Author Park Alex
Recipients Park Alex, python-dev, rhettinger, serhiy.storchaka, stutzbach, vstinner
Date 2016-06-11.21:21:27
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1465680088.34.0.879232743929.issue27291@psf.upfronthosting.co.za>
In-reply-to
Content
All of the .pyc files had been altered by the fuzzer.

The original .py code is the following:

$ cat helloworld.py
def hello(s=0x4142434445464748):
    print s
    if type(s) == str:
        print s.encode('hex')
        print repr(s)
    else:
        s = str(s)
    print len(s) << 8, len(s) ^ 8, len(s) | 8, len(s) & 8, len(s) == 8, len(s) <= 8, len(s) >= 8
    x = __import__("sys")

#    for k, v in x.__dict__.items():
#        if hasattr(v, '__subclasses__') == True:
#            cmd = "Subclasses:", (v.__class__.__base__.__subclasses__()[11].__init__.__str__())

    return 0x5152535455565758 == max(s, abs(len(s)) % 0x1234)

H = 'A'*128
hello(H.encode('base64'))
hello()

Plus, Python compiled with ASAN generated the .pyc code.
After that, the fuzzer found a few crashes.

Here is some diff information between the original .pyc and the fuzzed .pyc.
file: poc_heap-buffer-overflow.pyc
cmp -bl helloworld.pyc poc_heap-buffer-overflow.pyc | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$4)}'
00000010 00 03
00000012 03 00
00000026 01 00
00000027 00 F7
0000006A 06 EE
0000006B 00 FF
0000006C 00 FF
0000006D 00 FF
00000129 01 FE
0000012A 00 FF
0000012B 64 00
0000012C 04 00
000001F0 6C DB
000001FD 6C 49

file: poc_heap-use-after-free.pyc 
cmp -bl helloworld.pyc poc_heap-use-after-free.pyc | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$4)}'
0000006A 06 D0
0000006B 00 FF
0000006C 00 FF
0000006D 00 FF
00000129 01 EB
0000012A 00 FF
0000012B 64 00
0000012C 04 00
000001F0 6C DB
000001FD 6C 49
0000026F 6C 7D

Thanks,
-- Alex
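The byte-level comparison shown above, reproduced in Python as an added example (this is not code from the message or from CPython). The `cmp -bl | gawk` pipeline prints the 1-based byte position and the two octal byte values converted to hex; the script below prints the same listing and additionally merges adjacent differing positions into runs, so that a change touching four consecutive bytes (like 0x6A-0x6D in the first diff) is displayed as one unit. Reading a 4-byte run as a little-endian int32 is only an arithmetic view of the bytes, not a claim about what that field is in the marshal stream. The sample input is constructed filler, not a real .pyc.

```python
#!/usr/bin/env python3
"""Byte-level comparison of a fuzzed .pyc against its original (added example).

Reproduces what the `cmp -bl | gawk` pipeline prints, with 1-based positions
like cmp, and additionally merges adjacent differing bytes into runs so that a
mutated multi-byte field shows up as one unit.
"""
from typing import List, Optional, Tuple

# (1-based position, original byte or None past EOF, mutated byte or None past EOF)
Diff = Tuple[int, Optional[int], Optional[int]]
# (1-based start position, original run, mutated run)
Run = Tuple[int, bytes, bytes]


def byte_diff(original: bytes, mutated: bytes) -> List[Diff]:
    """One (pos, orig, new) tuple per differing byte; None marks a missing side."""
    diffs: List[Diff] = []
    for i in range(max(len(original), len(mutated))):
        a = original[i] if i < len(original) else None
        b = mutated[i] if i < len(mutated) else None
        if a != b:
            diffs.append((i + 1, a, b))
    return diffs


def format_like_cmp(diffs: List[Diff]) -> List[str]:
    """Render diffs as '%08X %02X %02X', the format of the gawk one-liner.

    A side that has no byte at that position (length mismatch) is shown as '--'.
    """
    def hx(v: Optional[int]) -> str:
        return "--" if v is None else "%02X" % v
    return ["%08X %s %s" % (pos, hx(a), hx(b)) for pos, a, b in diffs]


def group_runs(diffs: List[Diff]) -> List[Run]:
    """Merge consecutive positions into runs; entries past either EOF are skipped."""
    runs: List[Run] = []
    for pos, a, b in diffs:
        if a is None or b is None:
            continue
        if runs and pos == runs[-1][0] + len(runs[-1][1]):
            start, oa, ob = runs[-1]
            runs[-1] = (start, oa + bytes([a]), ob + bytes([b]))
        else:
            runs.append((pos, bytes([a]), bytes([b])))
    return runs


def le32_signed(run: bytes) -> Optional[int]:
    """Read a 4-byte run as a signed little-endian int32 (None for other sizes).

    Purely an arithmetic view of the bytes; it does not assert what the field
    means inside the marshal stream.
    """
    if len(run) != 4:
        return None
    return int.from_bytes(run, "little", signed=True)


def report(original: bytes, mutated: bytes) -> List[str]:
    """Human-readable lines: the cmp-style listing followed by a run summary."""
    diffs = byte_diff(original, mutated)
    lines = format_like_cmp(diffs)
    for start, oa, ob in group_runs(diffs):
        line = "run @%08X len=%d %s -> %s" % (start, len(oa), oa.hex().upper(), ob.hex().upper())
        if len(oa) == 4:
            line += "  (as int32 LE: %d -> %d)" % (le32_signed(oa), le32_signed(ob))
        lines.append(line)
    return lines


# Constructed sample data (not a real .pyc): filler bytes plus a 4-byte field
# and a trailing byte that a hypothetical fuzzer changed, mimicking the
# 06 00 00 00 -> EE FF FF FF pattern at 0x6A in the first diff above.
ORIGINAL = bytes.fromhex("deadbeef0000000063060000000100000064")
_mut = bytearray(ORIGINAL)
_mut[9:13] = b"\xee\xff\xff\xff"
_mut[17] = 0x00
MUTATED = bytes(_mut)

if __name__ == "__main__":
    for line in report(ORIGINAL, MUTATED):
        print(line)
```

Running it on the constructed sample prints five cmp-style lines (positions 0x0A-0x0D and 0x12) followed by two run lines; the 4-byte run at 0x0A reads 6 -> -18 as a signed little-endian int32. Replace ORIGINAL and MUTATED with the contents of helloworld.pyc and a poc_*.pyc to get the same listing as the gawk pipeline.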
History
Date                 User       Action  Args
2016-06-11 21:21:28  Park Alex  set     recipients: + Park Alex, rhettinger, vstinner, stutzbach, python-dev, serhiy.storchaka
2016-06-11 21:21:28  Park Alex  set     messageid: <1465680088.34.0.879232743929.issue27291@psf.upfronthosting.co.za>
2016-06-11 21:21:28  Park Alex  link    issue27291 messages
2016-06-11 21:21:27  Park Alex  create