potential use of uninitialized memory in operator.methodcaller #71970

Closed
benjaminp opened this issue Aug 17, 2016 · 2 comments
Labels
stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@benjaminp
Contributor

BPO 27783
Nosy @benjaminp

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2016-08-17.06:38:01.756>
created_at = <Date 2016-08-17.06:32:24.362>
labels = ['library', 'type-crash']
title = 'potential use of unitialized memory in operator.methodcaller'
updated_at = <Date 2016-08-17.06:38:01.744>
user = 'https://github.com/benjaminp'

bugs.python.org fields:

activity = <Date 2016-08-17.06:38:01.744>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2016-08-17.06:38:01.756>
closer = 'python-dev'
components = ['Library (Lib)']
creation = <Date 2016-08-17.06:32:24.362>
creator = 'benjamin.peterson'
dependencies = []
files = []
hgrepos = []
issue_num = 27783
keywords = []
message_count = 2.0
messages = ['272904', '272905']
nosy_count = 2.0
nosy_names = ['benjamin.peterson', 'python-dev']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue27783'
versions = ['Python 2.7', 'Python 3.2', 'Python 3.3', 'Python 3.4', 'Python 3.5', 'Python 3.6']

@benjaminp
Contributor Author

Thomas E Hybel reports:

This vulnerability exists in /Modules/_operator.c in the function
methodcaller_new.

Here is the problematic code:

    mc = PyObject_GC_New(methodcallerobject, &methodcaller_type);
    if (mc == NULL)
        return NULL;
    /* mc->name, mc->args and mc->kwds hold whatever the allocator left here */

    newargs = PyTuple_GetSlice(args, 1, PyTuple_GET_SIZE(args));
    if (newargs == NULL) {
        Py_DECREF(mc);   /* refcount hits zero: methodcaller_dealloc reads those fields */
        return NULL;
    }

We first allocate an "mc" object. Then we call PyTuple_GetSlice. If that fails,
e.g. because we're out of memory, then we call Py_DECREF(mc). But mc's variables
have not been initialized yet. methodcaller_dealloc will therefore free several
arbitrary pointers.

This could be fixed by setting mc's member variables to NULL right after
allocating it.

Proof-of-concept script:

--- begin script ---

import operator

# A very large argument tuple: methodcaller_new allocates the object first and
# only then calls PyTuple_GetSlice to copy all but the first element, which is
# the allocation meant to fail.
args = ("AAAA",)*0x10000000
ag = operator.methodcaller(*args)

--- end script ---

(Note that this PoC only works if the machine runs out of memory at the right
time; you may have to experiment with the size of "args." This was tested on a
32-bit box, therefore it had a small address space.)

Here's the crash and backtrace:

(gdb) r ../poc10.py
Starting program: /home/ubuntu32/python3/Python-3.5.2/python ../poc10.py

Program received signal SIGSEGV, Segmentation fault.
0x081d4255 in methodcaller_dealloc (mc=mc@entry=0xb7c31b94) at ./Modules/_operator.c:976
976 Py_XDECREF(mc->name);
(gdb) p mc->name
$3 = (PyObject *) 0xcbcbcbcb
(gdb) bt
#0 0x081d4255 in methodcaller_dealloc (mc=mc@entry=0xb7c31b94) at ./Modules/_operator.c:976
#1 0x080e4bff in _Py_Dealloc (op=op@entry=0xb7c31b94) at Objects/object.c:1786
#2 0x081d361a in methodcaller_new (type=0x82f0200 <methodcaller_type>, args=0x37c2d024, kwds=0x0) at ./Modules/_operator.c:956
...

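The allocate-then-fail pattern the report describes, modeled in stand-alone C as an added example. This is not CPython's code, not Modules/_operator.c, and not the changeset that closed the issue: it uses a toy refcounted object whose dealloc XDECREFs its fields, an allocator that poison-fills fresh memory the way CPython's debug allocator does, a slice routine whose failure stands in for MemoryError, and three constructors: the ordering from the report, a reordered version in the spirit of the rearrangement the commit messages below describe, and the NULL-initialize-first alternative the report suggests. The three fields name, args and kwds, all function names, and the 0xCB fill are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy refcounted object standing in for PyObject (not CPython's API), and a
 * methodcaller with the three pointer fields assumed from the report's dealloc. */
typedef struct Obj { long refcnt; void (*dealloc)(struct Obj *); } Obj;
typedef struct { Obj base; Obj *name; Obj *args; Obj *kwds; } MethodCaller;

/* CPython's debug allocator fills fresh blocks with 0xCB (the 0xcbcbcbcb in the
 * backtrace); the same fill is used here, and a DECREF landing on it is counted
 * instead of segfaulting as it does in the interpreter. */
#define POISON_BYTE 0xCB
static int poisoned_decrefs;

static int is_poisoned(const void *p)
{ uintptr_t v; memset(&v, POISON_BYTE, sizeof v); return (uintptr_t)p == v; }

static void xdecref(Obj *o)
{
    if (o == NULL) return;
    if (is_poisoned(o)) { poisoned_decrefs++; return; }
    if (--o->refcnt == 0) { if (o->dealloc) o->dealloc(o); else free(o); }
}

static Obj *obj_new(void) { Obj *o = calloc(1, sizeof *o); if (o) o->refcnt = 1; return o; }

/* Same shape as methodcaller_dealloc in the report: XDECREF every field. */
static void methodcaller_dealloc(Obj *self)
{
    MethodCaller *mc = (MethodCaller *)self;
    xdecref(mc->name); xdecref(mc->args); xdecref(mc->kwds);
    free(mc);
}

/* Stand-in for PyObject_GC_New: header set up, payload fields left as-is. */
static MethodCaller *gc_new_methodcaller(void)
{
    MethodCaller *mc = malloc(sizeof *mc);
    if (mc == NULL) return NULL;
    memset(mc, POISON_BYTE, sizeof *mc);
    mc->base.refcnt = 1; mc->base.dealloc = methodcaller_dealloc;
    return mc;
}

/* Stand-in for PyTuple_GetSlice; simulate_oom models the MemoryError path. */
static Obj *tuple_getslice(int simulate_oom) { return simulate_oom ? NULL : obj_new(); }
static void fill(MethodCaller *mc, Obj *name, Obj *newargs)
{ name->refcnt++; mc->name = name; mc->args = newargs; mc->kwds = NULL; }

/* Variant 0, the report's ordering: allocate, do the fallible work, and on
 * failure DECREF the half-built object whose fields are still poison. */
static MethodCaller *new_vulnerable(Obj *name, int simulate_oom)
{
    MethodCaller *mc = gc_new_methodcaller();
    if (mc == NULL) return NULL;
    Obj *newargs = tuple_getslice(simulate_oom);
    if (newargs == NULL) { xdecref((Obj *)mc); return NULL; }
    fill(mc, name, newargs);
    return mc;
}

/* Variant 1: do the fallible call before the object exists, so the error path
 * never touches a half-built object (the spirit of the fix; not the real diff). */
static MethodCaller *new_reordered(Obj *name, int simulate_oom)
{
    Obj *newargs = tuple_getslice(simulate_oom);
    if (newargs == NULL) return NULL;
    MethodCaller *mc = gc_new_methodcaller();
    if (mc == NULL) { xdecref(newargs); return NULL; }
    fill(mc, name, newargs);
    return mc;
}

/* Variant 2, the alternative the report suggests: NULL every field right after
 * allocation so Py_XDECREF in dealloc is a no-op on whatever is still unset. */
static MethodCaller *new_null_init(Obj *name, int simulate_oom)
{
    MethodCaller *mc = gc_new_methodcaller();
    if (mc == NULL) return NULL;
    mc->name = mc->args = mc->kwds = NULL;
    Obj *newargs = tuple_getslice(simulate_oom);
    if (newargs == NULL) { xdecref((Obj *)mc); return NULL; }
    fill(mc, name, newargs);
    return mc;
}

/* Runs constructor variant 0, 1 or 2 under the chosen failure mode, tears the
 * result down, and returns how many poisoned pointers reached a DECREF. */
int poisoned_decrefs_for(int variant, int simulate_oom)
{
    MethodCaller *(*ctor[])(Obj *, int) = { new_vulnerable, new_reordered, new_null_init };
    Obj *name = obj_new();
    poisoned_decrefs = 0;
    xdecref((Obj *)ctor[variant](name, simulate_oom));
    xdecref(name);
    return poisoned_decrefs;
}

int main(void)
{
    for (int v = 0; v < 3; v++) printf("variant %d: %d poisoned DECREF(s) on OOM\n", v, poisoned_decrefs_for(v, 1));
    return 0;
}
```

With the report's ordering a failed slice sends all three never-initialized pointers into DECREF (the interpreter dies on the first, which is the `Py_XDECREF(mc->name)` frame in the backtrace); both hardened orderings send none, and all three behave identically when nothing fails. The rule the model enforces is that an object must be safe to Py_DECREF from the moment it exists, so either finish every fallible step before allocating it or NULL every field before the first error return.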
@benjaminp benjaminp added stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump labels Aug 17, 2016
@python-dev
Mannequin

python-dev mannequin commented Aug 17, 2016

New changeset 11a9bca71528 by Benjamin Peterson in branch '2.7':
rearrange methodcaller_new so that the main error case does not cause uninitialized memory usage (closes bpo-27783)
https://hg.python.org/cpython/rev/11a9bca71528

New changeset 8e3b9bf917a7 by Benjamin Peterson in branch '3.3':
rearrange methodcaller_new so that the main error case does not cause uninitialized memory usage (closes bpo-27783)
https://hg.python.org/cpython/rev/8e3b9bf917a7

New changeset 675e20c38fda by Benjamin Peterson in branch '3.4':
merge 3.3 (bpo-27783)
https://hg.python.org/cpython/rev/675e20c38fda

New changeset d1b93ce7dad8 by Benjamin Peterson in branch '3.5':
merge 3.4 (bpo-27783)
https://hg.python.org/cpython/rev/d1b93ce7dad8

New changeset 0f0a040d45b2 by Benjamin Peterson in branch 'default':
merge 3.5 (bpo-27783)
https://hg.python.org/cpython/rev/0f0a040d45b2

@python-dev python-dev mannequin closed this as completed Aug 17, 2016
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022