
            PyObject *mod = PyNumber_InPlaceRemainder(left, right);   /* <=== left = 0, right = 0 */

Then the INPLACE_MODULO opcode passes the two arguments into PyNumber_InPlaceRemainder. However, in order to call binary_iop:

PyNumber_InPlaceRemainder at Objects/abstract.c:1102

    PyNumber_InPlaceRemainder(PyObject *v, PyObject *w)
    {
        return binary_iop(v, w, NB_SLOT(nb_inplace_remainder),
                          NB_SLOT(nb_remainder), "%=");
    }

Subsequently the binary_iop function passes the "v" argument into binary_iop1:

binary_iop at Objects/abstract.c:1005

    static PyObject *
    binary_iop(PyObject *v, PyObject *w, const int iop_slot, const int op_slot,
               const char *op_name)
    {
        PyObject *result = binary_iop1(v, w, iop_slot, op_slot);   /* v = 0; calls the binary_iop1 function */
        if (result == Py_NotImplemented) {
            Py_DECREF(result);
            return binop_type_error(v, w, op_name);
        }
        return result;
    }

binary_iop1 at Objects/abstract.c:988

    static PyObject *
    binary_iop1(PyObject *v, PyObject *w, const int iop_slot, const int op_slot)
    {
        PyNumberMethods *mv = v->ob_type->tp_as_number;   /* dereferences the object <=== v = 0x0 */
        if (mv != NULL) {
            binaryfunc slot = NB_BINOP(mv, iop_slot);
            if (slot) {
                PyObject *x = (slot)(v, w);
                if (x != Py_NotImplemented) {
                    return x;
                }
                Py_DECREF(x);
            }
        }
        return binary_op1(v, w, op_slot);
    }

The binary_iop1 function doesn't check the "v" field and dereferences it.

    <PyNumber_InPlaceRemainder+16>  mov rsi,QWORD PTR [rdi+0x8]   ; offset 0x8 -> ob_type; $rdi register = 0x0

Program received signal SIGSEGV, Segmentation fault.
components: Interpreter Core
files: repro
messages: 269940
nosy: Emin Ghuliev
priority: normal
severity: normal
status: open
title: NULL Pointer deref in binary_iop1 function
versions: Python 3.6
Added file: http://bugs.python.org/file43654/repro
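The report above shows the eval loop executing INPLACE_MODULO against an empty value stack: POP()/TOP() read below the stack base and binary_iop1 dereferences NULL. The check a loader can apply before handing untrusted bytecode to the interpreter is a stack-depth verification pass. The following is an added example, not code from CPython or from the report; it models Python 3.6 wordcode (two bytes per instruction) for a handful of opcodes, and the names assemble, verify, check, VerifyError and the GOOD/BAD byte strings are all constructed here. It handles straight-line code only.

```python
"""Stack-depth verifier for a slice of CPython 3.6 wordcode (added example).

CPython's eval loop trusts co_code: INPLACE_MODULO runs POP()/TOP() without
checking that two operands are actually on the value stack, so a crafted
bytecode file reaches PyNumber_InPlaceRemainder(NULL, NULL).  A loader that
walks the code and checks operand counts first rejects such input instead.
Straight-line code only; jumps would need a per-basic-block worklist.
"""

# Opcode numbers as in Python 3.6's Lib/opcode.py: name -> (opcode, pops, pushes).
OPS = {
    "POP_TOP":        (1,   1, 0),
    "DUP_TOP":        (4,   1, 2),
    "BINARY_MODULO":  (22,  2, 1),
    "INPLACE_MODULO": (59,  2, 1),   # 0x3b, the opcode in the report
    "RETURN_VALUE":   (83,  1, 0),
    "LOAD_CONST":     (100, 0, 1),
}
BY_NUMBER = {num: (name, pops, pushes) for name, (num, pops, pushes) in OPS.items()}


class VerifyError(ValueError):
    """Raised for bytecode the verifier refuses to hand to an interpreter."""


def assemble(program):
    """Encode [(opname, arg), ...] as 3.6 wordcode: one (opcode, arg) byte pair per instruction."""
    out = bytearray()
    for name, arg in program:
        if not 0 <= arg <= 0xFF:
            raise ValueError("EXTENDED_ARG is not modelled here")
        out += bytes((OPS[name][0], arg))
    return bytes(out)


def verify(code, max_stack, nconsts):
    """Return the peak stack depth of `code`, or raise VerifyError.

    max_stack plays the role of co_stacksize and nconsts of len(co_consts);
    both come from the bytecode file too, so the code is checked against them
    rather than trusted to agree with them.
    """
    if len(code) % 2:
        raise VerifyError("odd-length wordcode")
    depth = peak = 0
    for off in range(0, len(code), 2):
        op, arg = code[off], code[off + 1]
        if op not in BY_NUMBER:
            raise VerifyError(f"offset {off}: unknown opcode {op:#x}")
        name, pops, pushes = BY_NUMBER[op]
        if depth < pops:   # the report's case: POP()/TOP() would read below the stack base
            raise VerifyError(f"offset {off}: {name} needs {pops} operand(s) but the stack holds {depth}")
        if name == "LOAD_CONST" and arg >= nconsts:
            raise VerifyError(f"offset {off}: LOAD_CONST {arg} is outside co_consts")
        depth += pushes - pops
        peak = max(peak, depth)
        if peak > max_stack:
            raise VerifyError(f"offset {off}: depth {peak} exceeds co_stacksize {max_stack}")
        if name == "RETURN_VALUE":
            return peak
    raise VerifyError("code runs off the end without RETURN_VALUE")


# Constructed inputs: what the compiler emits for two constants and `%=`,
# and the fuzzer-style variant from the report with the operands missing.
GOOD = assemble([("LOAD_CONST", 0), ("LOAD_CONST", 1), ("INPLACE_MODULO", 0), ("RETURN_VALUE", 0)])
BAD = assemble([("INPLACE_MODULO", 0), ("RETURN_VALUE", 0)])


def check(code, max_stack=2, nconsts=2):
    """Wrap verify() as ("ok", peak) or ("reject", reason) for callers and tests."""
    try:
        return ("ok", verify(code, max_stack, nconsts))
    except VerifyError as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    for label, code in (("good", GOOD), ("bad", BAD)):
        print(label, code.hex(), check(code))
```

The pops/pushes split matters: CPython's own stack_effect tables give only the net effect (-1 for INPLACE_MODULO), which would let a stack holding one item pass even though the opcode reads two. Real code objects also need the jump targets followed with a worklist so every path into a basic block agrees on the depth, which this straight-line version deliberately leaves out.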
[issue27254] UAF in Tkinter module
Changes by Emin Ghuliev <drmin...@gmail.com>:

status: open -> closed

___ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue27254> ___
___ Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue27254] UAF in Tkinter module
Changes by Emin Ghuliev <drmin...@gmail.com>:

resolution: -> third party
[issue27254] UAF in Tkinter module
Changes by Emin Ghuliev <drmin...@gmail.com>:

title: heap overflow in Tkinter module -> UAF in Tkinter module
[issue27254] heap overflow in Tkinter module
Emin Ghuliev added the comment:

pseudocode

       <+16>: movsxd rdx,DWORD PTR [rbx+0x8]
       <+20>: lea    eax,[rdx+rbp*1]

    newSize = length ($rdx) + dsPtr->length ($rbp)

    gdb > print /x $rbp
    $5 = 0xf
    gdb > print /x $rdx
    $6 = 0x10
    newSize = 0xf+0x10 = 0x1f

       <Tcl_DStringAppend+23> cmp eax,DWORD PTR [rbx+0xc]   <- $pc
       <Tcl_DStringAppend+26> jl  0x76194e38 <Tcl_DStringAppend+104>

    newSize ($eax) >= dsPtr->spaceAvl

    gdb > print /x $eax
    $7 = 0x1f
    gdb > x/x $rbx+0xc
    0x7fffd0cc: 0x001e
    condition: 0x1f >= 0x001e = True

        if (newSize >= dsPtr->spaceAvl) {
       <Tcl_DStringAppend+31> lea esi,[rax+rax*1]   ; magic compiler optimization :) (newSize(0x1f)*2)
            dsPtr->spaceAvl = newSize * 2;

    gdb > print /x $rax
    $4 = 0x1f
    $esi = 0x1f+0x1f (newSize(0x1f)*2) = 0x3e

       <+34>: lea rax,[rbx+0x10]
       <+38>: mov DWORD PTR [rbx+0xc],esi
       <+41>: cmp rdi,rax   ; $rax = dsPtr->staticSpace and $rdi = dsPtr->string
       <+44>: je  0x76194e50 <Tcl_DStringAppend+128>

    condition: dsPtr->string == dsPtr->staticSpace = False, then jump to '<Tcl_DStringAppend+46> call 0x760c2040'

            if (dsPtr->string == dsPtr->staticSpace) {
                char *newString = ckalloc(dsPtr->spaceAvl);
                memcpy(newString, dsPtr->string, (size_t) dsPtr->length);
                dsPtr->string = newString;
            } else {
       <Tcl_DStringAppend+46> call 0x760c2040
       $rsi = 0x3e
       $rdi = 0x7333e020
                dsPtr->string = ckrealloc(dsPtr->string = 0x7333e020, dsPtr->spaceAvl = 0x3e);
            }
        }

disassemble:

       <Tcl_DStringAppend+58> lea    rdi,[rax+rdx*1]   ; dsPtr->string + dsPtr->length
       <Tcl_DStringAppend+62> mov    rsi,r12           ; bytes
       <Tcl_DStringAppend+65> movsxd rdx,ebp           ; length
       <Tcl_DStringAppend+68> call   0x760a25c0 <memcpy@plt>

        memcpy(dsPtr->string + dsPtr->length, bytes, length);
[issue27254] heap overflow in Tkinter module
Emin Ghuliev added the comment:

The appropriate size should be chosen I)
[issue27254] heap overflow in Tkinter module
Emin Ghuliev added the comment:

Yeah, you're right, but Python doesn't check the className length. Therefore the heap overflow occurred in Tcl.
[issue27254] heap overflow in Tkinter module
New submission from Emin Ghuliev:

        /* This is used to get the application class for Tk 4.1 and up */
        argv0 = (char*)attemptckalloc(strlen(className) + 1);   /* <=== className allocated */
        if (!argv0) {
            PyErr_NoMemory();
            Py_DECREF(v);
            return NULL;
        }

        strcpy(argv0, className);   /* <=== className copied to argv0 */
        if (Py_ISUPPER(Py_CHARMASK(argv0[0])))
            argv0[0] = Py_TOLOWER(Py_CHARMASK(argv0[0]));
        Tcl_SetVar(v->interp, "argv0", argv0, TCL_GLOBAL_ONLY);   /* argv0 passed to v->interp and freed */
        ckfree(argv0);

Then v->interp is passed to the Tcl_AppInit function:

        if (Tcl_AppInit(v->interp) != TCL_OK)

In Tcl_AppInit there is a call to Tcl_DStringAppend (and v->interp is passed to it). The Tcl_DStringAppend function allocates the specified bytes, then the heap memory is passed to memcpy.

Realloc argument presentation in the native Tcl allocator:

        char * Tcl_Realloc(ptr, size)

disassemble:

    gdb> print /x $rdi
    $4 = 0x703c8810
    0x703c8814: 0x41414141 ...
    gdb> print /x $rsi
    $2 = 0x3e
    0x73a07dfe <+46>: call 0x73935040

After returning to the caller function, the memory copy operation is performed:

    0x73a07e0a <+58>: lea    rdi,[rax+rdx*1]   <=== destination buffer; $rax = 0x7fffeffc5810 - $rdx = 0x10; $rax+$rdx = 0x700c5810
    0x73a07e0e <+62>: mov    rsi,r12           <=== source buffer
    0x73a07e11 <+65>: movsxd rdx,ebp           <=== 0xf
    0x73a07e14 <+68>: call   0x739155c0 <memcpy@plt>

copies 0xf bytes from the $rsi buffer to $rdi;

ASAN report:

    ==27988==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f4e6ba64810 at pc 0x4665ea bp 0x7fff89a4ab80 sp 0x7fff89a4a340
    READ of size 1048575 at 0x7f4e6ba64810 thread T0
    ==27988==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
        #0 0x4665e9 (/home/eminus/Downloads/Python-2.7.11/python+0x4665e9)
        #1 0x7f4e6f0a3e18 (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x116e18)
        #2 0x7f4e6f38744e (/usr/lib/x86_64-linux-gnu/libtk8.6.so+0x6244e)
        #3 0x7f4e6f6b6e4c (/home/eminus/Downloads/Python-2.7.11/build/lib.linux-x86_64-2.7/_tkinter.so+0x19e4c)
        #4 0x7f4e6f6a7fc5 (/home/eminus/Downloads/Python-2.7.11/build/lib.linux-x86_64-2.7/_tkinter.so+0xafc5)
        #5 0x5e1813 (/home/eminus/Downloads/Python-2.7.11/python+0x5e1813)
        #6 0x5d319c (/home/eminus/Downloads/Python-2.7.11/python+0x5d319c)
        #7 0x721353 (/home/eminus/Downloads/Python-2.7.11/python+0x721353)
        #8 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
        #9 0x4b6c62 (/home/eminus/Downloads/Python-2.7.11/python+0x4b6c62)
        #10 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
        #11 0x5f0823 (/home/eminus/Downloads/Python-2.7.11/python+0x5f0823)
        #12 0x4b0a08 (/home/eminus/Downloads/Python-2.7.11/python+0x4b0a08)
        #13 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
        #14 0x5e2d19 (/home/eminus/Downloads/Python-2.7.11/python+0x5e2d19)
        #15 0x5d319c (/home/eminus/Downloads/Python-2.7.11/python+0x5d319c)
        #16 0x5d2041 (/home/eminus/Downloads/Python-2.7.11/python+0x5d2041)
        #17 0x660980 (/home/eminus/Downloads/Python-2.7.11/python+0x660980)
        #18 0x65fc8a (/home/eminus/Downloads/Python-2.7.11/python+0x65fc8a)
        #19 0x48e46c (/home/eminus/Downloads/Python-2.7.11/python+0x48e46c)
        #20 0x7f4e72389ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
        #21 0x48c5bc (/home/eminus/Downloads/Python-2.7.11/python+0x48c5bc)

    0x7f4e6ba64810 is located 16 bytes inside of 2097166-byte region [0x7f4e6ba64800,0x7f4e6bc6480e)
    freed by thread T0 here:
        #0 0x4766d3 (/home/eminus/Downloads/Python-2.7.11/python+0x4766d3)
        #1 0x7f4e6f09b52d (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x10e52d)

    previously allocated by thread T0 here:
        #0 0x4764d9 (/home/eminus/Downloads/Python-2.7.11/python+0x4764d9)
        #1 0x7f4e6f09b0cc (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x10e0cc)

    SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
    Shadow bytes around the buggy address:
      0x0fea4d7448b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fea4d7448c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fea4d7448d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fea4d7448e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0fea4d7448f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0fea4d744900: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0fea4d744910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0fea4d744920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0fea4d744930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0fea4d744940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0fea4d744950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 applicat
[issue26595] Segfault on Pointer operation
Changes by Emin Ghuliev <drmin...@gmail.com>:

status: open -> closed

___ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue26595> ___
___ Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue26595] Segfault on Pointer operation
Changes by Emin Ghuliev <drmin...@gmail.com>:

components: +ctypes
type: -> crash
versions: +Python 2.7
[issue26595] Segfault on Pointer operation
New submission from Emin Ghuliev:

I'm trying to use a pointer in a Python script, but when executing the following code I get an error (Segmentation fault).

    dmr@debian:~$ python test.py
    Segmentation fault

    self.mem = c_char_p(mem)
    pointer(self.binning())[0] = 0x41414141

output:

    [--registers---]
    EAX: 0x0
    EBX: 0xb7aee000 --> 0x21e4c
    ECX: 0x1
    EDX: 0x41414141 ('')
    ESI: 0x41414141 ('')
    EDI: 0x41414141 ('')
    EBP: 0xb7b0eb3c --> 0xc ('\x0c')
    ESP: 0xbfffeb74 --> 0x0
    EIP: 0xb7dfc4b6 (<__strlen_sse2_bsf+22>: movdqu xmm1,XMMWORD PTR [edi])
    EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
    [-code-]
       0xb7dfc4ad <__strlen_sse2_bsf+13>: pxor     xmm0,xmm0
       0xb7dfc4b1 <__strlen_sse2_bsf+17>: cmp      ecx,0x30
       0xb7dfc4b4 <__strlen_sse2_bsf+20>: ja       0xb7dfc4cd <__strlen_sse2_bsf+45>
    => 0xb7dfc4b6 <__strlen_sse2_bsf+22>: movdqu   xmm1,XMMWORD PTR [edi]
       0xb7dfc4ba <__strlen_sse2_bsf+26>: pcmpeqb  xmm0,xmm1
       0xb7dfc4be <__strlen_sse2_bsf+30>: pmovmskb edx,xmm0
       0xb7dfc4c2 <__strlen_sse2_bsf+34>: test     edx,edx
       0xb7dfc4c4 <__strlen_sse2_bsf+36>: jne      0xb7dfc539 <__strlen_sse2_bsf+153>
    [stack-]

BUG in the ctypes module, .//source/cfield.c:1328:

    static PyObject *
    z_get(void *ptr, unsigned size)
    {
        /* XXX What about invalid pointers ??? */
        if (*(void **)ptr) {
    #if defined(MS_WIN32) && !defined(_WIN32_WCE)
            if (IsBadStringPtrA(*(char **)ptr, -1)) {
                PyErr_Format(PyExc_ValueError,
                             "invalid string pointer %p",
                             *(char **)ptr);
                return NULL;
            }
    #endif
            return PyString_FromString(*(char **)ptr);   /* <=== passing the pointer as argument */
        } else {
            Py_INCREF(Py_None);
            return Py_None;
        }
    }

./Objects/stringobject.c:

    PyObject *
    PyString_FromString(const char *str)   /* str is assigned the 0x41414141 address */
    {
        register size_t size;
        register PyStringObject *op;

        assert(str != NULL);
        size = strlen(str);   /* <=== argument address 0x41414141 */

files: alloc.py
messages: 262077
nosy: Emin Ghuliev
priority: normal
severity: normal
status: open
title: Segfault on Pointer operation
Added file: http://bugs.python.org/file42224/alloc.py
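The z_get code quoted in the report carries the "XXX What about invalid pointers ???" comment, and only the Windows build probes the pointer (IsBadStringPtrA) before strlen() runs over it; c_char_p will happily take a bare integer such as 0x41414141 as the address. The following is an added example, not code from the report or from CPython, showing what a Linux caller can do when it has to read a C string through an address it did not allocate itself: look the address up in /proc/self/maps and cap the read at the end of the containing mapping. The names read_c_string, mapping_containing, readable_mappings, the SAMPLE buffer and BOGUS_ADDR are all constructed for this example; /proc/self/maps is assumed to exist and be readable, and the helper returns None rather than guessing where it is not.

```python
"""Bounded replacement for c_char_p(addr).value on Linux (added example).

c_char_p accepts a bare integer as an address, and reading .value hands that
address straight to strlen(), which is how the report's 0x41414141 ends up in
__strlen_sse2_bsf.  Before dereferencing an address that did not come from our
own allocation we look it up in /proc/self/maps and never read past the end
of the mapping that contains it.
"""
import os
from ctypes import addressof, create_string_buffer, string_at

MAPS_PATH = "/proc/self/maps"                   # Linux-specific (assumption of this example)
HAVE_PROC_MAPS = os.access(MAPS_PATH, os.R_OK)  # elsewhere the check degrades to "unknown"


def readable_mappings():
    """Yield (start, end) for each mapping of this process with the read bit set."""
    with open(MAPS_PATH) as fh:
        for line in fh:
            fields = line.split()            # "start-end perms offset dev inode [path]"
            if len(fields) < 2 or "r" not in fields[1]:
                continue
            lo, hi = fields[0].split("-")
            yield int(lo, 16), int(hi, 16)


def mapping_containing(addr):
    """Return the readable (start, end) mapping holding addr, or None."""
    for lo, hi in readable_mappings():
        if lo <= addr < hi:
            return lo, hi
    return None


def read_c_string(addr, max_len=4096):
    """Read a NUL-terminated string at addr without trusting the pointer.

    Returns the bytes before the first NUL, or None when addr is NULL, is not
    inside a readable mapping, or the mapping table is unavailable.  The read
    is capped at max_len and at the end of the mapping, so an unterminated
    string cannot walk into unmapped memory the way strlen() does.
    """
    if addr == 0 or not HAVE_PROC_MAPS:
        return None
    span = mapping_containing(addr)
    if span is None:
        return None
    n = min(max_len, span[1] - addr)         # never cross the end of the mapping
    data = string_at(addr, n)
    nul = data.find(b"\0")
    return data if nul < 0 else data[:nul]


# Constructed input: a real buffer, plus the address the report wrote into its pointer.
SAMPLE = create_string_buffer(b"hello from a real buffer")
VALID_ADDR = addressof(SAMPLE)
BOGUS_ADDR = 0x41414141


def demo():
    """Safe reads of both addresses; c_char_p(BOGUS_ADDR).value would segfault instead."""
    return read_c_string(VALID_ADDR), read_c_string(BOGUS_ADDR)


if __name__ == "__main__":
    print(demo())
```

This is a filter, not a guarantee: a mapping listed as readable can still fault (a file-backed mapping past the end of its file raises SIGBUS), another thread can unmap the region between the lookup and the read, and the probe is exactly the kind of check the Windows IsBadStringPtrA branch in z_get performs, with the same race. The durable fix is not to hand ctypes an address whose provenance is unknown in the first place.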