Message 268276 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Park Alex
Recipients	Park Alex, python-dev, rhettinger, serhiy.storchaka, stutzbach, vstinner
Date	2016-06-11.21:21:27
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1465680088.34.0.879232743929.issue27291@psf.upfronthosting.co.za>
In-reply-to

Content
all of .pyc files had been altered by fuzzer. original py code is following: $ cat helloworld.py def hello(s=0x4142434445464748): print s if type(s) == str: print s.encode('hex') print repr(s) else: s = str(s) print len(s) << 8, len(s) ^ 8, len(s) \| 8, len(s) & 8, len(s) == 8, len(s) <= 8, len(s) >= 8 x = __import__("sys") # for k, v in x.__dict__.items(): # if hasattr(v, '__subclasses__') == True: # cmd = "Subclasses:", (v.__class__.__base__.__subclasses__()[11].__init__.__str__()) return 0x5152535455565758 == max(s, abs(len(s)) % 0x1234) H = 'A'*128 hello(H.encode('base64')) hello() plus, python compiled with ASAN generated .pyc code. After that, fuzzer found a few crashes. Here are some diff information between original pyc and fuzzed pyc. file: poc_heap-buffer-overflow.pyc cmp -bl helloworld.pyc poc_heap-buffer-overflow.pyc \| gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$4)}' 00000010 00 03 00000012 03 00 00000026 01 00 00000027 00 F7 0000006A 06 EE 0000006B 00 FF 0000006C 00 FF 0000006D 00 FF 00000129 01 FE 0000012A 00 FF 0000012B 64 00 0000012C 04 00 000001F0 6C DB 000001FD 6C 49 file: poc_heap-use-after-free.pyc cmp -bl helloworld.pyc poc_heap-use-after-free.pyc \| gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$4)}' 0000006A 06 D0 0000006B 00 FF 0000006C 00 FF 0000006D 00 FF 00000129 01 EB 0000012A 00 FF 0000012B 64 00 0000012C 04 00 000001F0 6C DB 000001FD 6C 49 0000026F 6C 7D Thanks, -- Alex

all of .pyc files had been altered by fuzzer.

original py code is following:

$ cat helloworld.py
def hello(s=0x4142434445464748):
    print s
    if type(s) == str:
        print s.encode('hex')
        print repr(s)
    else:
        s = str(s)
    print len(s) << 8, len(s) ^ 8, len(s) | 8, len(s) & 8, len(s) == 8, len(s) <= 8, len(s) >= 8
    x = __import__("sys")

#    for k, v in x.__dict__.items():
#        if hasattr(v, '__subclasses__') == True:
#            cmd = "Subclasses:", (v.__class__.__base__.__subclasses__()[11].__init__.__str__())

    return 0x5152535455565758 == max(s, abs(len(s)) % 0x1234)

H = 'A'*128
hello(H.encode('base64'))
hello()

plus, python compiled with ASAN generated .pyc code.
After that, fuzzer found a few crashes.

Here are some diff information between original pyc and fuzzed pyc.
file: poc_heap-buffer-overflow.pyc
cmp -bl helloworld.pyc poc_heap-buffer-overflow.pyc | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$4)}'
00000010 00 03
00000012 03 00
00000026 01 00
00000027 00 F7
0000006A 06 EE
0000006B 00 FF
0000006C 00 FF
0000006D 00 FF
00000129 01 FE
0000012A 00 FF
0000012B 64 00
0000012C 04 00
000001F0 6C DB
000001FD 6C 49

file: poc_heap-use-after-free.pyc 
cmp -bl helloworld.pyc poc_heap-use-after-free.pyc | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$4)}'
0000006A 06 D0
0000006B 00 FF
0000006C 00 FF
0000006D 00 FF
00000129 01 EB
0000012A 00 FF
0000012B 64 00
0000012C 04 00
000001F0 6C DB
000001FD 6C 49
0000026F 6C 7D

Thanks,
-- Alex

History
Date	User	Action	Args
2016-06-11 21:21:28	Park Alex	set	recipients: + Park Alex, rhettinger, vstinner, stutzbach, python-dev, serhiy.storchaka
2016-06-11 21:21:28	Park Alex	set	messageid: <1465680088.34.0.879232743929.issue27291@psf.upfronthosting.co.za>
2016-06-11 21:21:28	Park Alex	link	issue27291 messages
2016-06-11 21:21:27	Park Alex	create