Issue 27482: heap-buffer-overflow on address 0x6250000078ff

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/71669

classification

Title:	heap-buffer-overflow on address 0x6250000078ff
Type:	crash	Stage:	patch review
Components:	Interpreter Core	Versions:	Python 3.7, Python 2.7

process

Dependencies:	Superseder:
Status:	closed	Resolution:	fixed
Assigned To:	serhiy.storchaka	Nosy List:	beginvuln, benjamin.peterson, berker.peksag, duaneg, franciscouzo, serhiy.storchaka
Priority:	normal	Keywords:	patch

Created on 2016年07月11日 14:21 by beginvuln, last changed 2022年04月11日 14:58 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
python-heap-buffer-overflow-e6f-581-e5d.py	beginvuln, 2016年07月11日 14:21
0001-Issue-27482-handle-nul-characters-while-reading-inpu.patch	duaneg, 2016年09月14日 03:13

Messages (5)
msg270181 - (view)	Author: BeginVuln (beginvuln)	Date: 2016年07月11日 14:21
PoC is attached. Version: 2.7.12 =わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ=わ =わ=わ4461==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000078ff at pc 0x000000508e70 bp 0x7ffe3e88db60 sp 0x7ffe3e88db58 READ of size 1 at 0x6250000078ff thread T0 #0 0x508e6f in tok_nextc /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:954:28 #1 0x4ff581 in tok_get /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:1232:17 #2 0x4ff581 in PyTokenizer_Get /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:1681:0 #3 0x4fae5d in parsetok /home/mtowalski/tmp/python/Python-2.7.12/Parser/parsetok.c:159:16 #4 0x7c9a92 in PyParser_ASTFromFile /home/mtowalski/tmp/python/Python-2.7.12/Python/pythonrun.c:1499:15 #5 0x7c9e49 in PyRun_FileExFlags /home/mtowalski/tmp/python/Python-2.7.12/Python/pythonrun.c:1354:11 #6 0x7c8a7e in PyRun_SimpleFileExFlags /home/mtowalski/tmp/python/Python-2.7.12/Python/pythonrun.c:948:13 #7 0x4f80b9 in Py_Main /home/mtowalski/tmp/python/Python-2.7.12/Modules/main.c:640:23 #8 0x7feaeb493f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0 #9 0x42adc5 in _start ??:? 0x6250000078ff is located 1 bytes to the left of 8192-byte region [0x625000007900,0x625000009900) allocated by thread T0 here: #0 0x4c8d3c in malloc ??:? #1 0x4fe75d in PyTokenizer_FromFile /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:759:29 SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/mtowalski/tmp/python/Python-2.7.12/python+0x508e6f) Shadow bytes around the buggy address: 0x0c4a7fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c4a7fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 0x0c4a7fff8f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==4461==ABORTING
msg276370 - (view)	Author: Duane Griffin (duaneg) *	Date: 2016年09月14日 03:13
There are a couple of places where the tokenizer code is not correctly handling 0円 characters occurring at the start of the buffer. Patch attached.
msg276547 - (view)	Author: Francisco Couzo (franciscouzo) *	Date: 2016年09月15日 10:49
I can confirm this bug is also present in 3.7
msg276963 - (view)	Author: Berker Peksag (berker.peksag) * (Python committer)	Date: 2016年09月19日 09:19
I think the problem described in msg270181 is now fixed in issue 24022. Adding Benjamin to nosy list for the other case.
msg277006 - (view)	Author: Benjamin Peterson (benjamin.peterson) * (Python committer)	Date: 2016年09月20日 05:05
ASan is quiet on the POC now.

History
Date	User	Action	Args
2022年04月11日 14:58:33	admin	set	github: 71669
2016年09月20日 05:05:24	benjamin.peterson	set	status: open -> closed resolution: fixed messages: + msg277006
2016年09月19日 09:19:35	berker.peksag	set	nosy: + berker.peksag, benjamin.peterson messages: + msg276963
2016年09月15日 10:49:42	franciscouzo	set	nosy: + franciscouzo messages: + msg276547 versions: + Python 3.7
2016年09月14日 05:45:32	serhiy.storchaka	set	assignee: serhiy.storchaka nosy: + serhiy.storchaka stage: patch review
2016年09月14日 03:13:10	duaneg	set	files: + 0001-Issue-27482-handle-nul-characters-while-reading-inpu.patch nosy: + duaneg messages: + msg276370 keywords: + patch
2016年07月11日 14:21:45	beginvuln	create

homepage