Message 371964 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	stestagg
Recipients	stestagg
Date	2020-06-20.21:36:10
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1592688971.14.0.300854552931.issue41060@roundup.psfhosted.org>
In-reply-to

Content
Hi Fuzzing found the following: $ ./python/bin/python3 Python 3.10.0a0 (heads/master:eb0d5c38de, Jun 20 2020, 21:35:36) [Clang 10.0.0 ] on linux Type "help", "copyright", "credits" or "license" for more information. >>> with a as b fish: “./python/bin/python3” terminated by signal SIGSEGV (Address boundary error) with stacktrace: * thread #1, name = 'run', stop reason = signal SIGSEGV: invalid address (fault address: 0x20) * frame #0: 0x0000555555a08feb run`with_item_rule at parser.c:15382:20 frame #1: 0x0000555555a08e96 run`with_item_rule(p=0x00007ffff78b9e40) at parser.c:4330 frame #2: 0x00005555559d22e9 run`compound_stmt_rule at parser.c:17930:21 frame #3: 0x00005555559d227c run`compound_stmt_rule at parser.c:4139 frame #4: 0x00005555559d1a64 run`compound_stmt_rule(p=<unavailable>) at parser.c:1931 frame #5: 0x00005555559d016c run`statements_rule at parser.c:1230:18 frame #6: 0x00005555559d00fb run`statements_rule at parser.c:16156 frame #7: 0x00005555559cff4d run`statements_rule(p=<unavailable>) at parser.c:1189 frame #8: 0x00005555559cb2bc run`_PyPegen_parse at parser.c:722:18 frame #9: 0x00005555559cb28d run`_PyPegen_parse(p=0x00007ffff78b9e40) at parser.c:24688 frame #10: 0x00005555559c5349 run`_PyPegen_run_parser(p=0x00007ffff78b9e40) at pegen.c:1083:17 frame #11: 0x00005555559c6458 run`_PyPegen_run_parser_from_string(str=<unavailable>, start_rule=<unavailable>, filename_ob=0x00007ffff788db30, flags=<unavailable>, arena=<unavailable>) at pegen.c:1201:14 frame #12: 0x00005555555eea84 run`PyPegen_ASTFromStringObject(str="with'lZ''</'as sdbm.N", filename=0x00007ffff788db30, mode=257, flags=0x0000000000000000, arena=0x00007ffff78e4910) at peg_api.c:27:21 frame #13: 0x00005555555a8413 run`PyRun_StringFlags(str="with'lZ''</'as sdbm.N", start=<unavailable>, globals=0x00007ffff788d940, locals=0x00007ffff788d940, flags=0x0000000000000000) at pythonrun.c:1029:11 frame #14: 0x00005555555a8202 run`PyRun_SimpleStringFlags(command="with'lZ''</'as sdbm.N", flags=0x0000000000000000) at pythonrun.c:429:9 frame #15: 0x0000555555595936 run`main(argc=<unavailable>, argv=<unavailable>) at run.c:19:3 frame #16: 0x00007ffff7c35002 libc.so.6`__libc_start_main + 242 frame #17: 0x000055555559568e run`_start + 46 This appears to be similar to: https://bugs.python.org/issue40903, where GET_INVALID_TARGET is being called with an Attribute Node, which returns None, and this result is passed, unchecked into `PyPegen_get_expr_name`

Hi

Fuzzing found the following:

$ ./python/bin/python3
Python 3.10.0a0 (heads/master:eb0d5c38de, Jun 20 2020, 21:35:36) 
[Clang 10.0.0 ] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> with a as b
fish: “./python/bin/python3” terminated by signal SIGSEGV (Address boundary error)

with stacktrace:
* thread #1, name = 'run', stop reason = signal SIGSEGV: invalid address (fault address: 0x20)
  * frame #0: 0x0000555555a08feb run`with_item_rule at parser.c:15382:20
    frame #1: 0x0000555555a08e96 run`with_item_rule(p=0x00007ffff78b9e40) at parser.c:4330
    frame #2: 0x00005555559d22e9 run`compound_stmt_rule at parser.c:17930:21
    frame #3: 0x00005555559d227c run`compound_stmt_rule at parser.c:4139
    frame #4: 0x00005555559d1a64 run`compound_stmt_rule(p=<unavailable>) at parser.c:1931
    frame #5: 0x00005555559d016c run`statements_rule at parser.c:1230:18
    frame #6: 0x00005555559d00fb run`statements_rule at parser.c:16156
    frame #7: 0x00005555559cff4d run`statements_rule(p=<unavailable>) at parser.c:1189
    frame #8: 0x00005555559cb2bc run`_PyPegen_parse at parser.c:722:18
    frame #9: 0x00005555559cb28d run`_PyPegen_parse(p=0x00007ffff78b9e40) at parser.c:24688
    frame #10: 0x00005555559c5349 run`_PyPegen_run_parser(p=0x00007ffff78b9e40) at pegen.c:1083:17
    frame #11: 0x00005555559c6458 run`_PyPegen_run_parser_from_string(str=<unavailable>, start_rule=<unavailable>, filename_ob=0x00007ffff788db30, flags=<unavailable>, arena=<unavailable>) at pegen.c:1201:14
    frame #12: 0x00005555555eea84 run`PyPegen_ASTFromStringObject(str="with'lZ''</'as sdbm.N", filename=0x00007ffff788db30, mode=257, flags=0x0000000000000000, arena=0x00007ffff78e4910) at peg_api.c:27:21
    frame #13: 0x00005555555a8413 run`PyRun_StringFlags(str="with'lZ''</'as sdbm.N", start=<unavailable>, globals=0x00007ffff788d940, locals=0x00007ffff788d940, flags=0x0000000000000000) at pythonrun.c:1029:11
    frame #14: 0x00005555555a8202 run`PyRun_SimpleStringFlags(command="with'lZ''</'as sdbm.N", flags=0x0000000000000000) at pythonrun.c:429:9
    frame #15: 0x0000555555595936 run`main(argc=<unavailable>, argv=<unavailable>) at run.c:19:3
    frame #16: 0x00007ffff7c35002 libc.so.6`__libc_start_main + 242
    frame #17: 0x000055555559568e run`_start + 46

This appears to be similar to: https://bugs.python.org/issue40903, where GET_INVALID_TARGET is being called with an Attribute Node, which returns None, and this result is passed, unchecked into `PyPegen_get_expr_name`

History
Date	User	Action	Args
2020-06-20 21:36:11	stestagg	set	recipients: + stestagg
2020-06-20 21:36:11	stestagg	set	messageid: <1592688971.14.0.300854552931.issue41060@roundup.psfhosted.org>
2020-06-20 21:36:11	stestagg	link	issue41060 messages
2020-06-20 21:36:10	stestagg	create