classification
Title: AddressSanitizer: SEGV on unknown address 0x0000000028cb
Type: behavior
Stage: resolved
Components: Extension Modules
Versions: Python 3.6
process
Status: closed
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: beginvuln
Priority: low
Keywords:

Created on 2017-02-08 14:57 by beginvuln, last changed 2017-02-08 15:00 by matrixise. This issue is now closed.

Files
File name: strlen_76
Uploaded: beginvuln, 2017-02-08 14:57
Description: PoC
Messages (1)
msg287340 - Author: BeginVuln (beginvuln) Date: 2017-02-08 14:57
OS Version : Ubuntu 16.04 LTS
Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

Python version : 3.6.0

Normal build cmd:
./configure
make

Asan build cmd:
export CC="/usr/bin/clang -fsanitize=address"
export CXX="/usr/bin/clang++ -fsanitize=address"
./configure
make

GDB with exploitable:

To enable execution of this file add
	add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
line to your configuration file "/home/test/.gdbinit".
To completely disable this security protection add
	set auto-load safe-path /
line to your configuration file "/home/test/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
	info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
Description: Access violation near NULL on source operand
Short description: SourceAvNearNull (16/22)
Hash: 887855ab5f56908afba8d62b6a25a6db.02c83d5748e9f8196679750a04737f93
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.
Other tags: AccessViolation (21/22)


ASAN:

