classification
Title: aarch64 python3 buffer overflow with stack protector on rpi3 (alpine linux)
Type: crash
Stage: resolved
Components: Interpreter Core
Versions: Python 3.6
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Natanael Copa, vstinner
Priority: normal
Keywords:

Created on 2019-02-25 16:58 by Natanael Copa, last changed 2019-10-23 00:22 by vstinner. This issue is now closed.

Files
File name  Uploaded  Description
strace.out  Natanael Copa, 2019-02-25 16:58  strace output
valgrind.out  Natanael Copa, 2019-02-25 17:15  valgrind report
Messages (5)
msg336540 - Author: Natanael Copa (Natanael Copa) Date: 2019-02-25 16:58
Alpine Linux's python 3.6.8 native build on aarch64 gets killed by stack protector when run on Raspberry Pi 3.

It does not happen when the same binary runs on packet.net's aarch64 machine.

I was able to get a backtrace by copying the core.

Core was generated by `python3'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000007f86e85d9c in a_crash () at ./src/internal/atomic.h:250
250     ./src/internal/atomic.h: No such file or directory.
(gdb) bt
#0  0x0000007f86e85d9c in a_crash () at ./src/internal/atomic.h:250
#1  __stack_chk_fail () at src/env/__stack_chk_fail.c:17
#2  0x0000007f86cbc068 in _PyObject_CallMethodId_SizeT (o=o@entry=0x7f86bb1a98, name=name@entry=0x7f86e1cb88 <PyId_writable.lto_priv.58>, 
    format=format@entry=0x0) at Objects/abstract.c:2677
#3  0x0000007f86d2fbb0 in _io_TextIOWrapper___init___impl (write_through=0, line_buffering=1, newline=<optimized out>, errors=0x7f86d6d810 "strict", 
    encoding=<optimized out>, buffer=0x7f86bb1a98, self=<optimized out>) at ./Modules/_io/textio.c:1017
#4  _io_TextIOWrapper___init__ (self=0x7f86b5e630, args=<optimized out>, kwargs=<optimized out>) at ./Modules/_io/clinic/textio.c.h:173
#5  0x0000007f86cabf94 in type_call (type=<optimized out>, args=0x7f86b2c0a0, kwds=0x0) at Objects/typeobject.c:915
#6  0x0000007f86c5f25c in PyObject_Call (func=0x7f86e083b0 <PyTextIOWrapper_Type>, args=<optimized out>, kwargs=kwargs@entry=0x0)
    at Objects/abstract.c:2261
#7  0x0000007f86c5f30c in call_function_tail (callable=callable@entry=0x7f86e083b0 <PyTextIOWrapper_Type>, args=<optimized out>, args@entry=0x7f86b2c0a0)
    at Objects/abstract.c:2512
#8  0x0000007f86c96d5c in callmethod (func=func@entry=0x7f86e083b0 <PyTextIOWrapper_Type>, format=format@entry=0x7f86d7d4de "OsssO", va=..., 
    is_size_t=is_size_t@entry=0) at Objects/abstract.c:2596
#9  0x0000007f86cbc8c8 in _PyObject_CallMethodId (o=o@entry=0x7f86adf098, name=name@entry=0x7f86e1e0c0 <PyId_TextIOWrapper.12349>, 
    format=format@entry=0x7f86d7d4de "OsssO") at Objects/abstract.c:2640
#10 0x0000007f86cd8dec in create_stdio (io=<optimized out>, fd=<optimized out>, write_mode=<optimized out>, name=<optimized out>, 
    encoding=<optimized out>, errors=<optimized out>, io=<optimized out>, fd=<optimized out>, write_mode=<optimized out>, name=<optimized out>, 
    encoding=<optimized out>, errors=<optimized out>) at Python/pylifecycle.c:1154
#11 0x0000007f86cd91b4 in initstdio () at Python/pylifecycle.c:1277
#12 0x0000007f86d419cc in _Py_InitializeEx_Private (install_sigs=<optimized out>, install_importlib=<optimized out>, install_sigs=<optimized out>, 
    install_importlib=<optimized out>) at Python/pylifecycle.c:449
#13 0x0000007f86d41a70 in Py_InitializeEx (install_sigs=install_sigs@entry=1) at Python/pylifecycle.c:470
#14 0x0000007f86d41a78 in Py_Initialize () at Python/pylifecycle.c:476
#15 0x0000007f86d42c74 in Py_Main (argc=1, argv=0x7f86f10f60) at Modules/main.c:700
#16 0x000000558291db34 in main (argc=1, argv=0x7feb5b3e48) at ./Programs/python.c:69




Downstream reports:
https://bugs.alpinelinux.org/issues/9981
https://github.com/gliderlabs/docker-alpine/issues/486
msg336542 - Author: Natanael Copa (Natanael Copa) Date: 2019-02-25 17:08
Interestingly, it does not crash when I run python in valgrind.
msg336543 - Author: Natanael Copa (Natanael Copa) Date: 2019-02-25 17:15
Valgrind claims there are some uses of uninitialized values.
msg336545 - Author: Natanael Copa (Natanael Copa) Date: 2019-02-25 17:49
It seems like python 3.7.2 works. Any idea which commit(s) may have fixed it?
msg355196 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-10-23 00:22
> It seems like python 3.7.2 works.

So yeah, use Python 3.7 or newer. Python 3.8 has been released ;-)

> Any idea which commit(s) may have fixed it?

I have no idea.
History
Date  User  Action  Args
2019-10-23 00:22:49  vstinner  set  status: open -> closed; nosy: + vstinner; messages: + msg355196; resolution: fixed; stage: resolved
2019-02-25 18:23:10  Natanael Copa  set  type: crash
2019-02-25 17:49:57  Natanael Copa  set  messages: + msg336545
2019-02-25 17:15:40  Natanael Copa  set  files: + valgrind.out; messages: + msg336543
2019-02-25 17:08:23  Natanael Copa  set  messages: + msg336542
2019-02-25 16:58:04  Natanael Copa  create