classification
Title: AddressSanitizer: SEGV on unknown address 0x000cffff800d
Type: behavior Stage: resolved
Components: Extension Modules Versions: Python 3.6
process
Status: closed Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: beginvuln
Priority: low Keywords:

Created on 2017-02-08 14:50 by beginvuln, last changed 2017-02-08 15:00 by matrixise. This issue is now closed.

Files
File name Uploaded Description Edit
gcmodule_1699 beginvuln, 2017-02-08 14:50 PoC
Messages (1)
msg287330 - (view) Author: BeginVuln (beginvuln) Date: 2017-02-08 14:50
OS Version : Ubuntu 16.04 LTS
Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

Python version : 3.6.0

Normal build cmd : 
./configure 
make

Asan build cmd:
export CC="/usr/bin/clang -fsanitize=address
export CXX="/usr/bin/clang++ -fsanitize=address
./confiugre
make

GDB with exploitable:

To enable execution of this file add
	add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
line to your configuration file "/home/test/.gdbinit".
To completely disable this security protection add
	set auto-load safe-path /
line to your configuration file "/home/test/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
	info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000043d563 in PyObject_GC_UnTrack (op=0x7ffff3810400) at Modules/gcmodule.c:1699
1699	        _PyObject_GC_UNTRACK(op);
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: a30125899c34aa234161214a7afc7066.d78488ccad0508b81b411140385e7113
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: AccessViolation (21/22)


ASAN:

