Issue29398
Created on 2017-01-31 14:56 by zeroinside, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Files

File name | Uploaded | Description | Edit
---|---|---|---
xlimited.py | zeroinside, 2017-01-31 14:56 | |

Messages (5)
msg286536 | Author: zeroinside (zeroinside) | Date: 2017-01-31 14:56

Hello, I found incorrect gc behavior in the xxlimited module. After an hour of investigation, I'm still not sure it's a security-related problem. I have partial control of the RBP register, depending on memory layout.

GDB:

```text
Starting program: /usr/bin/python3.6
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Python 3.6.0 (default, Jan 16 2017, 12:12:55)
[GCC 6.3.1 20170109] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import xxlimited
>>> a=xxlimited.new()
>>> del a

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73d612d in PyArena_Free () from /usr/lib/libpython3.6m.so.1.0
(gdb) info reg
rax            0x7ffff7457270      140737341911664
rbx            0x7ffff7f812b8      140737353618104
rcx            0x62aa00            6466048
rdx            0x7ffff7457270      140737341911664
rsi            0x1                 1
rdi            0x7ffff7f81300      140737353618176
rbp            0x500000a29         0x500000a29
rsp            0x7fffffffe210      0x7fffffffe210
r8             0x7ffff7f81000      140737353617408
r9             0x1c                28
r10            0x1b                27
r11            0x12300             74496
r12            0x7ffff7f812b8      140737353618104
r13            0x6fafd0            7319504
r14            0x7ffff3e7b570      140737285436784
r15            0x7ffff3e7b5a0      140737285436832
rip            0x7ffff73d612d      0x7ffff73d612d <PyArena_Free+29>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
```

```text
root@/home/zeroinside/python/pyburst3.6/crash $ /usr/local/bin/python3.6 xlimited_poc.py
ASAN:DEADLYSIGNAL
=================================================================
==5082==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000557469 bp 0x0fe0603ea23d sp 0x7fff76e98c20 T0)
==5082==The signal is caused by a WRITE memory access.
==5082==Hint: address points to the zero page.
    #0 0x557468 in PyObject_GC_UnTrack /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9
    #1 0x66d0af in subtype_dealloc /home/zeroinside/Downloads/Python-3.6.0/Objects/typeobject.c:1133:5
    #2 0x61e557 in _PyDict_DelItem_KnownHash /home/zeroinside/Downloads/Python-3.6.0/Objects/dictobject.c:1641:5
    #3 0x7970c0 in _PyEval_EvalFrameDefault /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:2187:19
    #4 0x7aef44 in PyEval_EvalFrameEx /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:718:12
    #5 0x7aef44 in _PyEval_EvalCodeWithName /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:4119
    #6 0x79571c in PyEval_EvalCodeEx /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:4140:12
    #7 0x79571c in PyEval_EvalCode /home/zeroinside/Downloads/Python-3.6.0/Python/ceval.c:695
    #8 0x5295e7 in run_mod /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:980:9
    #9 0x5295e7 in PyRun_FileExFlags /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:933
    #10 0x527e75 in PyRun_SimpleFileExFlags /home/zeroinside/Downloads/Python-3.6.0/Python/pythonrun.c:396:13
    #11 0x55340c in run_file /home/zeroinside/Downloads/Python-3.6.0/Modules/main.c:320:11
    #12 0x55340c in Py_Main /home/zeroinside/Downloads/Python-3.6.0/Modules/main.c:780
    #13 0x519776 in main /home/zeroinside/Downloads/Python-3.6.0/./Programs/python.c:69:11
    #14 0x7f0300e01290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #15 0x432179 in _start (/usr/local/bin/python3.6+0x432179)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zeroinside/Downloads/Python-3.6.0/Modules/gcmodule.c:1699:9 in PyObject_GC_UnTrack
==5082==ABORTING
```
msg286593 | Author: Roundup Robot (python-dev) | Date: 2017-02-01 07:31

New changeset 167beb21b527 by Benjamin Peterson in branch '3.5':
gc types needs to be allocated as such (closes #29398)
https://hg.python.org/cpython/rev/167beb21b527

New changeset b0463c5073fc by Benjamin Peterson in branch '3.6':
merge 3.5 (#29398)
https://hg.python.org/cpython/rev/b0463c5073fc

New changeset 0e8c13da4f32 by Benjamin Peterson in branch 'default':
merge 3.6 (#29398)
https://hg.python.org/cpython/rev/0e8c13da4f32
msg286595 | Author: Roundup Robot (python-dev)

New changeset 24bff360c2aa6d52f7a40ef35a5d7e5660d13402 by Benjamin Peterson in branch '3.6':
gc types needs to be allocated as such (closes #29398)
https://github.com/python/cpython/commit/24bff360c2aa6d52f7a40ef35a5d7e5660d13402

New changeset 9e499c39bc298b0803033b0ccbc79481cc60054c by Benjamin Peterson in branch '3.6':
merge 3.5 (#29398)
https://github.com/python/cpython/commit/9e499c39bc298b0803033b0ccbc79481cc60054c
msg286596 | Author: Roundup Robot (python-dev)

New changeset 24bff360c2aa6d52f7a40ef35a5d7e5660d13402 by Benjamin Peterson in branch '3.5':
gc types needs to be allocated as such (closes #29398)
https://github.com/python/cpython/commit/24bff360c2aa6d52f7a40ef35a5d7e5660d13402
msg286597 | Author: Roundup Robot (python-dev)

New changeset 24bff360c2aa6d52f7a40ef35a5d7e5660d13402 by Benjamin Peterson in branch 'master':
gc types needs to be allocated as such (closes #29398)
https://github.com/python/cpython/commit/24bff360c2aa6d52f7a40ef35a5d7e5660d13402

New changeset 9e499c39bc298b0803033b0ccbc79481cc60054c by Benjamin Peterson in branch 'master':
merge 3.5 (#29398)
https://github.com/python/cpython/commit/9e499c39bc298b0803033b0ccbc79481cc60054c

New changeset 123c453b3beb505a46d4708d811f7f52d1d5793c by Benjamin Peterson in branch 'master':
merge 3.6 (#29398)
https://github.com/python/cpython/commit/123c453b3beb505a46d4708d811f7f52d1d5793c
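The ASAN trace in msg286536 (a WRITE near address 0x8 inside PyObject_GC_UnTrack, reached from subtype_dealloc) and the fix title in the commit notices ("gc types needs to be allocated as such") point at one root cause: a type flagged as GC-aware was allocated without the GC header that the deallocation path expects to find immediately before the object. In CPython's C API that header is PyGC_Head; a type carrying Py_TPFLAGS_HAVE_GC must be allocated with PyObject_GC_New and registered with PyObject_GC_Track, whereas PyObject_New reserves no header at all. The block below is an added example written for this page, not CPython's code and not the patch itself: a simplified stand-alone C model of that layout, with every name (gc_head, gc_new, gc_track, gc_untrack, gc_del, demo_correct, demo_header_aliases_neighbour) invented for the model. It shows the correct lifecycle and why untracking an object that lacks the header reads, and would write through, whatever bytes happen to precede the object.

```c
/* Added example for this issue page: a simplified, stand-alone model of the
 * GC-header layout behind the crash. It is NOT CPython's code; every name
 * below is invented for the model. In CPython the header is PyGC_Head and the
 * allocation/tracking calls are PyObject_GC_New / PyObject_GC_Track. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header placed immediately BEFORE a GC-aware object, in the same block. */
typedef struct gc_head {
    struct gc_head *prev;
    struct gc_head *next;
    long refs;               /* GC_UNTRACKED while the object is not on the list */
} gc_head;

#define GC_UNTRACKED (-2L)

typedef struct object {
    long refcnt;
    const char *type_name;
} object;

/* Circular list of tracked objects; the sentinel is its own neighbour. */
static gc_head gc_list = { &gc_list, &gc_list, 0 };

/* The dealloc path finds the header by stepping back one gc_head from the
 * object pointer. Nothing verifies that a header is really there. */
static gc_head *head_of(void *op) { return (gc_head *)op - 1; }

/* GC-aware allocation: header + object in one block, returns the object. */
static object *gc_new(const char *type_name) {
    gc_head *g = malloc(sizeof(gc_head) + sizeof(object));
    if (g == NULL) return NULL;
    g->prev = g->next = NULL;
    g->refs = GC_UNTRACKED;
    object *op = (object *)(g + 1);
    op->refcnt = 1;
    op->type_name = type_name;
    return op;
}

static void gc_track(object *op) {
    gc_head *g = head_of(op);
    g->refs = 0;
    g->prev = gc_list.prev;
    g->next = &gc_list;
    gc_list.prev->next = g;
    gc_list.prev = g;
}

static int is_tracked(object *op) { return head_of(op)->refs != GC_UNTRACKED; }

/* Unlink: the two assignments are writes through pointers read from the
 * header. With a bogus header they become writes through bogus pointers. */
static void gc_untrack(object *op) {
    gc_head *g = head_of(op);
    if (!is_tracked(op)) return;
    g->prev->next = g->next;
    g->next->prev = g->prev;
    g->refs = GC_UNTRACKED;
}

static void gc_del(object *op) { free(head_of(op)); }

static size_t tracked_count(void) {
    size_t n = 0;
    for (gc_head *g = gc_list.next; g != &gc_list; g = g->next) n++;
    return n;
}

/* Correct lifecycle for a GC type: gc_new -> gc_track -> gc_untrack -> gc_del.
 * Returns 0 on success, 1 on any inconsistency. */
int demo_correct(void) {
    object *a = gc_new("Xxo");
    if (a == NULL) return 1;
    gc_track(a);
    int ok = (tracked_count() == 1) && is_tracked(a);
    gc_untrack(a);
    ok = ok && (tracked_count() == 0) && !is_tracked(a);
    gc_del(a);
    return ok ? 0 : 1;
}

/* The defect: a GC-type object allocated WITHOUT the header. To show what the
 * dealloc path reads without dereferencing garbage, the object sits in a
 * caller-owned buffer whose preceding bytes are a constructed 0x41 pattern.
 * Returns 1 if head_of() yields that neighbouring pattern (the "header" is
 * whatever happens to precede the object), 0 otherwise. */
int demo_header_aliases_neighbour(void) {
    union { gc_head align; unsigned char raw[sizeof(gc_head) + sizeof(object)]; } u;
    memset(u.raw, 0x41, sizeof(gc_head));
    object *op = (object *)(u.raw + sizeof(gc_head));
    op->refcnt = 1;
    op->type_name = "Xxo";
    unsigned char pat[sizeof(void *)];
    memset(pat, 0x41, sizeof pat);
    gc_head *g = head_of(op);
    /* refs reads as 0x4141... != GC_UNTRACKED, so is_tracked() reports
     * "tracked" and gc_untrack() would write through g->prev (also 0x4141...).
     * The model stops here instead of performing that write. */
    return is_tracked(op) && memcmp(&g->prev, pat, sizeof pat) == 0;
}

int main(void) {
    printf("correct lifecycle: %s\n", demo_correct() == 0 ? "ok" : "FAILED");
    printf("header-less object: header aliases neighbour = %d\n",
           demo_header_aliases_neighbour());
    return 0;
}
```

The design point the model makes explicit is that the header lookup is pure pointer arithmetic with no validation, so allocation and deallocation must agree on whether the header exists; the fix in the commits above restores that agreement on the allocation side. A cheap regression check for an extension type is the one demo_correct() performs in miniature: instantiate, delete under AddressSanitizer, and confirm nothing is touched before the object.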
History

Date | User | Action | Args
---|---|---|---
2022-04-11 14:58:42 | admin | set | github: 73584
2017-02-01 08:00:29 | python-dev | set | messages: + msg286597
2017-02-01 08:00:27 | python-dev | set | messages: + msg286596
2017-02-01 08:00:25 | python-dev | set | messages: + msg286595
2017-02-01 07:31:32 | python-dev | set | status: open -> closed; nosy: + python-dev; messages: + msg286593; resolution: fixed; stage: resolved
2017-02-01 00:15:50 | osvdb | set | nosy: + osvdb
2017-01-31 14:56:33 | zeroinside | create |