
Classification
Title: heap-buffer-overflow in tok_nextc (Parser/tokenizer.c:954)
Type: crash
Stage: resolved
Components: Interpreter Core
Versions: Python 3.5, Python 2.7

Process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: Python heap corruption issue (issue 24022)
Assigned To:
Nosy List: berker.peksag, geeknik, serhiy.storchaka
Priority: normal
Keywords:

Created on 2016-09-18 21:23 by geeknik, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
test00.gz (uploaded by geeknik, 2016-09-18 21:23): 1 null byte
Messages (2)
msg276917 - Author: geeknik (geeknik) Date: 2016-09-18 21:23
As per the security team, I'm submitting this here as it doesn't appear exploitable.

Fuzzing Python 2.7.12 with AFL, ASAN and libdislocator.so on Debian 8.5 x64. (This might also affect Python 3.5.) The attached 1-byte testcase triggers a heap-buffer-overflow at ~/python/Parser/tokenizer.c:954:28 in tok_nextc:

==9855==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000028ff at pc 0x00000050fd06 bp 0x7ffdbb810a30 sp 0x7ffdbb810a28
READ of size 1 at 0x6250000028ff thread T0
    #0 0x50fd05 in tok_nextc /root/python/Parser/tokenizer.c:954:28
    #1 0x505c49 in tok_get /root/python/Parser/tokenizer.c:1232:17
    #2 0x505c49 in PyTokenizer_Get /root/python/Parser/tokenizer.c:1681
    #3 0x5012b4 in parsetok /root/python/Parser/parsetok.c:159:16
    #4 0x502e7f in PyParser_ParseFileFlagsEx /root/python/Parser/parsetok.c:106:12
    #5 0x7fe4a9 in PyParser_ASTFromFile /root/python/Python/pythonrun.c:1499:15
    #6 0x7fe887 in PyRun_FileExFlags /root/python/Python/pythonrun.c:1354:11
    #7 0x7fd3fc in PyRun_SimpleFileExFlags /root/python/Python/pythonrun.c:948:13
    #8 0x7fc36b in PyRun_AnyFileExFlags /root/python/Python/pythonrun.c:752:16
    #9 0x4fe9c4 in Py_Main /root/python/Modules/main.c:640:23
    #10 0x7fb6e24b282f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x42a898 in _start (/root/python/python+0x42a898)

0x6250000028ff is located 1 bytes to the left of 8192-byte region [0x625000002900,0x625000004900)
allocated by thread T0 here:
    #0 0x4ca9c8 in malloc (/root/python/python+0x4ca9c8)
    #1 0x504ed5 in PyTokenizer_FromFile /root/python/Parser/tokenizer.c:759:29

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/python/Parser/tokenizer.c:954:28 in tok_nextc
Shadow bytes around the buggy address:
  0x0c4a7fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4a7fff8520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9855==ABORTING
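Triage tooling for reports of this shape, as an added example that is not part of this issue, of the reporter's tooling or of CPython: a small Python parser that turns an ASAN heap-buffer-overflow report into structured fields (bug kind, access, top frames, offset relative to the heap region, allocation site) and derives a bucketing key of the kind used to spot duplicates like the one identified in this thread. The sample input is the sanitizer output quoted in the report above, trimmed; the regular expressions assume the ASAN text format shown on this page, and the interceptor-frame skip list is an assumption of the example.

```python
"""Parse an AddressSanitizer heap-buffer-overflow report into structured fields
for fuzzing triage (crash bucketing and duplicate detection)."""
import re

# Constructed sample: the ASAN report quoted in this issue, trimmed to the parts
# the parser uses (header, access line, top frames, region line, allocation site).
SAMPLE_REPORT = """\
==9855==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000028ff at pc 0x00000050fd06 bp 0x7ffdbb810a30 sp 0x7ffdbb810a28
READ of size 1 at 0x6250000028ff thread T0
    #0 0x50fd05 in tok_nextc /root/python/Parser/tokenizer.c:954:28
    #1 0x505c49 in tok_get /root/python/Parser/tokenizer.c:1232:17
    #2 0x505c49 in PyTokenizer_Get /root/python/Parser/tokenizer.c:1681
    #3 0x5012b4 in parsetok /root/python/Parser/parsetok.c:159:16

0x6250000028ff is located 1 bytes to the left of 8192-byte region [0x625000002900,0x625000004900)
allocated by thread T0 here:
    #0 0x4ca9c8 in malloc (/root/python/python+0x4ca9c8)
    #1 0x504ed5 in PyTokenizer_FromFile /root/python/Parser/tokenizer.c:759:29

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/python/Parser/tokenizer.c:954:28 in tok_nextc
"""

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>.+)$")
REGION_RE = re.compile(
    r"^(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes "
    r"(?P<where>to the left|to the right|inside) of (?P<size>\d+)-byte region "
    r"\[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")


def parse_asan_report(text):
    """Return a dict with the bug kind, the faulting access, the access and
    allocation/free stacks, and the faulting address relative to its region."""
    report = {"kind": None, "pid": None, "addr": None, "access": None,
              "frames": [], "region": None, "alloc_frames": [], "free_frames": []}
    stack = "frames"  # which frame list the following "#N ..." lines belong to
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report["kind"], report["pid"] = m["kind"], int(m["pid"])
            report["addr"] = int(m["addr"], 16)
            stack = "frames"
            continue
        m = ACCESS_RE.match(line)
        if m:
            report["access"] = (m["op"], int(m["size"]))
            stack = "frames"
            continue
        if line.startswith("allocated by"):
            stack = "alloc_frames"
            continue
        if line.startswith("freed by"):
            stack = "free_frames"
            continue
        m = REGION_RE.match(line)
        if m:
            start, end, dist = int(m["start"], 16), int(m["end"], 16), int(m["dist"])
            offset = int(m["addr"], 16) - start  # negative means before the region
            expected = {"to the left": -dist, "inside": dist,
                        "to the right": (end - start) + dist}[m["where"]]
            report["region"] = {"size": int(m["size"]), "start": start, "end": end,
                                "offset": offset, "consistent": offset == expected}
            continue
        m = FRAME_RE.match(line)
        if m:
            report[stack].append((m["func"], m["loc"].strip()))
    return report


def _app_frames(frames, skip=("malloc", "calloc", "realloc", "free", "__interceptor_")):
    """Drop allocator/interceptor frames (assumed list) so keys reflect application code."""
    return [(f, loc) for f, loc in frames if not f.startswith(skip)]


def crash_signature(report, depth=3):
    """Bucket key: bug kind, access type and size, and the top application frames.
    Two reports with the same key are candidates for being the same underlying bug."""
    funcs = [f for f, _ in _app_frames(report["frames"])]
    op, size = report["access"] or ("?", 0)
    return f"{report['kind']}:{op}{size}:" + ">".join(funcs[:depth])


def allocation_site(report):
    """First application frame of the allocation stack (where the region came from)."""
    frames = _app_frames(report["alloc_frames"])
    return frames[0] if frames else None


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print("signature:", crash_signature(r))
    print("region offset:", r["region"]["offset"], "consistent:", r["region"]["consistent"])
    print("allocated in:", allocation_site(r))
```

The `consistent` flag cross-checks the prose offset ("1 bytes to the left") against the hex addresses, which catches truncated or hand-edited reports before a bucket key is trusted; for the report above it yields offset -1 into the 8192-byte tokenizer buffer allocated in PyTokenizer_FromFile.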
msg276961 - Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2016-09-19 09:09
Thanks for the report. This looks like a duplicate of issue 24022.
History
Date                 User               Action  Args
2022-04-11 14:58:37  admin              set     github: 72385
2016-09-19 09:09:05  berker.peksag      set     status: open -> closed; superseder: Python heap corruption issue; nosy: + berker.peksag; messages: + msg276961; resolution: duplicate; stage: resolved
2016-09-18 22:08:05  serhiy.storchaka   set     nosy: + serhiy.storchaka
2016-09-18 21:23:34  geeknik            create