
Author christian.heimes
Recipients Iman Sharafaldin, christian.heimes
Date 2020-07-12.21:38:55
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1594589935.56.0.910727162849.issue41288@roundup.psfhosted.org>
In-reply-to
Content
datetime_new assumes that args is a tuple. load_newobj_ex() doesn't check that args is a tuple and kwargs is a dictionary. The demo exploit passes ``True`` as args, which triggers a segfault in PyTuple_GET_SIZE in datetime_new.

#0  datetime_new (type=0x7fffea5d2740 <PyDateTime_DateTimeType>, args=True, kw=b'\x07\xb2\x01\x01\x00\x00\x00\x00\x00\x00') at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_datetimemodule.c:4737
#1  0x00007fffea637b1e in load_newobj_ex (self=0x7fffea7a7820) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:6008
#2  0x00007fffea632e7a in load (self=0x7fffea7a7820) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:6943
#3  0x00007fffea63795e in _pickle_load_impl (module=<optimized out>, buffers=0x0, errors=0x7fffea639149 "strict", encoding=0x7fffea6391fa "ASCII", fix_imports=1, file=<_io.BytesIO at remote 0x7fffea888180>)
    at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:1688
#4  _pickle_load (module=<optimized out>, args=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/clinic/_pickle.c.h:731
#5  0x00007ffff7bd1ced in cfunction_vectorcall_FASTCALL_KEYWORDS (func=<built-in method load of module object at remote 0x7fffea680270>, args=<optimized out>, nargsf=<optimized out>, kwnames=0x0)
    at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Objects/methodobject.c:437
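As an added example that is not code from this issue or from CPython, here is the defensive counterpart to the missing check: a pure-Python unpickler whose NEWOBJ_EX handler verifies that the class operand is a type, args is a tuple and kwargs is a dict before anything reaches cls.__new__, so a malformed stream such as the one above fails with UnpicklingError instead of crashing native code. Point, ValidatingUnpickler and the helper functions are constructed for this example; the sample pickle is produced from Point with protocol 4, which emits NEWOBJ_EX because Point defines __getnewargs_ex__.

```python
import io
import pickle
import pickletools

def check_newobj_ex_operands(cls, args, kwargs):
    """Type-check NEWOBJ_EX operands before cls.__new__ sees them; raise UnpicklingError otherwise."""
    if not isinstance(cls, type):
        raise pickle.UnpicklingError(f"NEWOBJ_EX class must be a type, not {type(cls).__name__}")
    if not isinstance(args, tuple):
        raise pickle.UnpicklingError(f"NEWOBJ_EX args must be a tuple, not {type(args).__name__}")
    if not isinstance(kwargs, dict):
        raise pickle.UnpicklingError(f"NEWOBJ_EX kwargs must be a dict, not {type(kwargs).__name__}")
    return cls, args, kwargs

class Point:  # constructed sample class: __getnewargs_ex__ makes protocol 4 emit NEWOBJ_EX
    def __init__(self, x, y, *, label=""):
        self.x, self.y, self.label = x, y, label

    def __getnewargs_ex__(self):
        return (self.x, self.y), {"label": self.label}

class ValidatingUnpickler(pickle._Unpickler):
    """Pure-Python unpickler whose NEWOBJ_EX handler validates operand types first."""
    ALLOWED = {(Point.__module__, "Point"): Point}  # only the classes this loader expects

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")
        return self.ALLOWED[(module, name)]

    def load_newobj_ex(self):
        kwargs = self.stack.pop()
        args = self.stack.pop()
        cls = self.stack.pop()
        cls, args, kwargs = check_newobj_ex_operands(cls, args, kwargs)
        self.append(cls.__new__(cls, *args, **kwargs))

    dispatch = dict(pickle._Unpickler.dispatch)
    dispatch[pickle.NEWOBJ_EX[0]] = load_newobj_ex

def uses_newobj_ex(data):
    return any(op.name == "NEWOBJ_EX" for op, _arg, _pos in pickletools.genops(data))

def roundtrip(obj):
    return ValidatingUnpickler(io.BytesIO(pickle.dumps(obj, protocol=4))).load()

def rejects(cls, args, kwargs):  # True when the operand check fires, e.g. args=True as in the report
    try:
        check_newobj_ex_operands(cls, args, kwargs)
        return False
    except pickle.UnpicklingError:
        return True
```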
History
Date                 User              Action   Args
2020-07-12 21:38:55  christian.heimes  set      recipients: + christian.heimes, Iman Sharafaldin
2020-07-12 21:38:55  christian.heimes  set      messageid: <1594589935.56.0.910727162849.issue41288@roundup.psfhosted.org>
2020-07-12 21:38:55  christian.heimes  link     issue41288 messages
2020-07-12 21:38:55  christian.heimes  create