Issue29483
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2017-02-08 14:40 by beginvuln, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Files | ||||
---|---|---|---|---|
File name | Uploaded | Description | Edit | |
bytesobject_c_123 | beginvuln, 2017-02-08 14:40 | PoC |
Messages (2) | |||
---|---|---|---|
msg287317 - (view) | Author: BeginVuln (beginvuln) | Date: 2017-02-08 14:40 | |
OS Version : Ubuntu 16.04 LTS Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz Python version : 3.6.0 Normal build cmd : ./configure make Asan build cmd: export CC="/usr/bin/clang -fsanitize=address export CXX="/usr/bin/clang++ -fsanitize=address ./confiugre make GDB: ASAN: ================================================================= ==17856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e731 at pc 0x0000004bc3ad bp 0x7ffe8a4e7d10 sp 0x7ffe8a4e74c0 READ of size 11 at 0x60200000e731 thread T0 #0 0x4bc3ac in __asan_memcpy ??:? #1 0x4bc3ac in ?? ??:0 #2 0x58bbb7 in PyBytes_FromStringAndSize /home/test/check/PythonASAN/Objects/bytesobject.c:123 #3 0x58bbb7 in ?? ??:0 #4 0x79987c in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:1458 (discriminator 1) #5 0x79987c in ?? ??:0 #6 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #7 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870 #8 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905 #9 0x7ab4cb in ?? ??:0 #10 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809 #11 0x7a76f2 in ?? ??:0 #12 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275 #13 0x7995cc in ?? ??:0 #14 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #15 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119 #16 0x7a9847 in ?? ??:0 #17 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021 #18 0x7ac2ea in ?? ??:0 #19 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295 #20 0x574668 in ?? ??:0 #21 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358 #22 0x5749fa in ?? ??:0 #23 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246 #24 0x573e9b in ?? ??:0 #25 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057 #26 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357 #27 0x793369 in ?? ??:0 #28 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #29 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119 #30 0x7a9847 in ?? ??:0 #31 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021 #32 0x7ac2ea in ?? ??:0 #33 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295 #34 0x574668 in ?? ??:0 #35 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358 #36 0x5749fa in ?? ??:0 #37 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246 #38 0x573e9b in ?? ??:0 #39 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167 #40 0x66efe4 in ?? ??:0 #41 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316 #42 0x5745f0 in ?? ??:0 #43 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812 #44 0x7a7429 in ?? ??:0 #45 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275 #46 0x7995cc in ?? ??:0 #47 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #48 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119 #49 0x7a9847 in ?? ??:0 #50 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021 #51 0x7ac2ea in ?? ??:0 #52 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295 #53 0x574668 in ?? ??:0 #54 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358 #55 0x5749fa in ?? ??:0 #56 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246 #57 0x573e9b in ?? ??:0 #58 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057 #59 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357 #60 0x793369 in ?? ??:0 #61 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #62 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119 #63 0x7a9847 in ?? ??:0 #64 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021 #65 0x7ac2ea in ?? ??:0 #66 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295 #67 0x574668 in ?? ??:0 #68 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358 #69 0x5749fa in ?? ??:0 #70 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246 #71 0x573e9b in ?? ??:0 #72 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167 #73 0x66efe4 in ?? ??:0 #74 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316 #75 0x5745f0 in ?? ??:0 #76 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812 #77 0x7a7429 in ?? ??:0 #78 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275 #79 0x7995cc in ?? ??:0 #80 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #81 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119 #82 0x7a9847 in ?? ??:0 #83 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021 #84 0x7ac2ea in ?? ??:0 #85 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295 #86 0x574668 in ?? ??:0 #87 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358 #88 0x5749fa in ?? ??:0 #89 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246 #90 0x573e9b in ?? ??:0 #91 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057 #92 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357 #93 0x793369 in ?? ??:0 #94 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #95 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119 #96 0x7a9847 in ?? ??:0 #97 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021 #98 0x7ac2ea in ?? ??:0 #99 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295 #100 0x574668 in ?? ??:0 #101 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358 #102 0x5749fa in ?? ??:0 #103 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246 #104 0x573e9b in ?? ??:0 #105 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167 #106 0x66efe4 in ?? ??:0 #107 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316 #108 0x5745f0 in ?? ??:0 #109 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812 #110 0x7a7429 in ?? ??:0 #111 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275 #112 0x7995cc in ?? ??:0 #113 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #114 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870 #115 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905 #116 0x7ab4cb in ?? ??:0 #117 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809 #118 0x7a76f2 in ?? ??:0 #119 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275 #120 0x7995cc in ?? ??:0 #121 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #122 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870 #123 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905 #124 0x7ab4cb in ?? ??:0 #125 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809 #126 0x7a76f2 in ?? ??:0 #127 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275 #128 0x7995cc in ?? ??:0 #129 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #130 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119 #131 0x7a9847 in ?? ??:0 #132 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021 #133 0x7ac2ea in ?? ??:0 #134 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295 #135 0x574668 in ?? ??:0 #136 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358 #137 0x5749fa in ?? ??:0 #138 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246 #139 0x573e9b in ?? ??:0 #140 0x6713f8 in slot_tp_init /home/test/check/PythonASAN/Objects/typeobject.c:6380 #141 0x6713f8 in ?? ??:0 #142 0x666d8d in type_call /home/test/check/PythonASAN/Objects/typeobject.c:915 (discriminator 1) #143 0x666d8d in ?? ??:0 #144 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316 #145 0x5745f0 in ?? ??:0 #146 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812 #147 0x7a7429 in ?? ??:0 #148 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275 #149 0x7995cc in ?? ??:0 #150 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718 #151 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119 #152 0x7a9847 in ?? ??:0 #153 0x78e0df in PyEval_EvalCodeEx /home/test/check/PythonASAN/Python/ceval.c:4140 #154 0x78e0df in PyEval_EvalCode /home/test/check/PythonASAN/Python/ceval.c:695 #155 0x78e0df in ?? ??:0 #156 0x5142f5 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:980 #157 0x5142f5 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933 #158 0x5142f5 in ?? ??:0 #159 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396 #160 0x512afa in ?? ??:0 #161 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320 #162 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780 #163 0x53eefd in ?? ??:0 #164 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69 #165 0x503d16 in ?? ??:0 #166 0x7f7d85d5e82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291 #167 0x7f7d85d5e82f in ?? ??:0 #168 0x432548 in _start ??:? #169 0x432548 in ?? ??:0 0x60200000e731 is located 0 bytes to the right of 1-byte region [0x60200000e730,0x60200000e731) allocated by thread T0 here: #0 0x4d2678 in malloc ??:? #1 0x4d2678 in ?? ??:0 #2 0x7f7d81f8c964 in my_strdup /home/test/check/PythonASAN/Modules/_ctypes/_ctypes_test.c:169 (discriminator 2) #3 0x7f7d81f8c964 in ?? ??:0 #2 0x7ffe8a4e797f (<unknown module>) SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test/check/PythonASAN/python+0x4bc3ac) Shadow bytes around the buggy address: 0x0c047fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c047fff9ce0: fa fa fa fa fa fa[01]fa fa fa fd fa fa fa fd fa 0x0c047fff9cf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff9d00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff9d10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff9d20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa 0x0c047fff9d30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==17856==ABORTING |
|||
msg287325 - (view) | Author: Christian Heimes (christian.heimes) * | Date: 2017-02-08 14:47 | |
_ctypes_test is an internal test helper module. It's not designed to be used outside of tests. The module contains quick and dirty C code for tests. Any bug in _ctypes_test is not a security bug. Feel free to contribute better code, though. |
History | |||
---|---|---|---|
Date | User | Action | Args |
2022-04-11 14:58:42 | admin | set | github: 73669 |
2017-02-08 14:57:17 | matrixise | set | status: open -> closed stage: resolved |
2017-02-08 14:55:44 | christian.heimes | set | type: security -> behavior |
2017-02-08 14:47:25 | christian.heimes | set | priority: normal -> low nosy: + christian.heimes messages: + msg287325 components: + Tests, - Interpreter Core |
2017-02-08 14:40:29 | beginvuln | create |