Author shuoz
Recipients shuoz
Date 2018-10-07.12:40:28
Message-id <1538916029.97.0.545547206417.issue34922@psf.upfronthosting.co.za>
In-reply-to
Content
Python hashlib: a signed overflow may cause a memory over-read.

python version:
Python 3.6.7rc1+ (heads/3.6:cb0bec3, Oct  1 2018, 02:19:39)
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.

```
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffd5f0 --> 0x41b58ab3
RCX: 0x0
RDX: 0x1ffffffffffffff6
RSI: 0x7ffff35ae880 --> 0x0
RDI: 0x7fffffffd650 --> 0x7d828fe8a42b9c7f
RBP: 0xffffffffabe --> 0x0
RSP: 0x7fffffffd5c8 --> 0x7ffff2a5f793 (<_sha3_shake_128_hexdigest+627>:	test   eax,eax)
RIP: 0x7ffff2a5ec60 (<_PySHA3_KeccakWidth1600_SpongeSqueeze>:	push   r15)
R8 : 0x65fc7ba985946aff
R9 : 0xefbdaa140b587a16
R10: 0x50573373c9b2b8dc
R11: 0xfba4d93abbdabffc
R12: 0x7fffffffd770 --> 0x7fffffffd7d0 --> 0xffffffffb00 --> 0x0
R13: 0x7fffffffd650 --> 0x7d828fe8a42b9c7f
R14: 0x7ffff35ae880 --> 0x0
R15: 0xfffffffffffffff6
EFLAGS: 0xa06 (carry PARITY adjust zero sign trap INTERRUPT direction OVERFLOW)
[-------------------------------------code-------------------------------------]
   0x7ffff2a5ec50 <_PySHA3_KeccakP1600_ExtractBytes+160>:	jmp    0x7ffff2a54d10 <_PySHA3_KeccakP1600_ExtractBytesInLane@plt>
   0x7ffff2a5ec55:	nop
   0x7ffff2a5ec56:	nop    WORD PTR cs:[rax+rax*1+0x0]
=> 0x7ffff2a5ec60 <_PySHA3_KeccakWidth1600_SpongeSqueeze>:	push   r15
   0x7ffff2a5ec62 <_PySHA3_KeccakWidth1600_SpongeSqueeze+2>:	push   r14
   0x7ffff2a5ec64 <_PySHA3_KeccakWidth1600_SpongeSqueeze+4>:	push   r13
   0x7ffff2a5ec66 <_PySHA3_KeccakWidth1600_SpongeSqueeze+6>:	push   r12
   0x7ffff2a5ec68 <_PySHA3_KeccakWidth1600_SpongeSqueeze+8>:	mov    r13,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd5c8 --> 0x7ffff2a5f793 (<_sha3_shake_128_hexdigest+627>:	test   eax,eax)
0008| 0x7fffffffd5d0 --> 0x7fffffffd5f0 --> 0x41b58ab3
0016| 0x7fffffffd5d8 --> 0xffffefdb33b --> 0x0
0024| 0x7fffffffd5e0 --> 0x7ffff7ed99d8 --> 0x0
0032| 0x7fffffffd5e8 --> 0x7ffff3606910 --> 0x6190000096e5 --> 0x9000009828000000
0040| 0x7fffffffd5f0 --> 0x41b58ab3
0048| 0x7fffffffd5f8 --> 0x7ffff2a68c08 ("2 32 8 6 length 96 224 4 temp ")
0056| 0x7fffffffd600 --> 0x7ffff2a5f520 (<_sha3_shake_128_hexdigest>:	push   r15)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, _PySHA3_KeccakWidth1600_SpongeSqueeze (instance=0x7fffffffd650, data=0x7ffff35ae880 "", dataByteLen=0x1ffffffffffffff6) at /home/test/cpython/Modules/_sha3/kcp/KeccakSponge.inc:272
```
Note the byte count at the breakpoint: dataByteLen=0x1ffffffffffffff6

```
RAX: 0x7ffff3615f90 --> 0xfffffffffffffffa
RBX: 0xa8
RCX: 0x7ffff3616028 --> 0xf938000001a4
RDX: 0x18
RSI: 0x7fffffffd6e0 --> 0x6ab2a5fe4fe8efd
RDI: 0x7ffff3615fe0 --> 0x44b6a41dfdc1a3df
RBP: 0x7fffffffd510 --> 0xa8
RSP: 0x7fffffffcc78 --> 0x7ffff6e936cf (mov    rcx,QWORD PTR [rbp-0x38])
RIP: 0x7ffff6120786 (<__memmove_sse2_unaligned_erms+614>:	movntdq XMMWORD PTR [rdi+0x20],xmm2)
R8 : 0xfffffffffffffff0
R9 : 0x10007e6bac07 --> 0x0
R10: 0x7ffff3616038 --> 0x0
R11: 0x7ffff3615f90 --> 0xfffffffffffffffa
R12: 0x7ffff3615f90 --> 0xfffffffffffffffa
R13: 0x7fffffffd650 --> 0xa35bf3e9cd13e78e
R14: 0x7ffff3615f90 --> 0xfffffffffffffffa
