Issue 24103: Use after free in xmlparser_setevents (1)

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/68291

classification

Title:	Use after free in xmlparser_setevents (1)
Type:	crash	Stage:	resolved
Components:	Extension Modules, XML	Versions:	Python 3.6, Python 3.5

process

Dependencies:	Superseder:
Status:	closed	Resolution:	fixed
Assigned To:	serhiy.storchaka	Nosy List:	Arfrever, christian.heimes, pkt, python-dev, serhiy.storchaka
Priority:	normal	Keywords:	patch

Created on 2015年05月01日 14:15 by pkt, last changed 2022年04月11日 14:58 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
poc_xml_setevents1.py	pkt, 2015年05月01日 14:15
xmlparser_setevents_refcnt_bugs.patch	serhiy.storchaka, 2015年12月18日 09:13	review

Messages (5)
msg242320 - (view)	Author: paul (pkt)	Date: 2015年05月01日 14:15
# xmlparser_setevents(XMLParserObject self, PyObject args) # { # ... # /* clear out existing events / # Py_CLEAR(target->start_event_obj); # 1 Py_CLEAR(target->end_event_obj); # Py_CLEAR(target->start_ns_event_obj); # Py_CLEAR(target->end_ns_event_obj); # # ... # # seqlen = PySequence_Size(events_seq); # for (i = 0; i < seqlen; ++i) { # 3 PyObject event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i); # ... # # if (event_name == NULL) { # ... # return NULL; # } else if (strcmp(event_name, "start") == 0) { # ... # } else if (strcmp(event_name, "end") == 0) { # Py_INCREF(event_name_obj); # 2 Py_XDECREF(target->end_event_obj); # target->end_event_obj = event_name_obj; # } # ... # } # ... # } # # This one leverages nested _setevents invocations. First invocation sets # target->end_event_obj to S1 instance. On seconds invocation, # target->end_event_obj has refcnt==1, so DECREF at line 1 triggers S1.__del__(). # Destructor invokes _setevents again and sets target->end_event_obj to a S3 # instance (with refcnt==1). After we return from nested call at line 1, # execution continues until it hits an "end" element. At line 2 S3.__del__() is # called and it deallocates "events_seq". This triggers a controlled OOB (we can # call it a use after free too) read at line 3. We can control a PyObject pointer. # # Program received signal SIGSEGV, Segmentation fault. # 0x4068563b in xmlparser_setevents (self=0x40669e4c, args=([], [])) at /home/p/Python-3.4.1/Modules/_elementtree.c:3560 # 3560 PyObject event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i); # (gdb) print i # 1ドル = 1337 # (gdb) print (PyListObject*)events_seq # 2ドル = {ob_base = {ob_base = {_ob_next = 0x40669df4, _ob_prev = 0x4055f814, ob_refcnt = 3, ob_type = 0x830e1c0 <PyList_Type>}, # ob_size = 0}, ob_item = 0x0, allocated = 0} #
msg246068 - (view)	Author: paul (pkt)	Date: 2015年07月02日 10:26
ping
msg246145 - (view)	Author: paul (pkt)	Date: 2015年07月03日 07:45
ping
msg256658 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer)	Date: 2015年12月18日 09:13
Proposed patch fixes both this issue and issue24104. With the special macro proposed in issue20440 it can be better.
msg256959 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2015年12月24日 09:53
New changeset deda5b5160d2 by Serhiy Storchaka in branch '2.7': Issue #24103: Fixed possible use after free in ElementTree.iterparse(). https://hg.python.org/cpython/rev/deda5b5160d2 New changeset ed62cf0cf256 by Serhiy Storchaka in branch '3.5': Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser. https://hg.python.org/cpython/rev/ed62cf0cf256 New changeset 8a14af800f96 by Serhiy Storchaka in branch 'default': Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser. https://hg.python.org/cpython/rev/8a14af800f96

History
Date	User	Action	Args
2022年04月11日 14:58:16	admin	set	github: 68291
2016年01月03日 06:22:14	serhiy.storchaka	link	issue24104 superseder
2015年12月24日 09:54:27	serhiy.storchaka	set	status: open -> closed dependencies: - Use the Py_SETREF macro resolution: fixed stage: patch review -> resolved
2015年12月24日 09:53:58	python-dev	set	nosy: + python-dev messages: + msg256959
2015年12月18日 09:13:46	serhiy.storchaka	set	files: + xmlparser_setevents_refcnt_bugs.patch versions: + Python 3.6, - Python 3.4 messages: + msg256658 assignee: serhiy.storchaka keywords: + patch stage: needs patch -> patch review
2015年12月16日 13:20:14	serhiy.storchaka	set	dependencies: + Use the Py_SETREF macro
2015年07月03日 07:45:44	pkt	set	messages: + msg246145
2015年07月02日 10:26:40	pkt	set	messages: + msg246068
2015年05月03日 06:54:23	Arfrever	set	nosy: + Arfrever
2015年05月02日 04:53:13	serhiy.storchaka	set	nosy: + christian.heimes, serhiy.storchaka components: + XML
2015年05月01日 14:18:13	christian.heimes	set	stage: needs patch components: + Extension Modules versions: + Python 3.5
2015年05月01日 14:15:15	pkt	create

homepage