
Classification
Title: memory corruption in xxlimited
Type: security
Stage: resolved
Components: Build
Versions: Python 3.6

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: osvdb, python-dev, zeroinside
Priority: normal
Keywords:

Created on 2017-01-31 14:56 by zeroinside, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
xlimited.py, uploaded by zeroinside on 2017-01-31 14:56
Messages (5)
msg286536 - Author: zeroinside (zeroinside) Date: 2017-01-31 14:56
Hello
I found incorrect gc behavior in the xxlimited module.
After an hour of investigation, I'm still not sure it's a security-related problem.
I have partial control of the RBP register, depending on the memory layout.

GDB:
Starting program: /usr/bin/python3.6 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Python 3.6.0 (default, Jan 16 2017, 12:12:55) 
[GCC 6.3.1 20170109] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import xxlimited
>>> a=xxlimited.new()
>>> del a

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73d612d in PyArena_Free () from /usr/lib/libpython3.6m.so.1.0
(gdb) info reg
rax            0x7ffff7457270   140737341911664
rbx            0x7ffff7f812b8   140737353618104
rcx            0x62aa00 6466048
rdx            0x7ffff7457270   140737341911664
rsi            0x1      1
rdi            0x7ffff7f81300   140737353618176
rbp            0x500000a29      0x500000a29
rsp            0x7fffffffe210   0x7fffffffe210
r8             0x7ffff7f81000   140737353617408
r9             0x1c     28
r10            0x1b     27
r11            0x12300  74496
r12            0x7ffff7f812b8   140737353618104
r13            0x6fafd0 7319504
r14            0x7ffff3e7b570   140737285436784
r15            0x7ffff3e7b5a0   140737285436832
rip            0x7ffff73d612d   0x7ffff73d612d <PyArena_Free+29>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

root@/home/zeroinside/python/pyburst3.6/crash $ /usr/local/bin/python3.6 xlimited_poc.py 
ASAN:DEADLYSIGNAL
=================================================================
==5082==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000557469 bp 0x0fe0603ea23d sp 0x7fff76e98c20 T0)
==5082==The signal is caused by a WRITE memory access.
==5082==Hint: address points to the zero page.
    #0 0x557468 in PyObject_GC_UnTrack /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9
    #1 0x66d0af in subtype_dealloc /home/zeroinside/Downloads/Python-3.6.0/Objects/typeobject.c:1133:5
    #2 0x61e557 in _PyDict_DelItem_KnownHash /home/zeroinside/Downloads/Python-3.6.0/Objects/dictobject.c:1641:5
    #3 0x7970c0 in _PyEval_EvalFrameDefault /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:2187:19
    #4 0x7aef44 in PyEval_EvalFrameEx /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:718:12
    #5 0x7aef44 in _PyEval_EvalCodeWithName /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:4119
    #6 0x79571c in PyEval_EvalCodeEx /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:4140:12
    #7 0x79571c in PyEval_EvalCode /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:695
    #8 0x5295e7 in run_mod /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:980:9
    #9 0x5295e7 in PyRun_FileExFlags /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:933
    #10 0x527e75 in PyRun_SimpleFileExFlags /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:396:13
    #11 0x55340c in run_file /home/zeroinside/Downloads/Python-3.6.0/Modules/main.c:320:11
    #12 0x55340c in Py_Main /home/zeroinside/Downloads/Python-3.6.0/Modules/main.c:780
    #13 0x519776 in main /home/zeroinside/Downloads/Python-3.6.0/./Programs/python.c:69:11
    #14 0x7f0300e01290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #15 0x432179 in _start (/usr/local/bin/python3.6+0x432179)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9 in PyObject_GC_UnTrack
==5082==ABORTING
msg286593 - Author: Roundup Robot (python-dev) (Python triager) Date: 2017-02-01 07:31
New changeset 167beb21b527 by Benjamin Peterson in branch '3.5':
gc types need to be allocated as such (closes #29398)
https://hg.python.org/cpython/rev/167beb21b527

New changeset b0463c5073fc by Benjamin Peterson in branch '3.6':
merge 3.5 (#29398)
https://hg.python.org/cpython/rev/b0463c5073fc

New changeset 0e8c13da4f32 by Benjamin Peterson in branch 'default':
merge 3.6 (#29398)
https://hg.python.org/cpython/rev/0e8c13da4f32
msg286595 - Author: Roundup Robot (python-dev) (Python triager) Date:
New changeset 24bff360c2aa6d52f7a40ef35a5d7e5660d13402 by Benjamin Peterson in branch '3.6':
gc types need to be allocated as such (closes #29398)
https://github.com/python/cpython/commit/24bff360c2aa6d52f7a40ef35a5d7e5660d13402

New changeset 9e499c39bc298b0803033b0ccbc79481cc60054c by Benjamin Peterson in branch '3.6':
merge 3.5 (#29398)
https://github.com/python/cpython/commit/9e499c39bc298b0803033b0ccbc79481cc60054c
msg286596 - Author: Roundup Robot (python-dev) (Python triager) Date:
New changeset 24bff360c2aa6d52f7a40ef35a5d7e5660d13402 by Benjamin Peterson in branch '3.5':
gc types need to be allocated as such (closes #29398)
https://github.com/python/cpython/commit/24bff360c2aa6d52f7a40ef35a5d7e5660d13402
msg286597 - Author: Roundup Robot (python-dev) (Python triager) Date:
New changeset 24bff360c2aa6d52f7a40ef35a5d7e5660d13402 by Benjamin Peterson in branch 'master':
gc types need to be allocated as such (closes #29398)
https://github.com/python/cpython/commit/24bff360c2aa6d52f7a40ef35a5d7e5660d13402

New changeset 9e499c39bc298b0803033b0ccbc79481cc60054c by Benjamin Peterson in branch 'master':
merge 3.5 (#29398)
https://github.com/python/cpython/commit/9e499c39bc298b0803033b0ccbc79481cc60054c

New changeset 123c453b3beb505a46d4708d811f7f52d1d5793c by Benjamin Peterson in branch 'master':
merge 3.6 (#29398)
https://github.com/python/cpython/commit/123c453b3beb505a46d4708d811f7f52d1d5793c
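Added illustration of the bug class behind msg286536 and of the fix named in the changesets above (a constructed model written for this page, not CPython or xxlimited source): an object whose type carries Py_TPFLAGS_HAVE_GC is deallocated through PyObject_GC_UnTrack, which unlinks the PyGC_Head stored immediately in front of the object, so if the object was allocated as a plain object instead of through PyObject_GC_New there is no header there and the unlink stores through whatever those bytes hold. Field names follow CPython 3.6's objimpl.h; the allocation, list handling and the names gc_new, plain_new, gc_track, gc_untrack, dealloc_fixed and dealloc_buggy are simplifications chosen here.

```c
#include <stdlib.h>
/* Constructed model (not CPython code) of the 3.6 GC header that sits in front of
 * every object created through PyObject_GC_New. Field names follow objimpl.h. */
typedef struct gc_head {
    struct gc_head *gc_next;
    struct gc_head *gc_prev;
    long gc_refs;                   /* _PyGC_REFS_UNTRACKED (-2) when not in a list */
} gc_head;
#define REFS_UNTRACKED (-2)
#define AS_GC(o) ((gc_head *)(o) - 1) /* the header lives just BEFORE the object */
typedef struct { long ob_refcnt; int value; } xxo_object;  /* stand-in for XxoObject */
static gc_head gen0 = { &gen0, &gen0, 0 };                  /* generation-0 list sentinel */

/* Models PyObject_GC_New: reserves the header and marks it untracked. */
static xxo_object *gc_new(void) {
    gc_head *g = calloc(1, sizeof *g + sizeof(xxo_object));
    if (!g) abort();
    g->gc_refs = REFS_UNTRACKED;
    return (xxo_object *)(g + 1);
}

/* Models PyObject_New as the buggy xxlimited used it: no header is set up, so the bytes in
 * front of the object are whatever the allocator left (zero here; one block, to stay in bounds). */
static xxo_object *plain_new(void) {
    unsigned char *raw = calloc(1, sizeof(gc_head) + sizeof(xxo_object));
    if (!raw) abort();
    return (xxo_object *)(raw + sizeof(gc_head));
}

/* Models PyObject_GC_Track: link the header into the generation-0 list. */
static void gc_track(xxo_object *o) {
    gc_head *g = AS_GC(o);
    g->gc_refs = 0;
    g->gc_prev = gen0.gc_prev; g->gc_next = &gen0;
    gen0.gc_prev->gc_next = g; gen0.gc_prev = g;
}

/* Models PyObject_GC_UnTrack, which trusts the header. Returns 0 for a sound unlink, 1 if not
 * tracked, 2 if the header is bogus; CPython has no such guard and stores through it anyway. */
static int gc_untrack(xxo_object *o) {
    gc_head *g = AS_GC(o);
    if (g->gc_refs == REFS_UNTRACKED) return 1;
    if (!g->gc_prev || !g->gc_next) return 2;
    g->gc_prev->gc_next = g->gc_next; g->gc_next->gc_prev = g->gc_prev;
    g->gc_next = NULL; g->gc_refs = REFS_UNTRACKED;
    return 0;
}

/* The fix (allocate as a GC type, then track) beside the bpo-29398 path. */
static int dealloc_fixed(void) { xxo_object *o = gc_new(); gc_track(o); int r = gc_untrack(o); free(AS_GC(o)); return r; }
static int dealloc_buggy(void) { xxo_object *o = plain_new(); int r = gc_untrack(o); free((unsigned char *)o - sizeof(gc_head)); return r; }
```

The buggy path here reports the bad header instead of storing through it; the real PyObject_GC_UnTrack performs the stores, which is why the ASAN run above dies on a WRITE inside it and why the reporter sees a corrupted RBP.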
History
Date                 User        Action  Args
2022-04-11 14:58:42  admin       set     github: 73584
2017-02-01 08:00:29  python-dev  set     messages: + msg286597
2017-02-01 08:00:27  python-dev  set     messages: + msg286596
2017-02-01 08:00:25  python-dev  set     messages: + msg286595
2017-02-01 07:31:32  python-dev  set     status: open -> closed; nosy: + python-dev; messages: + msg286593; resolution: fixed; stage: resolved
2017-02-01 00:15:50  osvdb       set     nosy: + osvdb
2017-01-31 14:56:33  zeroinside  create