This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Classification
Title: Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault
Type: security
Stage: resolved
Components: Interpreter Core
Versions: Python 3.9

Process
Status: closed
Resolution: not a bug
Dependencies: (none)
Superseder: (none)
Assigned To: (none)
Nosy List: benjamin.peterson, christian.heimes, ggbang, pablogsal, pitrou, vstinner
Priority: normal
Keywords: (none)

Created on 2020-01-02 14:55 by ggbang, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Files
File name  | Uploaded                 | Description
c1         | ggbang, 2020-01-02 14:55 | crash_file_pyc
crashc1.md | ggbang, 2020-01-02 14:56 | analysis
Messages (5)
msg359199 - Author: ggbang (ggbang) Date: 2020-01-02 14:55
python version:
Python 3.9.0a2 (default, Dec 25 2019, 20:42:47)
[GCC 7.5.0] on linux

crash log:
```
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x5555555afb88 <_PyEval_EvalFrameDefault+4056> mov    rdx, QWORD PTR [rsi+rdx*8+0x18]
   0x5555555afb8d <_PyEval_EvalFrameDefault+4061> add    QWORD PTR [rdx], 0x1
   0x5555555afb91 <_PyEval_EvalFrameDefault+4065> test   eax, eax
 → 0x5555555afb93 <_PyEval_EvalFrameDefault+4067> mov    QWORD PTR [rcx], rdx
   0x5555555afb96 <_PyEval_EvalFrameDefault+4070> jne    0x5555555af226 <_PyEval_EvalFrameDefault+1654>
   0x5555555afb9c <_PyEval_EvalFrameDefault+4076> mov    rdx, r12
   0x5555555afb9f <_PyEval_EvalFrameDefault+4079> sub    rdx, QWORD PTR [rsp+0x8]
   0x5555555afba4 <_PyEval_EvalFrameDefault+4084> add    r12, 0x2
   0x5555555afba8 <_PyEval_EvalFrameDefault+4088> mov    DWORD PTR [rbx+0x68], edx
───────────────────────────────────────────────────────────────────────────────────────────────────────────── source:Python/ceval.c+1352 ────
   1347	 
   1348	         case TARGET(LOAD_CONST): {
   1349	             PREDICTED(LOAD_CONST);
   1350	             PyObject *value = GETITEM(consts, oparg);
   1351	             Py_INCREF(value);
 → 1352	             PUSH(value);
   1353	             FAST_DISPATCH();
   1354	         }
   1355	 
   1356	         case TARGET(STORE_FAST): {
   1357	             PREDICTED(STORE_FAST);
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "python", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555555afb93 → _PyEval_EvalFrameDefault(f=<optimized out>, throwflag=<optimized out>)
[#1] 0x55555568ad59 → _PyEval_EvalFrame(tstate=0x555555b237b0, throwflag=0x0, f=0x7ffff7eee440)
[#2] 0x55555568ad59 → _PyEval_EvalCode(tstate=0x555555b237b0, _co=0x7ffff7ebdd40, globals=0x7ffff7f12480, locals=0x7ffff7f12480, args=0x0, argcount=0x0, kwnames=0x0, kwargs=0x0, kwcount=0x0, kwstep=0x2, defs=0x0, defcount=0x0, kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0)
[#3] 0x55555568b0c6 → _PyEval_EvalCodeWithName(qualname=0x0, name=0x0, closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwstep=0x2, kwcount=0x0, kwargs=0x0, kwnames=0x0, argcount=0x0, args=0x0, locals=0x7ffff7f12480, globals=0x7ffff7f12480, _co=0x7ffff7ebdd40)
[#4] 0x55555568b0c6 → PyEval_EvalCodeEx(closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwcount=0x0, kws=0x0, argcount=0x0, args=0x0, locals=0x7ffff7f12480, globals=0x7ffff7f12480, _co=0x7ffff7ebdd40)
[#5] 0x55555568b0c6 → PyEval_EvalCode(co=0x7ffff7ebdd40, globals=0x7ffff7f12480, locals=0x7ffff7f12480)
[#6] 0x5555556d6f1e → run_eval_code_obj(locals=0x7ffff7f12480, globals=0x7ffff7f12480, co=0x7ffff7ebdd40)
[#7] 0x5555556d6f1e → run_pyc_file(filename=<optimized out>, flags=0x7fffffffdc68, locals=0x7ffff7f12480, globals=0x7ffff7f12480, fp=0x555555b85360)
[#8] 0x5555556d6f1e → PyRun_SimpleFileExFlags(flags=<optimized out>, closeit=<optimized out>, filename=<optimized out>, fp=<optimized out>)
[#9] 0x5555556d6f1e → PyRun_SimpleFileEx(f=<optimized out>, p=<optimized out>, c=<optimized out>)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
_PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:1352
1352	            PUSH(value);
gef➤  exploitable
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: f01ce56ffe2792b45d9959e69a1ae15d.6dcf66201de3c2adc2e25e04dbdb55e8
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: AccessViolation (21/22)
```
msg359230 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2020-01-03 11:14
It seems what you're saying is that one can crash Python by crafting deliberately incorrect bytecode.  If so, then I'm afraid it's something we won't consider fixing.
msg359232 - Author: ggbang (ggbang) Date: 2020-01-03 11:53
Hello, if crafting deliberately incorrect bytecode could control the EIP of the Python interpreter, is it in scope to fix? Thanks.
msg359237 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2020-01-03 14:57
I don't think so. I'll let others confirm.
msg359238 - Author: Pablo Galindo Salgado (pablogsal) * (Python committer) Date: 2020-01-03 15:19
I concur with Antoine: the interpreter does not have any contract around crafting incorrect bytecode and evaluating it (and it will not, since by definition the bytecode created by the interpreter is (or should be) correct, and any extra check in this code path would impact performance notably).

I also have to say that I struggle to understand how to reproduce this or what is exactly the problem from your text and the files you attach.

Closing this as "not a bug". Feel free to re-open if you think we are missing something else.
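Since, as msg359238 says, the interpreter itself does no validation, anything that executes code objects it did not compile itself (for example .pyc files from an untrusted source) has to check them before calling them. The following is an added example written for this page, not code from CPython or from the reporter: it decodes wordcode and flags the out-of-range LOAD_CONST index visible in the crash quoted in msg359199, and a straight-line stack depth larger than co_stacksize, which is what PUSH() writing past the reserved value stack looks like statically. It assumes CPython 3.8+ wordcode (two bytes per unit, EXTENDED_ARG prefixes, CACHE slots on 3.11+) and only inspects the constructed sample bytes, never executes them.

```python
import dis

LOAD_CONST, RETURN_VALUE, EXTENDED_ARG = (dis.opmap[n] for n in ("LOAD_CONST", "RETURN_VALUE", "EXTENDED_ARG"))
CACHE = dis.opmap.get("CACHE", -1)  # inline cache slots exist only on 3.11+
JUMPS = {op for n in ("hasjrel", "hasjabs", "hasjump") for op in getattr(dis, n, ())}
HASARG = set(getattr(dis, "hasarg", ())) or set(range(dis.HAVE_ARGUMENT, 256))


def decode(co_code: bytes):
    """Yield (offset, opcode, oparg) from wordcode (two bytes per unit),
    folding EXTENDED_ARG prefixes and skipping inline CACHE slots."""
    ext = 0
    for off in range(0, len(co_code) - 1, 2):
        op, arg = co_code[off], co_code[off + 1]
        if op == CACHE:
            continue
        if op == EXTENDED_ARG:
            ext = (ext | arg) << 8
            continue
        yield off, op, ext | arg
        ext = 0


def check_bytecode(co_code: bytes, consts: tuple, stacksize: int) -> list:
    """Static checks on code-object fields; returns findings (empty = nothing found).
    Depth is tracked only up to the first jump: beyond that a real verifier needs a CFG."""
    findings, depth, straight = [], 0, True
    for off, op, arg in decode(co_code):
        if op == LOAD_CONST and arg >= len(consts):  # msg359199: GETITEM reads past co_consts
            findings.append(f"offset {off}: LOAD_CONST {arg} out of range, len(co_consts)={len(consts)}")
        straight = straight and op not in JUMPS
        if not straight:
            continue
        try:
            depth += dis.stack_effect(op, arg if op in HASARG else None)
        except ValueError as exc:  # unknown opcode or malformed oparg
            findings.append(f"offset {off}: opcode {op}: {exc}")
            break
        if not 0 <= depth <= stacksize:  # PUSH()/POP() would leave the reserved value stack
            findings.append(f"offset {off}: stack depth {depth} outside [0, co_stacksize={stacksize}]")
            break
    return findings


def check_code(co) -> list:
    return check_bytecode(co.co_code, co.co_consts, co.co_stacksize)


# Constructed samples (not from the report): two constants, one reserved value-stack slot.
CONSTS, STACKSIZE = (None, 1), 1
BAD_INDEX = bytes([LOAD_CONST, 200, RETURN_VALUE, 0])  # oparg 200 indexes past co_consts
BAD_DEPTH = bytes([LOAD_CONST, 1] * 3 + [RETURN_VALUE, 0])  # three pushes into one slot
GOOD = compile("x = 1 + 2", "<constructed>", "exec")  # compiler output passes both checks
```

The index check is cheap, but the depth check is only sound for straight-line code; a complete verifier has to walk the control-flow graph the way the compiler's own stack-depth pass does.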
History
Date                | User      | Action | Args
2022-04-11 14:59:24 | admin     | set    | github: 83374
2020-01-03 15:19:20 | pablogsal | set    | status: open -> closed; nosy: + pablogsal; messages: + msg359238; resolution: not a bug; stage: resolved
2020-01-03 14:57:13 | pitrou    | set    | nosy: + vstinner, christian.heimes; messages: + msg359237
2020-01-03 11:53:21 | ggbang    | set    | messages: + msg359232
2020-01-03 11:14:26 | pitrou    | set    | nosy: + benjamin.peterson
2020-01-03 11:14:01 | pitrou    | set    | nosy: + pitrou; messages: + msg359230
2020-01-02 14:56:42 | ggbang    | set    | files: + crashc1.md
2020-01-02 14:55:57 | ggbang    | create |