Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use-after-free in list object function #82791

Closed
LCatro mannequin opened this issue Oct 28, 2019 · 5 comments
Closed

use-after-free in list object function #82791

LCatro mannequin opened this issue Oct 28, 2019 · 5 comments
Labels
3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@LCatro
Copy link
Mannequin

LCatro mannequin commented Oct 28, 2019

BPO 38610
Nosy @serhiy-storchaka, @ZackerySpytz, @pablogsal, @miss-islington
PRs
  • bpo-38610: Fix possible crashes in several list methods #17022
  • [3.8] bpo-38610: Fix possible crashes in several list methods (GH-17022) #17758
  • [3.7] bpo-38610: Fix possible crashes in several list methods (GH-17022) #17759
  • [3.6] bpo-38610: Fix possible crashes in several list methods (GH-17022) #18207
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2019-12-30.19:58:43.028>
created_at = <Date 2019-10-28.05:49:18.237>
labels = ['interpreter-core', '3.7', '3.8', '3.9', 'type-crash']
title = 'use-after-free in list object function'
updated_at = <Date 2020-01-27.17:40:43.267>
user = 'https://bugs.python.org/LCatro'

    bugs.python.org fields:

    activity = <Date 2020-01-27.17:40:43.267>
actor = 'corona10'
assignee = 'none'
closed = True
closed_date = <Date 2019-12-30.19:58:43.028>
closer = 'pablogsal'
components = ['Interpreter Core']
creation = <Date 2019-10-28.05:49:18.237>
creator = 'LCatro'
dependencies = []
files = []
hgrepos = []
issue_num = 38610
keywords = ['patch']
message_count = 5.0
messages = ['355513', '355766', '359055', '359056', '359057']
nosy_count = 5.0
nosy_names = ['serhiy.storchaka', 'LCatro', 'ZackerySpytz', 'pablogsal', 'miss-islington']
pr_nums = ['17022', '17758', '17759', '18207']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue38610'
versions = ['Python 2.7', 'Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9']
    @LCatro
    Copy link
    Mannequin Author

    LCatro mannequin commented Oct 28, 2019

    Code 1 :

    static PyObject *
list_index_impl(PyListObject *self, PyObject *value, Py_ssize_t start,
                Py_ssize_t stop)
// ...
    for (i = start; i < stop && i < Py_SIZE(self); i++) {
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);  <=  self->ob_item[i] can uaf ..

    PoC :

    class rewrite_list_eq(list) :
    def __eq__(self,other) :
        str(other)   #  <== that will call the object recall function tp_repr and call it ..
        return NotImplemented

class poc() :
    def __eq__(self,other) :
        list1.clear()
        return NotImplemented

list1 = [ poc() ]
list1.index(list1)   #  list_index_impl() -> PyObject_RichCompareBool()

    Crash Report :

    (gdb) run ../py_poc/list_poc_3.py
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_3.py
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
    573 if (Py_TYPE(v)->tp_str == NULL)

    =====

    Code 2 :

    static PyObject *
list_count(PyListObject *self, PyObject *value)
{
    Py_ssize_t count = 0;
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);  //  <=

    PoC :

    class rewrite_list_eq(list) :
    def __eq__(self,other) :
        str(other)
        return NotImplemented

class poc() :
    def __eq__(self,other) :
        list1.clear()
        return NotImplemented

list1 = rewrite_list_eq([ poc() ])
list1.count(list1)   #  list_count() -> PyObject_RichCompareBool()

    Crash Report :

    (gdb) run ../py_poc/list_poc_4.py
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_4.py
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
    573 if (Py_TYPE(v)->tp_str == NULL)

    ===

    Code 3 :

    static PyObject *
list_remove(PyListObject *self, PyObject *value)
/*[clinic end generated code: output=f087e1951a5e30d1 input=2dc2ba5bb2fb1f82]*/
{
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
		Py_INCREF(self->ob_item[i]);
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);

    PoC :

    class rewrite_list_eq(list) :
    def __eq__(self,other) :
        str(other)
        return NotImplemented

class poc() :
    def __eq__(self,other) :
        list1.clear()
        return NotImplemented

list1 = rewrite_list_eq([ poc() ])
list1.remove(list1)   #  list_count() -> PyObject_RichCompareBool()

    Crash Report :

    (gdb) run ../py_poc/list_poc_5.py
    Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_5.py
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
    573 if (Py_TYPE(v)->tp_str == NULL)

    @LCatro LCatro mannequin added 3.8 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-crash A hard crash of the interpreter, possibly with a core dump labels Oct 28, 2019
    @ZackerySpytz
    Copy link
    Mannequin

    ZackerySpytz mannequin commented Oct 31, 2019

    I have created a patch to fix these crashes. Please consider taking a look.

    @ZackerySpytz ZackerySpytz mannequin added 3.7 (EOL) end of life 3.9 only security fixes labels Oct 31, 2019
    @pablogsal
    Copy link
    Member

    New changeset d9e561d by Pablo Galindo (Zackery Spytz) in branch 'master':
    bpo-38610: Fix possible crashes in several list methods (GH-17022)
    d9e561d

    @miss-islington
    Copy link
    Contributor

    New changeset fcaf14c by Miss Islington (bot) in branch '3.8':
    bpo-38610: Fix possible crashes in several list methods (GH-17022)
    fcaf14c

    @pablogsal
    Copy link
    Member

    New changeset 296d45e by Pablo Galindo in branch '3.7':
    [3.7] bpo-38610: Fix possible crashes in several list methods (GH-17022) (GH-17759)
    296d45e

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-crash A hard crash of the interpreter, possibly with a core dump
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    2 participants
    @pablogsal @miss-islington