[issue24913] newblock() Uninitialized Variable

2015-08-25 Thread Raymond Hettinger

Changes by Raymond Hettinger :


Added file: http://bugs.python.org/file40258/fix_deque_overrun.diff

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue24913] newblock() Uninitialized Variable

2015-08-25 Thread Stefan Krah

Stefan Krah added the comment:

I guess that in the test case the stop parameter is set to 4 in
deque_index(), but it should be clamped to 3.

--
nosy: +skrah




[issue24913] newblock() Uninitialized Variable

2015-08-25 Thread John Leitch

John Leitch added the comment:

The "exception analysis" is output from the WinDbg !analyze command run on a 
crash where access to the uninitialized memory ultimately corrupted the 
instruction pointer, leading to a data execution prevention crash. That's why 
the disassembly is junk--the IP is not pointing to valid instructions. This 
crash was provided as an example because it demonstrates that the issue is 
likely exploitable, and can probably be used to achieve code execution.

Here is an example of a crash where execution halts immediately upon attempting 
to dereference a corrupted pointer. Note that the pointer is 0xC0C0C0C0--a fill 
pattern indicative of uninitialized memory. 

0:000> r
eax=02a2 ebx=551160a8 ecx=c0c0c0c0 edx=07e538e0 esi=07e538e0 edi=c0c0c0c0
eip=54f25a55 esp=004cf6e4 ebp=004cf6f4 iopl=0 nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010287
python35!do_richcompare+0x15:
54f25a55 8b4704  mov eax,dword ptr [edi+4] ds:002b:c0c0c0c4=
0:000> k
ChildEBP RetAddr  
004cf6f4 54f25be3 python35!do_richcompare+0x15 
[c:\build\cpython\objects\object.c @ 659]
004cf700 54e453fc python35!PyObject_RichCompare+0x53 
[c:\build\cpython\objects\object.c @ 718]
(Inline)  python35!PyObject_RichCompareBool+0x14 
[c:\build\cpython\objects\object.c @ 739]
004cf738 54f232d3 python35!deque_index+0xac 
[c:\build\cpython\modules\_collectionsmodule.c @ 933]
004cf754 54f8442f python35!PyCFunction_Call+0x113 
[c:\build\cpython\objects\methodobject.c @ 109]
004cf788 54f818ec python35!call_function+0x2ff [c:\build\cpython\python\ceval.c 
@ 4651]
004cf800 54f8339f python35!PyEval_EvalFrameEx+0x232c 
[c:\build\cpython\python\ceval.c @ 3184]
004cf84c 54fba0b2 python35!_PyEval_EvalCodeWithName+0x82f 
[c:\build\cpython\python\ceval.c @ 3962]
(Inline)  python35!PyEval_EvalCodeEx+0x21 
[c:\build\cpython\python\ceval.c @ 3983]
(Inline)  python35!PyEval_EvalCode+0x21 
[c:\build\cpython\python\ceval.c @ 777]
004cf888 54fb9f45 python35!run_mod+0x42 [c:\build\cpython\python\pythonrun.c @ 
970]
004cf8b4 54fb8fba python35!PyRun_FileExFlags+0x85 
[c:\build\cpython\python\pythonrun.c @ 923]
004cf8f8 54e8f1f7 python35!PyRun_SimpleFileExFlags+0x20a 
[c:\build\cpython\python\pythonrun.c @ 396]
(Inline)  python35!PyRun_AnyFileExFlags+0x4e 
[c:\build\cpython\python\pythonrun.c @ 80]
004cf924 54e8fb33 python35!run_file+0xe7 [c:\build\cpython\modules\main.c @ 318]
004cf9c8 1cd4143f python35!Py_Main+0x913 [c:\build\cpython\modules\main.c @ 768]
(Inline)  python!invoke_main+0x1d 
[f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 89]
004cfa14 75463744 python!__scrt_common_main_seh+0xff 
[f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
004cfa28 76f0a064 KERNEL32!BaseThreadInitThunk+0x24
004cfa70 76f0a02f ntdll!__RtlUserThreadStart+0x2f
004cfa80  ntdll!_RtlUserThreadStart+0x1b
0:000> !analyze -v -nodb
***
* *
*Exception Analysis   *
* *
***


FAULTING_IP: 
python35!do_richcompare+15 [c:\build\cpython\objects\object.c @ 659]
54f25a55 8b4704  mov eax,dword ptr [edi+4]

EXCEPTION_RECORD:   -- (.exr 0x)
ExceptionAddress: 54f25a55 (python35!do_richcompare+0x0015)
   ExceptionCode: c005 (Access violation)
  ExceptionFlags: 
NumberParameters: 2
   Parameter[0]: 
   Parameter[1]: c0c0c0c4
Attempt to read from address c0c0c0c4

CONTEXT:   -- (.cxr 0x0;r)
eax=02a2 ebx=551160a8 ecx=c0c0c0c0 edx=07e538e0 esi=07e538e0 edi=c0c0c0c0
eip=54f25a55 esp=004cf6e4 ebp=004cf6f4 iopl=0 nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010287
python35!do_richcompare+0x15:
54f25a55 8b4704  mov eax,dword ptr [edi+4] ds:002b:c0c0c0c4=

FAULTING_THREAD:  4a48

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  python.exe

ERROR_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%p referenced memory 
at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%p referenced 
memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  

EXCEPTION_PARAMETER2:  c0c0c0c4

READ_ADDRESS:  c0c0c0c4 

FOLLOWUP_IP: 
python35!do_richcompare+15 [c:\build\cpython\objects\object.c @ 659]
54f25a55 8b4704  mov eax,dword ptr [edi+4]

NTGLOBALFLAG:  200

APPLICATION_VERIFIER_FLAGS:  0

APP:  python.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_R

[issue24913] newblock() Uninitialized Variable

2015-08-25 Thread Raymond Hettinger

Raymond Hettinger added the comment:

I find the "exception analysis" to be unreadable.  Have you found any place 
in the deque code where the uninitialized memory actually gets accessed?

--
priority: normal -> low




[issue24913] newblock() Uninitialized Variable

2015-08-25 Thread Raymond Hettinger

Changes by Raymond Hettinger :


--
assignee:  -> rhettinger




[issue24913] newblock() Uninitialized Variable

2015-08-23 Thread Bryce Darling

Changes by Bryce Darling :


--
nosy: +brycedarling




[issue24913] newblock() Uninitialized Variable

2015-08-21 Thread R. David Murray

Changes by R. David Murray :


--
nosy: +rhettinger




[issue24913] newblock() Uninitialized Variable

2015-08-21 Thread John Leitch

Changes by John Leitch :


Added file: http://bugs.python.org/file40225/newblock_Uninitialized_variable.py




[issue24913] newblock() Uninitialized Variable

2015-08-21 Thread John Leitch

New submission from John Leitch:

Python 3.5 suffers from a vulnerability caused by the behavior of the 
newblock() function used by the collections.deque module. When called, 
newblock() allocates memory using PyMem_Malloc() and does not initialize it:

static block *
newblock(Py_ssize_t len) {
    block *b;
    if (len >= MAX_DEQUE_LEN) {
        PyErr_SetString(PyExc_OverflowError,
                        "cannot add more blocks to the deque");
        return NULL;
    }
    if (numfreeblocks) {
        numfreeblocks--;
        return freeblocks[numfreeblocks];
    }
    b = PyMem_Malloc(sizeof(block));  /* Memory allocation. */
    if (b != NULL) {
        return b;  /* Buffer returned without initialization. */
    }
    PyErr_NoMemory();
    return NULL;
}

Because PyMem_Malloc does not initialize the memory, the block may contain 
garbage data. In some cases, this can lead to memory corruption which could be 
exploitable to achieve code execution. The following exception analysis is an 
example of EIP corruption:

 ***
* *
*Exception Analysis   *
* *
***

*** The OS name list needs to be updated! Unknown Windows version: 10.0 ***

FAULTING_IP:
python35!PyUnicode_Type+0
696f60d8 a800    test    al,0

EXCEPTION_RECORD:   -- (.exr 0x)
ExceptionAddress: 696f60d8 (python35!PyUnicode_Type)
   ExceptionCode: c005 (Access violation)
  ExceptionFlags: 
NumberParameters: 2
   Parameter[0]: 0008
   Parameter[1]: 696f60d8
Attempt to execute non-executable address 696f60d8

CONTEXT:   -- (.cxr 0x0;r)
eax=696f60d8 ebx=0002 ecx=00d9492c edx=0002 esi=019b4e58 edi=0337b970
eip=696f60d8 esp=00bcf7dc ebp=00bcf7fc iopl=0 nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010206
python35!PyUnicode_Type:
696f60d8 a800    test    al,0

PROCESS_NAME:  pythonw.exe

ERROR_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%p referenced memory 
at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%p referenced 
memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  0008

EXCEPTION_PARAMETER2:  696f60d8

WRITE_ADDRESS:  696f60d8

FOLLOWUP_IP:
python35!PyUnicode_Type+0
696f60d8 a800    test    al,0

FAILED_INSTRUCTION_ADDRESS:
python35!PyUnicode_Type+0
696f60d8 a800    test    al,0

APP:  pythonw.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

FAULTING_THREAD:  09dc

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_CODE

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_CODE

BUGCHECK_STR:  
APPLICATION_FAULT_SOFTWARE_NX_FAULT_CODE_SOFTWARE_NX_FAULT_FALSE_POSITIVE

LAST_CONTROL_TRANSFER:  from 69505ad3 to 696f60d8

STACK_TEXT:
00bcf7fc 69505ad3 0002 00bcf840 694253fc python35!PyUnicode_Type
00bcf808 694253fc 0337b970 019b4e58 0002 python35!PyObject_RichCompare+0x53
00bcf840 695031c3 03a1a8f0 03a21878 00f83340 python35!deque_index+0xac
00bcf85c 69564433 03a21120 03a21878  python35!PyCFunction_Call+0x113
00bcf890 695618d8 00e23a08  0040 python35!call_function+0x303
00bcf908 6956339f 00e23a08  00f83000 python35!PyEval_EvalFrameEx+0x2318
00bcf954 6959a142 00e40f58   
python35!_PyEval_EvalCodeWithName+0x82f
00bcf990 69599fd5 00e40f58 00e40f58 00bcfa5c python35!run_mod+0x42
00bcf9bc 6959904a 00f801f0 00e366f0 0101 python35!PyRun_FileExFlags+0x85
00bcfa00 6946f037 00f801f0 00e366f0 0001 
python35!PyRun_SimpleFileExFlags+0x20a
00bcfa2c 6946f973 00bcfa5c  6ecb2100 python35!run_file+0xe7
00bcfad4 1ce31279 0002 00f79eb0 1ce3c588 python35!Py_Main+0x913
00bcfae4 1ce3145f 1ce3  00f71c68 pythonw!wWinMain+0x19
00bcfb30 74ed3744 7f174000 74ed3720 5c8b59d2 pythonw!__scrt_common_main_seh+0xfd
00bcfb44 775aa064 7f174000 a81800d2  kernel32!BaseThreadInitThunk+0x24
00bcfb8c 775aa02f  775cd7c3  ntdll!__RtlUserThreadStart+0x2f
00bcfb9c  1ce3150a 7f174000  ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  python35!PyUnicode_Type+0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: python35

IMAGE_NAME:  python35.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5598ccc2

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_CODE_c005_python35.dll!PyUnicode_Type

BUCKET_ID:  
APPLICATION_FAULT_SOFTWARE_NX_FAULT_CODE_SOFTWARE_NX_FAULT_FALSE_POSITIVE_BAD_IP_python35!PyUnicode_Type+0

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  
um:software_nx_fault_code_c005_python35.dll!pyunicode_type

FAILURE_ID_HASH:  {aa94d074-8f9b-b618-df4f-eaad15f84370}

Foll
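An added example (not code from CPython or from this report) that models the failure mode described in the submission above and the missing clamp Stefan Krah points at: a malloc()ed block whose unused slots are never written, scanned by an index() whose stop is taken from the caller, beside the version that clamps stop to the number of valid items. The block type, newblock_model(), sample_deque(), index_unclamped() and index_clamped() are assumed names for this toy model, and the 0xC0 pre-fill only stands in for the debug-heap pattern seen in the dump; it does not reproduce the pointer dereference itself.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the deque block layout (added example, not CPython's code).
 * Items live in a fixed-size block; only the first `size` slots are valid. */
#define BLOCKLEN 4
#define PAGEHEAP_FILL 0xC0C0C0C0u   /* the fill pattern seen in the crash dump */

typedef struct { uint32_t item[BLOCKLEN]; } block;
typedef struct { block *b; int size; } deque;

/* Mirrors newblock(): malloc() without initialisation. To keep the example
 * deterministic the fresh block is filled with 0xC0 bytes, as the debug heap
 * in the report did; a release build would hold arbitrary heap garbage. */
static block *newblock_model(void) {
    block *b = malloc(sizeof *b);
    if (b != NULL)
        memset(b, 0xC0, sizeof *b);
    return b;
}

/* Constructed sample: a deque holding the three items 1, 2, 3. */
static deque *sample_deque(void) {
    static const uint32_t items[] = {1, 2, 3};
    deque *d = malloc(sizeof *d);
    d->b = newblock_model();
    memcpy(d->b->item, items, sizeof items);
    d->size = 3;
    return d;
}

/* Flawed index(): `stop` comes from the caller unclamped, so with stop == 4
 * the loop reads slot 3, which was never written. In CPython that slot is a
 * garbage PyObject pointer handed to PyObject_RichCompare, as in the dump. */
static int index_unclamped(const deque *d, uint32_t needle, int start, int stop) {
    for (int i = start; i < stop; i++)
        if (d->b->item[i] == needle) return i;
    return -1;
}

/* Fixed index(): clamp the search range to the valid items before scanning,
 * the clamp Stefan Krah describes (stop 4 -> 3 for a three-item deque). */
static int index_clamped(const deque *d, uint32_t needle, int start, int stop) {
    if (stop > d->size)
        stop = d->size;
    for (int i = start; i < stop; i++)
        if (d->b->item[i] == needle) return i;
    return -1;
}
```

With stop == 4 the unclamped scan "finds" the fill pattern in the unused slot 3, while the clamped scan never looks past the three real items.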