Classification
Title: AddressSanitizer: heap-buffer-overflow on address 0x61600004a982
Type: behavior
Stage: resolved
Components: Extension Modules
Versions: Python 3.6
Process
Status: closed
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: beginvuln
Priority: low
Keywords:

Created on 2017-02-08 14:57 by beginvuln, last changed 2017-02-08 15:42 by matrixise. This issue is now closed.

Files
File name: peephole_101
Uploaded: beginvuln, 2017-02-08 14:57
Description: PoC
Messages (1)
msg287339 - Author: BeginVuln (beginvuln) Date: 2017-02-08 14:57
OS Version : Ubuntu 16.04 LTS
Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

Python version : 3.6.0

Normal build cmd:
./configure
make

ASan build cmd:
export CC="/usr/bin/clang -fsanitize=address"
export CXX="/usr/bin/clang++ -fsanitize=address"
./configure
make

GDB with exploitable:

To enable execution of this file add
	add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
line to your configuration file "/home/test/.gdbinit".
To completely disable this security protection add
	set auto-load safe-path /
line to your configuration file "/home/test/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
	info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 1 (process 19456) exited normally]


ASAN:

=================================================================
==18010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600004a982 at pc 0x000000830a11 bp 0x7fff6131b9b0 sp 0x7fff6131b9a8
READ of size 2 at 0x61600004a982 thread T0
    #0 0x830a10 in find_op /home/test/check/PythonASAN/Python/peephole.c:101 (discriminator 1)
    #1 0x830a10 in PyCode_Optimize /home/test/check/PythonASAN/Python/peephole.c:712 (discriminator 1)
    #2 0x830a10 in ?? ??:0
    #3 0x7ccf6c in makecode /home/test/check/PythonASAN/Python/compile.c:5249
    #4 0x7ccf6c in assemble /home/test/check/PythonASAN/Python/compile.c:5367
    #5 0x7ccf6c in ?? ??:0
    #6 0x7d0a09 in compiler_function /home/test/check/PythonASAN/Python/compile.c:1886
    #7 0x7d0a09 in ?? ??:0
    #8 0x7b0923 in compiler_body /home/test/check/PythonASAN/Python/compile.c:1463
    #9 0x7b0923 in ?? ??:0
    #10 0x7ae107 in compiler_mod /home/test/check/PythonASAN/Python/compile.c:1483
    #11 0x7ae107 in PyAST_CompileObject /home/test/check/PythonASAN/Python/compile.c:341
    #12 0x7ae107 in ?? ??:0
    #13 0x5142d8 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:977
    #14 0x5142d8 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
    #15 0x5142d8 in ?? ??:0
    #16 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
    #17 0x512afa in ?? ??:0
    #18 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
    #19 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
    #20 0x53eefd in ?? ??:0
    #21 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
    #22 0x503d16 in ?? ??:0
    #23 0x7f5554ba782f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #24 0x7f5554ba782f in ?? ??:0
    #25 0x432548 in _start ??:?
    #26 0x432548 in ?? ??:0

0x61600004a982 is located 0 bytes to the right of 514-byte region [0x61600004a780,0x61600004a982)
allocated by thread T0 here:
    #0 0x4d2678 in malloc ??:?
    #1 0x4d2678 in ?? ??:0
    #2 0x508c35 in PyMem_RawMalloc /home/test/check/PythonASAN/Objects/obmalloc.c:386
    #3 0x508c35 in _PyObject_Alloc /home/test/check/PythonASAN/Objects/obmalloc.c:1427
    #4 0x508c35 in ?? ??:0

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test/check/PythonASAN/python+0x830a10)
Shadow bytes around the buggy address:
  0x0c2c800014e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800014f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c80001530:[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80001540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80001550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18010==ABORTING
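A small triage helper, added here as an example and not part of the issue or of CPython: it parses the key lines of an ASan heap report like the one above and works out where the faulting access sits relative to the allocated region. The sample input is a constructed, trimmed copy of the report in this issue; on it the 2-byte READ starts 0 bytes past the end of the 514-byte region, i.e. one 2-byte unit beyond the buffer's last element, in find_op at peephole.c:101.

```python
import re

# Constructed sample input: a trimmed copy of the ASan report in the issue above.
SAMPLE_REPORT = """\
==18010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600004a982 at pc 0x000000830a11 bp 0x7fff6131b9b0 sp 0x7fff6131b9a8
READ of size 2 at 0x61600004a982 thread T0
    #0 0x830a10 in find_op /home/test/check/PythonASAN/Python/peephole.c:101 (discriminator 1)
    #1 0x830a10 in PyCode_Optimize /home/test/check/PythonASAN/Python/peephole.c:712 (discriminator 1)
    #2 0x830a10 in ?? ??:0
0x61600004a982 is located 0 bytes to the right of 514-byte region [0x61600004a780,0x61600004a982)
allocated by thread T0 here:
    #0 0x4d2678 in malloc ??:?
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)", re.M)
REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def parse_asan_report(text):
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a recognisable ASan heap report")
    # The access stack precedes the allocation stack; use only the former and
    # skip unsymbolised "?? ??:0" frames to find the first real source location.
    access_stack = text.split("allocated by", 1)[0]
    frame = next(
        ((fn, path, int(line)) for fn, path, line in FRAME_RE.findall(access_stack) if path != "??"),
        None,
    )
    addr = int(header.group(2), 16)
    size, start, end = int(region.group(1)), int(region.group(2), 16), int(region.group(3), 16)
    # Where the faulting address lies relative to the allocation [start, end).
    if addr >= end:
        position = ("right", addr - end)
    elif addr < start:
        position = ("left", start - addr)
    else:
        position = ("inside", addr - start)
    return {
        "kind": header.group(1),
        "access": access.group(1),
        "access_size": int(access.group(2)),
        "region_size": size,
        "position": position,  # (side, byte distance from the region edge)
        "frame": frame,        # (function, file, line) of first symbolised frame
    }
```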
History
2017-02-08 15:42:32  matrixise  set  status: open -> closed
2017-02-08 15:41:51  matrixise  set  status: closed -> open
2017-02-08 14:59:02  matrixise  set  status: open -> closed; stage: resolved
2017-02-08 14:57:46  christian.heimes  set  priority: normal -> low; type: security -> behavior; components: + Extension Modules, - Interpreter Core
2017-02-08 14:57:10  beginvuln  create