Issue 24103

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Use after free in xmlparser_setevents (1)
Type: crash
Stage: resolved
Components: Extension Modules, XML
Versions: Python 3.6, Python 3.5

process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: serhiy.storchaka
Nosy List: Arfrever, christian.heimes, pkt, python-dev, serhiy.storchaka
Priority: normal
Keywords: patch

Created on 2015-05-01 14:15 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name, Uploaded, Description
poc_xml_setevents1.py, pkt, 2015-05-01 14:15
xmlparser_setevents_refcnt_bugs.patch, serhiy.storchaka, 2015-12-18 09:13
Messages (5)
msg242320 - Author: paul (pkt) Date: 2015-05-01 14:15
# xmlparser_setevents(XMLParserObject *self, PyObject* args)
# {
#     ...
#     /* clear out existing events */
#     Py_CLEAR(target->start_event_obj);
# 1   Py_CLEAR(target->end_event_obj);
#     Py_CLEAR(target->start_ns_event_obj);
#     Py_CLEAR(target->end_ns_event_obj);
#
#     ...
#
#     seqlen = PySequence_Size(events_seq);
#     for (i = 0; i < seqlen; ++i) {
# 3       PyObject *event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i);
#         ...
#
#         if (event_name == NULL) {
#             ...
#             return NULL;
#         } else if (strcmp(event_name, "start") == 0) {
#             ...
#         } else if (strcmp(event_name, "end") == 0) {
#             Py_INCREF(event_name_obj);
# 2           Py_XDECREF(target->end_event_obj);
#             target->end_event_obj = event_name_obj;
#         }
#         ...
#       }
#     ...
#   }
#
# This one leverages nested _setevents invocations. First invocation sets
# target->end_event_obj to S1 instance. On second invocation,
# target->end_event_obj has refcnt==1, so DECREF at line 1 triggers S1.__del__().
# Destructor invokes _setevents again and sets target->end_event_obj to a S3
# instance (with refcnt==1). After we return from nested call at line 1,
# execution continues until it hits an "end" element. At line 2 S3.__del__() is
# called and it deallocates "events_seq". This triggers a controlled OOB (we can
# call it a use after free too) read at line 3. We can control a PyObject pointer.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x4068563b in xmlparser_setevents (self=0x40669e4c, args=([], [])) at /home/p/Python-3.4.1/Modules/_elementtree.c:3560
# 3560            PyObject *event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i);
# (gdb) print i
# $1 = 1337
# (gdb) print *(PyListObject*)events_seq
# $2 = {ob_base = {ob_base = {_ob_next = 0x40669df4, _ob_prev = 0x4055f814, ob_refcnt = 3, ob_type = 0x830e1c0 <PyList_Type>},
#     ob_size = 0}, ob_item = 0x0, allocated = 0}
#
msg246068 - Author: paul (pkt) Date: 2015-07-02 10:26
ping
msg246145 - Author: paul (pkt) Date: 2015-07-03 07:45
ping
msg256658 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-12-18 09:13
Proposed patch fixes both this issue and issue24104. With the special macro proposed in issue20440 it can be better.
msg256959 - Author: Roundup Robot (python-dev) (Python triager) Date: 2015-12-24 09:53
New changeset deda5b5160d2 by Serhiy Storchaka in branch '2.7':
Issue #24103: Fixed possible use after free in ElementTree.iterparse().
https://hg.python.org/cpython/rev/deda5b5160d2

New changeset ed62cf0cf256 by Serhiy Storchaka in branch '3.5':
Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser.
https://hg.python.org/cpython/rev/ed62cf0cf256

New changeset 8a14af800f96 by Serhiy Storchaka in branch 'default':
Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser.
https://hg.python.org/cpython/rev/8a14af800f96
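
The two ordering hazards described in msg242320 (a decref that runs a finalizer before the field is updated, and a loop bound cached before that finalizer can shrink the sequence), reduced to a toy refcount model in plain C. This is an added example, not code from CPython or from the attached patch; Obj, Seq, store_unsafe, store_safe and run are hypothetical names, and the finalizer stands in for a __del__ method. The model only counts the stale reads, it never performs them.

```c
#include <stdio.h>

/* Toy model (constructed): a refcounted object whose finalizer may run
   arbitrary code, standing in for a Python object with __del__. */
typedef struct Obj { int refcnt; int dead; void (*fin)(void); } Obj;
typedef struct { Obj **items; size_t size; } Seq;

static Seq events;           /* stands in for events_seq */
static Obj *slot;            /* stands in for target->end_event_obj */
static int stale_slot_seen;  /* finalizer saw the slot holding a dead object */

static void decref(Obj *o) {
    if (o && --o->refcnt == 0) { o->dead = 1; if (o->fin) o->fin(); }
}

/* Finalizer: inspects the slot, then empties the sequence being iterated. */
static void fin_clear_events(void) {
    if (slot && slot->dead) stale_slot_seen = 1;
    events.size = 0;
}

/* Order used at line 2 of the report: release first, store afterwards. */
static void store_unsafe(Obj *n) { n->refcnt++; decref(slot); slot = n; }
/* Swap-then-release: the slot is consistent before any finalizer runs. */
static void store_safe(Obj *n) { Obj *old = slot; n->refcnt++; slot = n; decref(old); }

/* Returns how many indices past the live size the loop would have read. */
static size_t run(int hardened) {
    Obj old = {1, 0, fin_clear_events}, a = {1, 0, NULL}, b = {1, 0, NULL};
    Obj *backing[] = {&a, &b};
    size_t i, oob = 0, cached;
    events.items = backing; events.size = 2;
    slot = &old; stale_slot_seen = 0;
    cached = events.size;    /* like seqlen = PySequence_Size(events_seq) */
    for (i = 0; i < (hardened ? events.size : cached); ++i) {
        if (i >= events.size) { oob++; continue; }  /* the stale read at line 3 */
        if (hardened) store_safe(events.items[i]);
        else store_unsafe(events.items[i]);
    }
    return oob;
}

int main(void) {
    size_t u = run(0); int us = stale_slot_seen;
    size_t h = run(1); int hs = stale_slot_seen;
    printf("release-then-store, cached length: oob=%zu stale=%d\n", u, us);
    printf("swap-then-release, live length:    oob=%zu stale=%d\n", h, hs);
    return 0;
}
```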
History
Date, User, Action, Args
2022-04-11 14:58:16, admin, set, github: 68291
2016-01-03 06:22:14, serhiy.storchaka, link, issue24104 superseder
2015-12-24 09:54:27, serhiy.storchaka, set, status: open -> closed; dependencies: - Use the Py_SETREF macro; resolution: fixed; stage: patch review -> resolved
2015-12-24 09:53:58, python-dev, set, nosy: + python-dev; messages: + msg256959
2015-12-18 09:13:46, serhiy.storchaka, set, files: + xmlparser_setevents_refcnt_bugs.patch; versions: + Python 3.6, - Python 3.4; messages: + msg256658; assignee: serhiy.storchaka; keywords: + patch; stage: needs patch -> patch review
2015-12-16 13:20:14, serhiy.storchaka, set, dependencies: + Use the Py_SETREF macro
2015-07-03 07:45:44, pkt, set, messages: + msg246145
2015-07-02 10:26:40, pkt, set, messages: + msg246068
2015-05-03 06:54:23, Arfrever, set, nosy: + Arfrever
2015-05-02 04:53:13, serhiy.storchaka, set, nosy: + christian.heimes, serhiy.storchaka; components: + XML
2015-05-01 14:18:13, christian.heimes, set, stage: needs patch; components: + Extension Modules; versions: + Python 3.5
2015-05-01 14:15:15, pkt, create