AddressSanitizer: heap-buffer-overflow on address 0x60200000e734 #73673

Closed
beginvuln mannequin opened this issue Feb 8, 2017 · 1 comment
Labels
extension-modules C modules in the Modules dir type-bug An unexpected behavior, bug, or error

Comments


beginvuln mannequin commented Feb 8, 2017

BPO 29487
Files
  • cfield_675: PoC

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = <Date 2017-02-08.14:58:04.823>
    created_at = <Date 2017-02-08.14:44:48.035>
    labels = ['extension-modules', 'type-bug']
    title = 'AddressSanitizer: heap-buffer-overflow on address 0x60200000e734'
    updated_at = <Date 2017-02-08.14:58:04.823>
    user = 'https://bugs.python.org/beginvuln'

    bugs.python.org fields:

    activity = <Date 2017-02-08.14:58:04.823>
    actor = 'matrixise'
    assignee = 'none'
    closed = True
    closed_date = <Date 2017-02-08.14:58:04.823>
    closer = 'matrixise'
    components = ['Extension Modules']
    creation = <Date 2017-02-08.14:44:48.035>
    creator = 'beginvuln'
    dependencies = []
    files = ['46582']
    hgrepos = []
    issue_num = 29487
    keywords = []
    message_count = 1.0
    messages = ['287321']
    nosy_count = 1.0
    nosy_names = ['beginvuln']
    pr_nums = []
    priority = 'low'
    resolution = None
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue29487'
    versions = ['Python 3.6']


    beginvuln mannequin commented Feb 8, 2017

    OS Version : Ubuntu 16.04 LTS
    Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

    Python version : 3.6.0

    Normal build cmd :
    ./configure
    make

    Asan build cmd:
    export CC="/usr/bin/clang -fsanitize=address"
    export CXX="/usr/bin/clang++ -fsanitize=address"
    ./configure
    make

    GDB with exploitable:

    To enable execution of this file add
    add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
    line to your configuration file "/home/test/.gdbinit".
    To completely disable this security protection add
    set auto-load safe-path /
    line to your configuration file "/home/test/.gdbinit".
    For more information about this security protection see the
    "Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
    info "(gdb)Auto-loading safe path"
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [Inferior 1 (process 19362) exited with code 01]

    ASAN:

