➜
This issue trackerhas been migrated toGitHub, and is currentlyread-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on2015-05-01 14:03 bypkt, last changed2022-04-11 14:58 byadmin. This issue is nowclosed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| poc_get_filter.py | pkt,2015-05-01 14:04 | |||
| Messages (6) | |||
|---|---|---|---|
| msg242311 -(view) | Author: paul (pkt) | Date: 2015-05-01 14:03 | |
# Program received signal SIGSEGV, Segmentation fault.# 0x40036740 in encoder_listencode_dict (s=0x405b43fc, acc=0xbf86438c, dct=<D at remote 0x405b2fb4>, indent_level=0)# at /home/p/Python-3.4.1/Modules/_json.c:1557# 1557 PyList_SET_ITEM(items, i, item);# (gdb) print *(PyListObject*)items# $1 = {ob_base = {ob_base = {_ob_next = 0x405bcab4, _ob_prev = 0x40591184, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}, # ob_size = 0}, ob_item = 0x0, allocated = 0}# (gdb) print i# $2 = 112233# # "items" was cleared in __hash__, so we get a wild write at a controlled address. | |||
| msg242312 -(view) | Author: paul (pkt) | Date: 2015-05-01 14:04 | |
# Program received signal SIGSEGV, Segmentation fault.# 0x080f2c17 in PyObject_GetAttr (v=<unknown at remote 0x40573d8c>, name='match') atObjects/object.c:872# 872 if (tp->tp_getattro != NULL)# (gdb) bt# #0 0x080f2c17 in PyObject_GetAttr (v=<unknown at remote 0x40573d8c>, name='match') atObjects/object.c:872# #1 0x080f2b42 in _PyObject_GetAttrId (v=<unknown at remote 0x40573d8c>, name=0x8328354 <PyId_match.9432>) atObjects/object.c:835# #2 0x0809c3a6 in _PyObject_CallMethodId (o=<unknown at remote 0x40573d8c>, name=0x8328354 <PyId_match.9432>, format=0x829552c "O")# atObjects/abstract.c:2215# #3 0x0817e48b in check_matched (obj=<unknown at remote 0x40573d8c>, arg='c') atPython/_warnings.c:28# #4 0x0817e88b in get_filter (category=<type at remote 0x830bf80>, text='', lineno=4, module='c', item=0xbfa87c88)# (gdb) frame 4# #4 0x0817e88b in get_filter (category=<type at remote 0x830bf80>, text='', lineno=4, module='c', item=0xbfa87c88)# atPython/_warnings.c:152# 152 good_mod = check_matched(mod, module);# (gdb) print *mod# $1 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb}# # "mod" object is deleted in "match" method. Use after free.# | |||
| msg242314 -(view) | Author: Christian Heimes (christian.heimes)* | Date: 2015-05-01 14:09 | |
In 3.5 the segfault occurs at#0 0x00007ffff073e55e in encoder_listencode_dict (s=s@entry=0x7ffff09aa988,acc=acc@entry=0x7fffffffcf20,dct=dct@entry=<D at remote 0x7ffff094b958>,indent_level=indent_level@entry=0) at /home/heimes/dev/python/cpython/Modules/_json.c:1686#1 0x00007ffff073ee85 in encoder_listencode_obj (s=s@entry=0x7ffff09aa988,acc=acc@entry=0x7fffffffcf20, obj=<D at remote 0x7ffff094b958>, indent_level=0) at /home/heimes/dev/python/cpython/Modules/_json.c:1561#2 0x00007ffff073f392 in encoder_call (self=<_json.Encoder at remote 0x7ffff09aa988>, args=(<D at remote 0x7ffff094b958>, 0), kwds=0x0) at /home/heimes/dev/python/cpython/Modules/_json.c:1386#3 0x000000000044edf8 in PyObject_Call (func=func@entry=<_json.Encoder at remote 0x7ffff09aa988>,arg=arg@entry=(<D at remote 0x7ffff094b958>, 0),kw=kw@entry=0x0) atObjects/abstract.c:2147#4 0x000000000052be56 in do_call (func=func@entry=<_json.Encoder at remote 0x7ffff09aa988>,pp_stack=pp_stack@entry=0x7fffffffd098,na=na@entry=2,nk=nk@entry=0) atPython/ceval.c:4515#5 0x000000000053663c in call_function (pp_stack=pp_stack@entry=0x7fffffffd098,oparg=oparg@entry=2) atPython/ceval.c:4311 | |||
| msg242323 -(view) | Author: paul (pkt) | Date: 2015-05-01 14:22 | |
Issue for poc_enc_dict3.py is here:https://bugs.python.org/issue24105Please ignore first and third message. | |||
| msg242325 -(view) | Author: Christian Heimes (christian.heimes)* | Date: 2015-05-01 14:42 | |
Thanks Paul!May I ask how you found that many use-after-free bugs? Are you using some sort of tool for static code analysis or fuzzying? | |||
| msg242486 -(view) | Author: Roundup Robot (python-dev) | Date: 2015-05-03 15:30 | |
New changesetffc1f9d1c8b3 by Benjamin Peterson in branch '3.3':be more robust against the filters list changing under us (closes#24096)https://hg.python.org/cpython/rev/ffc1f9d1c8b3New changeset47f4c3a5d86a by Benjamin Peterson in branch '3.4':merge 3.3 (#24096)https://hg.python.org/cpython/rev/47f4c3a5d86aNew changesetbfea101f9402 by Benjamin Peterson in branch 'default':merge 3.4 (#24096)https://hg.python.org/cpython/rev/bfea101f9402 | |||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:16 | admin | set | github: 68284 |
| 2015-05-03 15:30:09 | python-dev | set | status: open -> closed nosy: +python-dev messages: +msg242486 resolution: fixed stage: needs patch -> resolved |
| 2015-05-03 06:47:24 | Arfrever | set | nosy: +Arfrever |
| 2015-05-02 04:48:34 | serhiy.storchaka | set | nosy: +rhettinger,pitrou,ezio.melotti,serhiy.storchaka |
| 2015-05-01 14:42:22 | christian.heimes | set | messages: +msg242325 |
| 2015-05-01 14:22:16 | pkt | set | messages: +msg242323 |
| 2015-05-01 14:20:15 | pkt | set | files: -poc_enc_dict3.py |
| 2015-05-01 14:09:49 | christian.heimes | set | messages: +msg242314 |
| 2015-05-01 14:08:58 | christian.heimes | set | nosy: +christian.heimes stage: needs patch components: + Extension Modules versions: + Python 3.5 |
| 2015-05-01 14:04:37 | pkt | set | files: +poc_get_filter.py messages: +msg242312 title: Use after free during json encoding a dict (3) -> Use after free in get_filter |
| 2015-05-01 14:03:23 | pkt | create | |