[issue27254] heap overflow in Tkinter module

2016-06-08 Thread Emin Ghuliev

Emin Ghuliev added the comment:

pseudocode

<+16>:  movsxd rdx,DWORD PTR [rbx+0x8]
<+20>:  lea    eax,[rdx+rbp*1]

newSize = length ($rdx) + dsPtr->length ($rbp)
gdb > print /x $rbp
$5 = 0xf
gdb > print /x $rdx
$6 = 0x10

newsize = 0xf+0x10 = 0x1f

  cmp    eax,DWORD PTR [rbx+0xc]   ← $pc
  jl     0x76194e38

newSize ($eax) >= dsPtr->spaceAvl

gdb > print /x $eax
$7 = 0x1f

gdb > x/x $rbx+0xc
0x7fffd0cc: 0x001e

condition: 0x1f >= 0x001e = True

if (newSize >= dsPtr->spaceAvl) {
  lea    esi,[rax+rax*1] ; magic compiler optimization :) (newSize(0x1f)*2)
/*  */
dsPtr->spaceAvl = newSize * 2;
gdb > print /x $rax
$4 = 0x1f
$esi = 0x1f+0x1f (newSize(0x1f)*2) = 0x3e
/*  */

=> <+34>:   lea    rax,[rbx+0x10]
   <+38>:   mov    DWORD PTR [rbx+0xc],esi
   <+41>:   cmp    rdi,rax ; $rax = dsPtr->staticSpace and $rdi = dsPtr->string
   <+44>:   je 0x76194e50 

condition: dsPtr->string == dsPtr->staticSpace is False, so jump to 'call   0x760c2040'

if (dsPtr->string == dsPtr->staticSpace) {
char *newString = ckalloc(dsPtr->spaceAvl);
memcpy(newString, dsPtr->string, (size_t) 
dsPtr->length);
dsPtr->string = newString;
} 
else {
  call   0x760c2040 

$rsi = 0x3e
$rdi = 0x7333e020
dsPtr->string = ckrealloc(dsPtr->string = 0x7333e020, dsPtr->spaceAvl = 0x3e);
}
}


disassemble: 
   lea    rdi,[rax+rdx*1] ; dsPtr->string + dsPtr->length
   mov    rsi,r12 ; bytes
   movsxd rdx,ebp ; length
   call   0x760a25c0 
 memcpy(dsPtr->string + dsPtr->length, bytes, length);

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
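
A self-contained C model of the growth logic walked through above, added here as an example (it is not Tcl's source and not code from this thread): the struct mirrors the field offsets seen in the disassembly (length at +0x8, spaceAvl at +0xc, staticSpace at +0x10, with the static size of 200 assumed), and the replay helper feeds in the register values from the gdb session. It also keeps the bytes pointer valid when it points into the buffer being reallocated, a case the disassembled code above does not check.

```c
/* Model of the Tcl_DString growth path reverse-engineered above (added
 * example, not Tcl's code). Field order follows the disassembly: length at
 * +0x8, spaceAvl at +0xc, staticSpace at +0x10; 200 is an assumed size. */
#include <stdlib.h>
#include <string.h>
typedef struct {
    char *string;
    int length;            /* bytes in use, excluding the NUL */
    int spaceAvl;          /* bytes allocated, including the NUL */
    char staticSpace[200];
} DString;

/* Appends length bytes; returns the new length or -1 on allocation failure. */
int ds_append(DString *dsPtr, const char *bytes, int length)
{
    int newSize = length + dsPtr->length;       /* lea eax,[rdx+rbp*1] */
    if (newSize >= dsPtr->spaceAvl) {           /* cmp eax,[rbx+0xc]; jl */
        long alias = -1;   /* offset of bytes if it lives in our own buffer */
        if (bytes >= dsPtr->string && bytes < dsPtr->string + dsPtr->spaceAvl)
            alias = bytes - dsPtr->string;
        dsPtr->spaceAvl = newSize * 2;          /* lea esi,[rax+rax*1] */
        if (dsPtr->string == dsPtr->staticSpace) {
            char *newString = malloc((size_t)dsPtr->spaceAvl);
            if (!newString) return -1;
            memcpy(newString, dsPtr->string, (size_t)dsPtr->length);
            dsPtr->string = newString;
        } else {
            char *p = realloc(dsPtr->string, (size_t)dsPtr->spaceAvl);
            if (!p) return -1;
            dsPtr->string = p;
        }
        if (alias >= 0) bytes = dsPtr->string + alias; /* old block may be gone */
    }
    memcpy(dsPtr->string + dsPtr->length, bytes, (size_t)length);
    dsPtr->length = newSize;
    dsPtr->string[newSize] = '\0';
    return newSize;
}
/* Replay the gdb session: 0xf bytes in a heap buffer with spaceAvl 0x1e, then
 * 0x10 more appended (constructed state). Returns length; *avlOut = spaceAvl. */
static int replay(int *avlOut)
{
    DString ds = { malloc(0x1e), 0xf, 0x1e, {0} };
    memset(ds.string, 'A', 0xf);
    int len = ds_append(&ds, "BBBBBBBBBBBBBBBB", 0x10);
    *avlOut = ds.spaceAvl;
    free(ds.string);
    return len;
}
int replay_length(void)   { int a; return replay(&a); }
int replay_spaceAvl(void) { int a; replay(&a); return a; }
```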



[issue27254] heap overflow in Tkinter module

2016-06-08 Thread Emin Ghuliev

Emin Ghuliev added the comment:

the appropriate size should be chosen I)

--


[issue27254] heap overflow in Tkinter module

2016-06-08 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

What size is safe for className?

--


[issue27254] heap overflow in Tkinter module

2016-06-08 Thread Emin Ghuliev

Emin Ghuliev added the comment:

Yeah, you're right, but Python doesn't check the className length. Therefore the
heap overflow occurred in Tcl.

--


[issue27254] heap overflow in Tkinter module

2016-06-07 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Minimal reproducer:

from tkinter import Tk
Tk(className='A'*0xf)

This looks like a Tcl/Tk problem.

--
nosy: +serhiy.storchaka
type: security -> crash
versions: +Python 3.5, Python 3.6 -Python 3.3, Python 3.4


[issue27254] heap overflow in Tkinter module

2016-06-07 Thread Emin Ghuliev

New submission from Emin Ghuliev:

/* This is used to get the application class for Tk 4.1 and up */
argv0 = (char*)attemptckalloc(strlen(className) + 1); /* <=== className allocated */
if (!argv0) {
    PyErr_NoMemory();
    Py_DECREF(v);
    return NULL;
}

strcpy(argv0, className); /* <=== className copied to argv0 */
if (Py_ISUPPER(Py_CHARMASK(argv0[0])))
    argv0[0] = Py_TOLOWER(Py_CHARMASK(argv0[0]));
Tcl_SetVar(v->interp, "argv0", argv0, TCL_GLOBAL_ONLY); /* argv0 passed to v->interp and freed */
ckfree(argv0);

Then v->interp is passed to the Tcl_AppInit function:
if (Tcl_AppInit(v->interp) != TCL_OK)

In Tcl_AppInit (with v->interp passed in) there is a call to Tcl_DStringAppend.
The Tcl_DStringAppend function allocates the specified number of bytes, then the
heap memory is passed to memcpy.

Realloc arguments as presented in the native Tcl allocator:
char *
Tcl_Realloc(ptr, size)

disassemble:
gdb>  print /x $rdi
$4 = 0x703c8810
0x703c8814: 0x41414141 ...
gdb>  print /x $rsi
$2 = 0x3e
   0x73a07dfe <+46>:    call   0x73935040
After returning to the caller function, the memory copy operation is performed.

   0x73a07e0a <+58>:    lea    rdi,[rax+rdx*1] <=== destination buffer

   $rax = 0x7fffeffc5810 - $rdx = 0x10
   $rax+$rdx = 0x700c5810

   0x73a07e0e <+62>:    mov    rsi,r12 <=== source buffer
   0x73a07e11 <+65>:    movsxd rdx,ebp <=== 0xf
   0x73a07e14 <+68>:    call   0x739155c0

copies 0xf bytes from the $rsi buffer to $rdi;

ASAN report.

=
==27988==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f4e6ba64810 at pc 0x4665ea bp 0x7fff89a4ab80 sp 0x7fff89a4a340
READ of size 1048575 at 0x7f4e6ba64810 thread T0
==27988==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x4665e9 (/home/eminus/Downloads/Python-2.7.11/python+0x4665e9)
#1 0x7f4e6f0a3e18 (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x116e18)
#2 0x7f4e6f38744e (/usr/lib/x86_64-linux-gnu/libtk8.6.so+0x6244e)
#3 0x7f4e6f6b6e4c (/home/eminus/Downloads/Python-2.7.11/build/lib.linux-x86_64-2.7/_tkinter.so+0x19e4c)
#4 0x7f4e6f6a7fc5 (/home/eminus/Downloads/Python-2.7.11/build/lib.linux-x86_64-2.7/_tkinter.so+0xafc5)
#5 0x5e1813 (/home/eminus/Downloads/Python-2.7.11/python+0x5e1813)
#6 0x5d319c (/home/eminus/Downloads/Python-2.7.11/python+0x5d319c)
#7 0x721353 (/home/eminus/Downloads/Python-2.7.11/python+0x721353)
#8 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
#9 0x4b6c62 (/home/eminus/Downloads/Python-2.7.11/python+0x4b6c62)
#10 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
#11 0x5f0823 (/home/eminus/Downloads/Python-2.7.11/python+0x5f0823)
#12 0x4b0a08 (/home/eminus/Downloads/Python-2.7.11/python+0x4b0a08)
#13 0x4acb2a (/home/eminus/Downloads/Python-2.7.11/python+0x4acb2a)
#14 0x5e2d19 (/home/eminus/Downloads/Python-2.7.11/python+0x5e2d19)
#15 0x5d319c (/home/eminus/Downloads/Python-2.7.11/python+0x5d319c)
#16 0x5d2041 (/home/eminus/Downloads/Python-2.7.11/python+0x5d2041)
#17 0x660980 (/home/eminus/Downloads/Python-2.7.11/python+0x660980)
#18 0x65fc8a (/home/eminus/Downloads/Python-2.7.11/python+0x65fc8a)
#19 0x48e46c (/home/eminus/Downloads/Python-2.7.11/python+0x48e46c)
#20 0x7f4e72389ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#21 0x48c5bc (/home/eminus/Downloads/Python-2.7.11/python+0x48c5bc)

0x7f4e6ba64810 is located 16 bytes inside of 2097166-byte region [0x7f4e6ba64800,0x7f4e6bc6480e)
freed by thread T0 here:
#0 0x4766d3 (/home/eminus/Downloads/Python-2.7.11/python+0x4766d3)
#1 0x7f4e6f09b52d (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x10e52d)

previously allocated by thread T0 here:
#0 0x4764d9 (/home/eminus/Downloads/Python-2.7.11/python+0x4764d9)
#1 0x7f4e6f09b0cc (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x10e0cc)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??