[issue24630] null pointer dereference in `load_newobj_ex`

2015-07-16 Thread Serhiy Storchaka

Changes by Serhiy Storchaka:


--
resolution:  -> out of date
stage:  -> resolved
status: pending -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue24630] null pointer dereference in `load_newobj_ex`

2015-07-16 Thread Brad Larsen

Brad Larsen added the comment:

Yeah, this appears to be fixed along with #24552.

--
status: open -> pending




[issue24630] null pointer dereference in `load_newobj_ex`

2015-07-14 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Likely this crash was fixed by the issue24552 patch.

--
nosy: +benjamin.peterson




[issue24630] null pointer dereference in `load_newobj_ex`

2015-07-14 Thread Brad Larsen

Brad Larsen added the comment:

Both test cases cause segfaults for me:
(1) on 64-bit Python 3.4.3 built from source on Mac OS X
(2) on the system 64-bit Python 3.4.3 from Debian "Jessie"

I do not see the segfaults with a 64-bit build of the latest sources (cpython 
`default` branch at 231bf0840f8f).  Instead, I see an unhandled 
`_pickle.UnpicklingError`.

--
status: pending -> open




[issue24630] null pointer dereference in `load_newobj_ex`

2015-07-13 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Can't reproduce the crash with current sources. In both examples the result is 
an exception:

_pickle.UnpicklingError: NEWOBJ_EX class argument must be a type, not float

How can an ob_type field of cls be set to 0?

--
nosy: +alexandre.vassalotti, pitrou, serhiy.storchaka
status: open -> pending




[issue24630] null pointer dereference in `load_newobj_ex`

2015-07-13 Thread Brad Larsen

Brad Larsen added the comment:

Also, it appears that the `ob_type` field of `cls` need not be NULL; it can be 
an arbitrary value treated as a memory location.

Attached another POC that triggers this case.

--
Added file: http://bugs.python.org/file39922/bug-nonnull.py




[issue24630] null pointer dereference in `load_newobj_ex`

2015-07-13 Thread Brad Larsen

Brad Larsen added the comment:

Seems to be similar to #24552, but not the same problem.

--




[issue24630] null pointer dereference in `load_newobj_ex`

2015-07-13 Thread Brad Larsen

New submission from Brad Larsen:

`load_newobj_ex` in Modules/_pickle.c can crash with a null pointer dereference.


File Modules/_pickle.c:

static int
load_newobj_ex(UnpicklerObject *self)
{
    PyObject *cls, *args, *kwargs;
    PyObject *obj;
    PickleState *st = _Pickle_GetGlobalState();

    // ...

    PDATA_POP(self->stack, cls);  // *** 1 ***
    if (cls == NULL) {
        Py_DECREF(kwargs);
        Py_DECREF(args);
        return -1;
    }

    if (!PyType_Check(cls)) { // *** 2 ***
        Py_DECREF(kwargs);
        Py_DECREF(args);
        Py_DECREF(cls);  // the reference to cls is released here, before Py_TYPE(cls) is read below
        PyErr_Format(st->UnpicklingError,
                     "NEWOBJ_EX class argument must be a type, not %.200s",
                     Py_TYPE(cls)->tp_name);  // *** 3 ***
        return -1;
    }

    // ...
}

1. `cls` is successfully unpickled, but has an ob_type field set to 0
2. `cls` is determined not to be a `PyType` object
3. `Py_TYPE(cls)` gives a null pointer that is dereferenced via `->tp_name`


Environment:

$ python3.4 --version
Python 3.4.2

$ uname -a
Linux debian-8-amd64 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-3~deb8u1 
(2015-04-24) x86_64 GNU/Linux


POC:

from io import BytesIO
from pickle import load

payload = 
b']\x8f\x8f\x8f\x8f\x8f\x8f\x8f\x8fGGbG\x10GGG?GGG:gB(GRUGGhZGGGJGTGCgGG7GB(GRvG\xff\xff\x00\x00GGJGTGhttp://bugs.python.org/file39921/bug.py

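Added example (not code from this tracker thread or from CPython): the messages above show that a crafted stream can leave a non-type object where NEWOBJ_EX expects a class, and whether that ends in a clean UnpicklingError or a segfault depends on the interpreter build. A receiver that has to accept pickle data from outside can refuse, before ever calling pickle.loads, any stream that uses the object-construction opcodes at all, by walking it with pickletools.genops, which decodes opcodes without executing them. The names screen_pickle, safe_loads, accepts, FORBIDDEN_OPCODES and the Widget class are this example's own; the sample streams are constructed with pickle.dumps.

```python
"""Opcode-level screening of pickle data before it reaches pickle.loads.

Added example for issue24630; not code from the Python tracker or from
CPython.  Sample streams below are constructed with pickle.dumps.
"""
import pickle
import pickletools

# Opcodes that look up or construct arbitrary objects.  A stream carrying
# only plain data (dicts, lists, ints, strings, bytes, ...) never needs them.
FORBIDDEN_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
    "REDUCE", "BUILD", "NEWOBJ", "NEWOBJ_EX",
})


def screen_pickle(data: bytes) -> list:
    """Return the names of forbidden opcodes found in `data`, in stream order.

    pickletools.genops only decodes the opcode stream; nothing is
    instantiated.  A truncated or malformed stream makes it raise
    ValueError, which the caller should treat as a rejection too.
    """
    found = []
    for opcode, _arg, _pos in pickletools.genops(data):
        if opcode.name in FORBIDDEN_OPCODES:
            found.append(opcode.name)
    return found


def safe_loads(data: bytes):
    """Unpickle `data` only if it passes the opcode screen."""
    try:
        hits = screen_pickle(data)
    except ValueError as exc:  # truncated stream, unknown opcode, ...
        raise pickle.UnpicklingError("malformed pickle stream: %s" % exc) from None
    if hits:
        raise pickle.UnpicklingError(
            "refusing stream with object-construction opcodes: %s" % hits)
    return pickle.loads(data)


def accepts(data: bytes) -> bool:
    """True if safe_loads accepts the stream, False if the screen rejects it."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return False
    return True


class Widget:
    """Hypothetical class whose protocol-4 pickle uses NEWOBJ_EX."""

    def __init__(self, size, color="red"):
        self.size = size
        self.color = color

    def __getnewargs_ex__(self):
        # Non-empty kwargs make object.__reduce_ex__ pick __newobj_ex__,
        # which the pickler writes out as the NEWOBJ_EX opcode.
        return ((self.size,), {"color": self.color})


# Constructed sample streams: plain data, and an instance that needs NEWOBJ_EX.
PLAIN_DATA = pickle.dumps({"ids": [1, 2, 3]}, protocol=4)
NEWOBJ_EX_DATA = pickle.dumps(Widget(3, color="blue"), protocol=4)

if __name__ == "__main__":
    print(screen_pickle(PLAIN_DATA))      # []
    print(screen_pickle(NEWOBJ_EX_DATA))  # contains 'STACK_GLOBAL' and 'NEWOBJ_EX'
    print(accepts(PLAIN_DATA), accepts(NEWOBJ_EX_DATA), accepts(PLAIN_DATA[:-1]))
```

This is a screen, not a sandbox: a stream that passes still goes through the real unpickler, so it narrows what a malformed stream can reach but does not change the pickle module's own position that data from an untrusted source should not be unpickled at all.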