This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: heap-buffer-overflow on address 0x6250000078ff
Type: crash Stage: patch review
Components: Interpreter Core Versions: Python 3.7, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: serhiy.storchaka Nosy List: beginvuln, benjamin.peterson, berker.peksag, duaneg, franciscouzo, serhiy.storchaka
Priority: normal Keywords: patch

Created on 2016-07-11 14:21 by beginvuln, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
python-heap-buffer-overflow-e6f-581-e5d.py beginvuln, 2016-07-11 14:21
0001-Issue-27482-handle-nul-characters-while-reading-inpu.patch duaneg, 2016-09-14 03:13
Messages (5)
msg270181 - (view) Author: BeginVuln (beginvuln) Date: 2016-07-11 14:21 
PoC is attached.
Version: 2.7.12

=================================================================
==4461==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000078ff at pc 0x000000508e70 bp 0x7ffe3e88db60 sp 0x7ffe3e88db58
READ of size 1 at 0x6250000078ff thread T0
    #0 0x508e6f in tok_nextc /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:954:28
    #1 0x4ff581 in tok_get /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:1232:17
    #2 0x4ff581 in PyTokenizer_Get /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:1681:0
    #3 0x4fae5d in parsetok /home/mtowalski/tmp/python/Python-2.7.12/Parser/parsetok.c:159:16
    #4 0x7c9a92 in PyParser_ASTFromFile /home/mtowalski/tmp/python/Python-2.7.12/Python/pythonrun.c:1499:15
    #5 0x7c9e49 in PyRun_FileExFlags /home/mtowalski/tmp/python/Python-2.7.12/Python/pythonrun.c:1354:11
    #6 0x7c8a7e in PyRun_SimpleFileExFlags /home/mtowalski/tmp/python/Python-2.7.12/Python/pythonrun.c:948:13
    #7 0x4f80b9 in Py_Main /home/mtowalski/tmp/python/Python-2.7.12/Modules/main.c:640:23
    #8 0x7feaeb493f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
    #9 0x42adc5 in _start ??:?

0x6250000078ff is located 1 bytes to the left of 8192-byte region [0x625000007900,0x625000009900)
allocated by thread T0 here:
    #0 0x4c8d3c in malloc ??:?
    #1 0x4fe75d in PyTokenizer_FromFile /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:759:29

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/mtowalski/tmp/python/Python-2.7.12/python+0x508e6f)
Shadow bytes around the buggy address:
  0x0c4a7fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4a7fff8f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4461==ABORTING
msg276370 - (view) Author: Duane Griffin (duaneg) * Date: 2016-09-14 03:13 
There are a couple of places where the tokenizer code is not correctly handling \0 characters occurring at the start of the buffer. Patch attached.
msg276547 - (view) Author: Francisco Couzo (franciscouzo) * Date: 2016-09-15 10:49 
I can confirm this bug is also present in 3.7
msg276963 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2016-09-19 09:19 
I think the problem described in msg270181 is now fixed in issue 24022. Adding Benjamin to nosy list for the other case.
msg277006 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2016-09-20 05:05 
ASan is quiet on the POC now.
History
Date User Action Args
2022-04-11 14:58:33adminsetgithub: 71669
2016-09-20 05:05:24benjamin.petersonsetstatus: open -> closed
resolution: fixed
messages: + msg277006
2016-09-19 09:19:35berker.peksagsetnosy: + berker.peksag, benjamin.peterson
messages: + msg276963
2016-09-15 10:49:42franciscouzosetnosy: + franciscouzo

messages: + msg276547
versions: + Python 3.7
2016-09-14 05:45:32serhiy.storchakasetassignee: serhiy.storchaka

nosy: + serhiy.storchaka
stage: patch review
2016-09-14 03:13:10duanegsetfiles: + 0001-Issue-27482-handle-nul-characters-while-reading-inpu.patch

nosy: + duaneg
messages: + msg276370

keywords: + patch
2016-07-11 14:21:45beginvulncreate