
classification
Title: Lack of proper checking in PyObject_SetAttr leads to segmentation fault
Type: security
Stage: resolved
Components: Interpreter Core
Versions: Python 3.6
process
Status: closed
Resolution: not a bug
Dependencies:
Superseder:
Assigned To:
Nosy List: Iman Sharafaldin, Jeffrey.Kintscher, petr.viktorin
Priority: normal
Keywords:

Created on 2020-06-30 12:04 by Iman Sharafaldin, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Files
File name: PoC.pyc
Uploaded: Iman Sharafaldin, 2020-06-30 12:04
Description: Crash file
Messages (4)
msg372683 - Author: Iman Sharafaldin (Iman Sharafaldin) Date: 2020-06-30 12:04
I was testing the latest release of Python 3.6 (June 27, 2020) (https://www.python.org/ftp/python/3.6.11/Python-3.6.11.tgz) and I found that there is a lack of sufficient checks on line number 956 in the Objects/object.c file, which can cause a segmentation fault. It could lead to security-related issues. I've attached the PoC.pyc.


Program received signal SIGSEGV, Segmentation fault.
PyObject_SetAttr (v=v@entry=0x6d7373616c637463, name=0x7ffff7f75730, value=value@entry=0x0) at Objects/object.c:956
956	    PyTypeObject *tp = Py_TYPE(v);
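
A triage step for the backtrace above, as an added example that is not part of the original report or of CPython: it decodes each pointer argument in the quoted gdb frame as little-endian bytes and flags any that are entirely printable ASCII, which indicates that string data was used as an object pointer. The function names are hypothetical, and 8-byte little-endian pointers (x86-64) are assumed.

```python
import re

# The gdb frame line exactly as quoted in the report above.
FRAME = ("PyObject_SetAttr (v=v@entry=0x6d7373616c637463, name=0x7ffff7f75730, "
         "value=value@entry=0x0) at Objects/object.c:956")

# Matches "name=0x..." and "name=name@entry=0x..." as printed by gdb.
ARG_RE = re.compile(r"(\w+)=(?:\w+@entry=)?0x([0-9a-fA-F]+)")


def frame_args(line):
    """Return {argument name: integer value} for the hex arguments in a frame line."""
    return {name: int(value, 16) for name, value in ARG_RE.findall(line)}


def as_ascii(value, width=8):
    """Decode a pointer-sized value as little-endian bytes (assumed x86-64).

    Returns the text if every byte is printable ASCII, otherwise None.
    """
    raw = value.to_bytes(width, "little")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(line):
    """Classify each pointer argument of a gdb frame line."""
    report = {}
    for name, value in frame_args(line).items():
        text = as_ascii(value)
        if value == 0:
            report[name] = "NULL"
        elif text is not None:
            # A "pointer" made only of printable characters is data, not an address.
            report[name] = "ASCII data %r" % text
        else:
            report[name] = "address-like"
    return report


if __name__ == "__main__":
    for name, verdict in triage(FRAME).items():
        print(f"{name:6} {verdict}")
```

For the frame above, `v` decodes to the text `ctclassm`, so `Py_TYPE(v)` dereferenced string bytes rather than an object address.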
msg372792 - Author: Petr Viktorin (petr.viktorin) * (Python committer) Date: 2020-07-01 20:48
What kind of security-related issues do you mean? A .pyc file is code; it can do anything. Never run untrusted code, be it .py or .pyc.

See also: Lib/test/crashers/bogus_code_obj.py
msg374978 - Author: Jeffrey Kintscher (Jeffrey.Kintscher) * Date: 2020-08-07 05:53
Can you attach the Python source code for the PoC?
msg375184 - Author: Petr Viktorin (petr.viktorin) * (Python committer) Date: 2020-08-11 16:18
Closing; please re-open if you have more info.
History
Date User Action Args
2022-04-11 14:59:33 admin set github: 85340
2020-08-11 16:18:38 petr.viktorin set status: open -> closed; resolution: not a bug; messages: + msg375184; stage: resolved
2020-08-07 05:53:57 Jeffrey.Kintscher set messages: + msg374978
2020-08-07 05:52:49 Jeffrey.Kintscher set nosy: + Jeffrey.Kintscher
2020-07-01 20:48:14 petr.viktorin set nosy: + petr.viktorin; messages: + msg372792
2020-06-30 12:04:44 Iman Sharafaldin create