sEASAN:DEADLYSIGNAL
=================================================================
==18621==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000028cb (pc 0x7f1572e57d16 bp 0x7ffeaf5703d0 sp 0x7ffeaf56fb68 T0)
    #0 0x7f1572e57d15 in strlen /build/glibc-GKVZIf/glibc-2.23/string/../sysdeps/x86_64/strlen.S:76
    #1 0x7f1572e57d15 in ?? ??:0
    #2 0x44ffac in __interceptor_strlen.part.45 asan_interceptors.cc.o:?
    #3 0x44ffac in ?? ??:0
    #4 0x7f156c4cdf5c in string_at /home/test/check/PythonASAN/Modules/_ctypes/_ctypes.c:5226
    #5 0x7f156c4cdf5c in ?? ??:0
    #6 0x7f156c2ade3f in ffi_call_unix64 ??:?
    #7 0x7f156c2ade3f in ?? ??:0
    #8 0x7f156c2ad8aa in ffi_call ??:?
    #9 0x7f156c2ad8aa in ?? ??:0
    #10 0x7f156c4db311 in _call_function_pointer /home/test/check/PythonASAN/Modules/_ctypes/callproc.c:809
    #11 0x7f156c4db311 in _ctypes_callproc /home/test/check/PythonASAN/Modules/_ctypes/callproc.c:1147
    #12 0x7f156c4db311 in ?? ??:0
    #13 0x7f156c4ca199 in PyCFuncPtr_call /home/test/check/PythonASAN/Modules/_ctypes/_ctypes.c:3870
    #14 0x7f156c4ca199 in ?? ??:0
    #15 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #16 0x5745f0 in ?? ??:0
    #17 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #18 0x7a7429 in ?? ??:0
    #19 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #20 0x7995cc in ?? ??:0
    #21 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #22 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #23 0x7a9847 in ?? ??:0
    #24 0x7ab648 in fast_function /home/test/check/PythonASAN/Python/ceval.c:4929 (discriminator 1)
    #25 0x7ab648 in ?? ??:0
    #26 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #27 0x7a76f2 in ?? ??:0
    #28 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #29 0x7995cc in ?? ??:0
    #30 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #31 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #32 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #33 0x7ab4cb in ?? ??:0
    #34 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #35 0x7a76f2 in ?? ??:0
    #36 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #37 0x7995cc in ?? ??:0
    #38 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #39 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #40 0x7a9847 in ?? ??:0
    #41 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #42 0x7ac2ea in ?? ??:0
    #43 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #44 0x574668 in ?? ??:0
    #45 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #46 0x5749fa in ?? ??:0
    #47 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #48 0x573e9b in ?? ??:0
    #49 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #50 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #51 0x793369 in ?? ??:0
    #52 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #53 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #54 0x7a9847 in ?? ??:0
    #55 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #56 0x7ac2ea in ?? ??:0
    #57 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #58 0x574668 in ?? ??:0
    #59 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #60 0x5749fa in ?? ??:0
    #61 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #62 0x573e9b in ?? ??:0
    #63 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #64 0x66efe4 in ?? ??:0
    #65 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #66 0x5745f0 in ?? ??:0
    #67 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #68 0x7a7429 in ?? ??:0
    #69 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #70 0x7995cc in ?? ??:0
    #71 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #72 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #73 0x7a9847 in ?? ??:0
    #74 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #75 0x7ac2ea in ?? ??:0
    #76 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #77 0x574668 in ?? ??:0
    #78 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #79 0x5749fa in ?? ??:0
    #80 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #81 0x573e9b in ?? ??:0
    #82 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #83 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #84 0x793369 in ?? ??:0
    #85 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #86 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #87 0x7a9847 in ?? ??:0
    #88 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #89 0x7ac2ea in ?? ??:0
    #90 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #91 0x574668 in ?? ??:0
    #92 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #93 0x5749fa in ?? ??:0
    #94 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #95 0x573e9b in ?? ??:0
    #96 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #97 0x66efe4 in ?? ??:0
    #98 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #99 0x5745f0 in ?? ??:0
    #100 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #101 0x7a7429 in ?? ??:0
    #102 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #103 0x7995cc in ?? ??:0
    #104 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #105 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #106 0x7a9847 in ?? ??:0
    #107 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #108 0x7ac2ea in ?? ??:0
    #109 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #110 0x574668 in ?? ??:0
    #111 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #112 0x5749fa in ?? ??:0
    #113 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #114 0x573e9b in ?? ??:0
    #115 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #116 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #117 0x793369 in ?? ??:0
    #118 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #119 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #120 0x7a9847 in ?? ??:0
    #121 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #122 0x7ac2ea in ?? ??:0
    #123 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #124 0x574668 in ?? ??:0
    #125 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #126 0x5749fa in ?? ??:0
    #127 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #128 0x573e9b in ?? ??:0
    #129 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #130 0x66efe4 in ?? ??:0
    #131 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #132 0x5745f0 in ?? ??:0
    #133 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #134 0x7a7429 in ?? ??:0
    #135 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #136 0x7995cc in ?? ??:0
    #137 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #138 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #139 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #140 0x7ab4cb in ?? ??:0
    #141 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #142 0x7a76f2 in ?? ??:0
    #143 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #144 0x7995cc in ?? ??:0
    #145 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #146 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #147 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #148 0x7ab4cb in ?? ??:0
    #149 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #150 0x7a76f2 in ?? ??:0
    #151 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #152 0x7995cc in ?? ??:0
    #153 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #154 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #155 0x7a9847 in ?? ??:0
    #156 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #157 0x7ac2ea in ?? ??:0
    #158 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #159 0x574668 in ?? ??:0
    #160 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #161 0x5749fa in ?? ??:0
    #162 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #163 0x573e9b in ?? ??:0
    #164 0x6713f8 in slot_tp_init /home/test/check/PythonASAN/Objects/typeobject.c:6380
    #165 0x6713f8 in ?? ??:0
    #166 0x666d8d in type_call /home/test/check/PythonASAN/Objects/typeobject.c:915 (discriminator 1)
    #167 0x666d8d in ?? ??:0
    #168 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #169 0x5745f0 in ?? ??:0
    #170 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #171 0x7a7429 in ?? ??:0
    #172 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #173 0x7995cc in ?? ??:0
    #174 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #175 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #176 0x7a9847 in ?? ??:0
    #177 0x78e0df in PyEval_EvalCodeEx /home/test/check/PythonASAN/Python/ceval.c:4140
    #178 0x78e0df in PyEval_EvalCode /home/test/check/PythonASAN/Python/ceval.c:695
    #179 0x78e0df in ?? ??:0
    #180 0x5142f5 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:980
    #181 0x5142f5 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
    #182 0x5142f5 in ?? ??:0
    #183 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
    #184 0x512afa in ?? ??:0
    #185 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
    #186 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
    #187 0x53eefd in ?? ??:0
    #188 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
    #189 0x503d16 in ?? ??:0
    #190 0x7f1572ded82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #191 0x7f1572ded82f in ?? ??:0
    #192 0x432548 in _start ??:?
    #193 0x432548 in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x8ad15)
==18621==ABORTING
History
Date User Action Args
2017-02-08 15:00:34 matrixise set status: open -> closed
    stage: resolved
2017-02-08 14:58:38 christian.heimes set priority: normal -> low
    type: security -> behavior
    components: + Extension Modules, - Interpreter Core
2017-02-08 14:57:54 beginvuln create