Author collinwinter
Date 2006-07-05.17:33:57
Content
Similar to the bug in tuple() shown in the current (r47245) version of Lib/test/crashers/gc_inspection.py, filter() can be exploited in similar ways.

Rather than the tricky generator used to exploit tuple(), the attached test case uses a subclass of tuple with a malicious __getitem__ method. The pattern being exploited is the same, however: a built-in function pre-allocates a tuple, then fills it using calls to user-defined code.

gc_inspection.py.diff also expands the infrastructure in gc_inspection.py, allowing multiple test functions to run that could crash the interpreter.

The second patch, fix_filter_crash.patch, is against Python/bltinmodule.c and adds _PyObject_GC_TRACK/UNTRACK macros around the call to the type's sq_item slot in filtertuple().
History
Date                 User   Action  Args
2007-08-23 14:41:07  admin  link    issue1517663 messages
2007-08-23 14:41:07  admin  create
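
The pre-allocate-then-fill pattern described in the message, reduced to a toy C model. This is an added example, not code from the issue's patches or from CPython: `toy_tuple`, its `tracked` flag and every function name are hypothetical. It assumes the guard hides the container from inspection for the duration of each user-code call and re-exposes it afterwards.

```c
#include <stddef.h>
#include <stdio.h>

#define N 4
/* Toy stand-in for a pre-allocated tuple; "tracked" models GC visibility. */
typedef struct { const int *slot[N]; int tracked; } toy_tuple;

static toy_tuple *gc_visible;  /* the one container the toy "GC" can enumerate */
static int null_slots_seen;    /* unfilled slots reached by user code */

/* Models user-defined code (such as a __getitem__) that walks GC-visible
   containers while the built-in is still filling its result. */
static const int *user_getitem(const int *src, int i) {
    if (gc_visible && gc_visible->tracked)
        for (int k = 0; k < N; k++)
            if (gc_visible->slot[k] == NULL) null_slots_seen++;
    return &src[i];
}

/* Pre-allocate, then fill through user code. With guard != 0 the container
   is untracked before each user call and re-tracked after it returns. */
static int fill(toy_tuple *t, const int *src, int guard) {
    null_slots_seen = 0;
    for (int k = 0; k < N; k++) t->slot[k] = NULL;
    t->tracked = 1;                 /* allocation makes it GC-visible */
    gc_visible = t;
    for (int i = 0; i < N; i++) {
        if (guard) t->tracked = 0;  /* hide the half-built container */
        const int *item = user_getitem(src, i);
        if (guard) t->tracked = 1;  /* expose it again */
        t->slot[i] = item;
    }
    gc_visible = NULL;
    return null_slots_seen;
}

static const int sample[N] = {1, 2, 3, 4};  /* constructed input */

int unguarded_exposure(void) { toy_tuple t; return fill(&t, sample, 0); }
int guarded_exposure(void)   { toy_tuple t; return fill(&t, sample, 1); }

int main(void) {
    printf("unguarded: %d unfilled slots visible to user code\n", unguarded_exposure());
    printf("guarded:   %d unfilled slots visible to user code\n", guarded_exposure());
    return 0;
}
```

In the real interpreter an unfilled slot is a NULL object pointer, so user code that reaches it through the garbage collector can crash the process rather than just increment a counter.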
