classification
Title: AddressSanitizer: SEGV on unknown address 0x0000a0013639
Type: behavior
Stage: resolved
Components: Extension Modules
Versions: Python 3.6

process
Status: closed
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: beginvuln, christian.heimes
Priority: low
Keywords:

Created on 2017-02-08 14:49 by beginvuln, last changed 2017-02-08 14:59 by matrixise. This issue is now closed.

Files
File name: dicobj_1925
Uploaded: beginvuln, 2017-02-08 14:49
Description: PoC

Messages (2)
msg287329 - Author: BeginVuln (beginvuln) Date: 2017-02-08 14:49
OS Version : Ubuntu 16.04 LTS
Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

Python version : 3.6.0

Normal build cmd : 
./configure 
make

Asan build cmd:
export CC="/usr/bin/clang -fsanitize=address"
export CXX="/usr/bin/clang++ -fsanitize=address"
./configure
make

GDB with exploitable:

To enable execution of this file add
	add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
line to your configuration file "/home/test/.gdbinit".
To completely disable this security protection add
	set auto-load safe-path /
line to your configuration file "/home/test/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
	info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000049b304 in dict_dealloc (mp=0x7ffff5b44510) at Objects/dictobject.c:1925
1925	                Py_XDECREF(values[i]);
Description: Access violation during branch instruction
Short description: BranchAv (4/22)
Hash: 88d6a4b120e0fabdcb9b56178f8ef166.2c4f31b17f90f974f2ff23d3286fcbbd
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on a branch instruction, which may indicate that the control flow is tainted.
Other tags: DestAv (8/22), AccessViolation (21/22)


ASAN:

