[issue27462] NULL Pointer deref in binary_iop1 function

2016-07-07 Thread Emin Ghuliev

Changes by Emin Ghuliev <drmin...@gmail.com>:


--
resolution: not a bug -> wont fix
status: pending -> closed

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27462>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue27462] NULL Pointer deref in binary_iop1 function

2016-07-07 Thread Emin Ghuliev

Emin Ghuliev added the comment:

Nope, an invalid bytecode file generated by a fuzzer for the purpose of bug
research. Python just doesn't determine whether a variable is empty or valid.

--

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27462>
___



[issue27462] NULL Pointer deref in binary_iop1 function

2016-07-07 Thread Emin Ghuliev

New submission from Emin Ghuliev:

The Python VM parses the "0x3b" opcode (INPLACE_MODULO) in the bytecode file.
Subsequently the VM parses the left and right arguments of the opcode (0x3b). If the
left and right arguments don't exist in the bytecode file, that causes a
segmentation fault, which is triggered by the binary_iop1 function.


PyEval_EvalFrameEx() at Python/ceval.c:1749

    TARGET(INPLACE_MODULO) {
        PyObject *right = POP();
        PyObject *left = TOP();
        PyObject *mod = PyNumber_InPlaceRemainder(left, right); /* <-- left = 0, right = 0 */

Then the INPLACE_MODULO opcode passes the two arguments into
PyNumber_InPlaceRemainder, which in turn calls binary_iop:

PyNumber_InPlaceRemainder at Objects/abstract.c:1102

    PyNumber_InPlaceRemainder(PyObject *v, PyObject *w)
    {
        return binary_iop(v, w, NB_SLOT(nb_inplace_remainder),
                          NB_SLOT(nb_remainder), "%=");
    }

Subsequently the binary_iop function passes the "v" argument into
binary_iop1:

binary_iop at Objects/abstract.c:1005

    static PyObject *
    binary_iop(PyObject *v, PyObject *w, const int iop_slot, const int op_slot,
               const char *op_name)
    {
        PyObject *result = binary_iop1(v, w, iop_slot, op_slot); /* v = 0 here; calls binary_iop1 */
        if (result == Py_NotImplemented) {
            Py_DECREF(result);
            return binop_type_error(v, w, op_name);
        }
        return result;
    }

binary_iop1 at Objects/abstract.c:988

    static PyObject *
    binary_iop1(PyObject *v, PyObject *w, const int iop_slot, const int op_slot)
    {
        PyNumberMethods *mv = v->ob_type->tp_as_number; /* dereferences the object; here v = 0x0 */
        if (mv != NULL) {
            binaryfunc slot = NB_BINOP(mv, iop_slot);
            if (slot) {
                PyObject *x = (slot)(v, w);
                if (x != Py_NotImplemented) {
                    return x;
                }
                Py_DECREF(x);
            }
        }
        return binary_op1(v, w, op_slot);
    }

The binary_iop1 function doesn't check the "v" argument and dereferences it.

    <PyNumber_InPlaceRemainder+16>  mov    rsi,QWORD PTR [rdi+0x8]   ; +0x8 -> ob_type

$rdi register = 0x0


Program received signal SIGSEGV, Segmentation fault.

--
components: Interpreter Core
files: repro
messages: 269940
nosy: Emin Ghuliev
priority: normal
severity: normal
status: open
title: NULL Pointer deref in binary_iop1 function
versions: Python 3.6
Added file: http://bugs.python.org/file43654/repro

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27462>
___
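The crash described in this report is an instruction (INPLACE_MODULO) that pops two operands from a value stack holding none; the tracker closed it as not a bug, so a program that loads bytecode it cannot trust has to do its own check. The following is an added example, not code from the report or from CPython: a static stack-depth walk over a code object's instructions using the public dis module (dis.get_instructions and dis.stack_effect), following both outcomes of every jump and flagging any instruction that would take the depth below zero. The names validate, build, check_function, sample_modulo and inplace_modulo_case are mine; the Instr namedtuple is a constructed stand-in for dis.Instruction so that a malformed sequence like the fuzzed one can be built by hand. Because dis.stack_effect follows the running interpreter's opcode table, the same code covers INPLACE_MODULO (up to 3.10) and BINARY_OP (3.11 and later).

```python
"""Static stack-depth check for CPython bytecode (added example, not CPython's own code).

dis.stack_effect gives the net stack effect of each opcode, so the walk below
follows whatever opcode set the running interpreter has (INPLACE_MODULO up to
3.10, BINARY_OP from 3.11) without hard-coding 0x3b.
"""
import dis
from collections import namedtuple

# Stand-in for dis.Instruction so malformed sequences can be built by hand.
Instr = namedtuple("Instr", "opcode arg offset argval")

# Jump opcodes across versions (hasjump is 3.13+, hasjabs is empty from 3.12).
_JUMPS = set(getattr(dis, "hasjump", [])) | set(dis.hasjrel) | set(dis.hasjabs)
# Instructions after which execution never continues at the next one.
_NO_FALLTHROUGH = {"RETURN_VALUE", "RETURN_CONST", "RAISE_VARARGS", "RERAISE",
                   "JUMP_FORWARD", "JUMP_ABSOLUTE", "JUMP_BACKWARD",
                   "JUMP_BACKWARD_NO_INTERRUPT", "JUMP"}


def _takes_arg(opcode):
    if hasattr(dis, "hasarg"):          # 3.12+
        return opcode in dis.hasarg
    return opcode >= dis.HAVE_ARGUMENT  # 3.11 and older


def build(seq):
    """Constructed input: turn [(opname, arg), ...] into Instr objects.
    Offsets are 2 bytes apart, as in wordcode; arg is dropped for argless
    opcodes because dis.stack_effect rejects an oparg there."""
    out = []
    for i, (name, arg) in enumerate(seq):
        op = dis.opmap[name]
        if not _takes_arg(op):
            arg = None
        out.append(Instr(op, arg, i * 2, arg))
    return out


def validate(instructions):
    """Walk every reachable instruction, following both outcomes of each
    jump. Returns (ok, errors); ok is False if any instruction would take the
    stack below zero, a jump leaves the code, or control runs off the end."""
    instrs = list(instructions)
    index_of = {ins.offset: i for i, ins in enumerate(instrs)}
    depth_at = {}                       # instruction index -> depth on entry
    errors = []
    work = [(0, 0)] if instrs else []
    while work:
        i, depth = work.pop()
        if i >= len(instrs):
            errors.append(f"control runs off the end of the code at index {i}")
            continue
        if i in depth_at:
            if depth_at[i] != depth:
                errors.append(f"index {i}: reached with depth {depth_at[i]} and {depth}")
            continue
        depth_at[i] = depth
        ins = instrs[i]
        name = dis.opname[ins.opcode]
        outcomes = []                   # (net effect, next index or None)
        if ins.opcode in _JUMPS:
            target_offset = getattr(ins, "jump_target", None)   # 3.13+ attribute
            if target_offset is None:
                target_offset = ins.argval                      # older: argval is the target
            target = index_of.get(target_offset)
            if target is None:
                errors.append(f"{name} at index {i} jumps to offset {target_offset}, outside the code")
            else:
                outcomes.append((dis.stack_effect(ins.opcode, ins.arg, jump=True), target))
            if name not in _NO_FALLTHROUGH:
                outcomes.append((dis.stack_effect(ins.opcode, ins.arg, jump=False), i + 1))
        else:
            effect = dis.stack_effect(ins.opcode, ins.arg)
            outcomes.append((effect, None if name in _NO_FALLTHROUGH else i + 1))
        for effect, nxt in outcomes:
            new_depth = depth + effect
            if new_depth < 0:
                errors.append(f"{name} at index {i} (offset {ins.offset}) pops from an "
                              f"empty stack: depth {depth} -> {new_depth}")
            elif nxt is not None:
                work.append((nxt, new_depth))
    return not errors, errors


def check_function(func):
    """Run the check over a real function's bytecode."""
    return validate(dis.get_instructions(func))


def sample_modulo(a, b):
    """Well-formed reference: what the compiler emits for an in-place modulo."""
    a %= b
    return a


def inplace_modulo_case():
    """The shape of the fuzzed file: an in-place modulo with nothing on the stack."""
    if "INPLACE_MODULO" in dis.opmap:                      # 3.10 and older
        seq = [("INPLACE_MODULO", None), ("RETURN_VALUE", None)]
    else:                                                   # 3.11+: the oparg picks the
        seq = [("BINARY_OP", 0), ("RETURN_VALUE", None)]    # operator, effect is -1 either way
    return validate(build(seq))


if __name__ == "__main__":
    print(check_function(sample_modulo))   # (True, [])
    print(inplace_modulo_case())           # (False, ['... pops from an empty stack ...'])
```

The walk mirrors the compiler's own depth analysis (one fixed depth per instruction, both edges of a jump taken), but it only sees net effects, which is all dis exposes: it catches an instruction that drives the depth negative, as the fuzzed file does, yet not one that pops two operands when exactly one is present. A complete check needs per-opcode pop and push counts, which the public module does not provide.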



[issue27254] UAF in Tkinter module

2016-07-05 Thread Emin Ghuliev

Changes by Emin Ghuliev <drmin...@gmail.com>:


--
status: open -> closed

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27254>
___



[issue27254] UAF in Tkinter module

2016-07-05 Thread Emin Ghuliev

Changes by Emin Ghuliev <drmin...@gmail.com>:


--
resolution:  -> third party

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27254>
___



[issue27254] UAF in Tkinter module

2016-06-12 Thread Emin Ghuliev

Changes by Emin Ghuliev <drmin...@gmail.com>:


--
title: heap overflow in Tkinter module -> UAF in Tkinter module

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27254>
___



[issue27254] heap overflow in Tkinter module

2016-06-08 Thread Emin Ghuliev

Emin Ghuliev added the comment:

pseudocode

    <+16>:  movsxd rdx,DWORD PTR [rbx+0x8]
    <+20>:  lea    eax,[rdx+rbp*1]

newSize = length ($rdx) + dsPtr->length ($rbp)

    gdb > print /x $rbp
    $5 = 0xf
    gdb > print /x $rdx
    $6 = 0x10

newsize = 0xf+0x10 = 0x1f

    <Tcl_DStringAppend+23>  cmp    eax,DWORD PTR [rbx+0xc]   ← $pc
    <Tcl_DStringAppend+26>  jl     0x76194e38 <Tcl_DStringAppend+104>

newSize ($eax) >= dsPtr->spaceAvl

    gdb > print /x $eax
    $7 = 0x1f

    gdb > x/x $rbx+0xc
    0x7fffd0cc: 0x001e

condition: 0x1f >= 0x001e = True

    if (newSize >= dsPtr->spaceAvl) {
        <Tcl_DStringAppend+31>  lea    esi,[rax+rax*1] ; magic compiler optimization :) (newSize(0x1f)*2)
        /*  */
        dsPtr->spaceAvl = newSize * 2;
        gdb > print /x $rax
        $4 = 0x1f
        $esi = 0x1f+0x1f (newSize(0x1f)*2) = 0x3e
        /*  */

        => <+34>:   lea    rax,[rbx+0x10]
           <+38>:   mov    DWORD PTR [rbx+0xc],esi
           <+41>:   cmp    rdi,rax ; $rax = dsPtr->staticSpace and $rdi = dsPtr->string
           <+44>:   je     0x76194e50 <Tcl_DStringAppend+128>

condition: dsPtr->string == dsPtr->staticSpace = False, then jump to
'<Tcl_DStringAppend+46>  call   0x760c2040'

        if (dsPtr->string == dsPtr->staticSpace) {
            char *newString = ckalloc(dsPtr->spaceAvl);
            memcpy(newString, dsPtr->string, (size_t) dsPtr->length);
            dsPtr->string = newString;
        }
        else {
            <Tcl_DStringAppend+46>  call   0x760c2040

            $rsi = 0x3e
            $rdi = 0x7333e020
            dsPtr->string = ckrealloc(dsPtr->string = 0x7333e020, dsPtr->spaceAvl = 0x3e);
        }
    }

disassemble:

    <Tcl_DStringAppend+58>  lea    rdi,[rax+rdx*1] ; dsPtr->string + dsPtr->length
    <Tcl_DStringAppend+62>  mov    rsi,r12         ; bytes
    <Tcl_DStringAppend+65>  movsxd rdx,ebp         ; length
    <Tcl_DStringAppend+68>  call   0x760a25c0 <memcpy@plt>
    memcpy(dsPtr->string + dsPtr->length, bytes, length);

--

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27254>
___



[issue27254] heap overflow in Tkinter module

2016-06-08 Thread Emin Ghuliev

Emin Ghuliev added the comment:

the appropriate size should be chosen I)

--

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27254>
___



[issue27254] heap overflow in Tkinter module

2016-06-08 Thread Emin Ghuliev

Emin Ghuliev added the comment:

Yeah, you're right, but Python doesn't check the classname length. Therefore
the heap overflow occurred in Tcl.

--

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27254>
___



[issue27254] heap overflow in Tkinter module

2016-06-07 Thread Emin Ghuliev

New submission from Emin Ghuliev:

    /* This is used to get the application class for Tk 4.1 and up */
    argv0 = (char*)attemptckalloc(strlen(className) + 1); /* <=== classname allocated */
    if (!argv0) {
        PyErr_NoMemory();
        Py_DECREF(v);
        return NULL;
    }

    strcpy(argv0, className); /* <=== classname copied to argv0 */
    if (Py_ISUPPER(Py_CHARMASK(argv0[0])))
        argv0[0] = Py_TOLOWER(Py_CHARMASK(argv0[0]));
    Tcl_SetVar(v->interp, "argv0", argv0, TCL_GLOBAL_ONLY); /* argv0 passed to v->interp and freed */
    ckfree(argv0);

Then v->interp is passed to the Tcl_AppInit function:

    if (Tcl_AppInit(v->interp) != TCL_OK)

In Tcl_AppInit, Tcl_DStringAppend is called (and v->interp is passed). The
Tcl_DStringAppend function allocates the specified number of bytes, then the heap
memory is passed to memcpy.

Realloc arguments, as presented in the native Tcl allocator:

    char *
    Tcl_Realloc(ptr, size)

disassemble:

    gdb>  print /x $rdi
    $4 = 0x703c8810
    0x703c8814: 0x41414141 ...
    gdb>  print /x $rsi
    $2 = 0x3e
       0x73a07dfe <+46>:    call   0x73935040

After returning to the caller function, the memory copy operation is performed.

       0x73a07e0a <+58>:    lea    rdi,[rax+rdx*1] <=== destination buffer

       $rax = 0x7fffeffc5810 - $rdx = 0x10
       $rax+$rdx = 0x700c5810

       0x73a07e0e <+62>:    mov    rsi,r12 <=== source buffer
       0x73a07e11 <+65>:    movsxd rdx,ebp <=== 0xf
       0x73a07e14 <+68>:    call   0x739155c0 <memcpy@plt>

copy to $rdi from the $rsi buffer, 0xf bytes;

ASAN report.

=
==27988==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f4e6ba64810 
at pc 0x4665ea bp 0x7fff89a4ab80 sp 0x7fff89a4a340
READ of size 1048575 at 0x7f4e6ba64810 thread T0
==27988==WARNING: Trying to symbolize code, but external symbolizer is not 
initialized!
#0 0x4665e9 (/home/eminus/Downloads/Python-2.7.11/python+0x4665e9)
#1 0x7f4e6f0a3e18 (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x116e18)
#2 0x7f4e6f38744e (/usr/lib/x86_64-linux-gnu/libtk8.6.so+0x6244e)
#3 0x7f4e6f6b6e4c 
(/home/eminus/Downloads/Python-2.7.11/build/lib.linux-x86_64-2.7/_tkinter.so+0x19e4c)
#4 0x7f4e6f6a7fc5 
(/home/eminus/Downloads/Python-2.7.11/build/lib.linux-x86_64-2.7/_tkinter.so+0xafc5)
#5 0x5e1813 (/home/eminus/Downloads/Python-2.7.11/python+0x5e1813)
#6 0x5d319c (/home/eminus/Downloads/Python-2.7.11/python+0x5d319c)
#7 0x721353 (/home/eminus/Downloads/Python-2.7.11/python+0x721353)
#8 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
#9 0x4b6c62 (/home/eminus/Downloads/Python-2.7.11/python+0x4b6c62)
#10 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
#11 0x5f0823 (/home/eminus/Downloads/Python-2.7.11/python+0x5f0823)
#12 0x4b0a08 (/home/eminus/Downloads/Python-2.7.11/python+0x4b0a08)
#13 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
#14 0x5e2d19 (/home/eminus/Downloads/Python-2.7.11/python+0x5e2d19)
#15 0x5d319c (/home/eminus/Downloads/Python-2.7.11/python+0x5d319c)
#16 0x5d2041 (/home/eminus/Downloads/Python-2.7.11/python+0x5d2041)
#17 0x660980 (/home/eminus/Downloads/Python-2.7.11/python+0x660980)
#18 0x65fc8a (/home/eminus/Downloads/Python-2.7.11/python+0x65fc8a)
#19 0x48e46c (/home/eminus/Downloads/Python-2.7.11/python+0x48e46c)
#20 0x7f4e72389ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#21 0x48c5bc (/home/eminus/Downloads/Python-2.7.11/python+0x48c5bc)

0x7f4e6ba64810 is located 16 bytes inside of 2097166-byte region 
[0x7f4e6ba64800,0x7f4e6bc6480e)
freed by thread T0 here:
#0 0x4766d3 (/home/eminus/Downloads/Python-2.7.11/python+0x4766d3)
#1 0x7f4e6f09b52d (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x10e52d)

previously allocated by thread T0 here:
#0 0x4764d9 (/home/eminus/Downloads/Python-2.7.11/python+0x4764d9)
#1 0x7f4e6f09b0cc (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x10e0cc)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0fea4d7448b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea4d7448c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea4d7448d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea4d7448e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea4d7448f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fea4d744900: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fea4d744910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fea4d744920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fea4d744930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fea4d744940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fea4d744950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 applicat

[issue26595] Segfault on Pointer operation

2016-03-20 Thread Emin Ghuliev

Changes by Emin Ghuliev <drmin...@gmail.com>:


--
status: open -> closed

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26595>
___



[issue26595] Segfault on Pointer operation

2016-03-20 Thread Emin Ghuliev

Changes by Emin Ghuliev <drmin...@gmail.com>:


--
components: +ctypes
type:  -> crash
versions: +Python 2.7

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26595>
___



[issue26595] Segfault on Pointer operation

2016-03-20 Thread Emin Ghuliev

New submission from Emin Ghuliev:

I'm trying to use a pointer in a Python script, but when executing the following
code I get an error (Segmentation fault).


dmr@debian:~$ python test.py
Segmentation fault


self.mem  = c_char_p(mem)

pointer(self.binning())[0] = 0x41414141


output: 
[--registers---]
EAX: 0x0 
EBX: 0xb7aee000 --> 0x21e4c 
ECX: 0x1 
EDX: 0x41414141 ('')
ESI: 0x41414141 ('')
EDI: 0x41414141 ('')
EBP: 0xb7b0eb3c --> 0xc ('\x0c')
ESP: 0xbfffeb74 --> 0x0 
EIP: 0xb7dfc4b6 (<__strlen_sse2_bsf+22>: movdqu xmm1,XMMWORD PTR [edi])
EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-code-]
   0xb7dfc4ad <__strlen_sse2_bsf+13>:   pxor   xmm0,xmm0
   0xb7dfc4b1 <__strlen_sse2_bsf+17>:   cmp    ecx,0x30
   0xb7dfc4b4 <__strlen_sse2_bsf+20>:   ja     0xb7dfc4cd <__strlen_sse2_bsf+45>
=> 0xb7dfc4b6 <__strlen_sse2_bsf+22>:   movdqu xmm1,XMMWORD PTR [edi]
   0xb7dfc4ba <__strlen_sse2_bsf+26>:   pcmpeqb xmm0,xmm1
   0xb7dfc4be <__strlen_sse2_bsf+30>:   pmovmskb edx,xmm0
   0xb7dfc4c2 <__strlen_sse2_bsf+34>:   test   edx,edx
   0xb7dfc4c4 <__strlen_sse2_bsf+36>:   jne    0xb7dfc539 <__strlen_sse2_bsf+153>
[stack-]


BUG in the ctypes module

.//source/cfield.c:1328

    static PyObject *
    z_get(void *ptr, unsigned size)
    {
        /* XXX What about invalid pointers ??? */
        if (*(void **)ptr) {
    #if defined(MS_WIN32) && !defined(_WIN32_WCE)
            if (IsBadStringPtrA(*(char **)ptr, -1)) {
                PyErr_Format(PyExc_ValueError,
                             "invalid string pointer %p",
                             *(char **)ptr);
                return NULL;
            }
    #endif
            return PyString_FromString(*(char **)ptr); /* <=== passing the pointer as argument */
        } else {
            Py_INCREF(Py_None);
            return Py_None;
        }
    }

./Objects/stringobject.c:

    PyObject *
    PyString_FromString(const char *str) /* str: this value is assigned the 0x41414141 address */
    {
        register size_t size;
        register PyStringObject *op;

        assert(str != NULL);
        size = strlen(str); /* <=== argument address 0x41414141 */

--
files: alloc.py
messages: 262077
nosy: Emin Ghuliev
priority: normal
severity: normal
status: open
title: Segfault on Pointer operation
Added file: http://bugs.python.org/file42224/alloc.py

___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26595>
___