
Use after free in get_filter #68284

Closed
pkt mannequin opened this issue May 1, 2015 · 6 comments
Labels
extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump

Comments

pkt mannequin commented May 1, 2015

BPO 24096
Nosy @rhettinger, @pitrou, @tiran, @ezio-melotti, @serhiy-storchaka
Files
  • poc_get_filter.py
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2015-05-03.15:30:09.914>
    created_at = <Date 2015-05-01.14:03:23.697>
    labels = ['extension-modules', 'type-crash']
    title = 'Use after free in get_filter'
    updated_at = <Date 2015-05-03.15:30:09.912>
    user = 'https://bugs.python.org/pkt'

    bugs.python.org fields:

    activity = <Date 2015-05-03.15:30:09.912>
    actor = 'python-dev'
    assignee = 'none'
    closed = True
    closed_date = <Date 2015-05-03.15:30:09.914>
    closer = 'python-dev'
    components = ['Extension Modules']
    creation = <Date 2015-05-01.14:03:23.697>
    creator = 'pkt'
    dependencies = []
    files = ['39247']
    hgrepos = []
    issue_num = 24096
    keywords = []
    message_count = 6.0
    messages = ['242311', '242312', '242314', '242323', '242325', '242486']
    nosy_count = 8.0
    nosy_names = ['rhettinger', 'pitrou', 'christian.heimes', 'ezio.melotti', 'Arfrever', 'python-dev', 'serhiy.storchaka', 'pkt']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue24096'
    versions = ['Python 3.4', 'Python 3.5']

    pkt mannequin commented May 1, 2015

    # Program received signal SIGSEGV, Segmentation fault.
    # 0x40036740 in encoder_listencode_dict (s=0x405b43fc, acc=0xbf86438c, dct=<D at remote 0x405b2fb4>, indent_level=0)
    # at /home/p/Python-3.4.1/Modules/json.c:1557
    # 1557 PyList_SET_ITEM(items, i, item);
    # (gdb) print *(PyListObject*)items
    # $1 = {ob_base = {ob_base = {ob_next = 0x405bcab4, _ob_prev = 0x40591184, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>},
    # ob_size = 0}, ob_item = 0x0, allocated = 0}
    # (gdb) print i
    # $2 = 112233
    #
    # "items" was cleared in __hash__, so we get a wild write at a controlled address.

    @pkt pkt mannequin added the type-crash A hard crash of the interpreter, possibly with a core dump label May 1, 2015
    pkt mannequin commented May 1, 2015

    # Program received signal SIGSEGV, Segmentation fault.
    # 0x080f2c17 in PyObject_GetAttr (v=<unknown at remote 0x40573d8c>, name='match') at Objects/object.c:872
    # 872 if (tp->tp_getattro != NULL)
    # (gdb) bt
    # #0 0x080f2c17 in PyObject_GetAttr (v=<unknown at remote 0x40573d8c>, name='match') at Objects/object.c:872
    # #1 0x080f2b42 in _PyObject_GetAttrId (v=<unknown at remote 0x40573d8c>, name=0x8328354 <PyId_match.9432>) at Objects/object.c:835
    # #2 0x0809c3a6 in _PyObject_CallMethodId (o=<unknown at remote 0x40573d8c>, name=0x8328354 <PyId_match.9432>, format=0x829552c "O")
    # at Objects/abstract.c:2215
    # #3 0x0817e48b in check_matched (obj=<unknown at remote 0x40573d8c>, arg='c') at Python/_warnings.c:28
    # #4 0x0817e88b in get_filter (category=<type at remote 0x830bf80>, text='', lineno=4, module='c', item=0xbfa87c88)
    # (gdb) frame 4
    # #4 0x0817e88b in get_filter (category=<type at remote 0x830bf80>, text='', lineno=4, module='c', item=0xbfa87c88)
    # at Python/_warnings.c:152
    # 152 good_mod = check_matched(mod, module);
    # (gdb) print *mod
    # $1 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb}
    #
    # "mod" object is deleted in "match" method. Use after free.

    @pkt pkt mannequin changed the title Use after free during json encoding a dict (3) Use after free in get_filter May 1, 2015
    @tiran tiran added the extension-modules C modules in the Modules dir label May 1, 2015
    tiran commented May 1, 2015

    In 3.5 the segfault occurs at

    #0 0x00007ffff073e55e in encoder_listencode_dict (s=s@entry=0x7ffff09aa988, acc=acc@entry=0x7fffffffcf20, dct=dct@entry=<D at remote 0x7ffff094b958>, indent_level=indent_level@entry=0)
    at /home/heimes/dev/python/cpython/Modules/_json.c:1686
    #1 0x00007ffff073ee85 in encoder_listencode_obj (s=s@entry=0x7ffff09aa988, acc=acc@entry=0x7fffffffcf20, obj=<D at remote 0x7ffff094b958>, indent_level=0) at /home/heimes/dev/python/cpython/Modules/_json.c:1561
    #2 0x00007ffff073f392 in encoder_call (self=<_json.Encoder at remote 0x7ffff09aa988>, args=(<D at remote 0x7ffff094b958>, 0), kwds=0x0) at /home/heimes/dev/python/cpython/Modules/_json.c:1386
    #3 0x000000000044edf8 in PyObject_Call (func=func@entry=<_json.Encoder at remote 0x7ffff09aa988>, arg=arg@entry=(<D at remote 0x7ffff094b958>, 0), kw=kw@entry=0x0) at Objects/abstract.c:2147
    #4 0x000000000052be56 in do_call (func=func@entry=<_json.Encoder at remote 0x7ffff09aa988>, pp_stack=pp_stack@entry=0x7fffffffd098, na=na@entry=2, nk=nk@entry=0) at Python/ceval.c:4515
    #5 0x000000000053663c in call_function (pp_stack=pp_stack@entry=0x7fffffffd098, oparg=oparg@entry=2) at Python/ceval.c:4311

    pkt mannequin commented May 1, 2015

    Issue for poc_enc_dict3.py is here: https://bugs.python.org/issue24105

    Please ignore first and third message.

    tiran commented May 1, 2015

    Thanks Paul!

    May I ask how you found that many use-after-free bugs? Are you using some sort of tool for static code analysis or fuzzing?

    python-dev mannequin commented May 3, 2015

    New changeset ffc1f9d1c8b3 by Benjamin Peterson in branch '3.3':
    be more robust against the filters list changing under us (closes bpo-24096)
    https://hg.python.org/cpython/rev/ffc1f9d1c8b3

    New changeset 47f4c3a5d86a by Benjamin Peterson in branch '3.4':
    merge 3.3 (bpo-24096)
    https://hg.python.org/cpython/rev/47f4c3a5d86a

    New changeset bfea101f9402 by Benjamin Peterson in branch 'default':
    merge 3.4 (bpo-24096)
    https://hg.python.org/cpython/rev/bfea101f9402
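The report above shows `mod` being freed while `get_filter` still holds only the list's borrowed pointer to it, and the fix commit message says the lookup now has to survive the filters list changing under it. The following is an added C model of that defensive pattern, written for this thread and not CPython's own code: a tiny stand-in for refcounted objects and a list, a callback that empties the list mid-lookup (as the `match` method in the report does), and a lookup that pins each item with its own reference and re-reads the list length on every iteration. The names (`Obj`, `List`, `get_filter_safe`, `clearing_match`, `run_clearing_scenario`) and the refcount model are assumptions of this example, not CPython's API.

```c
#include <stdlib.h>

/* Constructed stand-ins for CPython's refcounted object and list (not PyObject). */
typedef struct { int refcnt; } Obj;
typedef struct { Obj **items; int size; } List;
typedef int (*match_fn)(Obj *mod, List *filters);   /* models check_matched() */
typedef struct { int freed_during, hit_refcnt, freed_total; } Outcome;
static int objects_freed = 0;   /* instrumentation: objects whose refcnt hit 0 */

static Obj *obj_new(void) { Obj *o = calloc(1, sizeof *o); o->refcnt = 1; return o; }
static void obj_incref(Obj *o) { o->refcnt++; }
static void obj_decref(Obj *o) { if (--o->refcnt == 0) { objects_freed++; free(o); } }

/* Models `warnings.filters.clear()` run by Python code inside match(): the list
 * drops every reference it held, freeing anything nobody else pins. */
static void list_clear(List *l) {
    int n = l->size; l->size = 0;
    for (int i = 0; i < n; i++) obj_decref(l->items[i]);
}

/* Robust lookup: pin the item with our own reference before calling out, so it
 * outlives the callback, and re-read the list length every iteration because
 * the callback may have shrunk it. Returns a new reference, or NULL. */
static Obj *get_filter_safe(List *filters, match_fn match) {
    for (int i = 0; i < filters->size; i++) {
        Obj *mod = filters->items[i];   /* borrowed from the list */
        obj_incref(mod);                /* the step a borrowed-only loop lacks */
        if (match(mod, filters))
            return mod;                 /* alive even though the list let go */
        obj_decref(mod);                /* may free mod here, after its last use */
    }
    return NULL;
}

/* Constructed adversarial callback: empties the list mid-lookup, then "matches". */
static int clearing_match(Obj *mod, List *filters) { (void)mod; list_clear(filters); return 1; }

/* Runs the lookup over a 3-item list against the clearing callback; the matched
 * item is released only after we are done with it, so no freed memory is read. */
static Outcome run_clearing_scenario(void) {
    Obj *objs[3]; List filters = { objs, 3 }; Outcome out;
    objects_freed = 0;
    for (int i = 0; i < 3; i++) objs[i] = obj_new();
    Obj *hit = get_filter_safe(&filters, clearing_match);
    out.freed_during = objects_freed;          /* 2: the items we never pinned */
    out.hit_refcnt = hit ? hit->refcnt : -1;   /* 1: only our pin remains */
    if (hit) obj_decref(hit);
    out.freed_total = objects_freed;           /* 3: everything released once */
    return out;
}
```

Without the `obj_incref` before the callback, `list_clear` would drop the first item to zero while the lookup still needed it, which is the shape of the `0xdbdbdbdb` object in the backtrace above.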

    @python-dev python-dev mannequin closed this as completed May 3, 2015
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022