Message289710
PyFunction_New() does not validate the code object, so we can make a string object pose as a fake code object.
This is the Python bytecode:
LOAD_CONST 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\x41\x41\x41\x41'
MAKE_FUNCTION 0
In the source code we can see that the string object ends up in the variable v:
TARGET(MAKE_FUNCTION)
{
    v = POP(); /* code object */          <= now it is a string object
    x = PyFunction_New(v, f->f_globals);  <= used here
And then the string object we made is passed into PyFunction_New():
PyFunction_New(PyObject *code, PyObject *globals)
{
    PyFunctionObject *op = PyObject_GC_New(PyFunctionObject,
                                           &PyFunction_Type);
    static PyObject *__name__ = 0;
    if (op != NULL) {   <= this only checks the newly allocated object pointer, not the Python type of the `code` argument (it should really be TYPE_CODE) ..
        PyObject *doc;
        PyObject *consts;
        PyObject *module;
        op->func_weakreflist = NULL;
        Py_INCREF(code);
        op->func_code = code;
        Py_INCREF(globals);
        op->func_globals = globals;
        op->func_name = ((PyCodeObject *)code)->co_name;
        Py_INCREF(op->func_name);   <= this increments an arbitrary address by one ..
The opcode MAKE_CLOSURE is similar ..
TARGET(MAKE_CLOSURE)
{
v = POP(); /* code object */
x = PyFunction_New(v, f->f_globals);
PoC and crash details are in the uploaded file.

Date                | User   | Action | Args
2017-03-16 08:47:57 | LCatro | set    | recipients: + LCatro
2017-03-16 08:47:57 | LCatro | set    | messageid: <1489654077.04.0.544465484801.issue29825@psf.upfronthosting.co.za>
2017-03-16 08:47:56 | LCatro | link   | issue29825 messages
2017-03-16 08:47:56 | LCatro | create |
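The report's point is a type confusion: MAKE_FUNCTION pops whatever constant is on the stack, and PyFunction_New casts it to PyCodeObject without checking ob_type, so the bytes of a string constant are read as the co_name pointer and then Py_INCREF'd. The program below is an added example, not code from the report or from CPython. It models the 2.7 layouts of PyStringObject and PyCodeObject with plain C structs (field order as in the CPython 2.7 headers, sizes and padding as the local compiler lays them out, so every offset is computed with offsetof rather than hard-coded), shows which byte of the string's character data is overlaid by co_name on the current build, reproduces the unchecked cast to obtain the pointer value that would be incremented without dereferencing it, and shows the type check the report says is missing. On a 32-bit 2.7 build co_name lands 32 bytes into the character data, which is why the report's constant is 32 'C's followed by 0x41 bytes; the marker/filler values and the mock type objects here are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Models of the CPython 2.7 layouts involved (field order as in
 * Include/object.h, stringobject.h and code.h; sizes and padding are whatever
 * this compiler uses, so offsets below are computed, never hard-coded). */
typedef struct _typeobject TypeObject;
typedef struct { long ob_refcnt; TypeObject *ob_type; } Object;
struct _typeobject { Object ob_base; const char *tp_name; };

typedef struct {              /* PyStringObject */
    Object ob_base;
    long ob_size;
    long ob_shash;
    int  ob_sstate;
    char ob_sval[1];          /* the characters live inline, right here */
} StringObject;

typedef struct {              /* PyCodeObject, up to the field that matters */
    Object ob_base;
    int co_argcount, co_nlocals, co_stacksize, co_flags;
    Object *co_code, *co_consts, *co_names, *co_varnames;
    Object *co_freevars, *co_cellvars, *co_filename;
    Object *co_name;          /* PyFunction_New reads and INCREFs this */
} CodeObject;

/* Mock type objects standing in for PyString_Type / PyCode_Type. */
static TypeObject StringType = { {1, NULL}, "str" };
static TypeObject CodeType   = { {1, NULL}, "code" };

/* Which byte of the string's character data is overlaid by co_name. */
static size_t co_name_payload_offset(void) {
    return offsetof(CodeObject, co_name) - offsetof(StringObject, ob_sval);
}

/* Allocate a string object carrying `payload`, then view it as a code object
 * exactly as the unchecked cast in PyFunction_New does, and return the value
 * that Py_INCREF(op->func_name) would treat as an address (not dereferenced). */
static uintptr_t co_name_seen_through_string(const char *payload, size_t len) {
    size_t need = offsetof(StringObject, ob_sval) + len + 1;
    size_t size = need > sizeof(CodeObject) ? need : sizeof(CodeObject);
    unsigned char *mem = calloc(1, size);
    StringObject *s = (StringObject *)mem;
    s->ob_base.ob_refcnt = 1;
    s->ob_base.ob_type = &StringType;
    s->ob_size = (long)len;
    memcpy(s->ob_sval, payload, len);

    CodeObject *fake = (CodeObject *)mem;   /* no type check, as in the report */
    uintptr_t p = (uintptr_t)fake->co_name;
    free(mem);
    return p;
}

/* PoC-shaped payload: filler up to the overlaid field, then sizeof(void*)
 * marker bytes (the report uses 0x41). Returns 1 if the marker bytes become
 * the "co_name" pointer, 0 otherwise. */
static int poc_reads_marker(unsigned char marker) {
    size_t off = co_name_payload_offset(), len = off + sizeof(void *);
    char *payload = malloc(len);
    memset(payload, 'C', off);
    memset(payload + off, marker, sizeof(void *));
    uintptr_t seen = co_name_seen_through_string(payload, len);
    free(payload);

    uintptr_t want;
    memset(&want, marker, sizeof want);
    return seen == want;
}

/* The missing check: refuse anything that is not actually a code object
 * before the cast. Returns 0 on success, -1 on a type mismatch. */
static int function_new_checked(Object *code, const char **err) {
    if (code->ob_type != &CodeType) {
        *err = "MAKE_FUNCTION: code object expected";
        return -1;
    }
    *err = NULL;
    return 0;
}

static int checked_rejects_string(void) {
    StringObject s = { {1, &StringType}, 0, -1, 0, {0} };
    const char *err;
    return function_new_checked(&s.ob_base, &err) == -1 && err != NULL;
}

static int checked_accepts_code(void) {
    CodeObject c;
    memset(&c, 0, sizeof c);
    c.ob_base.ob_refcnt = 1;
    c.ob_base.ob_type = &CodeType;
    const char *err;
    return function_new_checked(&c.ob_base, &err) == 0;
}

int main(void) {
    printf("co_name overlays payload byte %zu on this build\n", co_name_payload_offset());
    printf("0x41 marker becomes the func_name pointer: %s\n",
           poc_reads_marker(0x41) ? "yes" : "no");
    printf("type check rejects str: %s, accepts code: %s\n",
           checked_rejects_string() ? "yes" : "no",
           checked_accepts_code() ? "yes" : "no");
    return 0;
}
```

co_name_payload_offset() prints 32 on a 32-bit build and 52 on a typical LP64 build, so a real payload has to be sized for the target; the example never dereferences the forged pointer, it only shows that attacker-chosen bytes reach Py_INCREF, which is the write the report describes.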