This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author LCatro
Recipients LCatro
Date 2017-03-16.08:47:56
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1489654077.04.0.544465484801.issue29825@psf.upfronthosting.co.za>
In-reply-to
Content
PyFunction_New() does not validate the code object, so we can make a string object fake a code object.

This is the Python bytecode:

  LOAD_CONST 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\x41\x41\x41\x41'
  MAKE_FUNCTION 0

In the source code, we can see that the string object is traced to the variable v:

TARGET(MAKE_FUNCTION)
{
    v = POP(); /* code object */  <=  now it is a string object
    x = PyFunction_New(v, f->f_globals);  <=  using in there

and then the string object we made is passed into PyFunction_New():

PyFunction_New(PyObject *code, PyObject *globals)
{
    PyFunctionObject *op = PyObject_GC_New(PyFunctionObject,
                                        &PyFunction_Type);
    static PyObject *__name__ = 0;
    if (op != NULL) {  <=  this only checks the newly allocated object pointer, but does not check the Python type of the argument code (actually it is TYPE_CODE) ..
        PyObject *doc;
        PyObject *consts;
        PyObject *module;
        op->func_weakreflist = NULL;
        Py_INCREF(code);
        op->func_code = code;
        Py_INCREF(globals);
        op->func_globals = globals;
        op->func_name = ((PyCodeObject *)code)->co_name;
        Py_INCREF(op->func_name);  <=  this will increment an arbitrary address by one ..

Opcode MAKE_CLOSURE is similar too ..

TARGET(MAKE_CLOSURE)
{
    v = POP(); /* code object */
    x = PyFunction_New(v, f->f_globals);

PoC and crash details are in the uploaded file.
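The following is an added example, not part of this report and not CPython's own code. It checks statically, without executing anything, for the condition the report describes: a MAKE_FUNCTION whose operand was pushed by a LOAD_CONST of something other than a code object, which is the state in which PyFunction_New() would cast a str to PyCodeObject*. It targets CPython 3.8+ (CodeType.replace and the Python 3 MAKE_FUNCTION operand layout; MAKE_CLOSURE no longer exists in 3.x) and assumes the compiler's own instruction layout. The sample function outer, the payload string FAKE_CODE and the helper names are constructed here for illustration.

```python
import dis
import sys
import types

# CPython's compiler emits LOAD_CONST <code>, LOAD_CONST <qualname>, MAKE_FUNCTION
# on 3.6-3.10 and LOAD_CONST <code>, MAKE_FUNCTION from 3.11 onward, so the operand
# that PyFunction_New() will cast to PyCodeObject* sits this many instructions
# before MAKE_FUNCTION.  Assumption: compiler-produced layout; hand-assembled
# bytecode can push the "code" from anywhere, which is why an interpreter-side
# type check (the one the report says is missing) would be the real fix.
CODE_SLOT_DISTANCE = 1 if sys.version_info >= (3, 11) else 2

# Constructed payload mirroring the constant in the report's bytecode listing.
FAKE_CODE = "C" * 32 + "\x41\x41\x41\x41"


def unchecked_make_functions(code):
    """Return [(offset, operand)] for every MAKE_FUNCTION in `code` (and in
    nested code objects) whose code operand is not a types.CodeType.
    This is the type check the report says PyFunction_New() lacks, done
    statically on the bytecode instead of at function-creation time."""
    findings = []
    instrs = list(dis.get_instructions(code))
    for i, ins in enumerate(instrs):
        if ins.opname != "MAKE_FUNCTION":
            continue
        j = i - CODE_SLOT_DISTANCE
        src = instrs[j] if j >= 0 else None
        if (src is None or src.opname != "LOAD_CONST"
                or not isinstance(src.argval, types.CodeType)):
            findings.append((ins.offset, None if src is None else src.argval))
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            findings.extend(unchecked_make_functions(const))
    return findings


def swap_code_for_string(code, payload=FAKE_CODE):
    """Rebuild `code` so each nested code-object constant becomes `payload`.
    LOAD_CONST then pushes a str where MAKE_FUNCTION expects a code object,
    the state the report describes.  Never exec() the result: per the report
    it reaches the unchecked ((PyCodeObject *)code)->co_name read."""
    consts = tuple(payload if isinstance(c, types.CodeType) else c
                   for c in code.co_consts)
    return code.replace(co_consts=consts)   # CodeType.replace needs 3.8+


def outer():
    # Benign constructed sample: one MAKE_FUNCTION with a real code object.
    def inner():
        return 1
    return inner


# Built at import time; building a code object does not run it.
TAMPERED = swap_code_for_string(outer.__code__)


def demo():
    """Return (findings for the benign sample, findings for the tampered one)."""
    return (unchecked_make_functions(outer.__code__),
            unchecked_make_functions(TAMPERED))


if __name__ == "__main__":
    ok, bad = demo()
    print("benign  :", ok)
    print("tampered:", bad)
```

Run as a script it reports no findings for outer and one finding for TAMPERED, naming the offending string. The same function can be run over a marshalled code object from an untrusted .pyc before it is ever handed to exec(); it is a mitigation on the caller's side only, since nothing in the interpreter path shown in the report performs the check.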
History
Date                 User    Action  Args
2017-03-16 08:47:57  LCatro  set     recipients: + LCatro
2017-03-16 08:47:57  LCatro  set     messageid: <1489654077.04.0.544465484801.issue29825@psf.upfronthosting.co.za>
2017-03-16 08:47:56  LCatro  link    issue29825 messages
2017-03-16 08:47:56  LCatro  create