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff6120779 <__memmove_sse2_unaligned_erms+601>:	sub    rdx,0x40
   0x7ffff612077d <__memmove_sse2_unaligned_erms+605>:	movntdq XMMWORD PTR [rdi],xmm0
   0x7ffff6120781 <__memmove_sse2_unaligned_erms+609>:	movntdq XMMWORD PTR [rdi+0x10],xmm1
=> 0x7ffff6120786 <__memmove_sse2_unaligned_erms+614>:	movntdq XMMWORD PTR [rdi+0x20],xmm2
   0x7ffff612078b <__memmove_sse2_unaligned_erms+619>:	movntdq XMMWORD PTR [rdi+0x30],xmm3
   0x7ffff6120790 <__memmove_sse2_unaligned_erms+624>:	add    rdi,0x40
   0x7ffff6120794 <__memmove_sse2_unaligned_erms+628>:	cmp    rdx,0x40
   0x7ffff6120798 <__memmove_sse2_unaligned_erms+632>:	ja     0x7ffff6120758 <__memmove_sse2_unaligned_erms+568>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcc78 --> 0x7ffff6e936cf (mov    rcx,QWORD PTR [rbp-0x38])
0008| 0x7fffffffcc80 --> 0x7fffffffccf0 --> 0x41b58ab3
0016| 0x7fffffffcc88 --> 0x7fffffffcd90 --> 0x6
0024| 0x7fffffffcc90 --> 0xffffffff99e --> 0x0
0032| 0x7fffffffcc98 --> 0x7fffffffcd50 --> 0x0
0040| 0x7fffffffcca0 --> 0x0
0048| 0x7fffffffcca8 --> 0x7ffff3616038 --> 0x0
0056| 0x7fffffffccb0 --> 0x7ffff358a068 --> 0x1
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:492
492	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
gdb-peda$ bt
#0  __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:492
#1  0x00007ffff6e936cf in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
#2  0x00007ffff2a5eab4 in memcpy (__len=0xa8, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#3  _PySHA3_KeccakP1600_ExtractLanes (state=<optimized out>, data=<optimized out>, laneCount=0x15) at /home/test/cpython/Modules/_sha3/kcp/KeccakP-1600-opt64.c:342
#4  0x00007ffff2a5ec2c in _PySHA3_KeccakP1600_ExtractBytes (state=0x7fffffffd650, data=0x7ffff3615f90 "\372\377\377\377\377\377\377\377\002", offset=<optimized out>, length=0xa8)
    at /home/test/cpython/Modules/_sha3/kcp/KeccakP-1600-opt64.c:375
#5  0x00007ffff2a5ee1d in _PySHA3_KeccakWidth1600_SpongeSqueeze (instance=0x7fffffffd650, data=<optimized out>, dataByteLen=0x1ffffffffffffff6)
    at /home/test/cpython/Modules/_sha3/kcp/KeccakSponge.inc:287
#6  0x00007ffff2a5f793 in _SHAKE_digest (hex=0x1, digestlen=0xfffffffffffffff6, self=0x7ffff7ed98e8) at /home/test/cpython/Modules/_sha3/sha3module.c:620
#7  _sha3_shake_128_hexdigest_impl (length=0xfffffffffffffff6, self=0x7ffff7ed98e8) at /home/test/cpython/Modules/_sha3/sha3module.c:669
#8  _sha3_shake_128_hexdigest (self=0x7ffff7ed98e8, args=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at /home/test/cpython/Modules/_sha3/clinic/sha3module.c.h:149
#9  0x000055555583eab6 in _PyCFunction_FastCallDict (kwargs=0x0, nargs=0x1, args=0x616000021518, func_obj=0x7ffff2e86f30) at Objects/methodobject.c:250
#10 _PyCFunction_FastCallKeywords (func=func@entry=0x7ffff2e86f30, stack=0x616000021518, nargs=nargs@entry=0x1, kwnames=kwnames@entry=0x0) at Objects/methodobject.c:294
#11 0x0000555555995945 in call_function (pp_stack=pp_stack@entry=0x7fffffffdc30, oparg=oparg@entry=0x1, kwnames=kwnames@entry=0x0) at Python/ceval.c:4837
#12 0x000055555599feaa in _PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:3335
