classification
Title: AddressSanitizer: SEGV on unknown address 0x01ffe96de071
Type: behavior
Stage: resolved
Components: Extension Modules
Versions: Python 3.6
process
Status: closed
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: beginvuln
Priority: low
Keywords:

Created on 2017-02-08 14:53 by beginvuln, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name: longobj_408
Uploaded: beginvuln, 2017-02-08 14:53
Description: PoC
Messages (1)
msg287335 - Author: BeginVuln (beginvuln) Date: 2017-02-08 14:53
OS Version : Ubuntu 16.04 LTS
Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

Python version : 3.6.0

Normal build cmd : 
./configure 
make

Asan build cmd:
export CC="/usr/bin/clang -fsanitize=address"
export CXX="/usr/bin/clang++ -fsanitize=address"
./configure
make

GDB with exploitable:

To enable execution of this file add
	add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
line to your configuration file "/home/test/.gdbinit".
To completely disable this security protection add
	set auto-load safe-path /
line to your configuration file "/home/test/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
	info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 1 (process 19429) exited with code 01]


ASAN:

ASAN:DEADLYSIGNAL
=================================================================
==18136==ERROR: AddressSanitizer: SEGV on unknown address 0x01ffe96de071 (pc 0x0000005e9305 bp 0x7ffc234b3300 sp 0x7ffc234b3240 T0)
    #0 0x5e9304 in PyLong_AsLongAndOverflow /home/test/check/PythonASAN/Objects/longobject.c:408
    #1 0x5e9304 in ?? ??:0
    #2 0x5e9658 in PyLong_AsLong /home/test/check/PythonASAN/Objects/longobject.c:474 (discriminator 1)
    #3 0x5e9658 in ?? ??:0
    #4 0x7fda5a8bfe3f in ffi_call_unix64 ??:?
    #5 0x7fda5a8bfe3f in ?? ??:0
    #6 0x7fda5a8bf8aa in ffi_call ??:?
    #7 0x7fda5a8bf8aa in ?? ??:0
    #8 0x7fda5aaed311 in _call_function_pointer /home/test/check/PythonASAN/Modules/_ctypes/callproc.c:809
    #9 0x7fda5aaed311 in _ctypes_callproc /home/test/check/PythonASAN/Modules/_ctypes/callproc.c:1147
    #10 0x7fda5aaed311 in ?? ??:0
    #11 0x7fda5aadc199 in PyCFuncPtr_call /home/test/check/PythonASAN/Modules/_ctypes/_ctypes.c:3870
    #12 0x7fda5aadc199 in ?? ??:0
    #13 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #14 0x5745f0 in ?? ??:0
    #15 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #16 0x7a7429 in ?? ??:0
    #17 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #18 0x7995cc in ?? ??:0
    #19 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #20 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #21 0x7a9847 in ?? ??:0
    #22 0x78e15d in PyEval_EvalCodeEx /home/test/check/PythonASAN/Python/ceval.c:4140
    #23 0x78e15d in ?? ??:0
    #24 0x784f1a in builtin___build_class__ /home/test/check/PythonASAN/Python/bltinmodule.c:170
    #25 0x784f1a in ?? ??:0
    #26 0x631f93 in _PyCFunction_FastCallDict /home/test/check/PythonASAN/Objects/methodobject.c:231
    #27 0x631f93 in ?? ??:0
    #28 0x7a7751 in call_function /home/test/check/PythonASAN/Python/ceval.c:4788 (discriminator 17)
    #29 0x7a7751 in ?? ??:0
    #30 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #31 0x7995cc in ?? ??:0
    #32 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #33 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #34 0x7a9847 in ?? ??:0
    #35 0x78e0df in PyEval_EvalCodeEx /home/test/check/PythonASAN/Python/ceval.c:4140
    #36 0x78e0df in PyEval_EvalCode /home/test/check/PythonASAN/Python/ceval.c:695
    #37 0x78e0df in ?? ??:0
    #38 0x5142f5 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:980
    #39 0x5142f5 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
    #40 0x5142f5 in ?? ??:0
    #41 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
    #42 0x512afa in ?? ??:0
    #43 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
    #44 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
    #45 0x53eefd in ?? ??:0
    #46 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
    #47 0x503d16 in ?? ??:0
    #48 0x7fda5deaf82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #49 0x7fda5deaf82f in ?? ??:0
    #50 0x432548 in _start ??:?
    #51 0x432548 in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/test/check/PythonASAN/python+0x5e9304)
==18136==ABORTING
History
Date | User | Action | Args
2022-04-11 14:58:42 | admin | set | github: 73682
2017-02-08 14:59:17 | matrixise | set | status: open -> closed; stage: resolved
2017-02-08 14:56:47 | christian.heimes | set | priority: normal -> low; type: security -> behavior; components: + Extension Modules, - Interpreter Core
2017-02-08 14:53:50 | beginvuln | create |