classification
Title: AddressSanitizer: heap-buffer-overflow on address 0x60200000e731
Type: behavior
Stage: resolved
Components: Tests
Versions: Python 3.6
process
Status: closed
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: beginvuln, christian.heimes
Priority: low
Keywords:

Created on 2017-02-08 14:40 by beginvuln, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name | Uploaded | Description
bytesobject_c_123 | beginvuln, 2017-02-08 14:40 | PoC
Messages (2)
msg287317 - Author: BeginVuln (beginvuln) Date: 2017-02-08 14:40
OS Version : Ubuntu 16.04 LTS
Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

Python version : 3.6.0

Normal build cmd : 
./configure 
make

Asan build cmd:
export CC="/usr/bin/clang -fsanitize=address"
export CXX="/usr/bin/clang++ -fsanitize=address"
./configure
make

GDB:

ASAN:
=================================================================
==17856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e731 at pc 0x0000004bc3ad bp 0x7ffe8a4e7d10 sp 0x7ffe8a4e74c0
READ of size 11 at 0x60200000e731 thread T0
    #0 0x4bc3ac in __asan_memcpy ??:?
    #1 0x4bc3ac in ?? ??:0
    #2 0x58bbb7 in PyBytes_FromStringAndSize /home/test/check/PythonASAN/Objects/bytesobject.c:123
    #3 0x58bbb7 in ?? ??:0
    #4 0x79987c in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:1458 (discriminator 1)
    #5 0x79987c in ?? ??:0
    #6 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #7 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #8 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #9 0x7ab4cb in ?? ??:0
    #10 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #11 0x7a76f2 in ?? ??:0
    #12 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #13 0x7995cc in ?? ??:0
    #14 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #15 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #16 0x7a9847 in ?? ??:0
    #17 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #18 0x7ac2ea in ?? ??:0
    #19 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #20 0x574668 in ?? ??:0
    #21 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #22 0x5749fa in ?? ??:0
    #23 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #24 0x573e9b in ?? ??:0
    #25 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #26 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #27 0x793369 in ?? ??:0
    #28 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #29 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #30 0x7a9847 in ?? ??:0
    #31 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #32 0x7ac2ea in ?? ??:0
    #33 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #34 0x574668 in ?? ??:0
    #35 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #36 0x5749fa in ?? ??:0
    #37 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #38 0x573e9b in ?? ??:0
    #39 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #40 0x66efe4 in ?? ??:0
    #41 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #42 0x5745f0 in ?? ??:0
    #43 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #44 0x7a7429 in ?? ??:0
    #45 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #46 0x7995cc in ?? ??:0
    #47 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #48 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #49 0x7a9847 in ?? ??:0
    #50 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #51 0x7ac2ea in ?? ??:0
    #52 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #53 0x574668 in ?? ??:0
    #54 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #55 0x5749fa in ?? ??:0
    #56 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #57 0x573e9b in ?? ??:0
    #58 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #59 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #60 0x793369 in ?? ??:0
    #61 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #62 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #63 0x7a9847 in ?? ??:0
    #64 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #65 0x7ac2ea in ?? ??:0
    #66 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #67 0x574668 in ?? ??:0
    #68 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #69 0x5749fa in ?? ??:0
    #70 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #71 0x573e9b in ?? ??:0
    #72 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #73 0x66efe4 in ?? ??:0
    #74 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #75 0x5745f0 in ?? ??:0
    #76 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #77 0x7a7429 in ?? ??:0
    #78 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #79 0x7995cc in ?? ??:0
    #80 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #81 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #82 0x7a9847 in ?? ??:0
    #83 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #84 0x7ac2ea in ?? ??:0
    #85 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #86 0x574668 in ?? ??:0
    #87 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #88 0x5749fa in ?? ??:0
    #89 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #90 0x573e9b in ?? ??:0
    #91 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #92 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #93 0x793369 in ?? ??:0
    #94 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #95 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #96 0x7a9847 in ?? ??:0
    #97 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #98 0x7ac2ea in ?? ??:0
    #99 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #100 0x574668 in ?? ??:0
    #101 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #102 0x5749fa in ?? ??:0
    #103 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #104 0x573e9b in ?? ??:0
    #105 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #106 0x66efe4 in ?? ??:0
    #107 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #108 0x5745f0 in ?? ??:0
    #109 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #110 0x7a7429 in ?? ??:0
    #111 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #112 0x7995cc in ?? ??:0
    #113 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #114 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #115 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #116 0x7ab4cb in ?? ??:0
    #117 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #118 0x7a76f2 in ?? ??:0
    #119 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #120 0x7995cc in ?? ??:0
    #121 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #122 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #123 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #124 0x7ab4cb in ?? ??:0
    #125 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #126 0x7a76f2 in ?? ??:0
    #127 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #128 0x7995cc in ?? ??:0
    #129 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #130 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #131 0x7a9847 in ?? ??:0
    #132 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #133 0x7ac2ea in ?? ??:0
    #134 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #135 0x574668 in ?? ??:0
    #136 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #137 0x5749fa in ?? ??:0
    #138 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #139 0x573e9b in ?? ??:0
    #140 0x6713f8 in slot_tp_init /home/test/check/PythonASAN/Objects/typeobject.c:6380
    #141 0x6713f8 in ?? ??:0
    #142 0x666d8d in type_call /home/test/check/PythonASAN/Objects/typeobject.c:915 (discriminator 1)
    #143 0x666d8d in ?? ??:0
    #144 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #145 0x5745f0 in ?? ??:0
    #146 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #147 0x7a7429 in ?? ??:0
    #148 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #149 0x7995cc in ?? ??:0
    #150 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #151 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #152 0x7a9847 in ?? ??:0
    #153 0x78e0df in PyEval_EvalCodeEx /home/test/check/PythonASAN/Python/ceval.c:4140
    #154 0x78e0df in PyEval_EvalCode /home/test/check/PythonASAN/Python/ceval.c:695
    #155 0x78e0df in ?? ??:0
    #156 0x5142f5 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:980
    #157 0x5142f5 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
    #158 0x5142f5 in ?? ??:0
    #159 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
    #160 0x512afa in ?? ??:0
    #161 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
    #162 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
    #163 0x53eefd in ?? ??:0
    #164 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
    #165 0x503d16 in ?? ??:0
    #166 0x7f7d85d5e82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #167 0x7f7d85d5e82f in ?? ??:0
    #168 0x432548 in _start ??:?
    #169 0x432548 in ?? ??:0

0x60200000e731 is located 0 bytes to the right of 1-byte region [0x60200000e730,0x60200000e731)
allocated by thread T0 here:
    #0 0x4d2678 in malloc ??:?
    #1 0x4d2678 in ?? ??:0
    #2 0x7f7d81f8c964 in my_strdup /home/test/check/PythonASAN/Modules/_ctypes/_ctypes_test.c:169 (discriminator 2)
    #3 0x7f7d81f8c964 in ?? ??:0
    #2 0x7ffe8a4e797f  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test/check/PythonASAN/python+0x4bc3ac)
Shadow bytes around the buggy address:
  0x0c047fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9ce0: fa fa fa fa fa fa[01]fa fa fa fd fa fa fa fd fa
  0x0c047fff9cf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17856==ABORTING
msg287325 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-02-08 14:47
_ctypes_test is an internal test helper module. It's not designed to be used outside of tests. The module contains quick and dirty C code for tests. Any bug in _ctypes_test is not a security bug.

Feel free to contribute better code, though.
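
The triage step behind the reply above, as an added example (not code from the tracker or from CPython): it parses an abridged copy of the ASan report in msg287317 and checks whether the overflowed buffer was allocated in a test helper source file. The `TEST_ONLY` filename pattern and the function names `frames` and `triage` are assumptions made for illustration.

```python
import re

# Abridged excerpt of the ASan report in msg287317 (most frames dropped).
REPORT = """\
==17856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e731 at pc 0x0000004bc3ad bp 0x7ffe8a4e7d10 sp 0x7ffe8a4e74c0
READ of size 11 at 0x60200000e731 thread T0
    #0 0x4bc3ac in __asan_memcpy ??:?
    #2 0x58bbb7 in PyBytes_FromStringAndSize /home/test/check/PythonASAN/Objects/bytesobject.c:123
    #4 0x79987c in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:1458 (discriminator 1)

0x60200000e731 is located 0 bytes to the right of 1-byte region [0x60200000e730,0x60200000e731)
allocated by thread T0 here:
    #0 0x4d2678 in malloc ??:?
    #2 0x7f7d81f8c964 in my_strdup /home/test/check/PythonASAN/Modules/_ctypes/_ctypes_test.c:169 (discriminator 2)
"""

FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+|\?)")
HEADER = re.compile(r"AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
REGION = re.compile(r"(\d+)-byte region")
# Assumption: a file *basename* like _ctypes_test.c or _testcapimodule.c marks
# test-only code. Matching the full path would misfire on /home/test/ here.
TEST_ONLY = re.compile(r"^_test|_test\.c$")

def frames(block):
    """Return (function, file, line) for frames that resolved to a source file."""
    out = []
    for line in block.splitlines():
        m = FRAME.match(line)
        if m and m.group(2) != "??":          # skip unsymbolized "?? ??:0" frames
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out

def triage(report):
    """Summarize the faulting access and where the overflowed region came from."""
    access_part, _, alloc_part = report.partition("allocated by thread")
    op, size = ACCESS.search(report).groups()
    access_site = frames(access_part)[0]      # first frame with source info
    alloc_site = frames(alloc_part)[0]        # first frame below malloc
    basename = alloc_site[1].rsplit("/", 1)[-1]
    return {
        "kind": HEADER.search(report).group(1),
        "op": op, "access_size": int(size),
        "region_size": int(REGION.search(report).group(1)),
        "access_site": access_site[0], "alloc_site": alloc_site[0],
        "alloc_file": basename,
        "alloc_in_test_helper": bool(TEST_ONLY.search(basename)),
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```
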
History
Date | User | Action | Args
2022-04-11 14:58:42 | admin | set | github: 73669
2017-02-08 14:57:17 | matrixise | set | status: open -> closed; stage: resolved
2017-02-08 14:55:44 | christian.heimes | set | type: security -> behavior
2017-02-08 14:47:25 | christian.heimes | set | priority: normal -> low; nosy: + christian.heimes; messages: + msg287325; components: + Tests, - Interpreter Core
2017-02-08 14:40:29 | beginvuln | create |