Issue 29494: AddressSanitizer: SEGV on unknown address 0x00009fff8001

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/73680

classification

Title:	AddressSanitizer: SEGV on unknown address 0x00009fff8001
Type:	behavior	Stage:	resolved
Components:	Extension Modules	Versions:	Python 3.6

process

Status:	closed	Resolution:
Dependencies:		Superseder:
Assigned To:		Nosy List:	beginvuln
Priority:	low	Keywords:

Created on 2017-02-08 14:51 by beginvuln, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
gcmodule_374	beginvuln, 2017-02-08 14:51	PoC

Messages (1)
msg287331 - (view)	Author: BeginVuln (beginvuln)	Date: 2017-02-08 14:51
OS Version : Ubuntu 16.04 LTS Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz Python version : 3.6.0 Normal build cmd : ./configure make Asan build cmd: export CC="/usr/bin/clang -fsanitize=address export CXX="/usr/bin/clang++ -fsanitize=address ./confiugre make GDB with exploitable: To enable execution of this file add add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py line to your configuration file "/home/test/.gdbinit". To completely disable this security protection add set auto-load safe-path / line to your configuration file "/home/test/.gdbinit". For more information about this security protection see the "Auto-loading safe path" section in the GDB manual. E.g., run from the shell: info "(gdb)Auto-loading safe path" [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. visit_decref (op=0x100000000, data=0x0) at Modules/gcmodule.c:374 374 if (PyObject_IS_GC(op)) { Description: Access violation on source operand Short description: SourceAv (19/22) Hash: 5ae0cf182ca6c91339ba4d86e35281e3.974794321b75f348830f6ff316f662f4 Exploitability Classification: UNKNOWN Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation. Other tags: AccessViolation (21/22) ASAN: ASAN:DEADLYSIGNAL ================================================================= ==18468==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8001 (pc 0x000000544b5f bp 0x7ffeeb051e90 sp 0x7ffeeb051c30 T0) #0 0x544b5e in visit_decref /home/test/check/PythonASAN/Modules/gcmodule.c:374 #1 0x544b5e in ?? ??:0 #2 0x5d7035 in func_traverse /home/test/check/PythonASAN/Objects/funcobject.c:558 (discriminator 8) #3 0x5d7035 in ?? ??:0 #4 0x540ca1 in subtract_refs /home/test/check/PythonASAN/Modules/gcmodule.c:399 #5 0x540ca1 in collect /home/test/check/PythonASAN/Modules/gcmodule.c:956 #6 0x540ca1 in ?? ??:0 #7 0x5406ed in collect_with_callback /home/test/check/PythonASAN/Modules/gcmodule.c:1128 #8 0x5406ed in PyGC_Collect /home/test/check/PythonASAN/Modules/gcmodule.c:1592 #9 0x5406ed in _PyGC_CollectIfEnabled /home/test/check/PythonASAN/Modules/gcmodule.c:1605 #10 0x5406ed in ?? ??:0 #11 0x50d31a in Py_FinalizeEx /home/test/check/PythonASAN/Python/pylifecycle.c:603 #12 0x50d31a in ?? ??:0 #13 0x50e127 in Py_Exit /home/test/check/PythonASAN/Python/pylifecycle.c:1537 #14 0x50e127 in ?? ??:0 #15 0x51537b in handle_system_exit /home/test/check/PythonASAN/Python/pythonrun.c:602 #16 0x51537b in ?? ??:0 #17 0x5146b0 in PyErr_PrintEx /home/test/check/PythonASAN/Python/pythonrun.c:612 #18 0x5146b0 in ?? ??:0 #19 0x512c87 in PyErr_Print /home/test/check/PythonASAN/Python/pythonrun.c:508 #20 0x512c87 in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:401 #21 0x512c87 in ?? ??:0 #22 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320 #23 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780 #24 0x53eefd in ?? ??:0 #25 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69 #26 0x503d16 in ?? ??:0 #27 0x7fcae111d82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291 #28 0x7fcae111d82f in ?? ??:0 #29 0x432548 in _start ??:? #30 0x432548 in ?? ??:0 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/home/test/check/PythonASAN/python+0x544b5e) ==18468==ABORTING

msg287331 - (view)

