➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2016-08-16 05:00 by benjamin.peterson, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Messages (2) | |||
|---|---|---|---|
| msg272831 - (view) | Author: Benjamin Peterson (benjamin.peterson) *  |
Date: 2016-08-16 05:00 | |
Thomas E Hybel reports:
This vulnerability exists in the function _sre_SRE_Match_groupdict_impl which
resides in the /Modules/_sre.c file.
The problem is that the code calls Py_DECREF(key); without having done a
corresponding Py_INCREF on the key.
Here's the relevant code:
static PyObject *
_sre_SRE_Match_groupdict_impl(MatchObject *self, PyObject *default_value)
{
...
for (index = 0; index < PyList_GET_SIZE(keys); index++) {
...
PyObject* key;
...
key = PyList_GET_ITEM(keys, index);
...
value = match_getslice(self, key, default_value);
if (!value) {
Py_DECREF(key);
goto failed;
}
...
}
...
}
We initialize the "key" variable via PyList_GET_ITEM(keys, index) which simply
takes keys->ob_item[index]. There is no increase in reference count.
If match_getslice fails, we then call Py_DECREF(key). This is simply wrong. It
will result in the key object getting freed prematurely, leading to
use-after-free scenarios.
Here's a script which reproduces this:
--- begin script ---
import _sre
import time
p = _sre.compile(
"A", # pattern
0, # flags
[1], # code
1, # groups
{0xdeadbeef: 0}, # groupindex
0 # indexgroup
)
m = p.match("AAAA")
for _ in range(5):
# each call to m.groupdict decreases the refcount of 0xdeadbeef once
try:
m.groupdict()
except IndexError:
pass
--- end script ---
Running the script crashes python on my machine:
(gdb) r ./poc7.py
Starting program: /home/xx/Python-3.5.2/python ./poc7.py
Program received signal SIGSEGV, Segmentation fault.
0x0000000000567d71 in match_getindex (self=self@entry=0x7ffff7e2da18, index=index@entry=0x7ffff6d582c0)
at ./Modules/_sre.c:2055
2055 if (PyLong_Check(index))
(gdb) bt
#0 0x0000000000567d71 in match_getindex (self=self@entry=0x7ffff7e2da18, index=index@entry=0x7ffff6d582c0)
at ./Modules/_sre.c:2055
#1 0x0000000000568946 in match_getslice (self=self@entry=0x7ffff7e2da18, index=index@entry=0x7ffff6d582c0,
def=def@entry=0x8831c0 <_Py_NoneStruct>) at ./Modules/_sre.c:2076
#2 0x0000000000568a99 in _sre_SRE_Match_groupdict_impl (self=self@entry=0x7ffff7e2da18,
default_value=0x8831c0 <_Py_NoneStruct>) at ./Modules/_sre.c:2198
#3 0x0000000000568bc5 in _sre_SRE_Match_groupdict (self=0x7ffff7e2da18, args=<optimized out>,
kwargs=<optimized out>) at ./Modules/clinic/_sre.c.h:518
|
|||
| msg272833 - (view) | Author: Roundup Robot (python-dev)  |
Date: 2016-08-16 05:05 | |
New changeset 4ca84a3e37d7 by Benjamin Peterson in branch '2.7': do not decref value borrowed from list (closes #27774) https://hg.python.org/cpython/rev/4ca84a3e37d7 New changeset cbf2a05648b3 by Benjamin Peterson in branch '3.3': do not decref value borrowed from list (closes #27774) https://hg.python.org/cpython/rev/cbf2a05648b3 New changeset 2e404ac88e0e by Benjamin Peterson in branch '3.4': merge 3.3 (#27774) https://hg.python.org/cpython/rev/2e404ac88e0e New changeset 424cb9482974 by Benjamin Peterson in branch '3.5': merge 3.4 (#27774) https://hg.python.org/cpython/rev/424cb9482974 New changeset 64b0e0a29874 by Benjamin Peterson in branch 'default': merge 3.5 (#27774) https://hg.python.org/cpython/rev/64b0e0a29874 |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:34 | admin | set | github: 71961 |
| 2016-08-16 05:05:31 | python-dev | set | status: open -> closed nosy: + python-dev messages: + msg272833 resolution: fixed stage: resolved |
| 2016-08-16 05:00:44 | benjamin.peterson | create | |