Message287321
OS Version : Ubuntu 16.04 LTS
Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz
Python version : 3.6.0
Normal build cmd :
./configure
make
Asan build cmd:
export CC="/usr/bin/clang -fsanitize=address"
export CXX="/usr/bin/clang++ -fsanitize=address"
./configure
make
GDB with exploitable:
To enable execution of this file add
add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
line to your configuration file "/home/test/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/test/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 1 (process 19362) exited with code 01]
ASAN:
=================================================================
==18038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e734 at pc 0x7fbe64d4ef87 bp 0x7ffdd65d7190 sp 0x7ffdd65d7188
READ of size 4 at 0x60200000e734 thread T0
#0 0x7fbe64d4ef86 in i_get /home/test/check/PythonASAN/Modules/_ctypes/cfield.c:675
#1 0x7fbe64d4ef86 in ?? ??:0
#2 0x7fbe64d40dca in Pointer_subscript /home/test/check/PythonASAN/Modules/_ctypes/_ctypes.c:5026 (discriminator 1)
#3 0x7fbe64d40dca in ?? ??:0
#4 0x79987c in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:1458 (discriminator 1)
#5 0x79987c in ?? ??:0
#6 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#7 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
#8 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
#9 0x7ab4cb in ?? ??:0
#10 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
#11 0x7a76f2 in ?? ??:0
#12 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
#13 0x7995cc in ?? ??:0
#14 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#15 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
#16 0x7a9847 in ?? ??:0
#17 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
#18 0x7ac2ea in ?? ??:0
#19 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
#20 0x574668 in ?? ??:0
#21 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
#22 0x5749fa in ?? ??:0
#23 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
#24 0x573e9b in ?? ??:0
#25 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
#26 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
#27 0x793369 in ?? ??:0
#28 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#29 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
#30 0x7a9847 in ?? ??:0
#31 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
#32 0x7ac2ea in ?? ??:0
#33 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
#34 0x574668 in ?? ??:0
#35 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
#36 0x5749fa in ?? ??:0
#37 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
#38 0x573e9b in ?? ??:0
#39 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
#40 0x66efe4 in ?? ??:0
#41 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
#42 0x5745f0 in ?? ??:0
#43 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
#44 0x7a7429 in ?? ??:0
#45 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
#46 0x7995cc in ?? ??:0
#47 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#48 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
#49 0x7a9847 in ?? ??:0
#50 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
#51 0x7ac2ea in ?? ??:0
#52 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
#53 0x574668 in ?? ??:0
#54 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
#55 0x5749fa in ?? ??:0
#56 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
#57 0x573e9b in ?? ??:0
#58 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
#59 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
#60 0x793369 in ?? ??:0
#61 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#62 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
#63 0x7a9847 in ?? ??:0
#64 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
#65 0x7ac2ea in ?? ??:0
#66 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
#67 0x574668 in ?? ??:0
#68 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
#69 0x5749fa in ?? ??:0
#70 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
#71 0x573e9b in ?? ??:0
#72 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
#73 0x66efe4 in ?? ??:0
#74 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
#75 0x5745f0 in ?? ??:0
#76 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
#77 0x7a7429 in ?? ??:0
#78 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
#79 0x7995cc in ?? ??:0
#80 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#81 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
#82 0x7a9847 in ?? ??:0
#83 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
#84 0x7ac2ea in ?? ??:0
#85 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
#86 0x574668 in ?? ??:0
#87 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
#88 0x5749fa in ?? ??:0
#89 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
#90 0x573e9b in ?? ??:0
#91 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
#92 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
#93 0x793369 in ?? ??:0
#94 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#95 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
#96 0x7a9847 in ?? ??:0
#97 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
#98 0x7ac2ea in ?? ??:0
#99 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
#100 0x574668 in ?? ??:0
#101 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
#102 0x5749fa in ?? ??:0
#103 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
#104 0x573e9b in ?? ??:0
#105 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
#106 0x66efe4 in ?? ??:0
#107 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
#108 0x5745f0 in ?? ??:0
#109 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
#110 0x7a7429 in ?? ??:0
#111 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
#112 0x7995cc in ?? ??:0
#113 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#114 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
#115 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
#116 0x7ab4cb in ?? ??:0
#117 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
#118 0x7a76f2 in ?? ??:0
#119 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
#120 0x7995cc in ?? ??:0
#121 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#122 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
#123 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
#124 0x7ab4cb in ?? ??:0
#125 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
#126 0x7a76f2 in ?? ??:0
#127 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
#128 0x7995cc in ?? ??:0
#129 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#130 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
#131 0x7a9847 in ?? ??:0
#132 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
#133 0x7ac2ea in ?? ??:0
#134 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
#135 0x574668 in ?? ??:0
#136 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
#137 0x5749fa in ?? ??:0
#138 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
#139 0x573e9b in ?? ??:0
#140 0x6713f8 in slot_tp_init /home/test/check/PythonASAN/Objects/typeobject.c:6380
#141 0x6713f8 in ?? ??:0
#142 0x666d8d in type_call /home/test/check/PythonASAN/Objects/typeobject.c:915 (discriminator 1)
#143 0x666d8d in ?? ??:0
#144 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
#145 0x5745f0 in ?? ??:0
#146 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
#147 0x7a7429 in ?? ??:0
#148 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
#149 0x7995cc in ?? ??:0
#150 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
#151 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
#152 0x7a9847 in ?? ??:0
#153 0x78e0df in PyEval_EvalCodeEx /home/test/check/PythonASAN/Python/ceval.c:4140
#154 0x78e0df in PyEval_EvalCode /home/test/check/PythonASAN/Python/ceval.c:695
#155 0x78e0df in ?? ??:0
#156 0x5142f5 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:980
#157 0x5142f5 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
#158 0x5142f5 in ?? ??:0
#159 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
#160 0x512afa in ?? ??:0
#161 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
#162 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
#163 0x53eefd in ?? ??:0
#164 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
#165 0x503d16 in ?? ??:0
#166 0x7fbe686a582f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#167 0x7fbe686a582f in ?? ??:0
#168 0x432548 in _start ??:?
#169 0x432548 in ?? ??:0
0x60200000e734 is located 0 bytes to the right of 4-byte region [0x60200000e730,0x60200000e734)
allocated by thread T0 here:
#0 0x4d2678 in malloc ??:?
#1 0x4d2678 in ?? ??:0
#2 0x7fbe648cc9bc in my_wcsdup /home/test/check/PythonASAN/Modules/_ctypes/_ctypes_test.c:185 (discriminator 1)
#3 0x7fbe648cc9bc in ?? ??:0
#2 0x7ffdd65d6e3f (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test/check/PythonASAN/build/lib.linux-x86_64-3.6/_ctypes.cpython-36m-x86_64-linux-gnu.so+0x34f86)
Shadow bytes around the buggy address:
0x0c047fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9ce0: fa fa fa fa fa fa[04]fa fa fa fd fa fa fa fd fa
0x0c047fff9cf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18038==ABORTING

Date | User | Action | Args
2017-02-08 14:44:49 | beginvuln | set | recipients: + beginvuln
2017-02-08 14:44:48 | beginvuln | set | messageid: <1486565088.06.0.199584603629.issue29487@psf.upfronthosting.co.za>
2017-02-08 14:44:48 | beginvuln | link | issue29487 messages
2017-02-08 14:44:47 | beginvuln | create |