#13 0x0000555555994939 in PyEval_EvalFrameEx (throwflag=0x0, f=0x616000021398) at Python/ceval.c:754
#14 _PyEval_EvalCodeWithName (_co=_co@entry=0x7ffff36088a0, globals=globals@entry=0x0, locals=locals@entry=0x7ffff355a9d8, args=args@entry=0x0, argcount=argcount@entry=0x0, kwnames=kwnames@entry=0x0,
    kwargs=0x0, kwcount=0x0, kwstep=0x2, defs=0x0, defcount=0x0, kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0) at Python/ceval.c:4166
#15 0x0000555555997b73 in PyEval_EvalCodeEx (closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwcount=0x0, kws=0x0, argcount=0x0, args=0x0, locals=locals@entry=0x7ffff355a9d8, globals=globals@entry=0x0,
    _co=_co@entry=0x7ffff36088a0) at Python/ceval.c:4187
#16 PyEval_EvalCode (co=co@entry=0x7ffff36088a0, globals=globals@entry=0x7ffff7e5a318, locals=locals@entry=0x7ffff7e5a318) at Python/ceval.c:731
#17 0x00005555556b5b3b in run_mod (arena=0x7ffff7e75150, flags=<optimized out>, locals=0x7ffff7e5a318, globals=0x7ffff7e5a318, filename=0x7ffff358d270, mod=0x62500001e300) at Python/pythonrun.c:1025
#18 PyRun_FileExFlags (fp=<optimized out>, filename_str=<optimized out>, start=<optimized out>, globals=<optimized out>, locals=<optimized out>, closeit=<optimized out>, flags=<optimized out>)
    at Python/pythonrun.c:978
#19 0x00005555556b5fdc in PyRun_SimpleFileExFlags (fp=<optimized out>,
    filename=0x7ffff35c2680 "\314\070\064\302\227\a\254\bJf\331u\230N\273\022\355@\200\352\024`z[\267&\257+\022Q\324\017\310\nSyF2+\001{\327\354\355\245\275\002\064d-\235x\\\327O\230٧\036ތF\222\326\336\060\027q\220\037\217\b\364#=\366\224,\362\355\224i4h\030.c\377\225\360.׀M\033\066\251\ve'M=\261\t\365\307\016\267\203Q\316\313n\251]+\351H\222\244\266{\224FG\257\022\340\071\233r\300\220\065\031\236][\266\v\027\071#\354Ɣ\310\\\243M\243\251\250\372_\362^Φ\306ڝ\222\365\062O1nY\224pĥ\243IV\364\070\356\232\\\222z\242\321\v\027|\342\027\325\325O֬\300\252a0\250"..., closeit=0x1, flags=<optimized out>)
    at Python/pythonrun.c:419
#20 0x00005555556f2704 in run_file (p_cf=0x7fffffffe2b0, filename=0x604000000010 L"crash.py", fp=0x616000034880) at Modules/main.c:340
#21 Py_Main (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:810
#22 0x000055555569a293 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe528) at ./Programs/python.c:69
#23 0x00007ffff6086b97 in __libc_start_main (main=0x55555569a050 <main>, argc=0x2, argv=0x7fffffffe528, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe518)
    at ../csu/libc-start.c:310
#24 0x000055555569bb2a in _start ()
```


Reproducer script, x.py:
```
# Reproducer for the crash above: ask SHAKE-128 for a digest of negative length.
import hashlib
# Per the backtrace, -10 reaches _SHAKE_digest as digestlen=0xfffffffffffffff6
# (the 64-bit two's-complement bit pattern of -10) and SpongeSqueeze as
# dataByteLen=0x1ffffffffffffff6, so the squeeze runs with an enormous byte
# count.  The faulting instruction is a store (movntdq to [rdi]) inside the
# memcpy called from _PySHA3_KeccakP1600_ExtractLanes, so the out-of-bounds
# access shown here looks like a write past the end of the digest buffer, not
# only a read.  A fixed build must reject length < 0 before any buffer is sized
# from it.
hashlib.shake_128().hexdigest(-10)
```