Message 326668 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	shuoz
Recipients	shuoz
Date	2018-09-29.06:38:05
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1538203086.61.0.545547206417.issue34840@psf.upfronthosting.co.za>
In-reply-to

Content
python _ctypes.dlclose(arg). Never check the arg so we get a Segmentation fault (core dumped) poc.py ``` import _ctypes _ctypes.dlclose(3) # 3-4294967296 ``` python poc.py gdb info ``` ----------------------------------registers-----------------------------------] RAX: 0x7ffff7ffcca0 --> 0x40d0d00000000 RBX: 0x0 RCX: 0x7ffff6a49fd0 (<dlclose_doit>: mov rax,QWORD PTR [rip+0x201fe1] # 0x7ffff6c4bfb8) RDX: 0x2e10a0bf96213a9d RSI: 0x0 RDI: 0x3 RBP: 0x7ffff6a49fd0 (<dlclose_doit>: mov rax,QWORD PTR [rip+0x201fe1] # 0x7ffff6c4bfb8) RSP: 0x7fffffffd280 --> 0x0 RIP: 0x7ffff7dee161 (<_dl_close+1>: test BYTE PTR [rdi+0x3d4],0x8) R8 : 0x3 R9 : 0x7ffff6a49fd0 (<dlclose_doit>: mov rax,QWORD PTR [rip+0x201fe1] # 0x7ffff6c4bfb8) R10: 0xc55dc0 --> 0x31 ('1') R11: 0x7ffff7eec3d8 --> 0x9 ('\t') R12: 0x3 R13: 0x7ffff7e952b0 --> 0x1 R14: 0x7ffff2d12140 (<py_dl_close>: push r14) R15: 0x7ffff7e17228 --> 0x16 EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7ffff7dee152: nop DWORD PTR [rax+0x0] 0x7ffff7dee156: nop WORD PTR cs:[rax+rax*1+0x0] 0x7ffff7dee160 <_dl_close>: push rbx => 0x7ffff7dee161 <_dl_close+1>: test BYTE PTR [rdi+0x3d4],0x8 0x7ffff7dee168 <_dl_close+8>: mov rbx,rdi 0x7ffff7dee16b <_dl_close+11>: jne 0x7ffff7dee210 <_dl_close+176> 0x7ffff7dee171 <_dl_close+17>: mov edx,DWORD PTR [rdi+0x310] 0x7ffff7dee177 <_dl_close+23>: test edx,edx [------------------------------------stack-------------------------------------] 0000\| 0x7fffffffd280 --> 0x0 0008\| 0x7fffffffd288 --> 0x7ffff7de7564 (<_dl_catch_error+116>: mov rax,QWORD PTR [rsp+0x8]) 0016\| 0x7fffffffd290 --> 0x0 0024\| 0x7fffffffd298 --> 0x7ffff7fd8720 --> 0x7fffffffd2e0 --> 0x7ffff737f690 --> 0x0 0032\| 0x7fffffffd2a0 --> 0x0 0040\| 0x7fffffffd2a8 --> 0x7ffff737f690 --> 0x0 0048\| 0x7fffffffd2b0 --> 0x7ffff737f698 --> 0x0 0056\| 0x7fffffffd2b8 --> 0x7ffff737f688 --> 0x0 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV _dl_close (_map=0x3) at dl-close.c:809 809 dl-close.c: No such file or directory. gdb-peda$ bt ```

python _ctypes.dlclose(arg). 
Never check the arg  so we get a Segmentation fault (core dumped)

poc.py
```
import _ctypes
_ctypes.dlclose(3)  # 3-4294967296
```
python poc.py


gdb info

```
----------------------------------registers-----------------------------------]
RAX: 0x7ffff7ffcca0 --> 0x40d0d00000000 
RBX: 0x0 
RCX: 0x7ffff6a49fd0 (<dlclose_doit>:	mov    rax,QWORD PTR [rip+0x201fe1]        # 0x7ffff6c4bfb8)
RDX: 0x2e10a0bf96213a9d 
RSI: 0x0 
RDI: 0x3 
RBP: 0x7ffff6a49fd0 (<dlclose_doit>:	mov    rax,QWORD PTR [rip+0x201fe1]        # 0x7ffff6c4bfb8)
RSP: 0x7fffffffd280 --> 0x0 
RIP: 0x7ffff7dee161 (<_dl_close+1>:	test   BYTE PTR [rdi+0x3d4],0x8)
R8 : 0x3 
R9 : 0x7ffff6a49fd0 (<dlclose_doit>:	mov    rax,QWORD PTR [rip+0x201fe1]        # 0x7ffff6c4bfb8)
R10: 0xc55dc0 --> 0x31 ('1')
R11: 0x7ffff7eec3d8 --> 0x9 ('\t')
R12: 0x3 
R13: 0x7ffff7e952b0 --> 0x1 
R14: 0x7ffff2d12140 (<py_dl_close>:	push   r14)
R15: 0x7ffff7e17228 --> 0x16
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7dee152:	nop    DWORD PTR [rax+0x0]
   0x7ffff7dee156:	nop    WORD PTR cs:[rax+rax*1+0x0]
   0x7ffff7dee160 <_dl_close>:	push   rbx
=> 0x7ffff7dee161 <_dl_close+1>:	test   BYTE PTR [rdi+0x3d4],0x8
   0x7ffff7dee168 <_dl_close+8>:	mov    rbx,rdi
   0x7ffff7dee16b <_dl_close+11>:	jne    0x7ffff7dee210 <_dl_close+176>
   0x7ffff7dee171 <_dl_close+17>:	mov    edx,DWORD PTR [rdi+0x310]
   0x7ffff7dee177 <_dl_close+23>:	test   edx,edx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd280 --> 0x0 
0008| 0x7fffffffd288 --> 0x7ffff7de7564 (<_dl_catch_error+116>:	mov    rax,QWORD PTR [rsp+0x8])
0016| 0x7fffffffd290 --> 0x0 
0024| 0x7fffffffd298 --> 0x7ffff7fd8720 --> 0x7fffffffd2e0 --> 0x7ffff737f690 --> 0x0 
0032| 0x7fffffffd2a0 --> 0x0 
0040| 0x7fffffffd2a8 --> 0x7ffff737f690 --> 0x0 
0048| 0x7fffffffd2b0 --> 0x7ffff737f698 --> 0x0 
0056| 0x7fffffffd2b8 --> 0x7ffff737f688 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
_dl_close (_map=0x3) at dl-close.c:809
809	dl-close.c: No such file or directory.
gdb-peda$ bt
```

History
Date	User	Action	Args
2018-09-29 06:38:06	shuoz	set	recipients: + shuoz
2018-09-29 06:38:06	shuoz	set	messageid: <1538203086.61.0.545547206417.issue34840@psf.upfronthosting.co.za>
2018-09-29 06:38:06	shuoz	link	issue34840 messages
2018-09-29 06:38:05	shuoz	create