EsFASAN:DEADLYSIGNAL
=================================================================
==18094==ERROR: AddressSanitizer: SEGV on unknown address 0x000cffff800d (pc 0x000000543039 bp 0x0fec572c0c81 sp 0x7ffc421b9cf0 T0)
    #0 0x543038 in PyObject_GC_UnTrack /home/test/check/PythonASAN/Modules/gcmodule.c:1699 (discriminator 4)
    #1 0x543038 in ?? ??:0
    #2 0x65ca2f in subtype_dealloc /home/test/check/PythonASAN/Objects/typeobject.c:1133
    #3 0x65ca2f in ?? ??:0
    #4 0x5d10da in frame_dealloc /home/test/check/PythonASAN/Objects/frameobject.c:423 (discriminator 5)
    #5 0x5d10da in ?? ??:0
    #6 0x5304c4 in tb_dealloc /home/test/check/PythonASAN/Python/traceback.c:55 (discriminator 5)
    #7 0x5304c4 in ?? ??:0
    #8 0x530456 in tb_dealloc /home/test/check/PythonASAN/Python/traceback.c:54 (discriminator 5)
    #9 0x530456 in ?? ??:0
    #10 0x530456 in tb_dealloc /home/test/check/PythonASAN/Python/traceback.c:54 (discriminator 5)
    #11 0x530456 in ?? ??:0
    #12 0x5b3b49 in BaseException_clear /home/test/check/PythonASAN/Objects/exceptions.c:76 (discriminator 5)
    #13 0x5b3b49 in ?? ??:0
    #14 0x5b3742 in BaseException_dealloc /home/test/check/PythonASAN/Objects/exceptions.c:86
    #15 0x5b3742 in ?? ??:0
    #16 0x656df9 in tupledealloc /home/test/check/PythonASAN/Objects/tupleobject.c:243 (discriminator 5)
    #17 0x656df9 in ?? ??:0
    #18 0x656df9 in tupledealloc /home/test/check/PythonASAN/Objects/tupleobject.c:243 (discriminator 5)
    #19 0x656df9 in ?? ??:0
    #20 0x5e5c19 in list_clear /home/test/check/PythonASAN/Objects/listobject.c:562 (discriminator 5)
    #21 0x5e5c19 in listclear /home/test/check/PythonASAN/Objects/listobject.c:763 (discriminator 5)
    #22 0x5e5c19 in ?? ??:0
    #23 0x632208 in _PyCFunction_FastCallDict /home/test/check/PythonASAN/Objects/methodobject.c:192
    #24 0x632208 in ?? ??:0
    #25 0x7a7751 in call_function /home/test/check/PythonASAN/Python/ceval.c:4788 (discriminator 17)
    #26 0x7a7751 in ?? ??:0
    #27 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #28 0x7995cc in ?? ??:0
    #29 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #30 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #31 0x7a9847 in ?? ??:0
    #32 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #33 0x7ac2ea in ?? ??:0
    #34 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #35 0x574668 in ?? ??:0
    #36 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #37 0x5749fa in ?? ??:0
    #38 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #39 0x573e9b in ?? ??:0
    #40 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #41 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #42 0x793369 in ?? ??:0
    #43 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #44 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #45 0x7a9847 in ?? ??:0
    #46 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #47 0x7ac2ea in ?? ??:0
    #48 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #49 0x574668 in ?? ??:0
    #50 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #51 0x5749fa in ?? ??:0
    #52 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #53 0x573e9b in ?? ??:0
    #54 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #55 0x66efe4 in ?? ??:0
    #56 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #57 0x5745f0 in ?? ??:0
    #58 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #59 0x7a7429 in ?? ??:0
    #60 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #61 0x7995cc in ?? ??:0
    #62 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #63 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #64 0x7a9847 in ?? ??:0
    #65 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #66 0x7ac2ea in ?? ??:0
    #67 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #68 0x574668 in ?? ??:0
    #69 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #70 0x5749fa in ?? ??:0
    #71 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #72 0x573e9b in ?? ??:0
    #73 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #74 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #75 0x793369 in ?? ??:0
    #76 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #77 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #78 0x7a9847 in ?? ??:0
    #79 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #80 0x7ac2ea in ?? ??:0
    #81 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #82 0x574668 in ?? ??:0
    #83 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #84 0x5749fa in ?? ??:0
    #85 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #86 0x573e9b in ?? ??:0
    #87 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #88 0x66efe4 in ?? ??:0
    #89 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #90 0x5745f0 in ?? ??:0
    #91 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #92 0x7a7429 in ?? ??:0
    #93 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #94 0x7995cc in ?? ??:0
    #95 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #96 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #97 0x7a9847 in ?? ??:0
    #98 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #99 0x7ac2ea in ?? ??:0
    #100 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #101 0x574668 in ?? ??:0
    #102 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #103 0x5749fa in ?? ??:0
    #104 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #105 0x573e9b in ?? ??:0
    #106 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #107 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #108 0x793369 in ?? ??:0
    #109 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #110 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #111 0x7a9847 in ?? ??:0
    #112 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #113 0x7ac2ea in ?? ??:0
    #114 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #115 0x574668 in ?? ??:0
    #116 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #117 0x5749fa in ?? ??:0
    #118 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #119 0x573e9b in ?? ??:0
    #120 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #121 0x66efe4 in ?? ??:0
    #122 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #123 0x5745f0 in ?? ??:0
    #124 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #125 0x7a7429 in ?? ??:0
    #126 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #127 0x7995cc in ?? ??:0
    #128 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #129 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #130 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #131 0x7ab4cb in ?? ??:0
    #132 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #133 0x7a76f2 in ?? ??:0
    #134 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #135 0x7995cc in ?? ??:0
    #136 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #137 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #138 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #139 0x7ab4cb in ?? ??:0
    #140 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #141 0x7a76f2 in ?? ??:0
    #142 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #143 0x7995cc in ?? ??:0
    #144 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #145 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #146 0x7a9847 in ?? ??:0
    #147 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #148 0x7ac2ea in ?? ??:0
    #149 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #150 0x574668 in ?? ??:0
    #151 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #152 0x5749fa in ?? ??:0
    #153 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #154 0x573e9b in ?? ??:0
    #155 0x6713f8 in slot_tp_init /home/test/check/PythonASAN/Objects/typeobject.c:6380
    #156 0x6713f8 in ?? ??:0
    #157 0x666d8d in type_call /home/test/check/PythonASAN/Objects/typeobject.c:915 (discriminator 1)
    #158 0x666d8d in ?? ??:0
    #159 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #160 0x5745f0 in ?? ??:0
    #161 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #162 0x7a7429 in ?? ??:0
    #163 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #164 0x7995cc in ?? ??:0
    #165 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #166 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #167 0x7a9847 in ?? ??:0
    #168 0x78e0df in PyEval_EvalCodeEx /home/test/check/PythonASAN/Python/ceval.c:4140
    #169 0x78e0df in PyEval_EvalCode /home/test/check/PythonASAN/Python/ceval.c:695
    #170 0x78e0df in ?? ??:0
    #171 0x5142f5 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:980
    #172 0x5142f5 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
    #173 0x5142f5 in ?? ??:0
    #174 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
    #175 0x512afa in ?? ??:0
    #176 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
    #177 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
    #178 0x53eefd in ?? ??:0
    #179 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
    #180 0x503d16 in ?? ??:0
    #181 0x7f62bf5d482f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #182 0x7f62bf5d482f in ?? ??:0
    #183 0x432548 in _start ??:?
    #184 0x432548 in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/test/check/PythonASAN/python+0x543038)
==18094==ABORTING
History
Date User Action Args
2017-02-08 15:00:01matrixisesetstatus: open -> closed
stage: resolved
2017-02-08 14:56:17christian.heimessetpriority: normal -> low
type: security -> behavior
components: + Extension Modules, - Interpreter Core
2017-02-08 14:50:45beginvulncreate