Author: BeginVuln (beginvuln)

Date: 2017-02-08 14:51

OS Version : Ubuntu 16.04 LTS
Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

Python version : 3.6.0

Normal build cmd : 
./configure 
make

Asan build cmd:
export CC="/usr/bin/clang -fsanitize=address
export CXX="/usr/bin/clang++ -fsanitize=address
./confiugre
make

GDB with exploitable:

To enable execution of this file add
	add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
line to your configuration file "/home/test/.gdbinit".
To completely disable this security protection add
	set auto-load safe-path /
line to your configuration file "/home/test/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
	info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
visit_decref (op=0x100000000, data=0x0) at Modules/gcmodule.c:374
374	    if (PyObject_IS_GC(op)) {
Description: Access violation on source operand
Short description: SourceAv (19/22)
Hash: 5ae0cf182ca6c91339ba4d86e35281e3.974794321b75f348830f6ff316f662f4
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation.
Other tags: AccessViolation (21/22)


ASAN:

ASAN:DEADLYSIGNAL
=================================================================
==18468==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8001 (pc 0x000000544b5f bp 0x7ffeeb051e90 sp 0x7ffeeb051c30 T0)
    #0 0x544b5e in visit_decref /home/test/check/PythonASAN/Modules/gcmodule.c:374
    #1 0x544b5e in ?? ??:0
    #2 0x5d7035 in func_traverse /home/test/check/PythonASAN/Objects/funcobject.c:558 (discriminator 8)
    #3 0x5d7035 in ?? ??:0
    #4 0x540ca1 in subtract_refs /home/test/check/PythonASAN/Modules/gcmodule.c:399
    #5 0x540ca1 in collect /home/test/check/PythonASAN/Modules/gcmodule.c:956
    #6 0x540ca1 in ?? ??:0
    #7 0x5406ed in collect_with_callback /home/test/check/PythonASAN/Modules/gcmodule.c:1128
    #8 0x5406ed in PyGC_Collect /home/test/check/PythonASAN/Modules/gcmodule.c:1592
    #9 0x5406ed in _PyGC_CollectIfEnabled /home/test/check/PythonASAN/Modules/gcmodule.c:1605
    #10 0x5406ed in ?? ??:0
    #11 0x50d31a in Py_FinalizeEx /home/test/check/PythonASAN/Python/pylifecycle.c:603
    #12 0x50d31a in ?? ??:0
    #13 0x50e127 in Py_Exit /home/test/check/PythonASAN/Python/pylifecycle.c:1537
    #14 0x50e127 in ?? ??:0
    #15 0x51537b in handle_system_exit /home/test/check/PythonASAN/Python/pythonrun.c:602
    #16 0x51537b in ?? ??:0
    #17 0x5146b0 in PyErr_PrintEx /home/test/check/PythonASAN/Python/pythonrun.c:612
    #18 0x5146b0 in ?? ??:0
    #19 0x512c87 in PyErr_Print /home/test/check/PythonASAN/Python/pythonrun.c:508
    #20 0x512c87 in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:401
    #21 0x512c87 in ?? ??:0
    #22 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
    #23 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
    #24 0x53eefd in ?? ??:0
    #25 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
    #26 0x503d16 in ?? ??:0
    #27 0x7fcae111d82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #28 0x7fcae111d82f in ?? ??:0
    #29 0x432548 in _start ??:?
    #30 0x432548 in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/test/check/PythonASAN/python+0x544b5e)
==18468==ABORTING

History
Date	User	Action	Args
2022-04-11 14:58:42	admin	set	github: 73680
2017-02-08 14:59:42	matrixise	set	status: open -> closed stage: resolved
2017-02-08 14:56:24	christian.heimes	set	priority: normal -> low type: security -> behavior components: + Extension Modules, - Interpreter Core
2017-02-08 14:51:44	beginvuln	create