ASAN:DEADLYSIGNAL
=================================================================
==18235==ERROR: AddressSanitizer: SEGV on unknown address 0x0000a0013639 (pc 0x00000061637c bp 0x7efd09781be8 sp 0x7ffe3da51c50 T0)
    #0 0x61637b in dict_dealloc /home/test/check/PythonASAN/Objects/dictobject.c:1925 (discriminator 5)
    #1 0x61637b in ?? ??:0
    #2 0x65d3b9 in subtype_dealloc /home/test/check/PythonASAN/Objects/typeobject.c:1207 (discriminator 3)
    #3 0x65d3b9 in ?? ??:0
    #4 0x5d10da in frame_dealloc /home/test/check/PythonASAN/Objects/frameobject.c:423 (discriminator 5)
    #5 0x5d10da in ?? ??:0
    #6 0x7a98ca in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4130 (discriminator 3)
    #7 0x7a98ca in ?? ??:0
    #8 0x7ab648 in fast_function /home/test/check/PythonASAN/Python/ceval.c:4929 (discriminator 1)
    #9 0x7ab648 in ?? ??:0
    #10 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #11 0x7a76f2 in ?? ??:0
    #12 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #13 0x7995cc in ?? ??:0
    #14 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #15 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #16 0x7a9847 in ?? ??:0
    #17 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #18 0x7ac2ea in ?? ??:0
    #19 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #20 0x574668 in ?? ??:0
    #21 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #22 0x5749fa in ?? ??:0
    #23 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #24 0x573e9b in ?? ??:0
    #25 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #26 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #27 0x793369 in ?? ??:0
    #28 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #29 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #30 0x7a9847 in ?? ??:0
    #31 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #32 0x7ac2ea in ?? ??:0
    #33 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #34 0x574668 in ?? ??:0
    #35 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #36 0x5749fa in ?? ??:0
    #37 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #38 0x573e9b in ?? ??:0
    #39 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #40 0x66efe4 in ?? ??:0
    #41 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #42 0x5745f0 in ?? ??:0
    #43 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #44 0x7a7429 in ?? ??:0
    #45 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #46 0x7995cc in ?? ??:0
    #47 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #48 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #49 0x7a9847 in ?? ??:0
    #50 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #51 0x7ac2ea in ?? ??:0
    #52 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #53 0x574668 in ?? ??:0
    #54 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #55 0x5749fa in ?? ??:0
    #56 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #57 0x573e9b in ?? ??:0
    #58 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #59 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #60 0x793369 in ?? ??:0
    #61 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #62 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #63 0x7a9847 in ?? ??:0
    #64 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #65 0x7ac2ea in ?? ??:0
    #66 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #67 0x574668 in ?? ??:0
    #68 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #69 0x5749fa in ?? ??:0
    #70 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #71 0x573e9b in ?? ??:0
    #72 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #73 0x66efe4 in ?? ??:0
    #74 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #75 0x5745f0 in ?? ??:0
    #76 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #77 0x7a7429 in ?? ??:0
    #78 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #79 0x7995cc in ?? ??:0
    #80 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #81 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #82 0x7a9847 in ?? ??:0
    #83 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #84 0x7ac2ea in ?? ??:0
    #85 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #86 0x574668 in ?? ??:0
    #87 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #88 0x5749fa in ?? ??:0
    #89 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #90 0x573e9b in ?? ??:0
    #91 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #92 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #93 0x793369 in ?? ??:0
    #94 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #95 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #96 0x7a9847 in ?? ??:0
    #97 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #98 0x7ac2ea in ?? ??:0
    #99 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #100 0x574668 in ?? ??:0
    #101 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #102 0x5749fa in ?? ??:0
    #103 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #104 0x573e9b in ?? ??:0
    #105 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #106 0x66efe4 in ?? ??:0
    #107 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #108 0x5745f0 in ?? ??:0
    #109 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #110 0x7a7429 in ?? ??:0
    #111 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #112 0x7995cc in ?? ??:0
    #113 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #114 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #115 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #116 0x7ab4cb in ?? ??:0
    #117 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #118 0x7a76f2 in ?? ??:0
    #119 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #120 0x7995cc in ?? ??:0
    #121 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #122 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #123 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #124 0x7ab4cb in ?? ??:0
    #125 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #126 0x7a76f2 in ?? ??:0
    #127 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #128 0x7995cc in ?? ??:0
    #129 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #130 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #131 0x7a9847 in ?? ??:0
    #132 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #133 0x7ac2ea in ?? ??:0
    #134 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #135 0x574668 in ?? ??:0
    #136 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #137 0x5749fa in ?? ??:0
    #138 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #139 0x573e9b in ?? ??:0
    #140 0x6713f8 in slot_tp_init /home/test/check/PythonASAN/Objects/typeobject.c:6380
    #141 0x6713f8 in ?? ??:0
    #142 0x666d8d in type_call /home/test/check/PythonASAN/Objects/typeobject.c:915 (discriminator 1)
    #143 0x666d8d in ?? ??:0
    #144 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #145 0x5745f0 in ?? ??:0
    #146 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #147 0x7a7429 in ?? ??:0
    #148 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #149 0x7995cc in ?? ??:0
    #150 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #151 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #152 0x7a9847 in ?? ??:0
    #153 0x78e0df in PyEval_EvalCodeEx /home/test/check/PythonASAN/Python/ceval.c:4140
    #154 0x78e0df in PyEval_EvalCode /home/test/check/PythonASAN/Python/ceval.c:695
    #155 0x78e0df in ?? ??:0
    #156 0x5142f5 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:980
    #157 0x5142f5 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
    #158 0x5142f5 in ?? ??:0
    #159 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
    #160 0x512afa in ?? ??:0
    #161 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
    #162 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
    #163 0x53eefd in ?? ??:0
    #164 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
    #165 0x503d16 in ?? ??:0
    #166 0x7efd0d28782f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #167 0x7efd0d28782f in ?? ??:0
    #168 0x432548 in _start ??:?
    #169 0x432548 in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/test/check/PythonASAN/python+0x61637b)
==18235==ABORTING

msg287332 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2017-02-08 14:51
Please stop flooding the bug tracker with automated messages. All your 'exploits' are using ctypes. ctypes code is not memory safe and can easily trigger all sorts of bugs and crashes.

History
Date User Action Args
2017-02-08 14:59:30 matrixise set status: open -> closed; stage: resolved
2017-02-08 14:56:32 christian.heimes set priority: normal -> low; type: security -> behavior; components: + Extension Modules, - Interpreter Core
2017-02-08 14:51:53 christian.heimes set nosy: + christian.heimes; messages: + msg287332
2017-02-08 14:49:50 beginvuln create