Python heap corruption issue #68210
Comments
Reported by "Hug Bounter" to security@

Hello, I would like to report a heap corruption issue in Python/Parser/tokenizer.c:922, affecting the latest Python 3.4.3 (from python.org) and also 2.7 (tested 2.7.9-r1 on Gentoo). The latest version available - 3.5.0a3 - is also affected. It doesn't seem to affect the 3.3 branch (tested with 3.3.5-r1 on Gentoo).

I tried to dig into the details of the bug and I have to admit defeat - the Python Parser is quite a complex beast... There seems to be a race condition involved as well, as the malformed script does not always result in a crash, sometimes producing the error below:

```
./python ~/Fuzz/crashes/python_stuff/heap_pattern.py
```

I acknowledge that the attack scenario is somewhat limited, because one has to be in a position to provide their own script for execution. Nevertheless, at the very least, a malicious user could crash the Python environment.

Depending on the particular script, ASAN detects it either as a 'heap-use-after-free' or a 'heap-buffer-overflow'. HEAP-BUFFER-OVERFLOW according to ASAN:

```
$ ./python ~/heap3.py
=================================================================
0x62500001e0ff is located 1 bytes to the left of 8192-byte region [0x62500001e100,0x625000020100)
SUMMARY: AddressSanitizer: heap-buffer-overflow Parser/tokenizer.c:1021 tok_nextc
```

Below is an example of ASAN detecting a 'use-after-free':

```
./python ~/heap4_asan.py
0x62500001e101 is located 1 bytes inside of 8192-byte region [0x62500001e100,0x625000020100)
previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-use-after-free Parser/tokenizer.c:902 tok_nextc
```

Without AddressSanitizer, this particular script does not crash, but causes one of two errors:

```
File "/home/user/heap4_asan.py", line 5
```

or:

```
File "/home/user/heap4_asan.py", line 5
```

In all cases, the crash always occurs in Parser/tokenizer.c at line no. 922, where *tok->cur is incremented regardless of where it currently points. Eventually, it will reach the heap boundary and the *tok->cur++ will cause Python to crash:

```
Program received signal SIGSEGV, Segmentation fault.
```

A sample GDB session can be found below:

```
$ gdb --args ./python ~/heap1.py
GNU gdb (Gentoo 7.9 vanilla) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./python...done.
warning: File "/home/user/Fuzz/targets/Python-3.4.3/python-gdb.py" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
To enable execution of this file add
add-auto-load-safe-path /home/user/Fuzz/targets/Python-3.4.3/python-gdb.py
line to your configuration file "/home/user/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/user/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
info "(gdb)Auto-loading safe path"
gdb-peda$ r
Starting program: /home/user/Fuzz/targets/Python-3.4.3/python /home/user/heap1.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
```

Thank you for reading this.
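As an added illustration, not the CPython tokenizer's code and not the fix that landed for this issue, the C program below models a tokenizer cursor of the kind the report describes and enforces the two invariants whose violation ASAN reports as heap-buffer-overflow and heap-use-after-free: `cur` is only dereferenced and advanced while it is strictly below `inp`, and `cur`/`inp` are re-based on the new block after every realloc. The `tok_state` struct (its field names borrowed from the report), the functions `tok_fill`, `tok_nextc`, `tok_drain_count` and `tok_roundtrip_ok`, and the sample input are all constructed for this example and say nothing about the real root cause of this issue.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tokenizer state. Field names follow the report's description
 * (buf/cur/inp) but this is not CPython's struct tok_state. */
typedef struct {
    char *buf;        /* start of the heap buffer holding source text */
    char *cur;        /* next character to hand out */
    char *inp;        /* one past the last valid byte in buf */
    char *end;        /* one past the allocated space */
    const char *src;  /* remaining in-memory "file" contents (constructed) */
    size_t src_left;  /* bytes of src not yet copied into buf */
} tok_state;

#define TOK_EOF (-1)
#define FILL_CHUNK 4  /* deliberately small so realloc happens on short input */

static int tok_init(tok_state *tok, const char *src, size_t cap)
{
    if (cap == 0) cap = 1;
    tok->buf = malloc(cap);
    if (tok->buf == NULL) return -1;
    tok->cur = tok->inp = tok->buf;
    tok->end = tok->buf + cap;
    tok->src = src;
    tok->src_left = strlen(src);
    return 0;
}

/* Copy up to FILL_CHUNK more bytes into buf, growing it when needed.
 * The offsets of cur and inp are saved before realloc and re-based after
 * it, so no pointer into the old (freed) block survives; a stale cur is
 * exactly what ASAN reports as a heap-use-after-free.
 * Returns 1 if bytes were added, 0 at end of source, -1 on allocation failure. */
static int tok_fill(tok_state *tok)
{
    size_t n = FILL_CHUNK;
    if (tok->src_left == 0) return 0;
    if (n > tok->src_left) n = tok->src_left;

    size_t used = (size_t)(tok->inp - tok->buf);
    size_t curoff = (size_t)(tok->cur - tok->buf);
    size_t cap = (size_t)(tok->end - tok->buf);
    if (used + n > cap) {
        size_t newcap = cap * 2 + n;
        char *nb = realloc(tok->buf, newcap);
        if (nb == NULL) return -1;
        tok->buf = nb;
        tok->cur = nb + curoff;   /* re-base: never keep the old pointer */
        tok->inp = nb + used;
        tok->end = nb + newcap;
    }
    memcpy(tok->inp, tok->src, n);
    tok->inp += n;
    tok->src += n;
    tok->src_left -= n;
    return 1;
}

/* Return the next byte or TOK_EOF. cur is only advanced while cur < inp,
 * so it cannot walk off the end of buf the way an unchecked *tok->cur++ can. */
static int tok_nextc(tok_state *tok)
{
    if (tok->cur >= tok->inp) {
        if (tok_fill(tok) <= 0) return TOK_EOF;
    }
    return (unsigned char)*tok->cur++;
}

static void tok_free(tok_state *tok)
{
    free(tok->buf);
    tok->buf = tok->cur = tok->inp = tok->end = NULL;
}

/* Drain src through the tokenizer starting from a buffer of 'cap' bytes and
 * return how many characters were handed out; equal to strlen(src) only if
 * the cursor stopped exactly at inp. Returns (size_t)-1 on error. */
static size_t tok_drain_count(const char *src, size_t cap)
{
    tok_state tok;
    size_t count = 0;
    if (tok_init(&tok, src, cap) != 0) return (size_t)-1;
    while (tok_nextc(&tok) != TOK_EOF) count++;
    tok_free(&tok);
    return count;
}

/* 1 if the bytes handed out are exactly src (so reallocs did not lose or
 * duplicate data), 0 otherwise; inputs over 255 bytes are rejected. */
static int tok_roundtrip_ok(const char *src, size_t cap)
{
    char out[256];
    tok_state tok;
    size_t count = 0;
    int c;
    if (strlen(src) >= sizeof out || tok_init(&tok, src, cap) != 0) return 0;
    while ((c = tok_nextc(&tok)) != TOK_EOF) out[count++] = (char)c;
    out[count] = '\0';
    tok_free(&tok);
    return strcmp(out, src) == 0;
}

int main(void)
{
    /* Constructed sample input; not one of the reporter's crash files. */
    const char *sample = "def f():\n    return 1\n";
    printf("handed out %zu of %zu bytes; roundtrip %s\n",
           tok_drain_count(sample, 2), strlen(sample),
           tok_roundtrip_ok(sample, 2) ? "ok" : "FAILED");
    return 0;
}
```

Building this with `-fsanitize=address` and removing the `tok->cur >= tok->inp` check, or the re-basing lines after `realloc`, reproduces the two ASAN report classes quoted above on ordinary input, which is a quick way to confirm that a sanitizer build of any C tokenizer is exercising the boundary and refill paths.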
New changeset 414e08c478f4 by Benjamin Peterson in branch '3.4':
New changeset 03b2259c6cd3 by Benjamin Peterson in branch 'default':
Where are test scripts?
New changeset ccfea26e6582 by Benjamin Peterson in branch '3.4':
New changeset c6438a3df7a4 by Benjamin Peterson in branch '2.7':
New changeset d2f86d9c53b9 by Benjamin Peterson in branch '3.6':
Hello @benjaminp, it looks like you are (or were) fuzzing this repository, and you've found some interesting bugs. 🥇 I would like to create a Python-based test case reduction test suite that contains fuzzer-generated outputs, and benchmark how automatic test case reducers perform on Python inputs. It looks to me like you have opened this issue with the already reduced input that caused the malfunction. Is it possible that you still have the output of the fuzzer, free of any reduction? I'm also interested in this issue: with the same motivation. Thanks in advance,