    =================================================================
    ==18038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e734 at pc 0x7fbe64d4ef87 bp 0x7ffdd65d7190 sp 0x7ffdd65d7188
    READ of size 4 at 0x60200000e734 thread T0
    #0 0x7fbe64d4ef86 in i_get /home/test/check/PythonASAN/Modules/_ctypes/cfield.c:675
    #1 0x7fbe64d4ef86 in ?? ??:0
    #2 0x7fbe64d40dca in Pointer_subscript /home/test/check/PythonASAN/Modules/_ctypes/_ctypes.c:5026 (discriminator 1)
    #3 0x7fbe64d40dca in ?? ??:0
    #4 0x79987c in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:1458 (discriminator 1)
    #5 0x79987c in ?? ??:0
    #6 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #7 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #8 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #9 0x7ab4cb in ?? ??:0
    #10 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #11 0x7a76f2 in ?? ??:0
    #12 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #13 0x7995cc in ?? ??:0
    #14 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #15 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #16 0x7a9847 in ?? ??:0
    #17 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #18 0x7ac2ea in ?? ??:0
    #19 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #20 0x574668 in ?? ??:0
    #21 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #22 0x5749fa in ?? ??:0
    #23 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #24 0x573e9b in ?? ??:0
    #25 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #26 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #27 0x793369 in ?? ??:0
    #28 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #29 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #30 0x7a9847 in ?? ??:0
    #31 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #32 0x7ac2ea in ?? ??:0
    #33 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #34 0x574668 in ?? ??:0
    #35 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #36 0x5749fa in ?? ??:0
    #37 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #38 0x573e9b in ?? ??:0
    #39 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #40 0x66efe4 in ?? ??:0
    #41 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #42 0x5745f0 in ?? ??:0
    #43 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #44 0x7a7429 in ?? ??:0
    #45 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #46 0x7995cc in ?? ??:0
    #47 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #48 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #49 0x7a9847 in ?? ??:0
    #50 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #51 0x7ac2ea in ?? ??:0
    #52 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #53 0x574668 in ?? ??:0
    #54 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #55 0x5749fa in ?? ??:0
    #56 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #57 0x573e9b in ?? ??:0
    #58 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #59 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #60 0x793369 in ?? ??:0
    #61 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #62 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #63 0x7a9847 in ?? ??:0
    #64 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #65 0x7ac2ea in ?? ??:0
    #66 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #67 0x574668 in ?? ??:0
    #68 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #69 0x5749fa in ?? ??:0
    #70 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #71 0x573e9b in ?? ??:0
    #72 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #73 0x66efe4 in ?? ??:0
    #74 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #75 0x5745f0 in ?? ??:0
    #76 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #77 0x7a7429 in ?? ??:0
    #78 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #79 0x7995cc in ?? ??:0
    #80 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #81 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #82 0x7a9847 in ?? ??:0
    #83 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #84 0x7ac2ea in ?? ??:0
    #85 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #86 0x574668 in ?? ??:0
    #87 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #88 0x5749fa in ?? ??:0
    #89 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #90 0x573e9b in ?? ??:0
    #91 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #92 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #93 0x793369 in ?? ??:0
    #94 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #95 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #96 0x7a9847 in ?? ??:0
    #97 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #98 0x7ac2ea in ?? ??:0
    #99 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #100 0x574668 in ?? ??:0
    #101 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #102 0x5749fa in ?? ??:0
    #103 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #104 0x573e9b in ?? ??:0
    #105 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #106 0x66efe4 in ?? ??:0
    #107 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #108 0x5745f0 in ?? ??:0
    #109 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #110 0x7a7429 in ?? ??:0
    #111 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #112 0x7995cc in ?? ??:0
    #113 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #114 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #115 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #116 0x7ab4cb in ?? ??:0
    #117 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #118 0x7a76f2 in ?? ??:0
    #119 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #120 0x7995cc in ?? ??:0
    #121 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #122 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #123 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #124 0x7ab4cb in ?? ??:0
    #125 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #126 0x7a76f2 in ?? ??:0
    #127 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #128 0x7995cc in ?? ??:0
    #129 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #130 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #131 0x7a9847 in ?? ??:0
    #132 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #133 0x7ac2ea in ?? ??:0
    #134 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #135 0x574668 in ?? ??:0
    #136 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #137 0x5749fa in ?? ??:0
    #138 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #139 0x573e9b in ?? ??:0
    #140 0x6713f8 in slot_tp_init /home/test/check/PythonASAN/Objects/typeobject.c:6380
    #141 0x6713f8 in ?? ??:0
    #142 0x666d8d in type_call /home/test/check/PythonASAN/Objects/typeobject.c:915 (discriminator 1)
    #143 0x666d8d in ?? ??:0
    #144 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #145 0x5745f0 in ?? ??:0
    #146 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #147 0x7a7429 in ?? ??:0
    #148 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #149 0x7995cc in ?? ??:0
    #150 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #151 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #152 0x7a9847 in ?? ??:0
    #153 0x78e0df in PyEval_EvalCodeEx /home/test/check/PythonASAN/Python/ceval.c:4140
    #154 0x78e0df in PyEval_EvalCode /home/test/check/PythonASAN/Python/ceval.c:695
    #155 0x78e0df in ?? ??:0
    #156 0x5142f5 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:980
    #157 0x5142f5 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
    #158 0x5142f5 in ?? ??:0
    #159 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
    #160 0x512afa in ?? ??:0
    #161 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
    #162 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
    #163 0x53eefd in ?? ??:0
    #164 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
    #165 0x503d16 in ?? ??:0
    #166 0x7fbe686a582f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #167 0x7fbe686a582f in ?? ??:0
    #168 0x432548 in _start ??:?
    #169 0x432548 in ?? ??:0

    0x60200000e734 is located 0 bytes to the right of 4-byte region [0x60200000e730,0x60200000e734)
    allocated by thread T0 here:
    #0 0x4d2678 in malloc ??:?
    #1 0x4d2678 in ?? ??:0
    #2 0x7fbe648cc9bc in my_wcsdup /home/test/check/PythonASAN/Modules/_ctypes/_ctypes_test.c:185 (discriminator 1)
    #3 0x7fbe648cc9bc in ?? ??:0
    #2 0x7ffdd65d6e3f (<unknown module>)

    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test/check/PythonASAN/build/lib.linux-x86_64-3.6/_ctypes.cpython-36m-x86_64-linux-gnu.so+0x34f86)
    Shadow bytes around the buggy address:
    0x0c047fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c047fff9ce0: fa fa fa fa fa fa[04]fa fa fa fd fa fa fa fd fa
    0x0c047fff9cf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    0x0c047fff9d00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    0x0c047fff9d10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    0x0c047fff9d20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    0x0c047fff9d30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable: 00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone: fa
    Heap right redzone: fb
    Freed heap region: fd
    Stack left redzone: f1
    Stack mid redzone: f2
    Stack right redzone: f3
    Stack partial redzone: f4
    Stack after return: f5
    Stack use after scope: f8
    Global redzone: f9
    Global init order: f6
    Poisoned by user: f7
    Container overflow: fc
    Array cookie: ac
    Intra object redzone: bb
    ASan internal: fe
    Left alloca redzone: ca
    Right alloca redzone: cb
    ==18038==ABORTING

    @beginvuln beginvuln mannequin added type-security A security issue interpreter-core (Objects, Python, Grammar, and Parser dirs) labels Feb 8, 2017
    @tiran tiran added type-bug An unexpected behavior, bug, or error extension-modules C modules in the Modules dir and removed type-security A security issue interpreter-core (Objects, Python, Grammar, and Parser dirs) labels Feb 8, 2017
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022