Message 29053 - Python tracker

Author	collinwinter
Recipients
Date	2006-07-05.17:33:57
SpamBayes Score
Marked as misclassified
Message-id
In-reply-to

Content
Similar to the bug in tuple() shown in the current (r47245) version of Lib/test/crashers/gc_inspection.py, filter() can be exploited in similar ways. Rather than the tricky generator used to exploit tuple(), the attached test case uses a subclass of tuple with a malicious __getitem__ method. The pattern being exploited is the same, however: a built-in function pre-allocates a tuple, then fills it using calls to user-defined code. gc_inspection.py.diff also expands the infrastructure in gc_inspection.py, allowing multiple test functions to run that could crash the interpreter. The second patch, fix_filter_crash.patch, is against Python/bltinmodule.c and adds _PyObject_GC_TRACK/UNTRACK macros around the call to the type's sq_item slot in filtertuple().

Similar to the bug in tuple() shown in the current
(r47245) version of Lib/test/crashers/gc_inspection.py,
filter() can be exploited in similar ways.

Rather than the tricky generator used to exploit
tuple(), the attached test case uses a subclass of
tuple with a malicious __getitem__ method. The pattern
being exploited is the same, however: a built-in
function pre-allocates a tuple, then fills it using
calls to user-defined code.

gc_inspection.py.diff also expands the infrastructure
in gc_inspection.py, allowing multiple test functions
to run that could crash the interpreter.

The second patch, fix_filter_crash.patch, is against
Python/bltinmodule.c and adds
_PyObject_GC_TRACK/UNTRACK macros around the call to
the type's sq_item slot in filtertuple().

History
Date	User	Action	Args
2007-08-23 14:41:07	admin	link	issue1517663 messages
2007-08-23 14:41:07	admin	create