on-35dm-i386-linux-gnu.so`encoder_listencode_list(s=0xb6f90394, acc=0xbfc42c28, seq=0xb6f2361c, indent_level=1) + 655 at _json.c:1800#     frame #2: 0xb6e4366d _json.cpython-35dm-i386-linux-gnu.so`encoder_listencode_obj(s=0xb6f90394, acc=0xbfc42c28, obj=0xb6f2361c, indent_level=1) + 733 at _json.c:1554#     frame #3: 0xb6e3fc4f _json.cpython-35dm-i386-linux-gnu.so`encoder_call(self=0xb6f90394, args=0xb7049304, kwds=0x00000000) + 319 at _json.c:1386#     frame #4: 0x080c5758 python`PyObject_Call(func=0xb6f90394, arg=0xb7049304, kw=0x00000000) + 264 at abstract.c:2149# # This is a type confusion bug. encoder->markers can be initialized to an# arbitrary object (string in this POC). PyDict_Contains trusts the caller that# "op" is a dictionary without checking. Some callers can't be trusted :)

I don't understand the issue. Can you elaborate?What is your code? What is the current result? What is the expected result? What is your platform? What is your Python version? etc.

Sorry, I uploaded a test case.

In encoder_init (the __init__ for _json.Encoder) s->marker is set to an argument of __init__, without any kind of type check, it can therefore be an arbitrary object.encoder_listencode_obj (and other functions) then use s->markers with the concrete API for dicts (such as PyDict_Contains). PyDict_Contains does not perform a type check, but casts its first argument to a PyDictObject and access fields. That causes problems when the marker isn't actually a dict.I don't know the module good enough to be 100% sure about a fix, but I think it would be best to add a type check to encoder_init. BTW. As far as I know _json.make_encoder is a private API and shouldn't be used directly, when you use the public API the argument will always be a dict.

There is similar issue with key_separator and item_separator in 3.x. They are used with _PyAccu_Accumulate that performs a type check only in assert().Here is a patch.

Patch LGTM.

New changesetb3d0bf112f70 by Serhiy Storchaka in branch '3.4':Issue#24683: Fixed crashes in _json functions called with arguments ofhttps://hg.python.org/cpython/rev/b3d0bf112f70New changesetef4d09399b99 by Serhiy Storchaka in branch '3.5':Issue#24683: Fixed crashes in _json functions called with arguments ofhttps://hg.python.org/cpython/rev/ef4d09399b99New changeset7de4abf4eed2 by Serhiy Storchaka in branch 'default':Issue#24683: Fixed crashes in _json functions called with arguments ofhttps://hg.python.org/cpython/rev/7de4abf4eed2

New changeset0a1266ef1b5d by Serhiy Storchaka in branch '2.7':Issue#24683: Fixed a crash in _json.make_encoder() called with non-dict 1st argument.https://hg.python.org/cpython/rev/0a1266ef1b5d

Thank you for your report paul. Thanks for review Raymond.

resolution: not a bug^ because of private API?

> resolution: not a bugSince Serhiy pushed changes, the issue is fixed and it is a real bug.Thanks for the report paul.

This was my fault. I want to set resolution to "fixed" but missed. Victor has corrected this.

Proof of EIP control.

GDB dump of running ./python eip.py_______________________________________________________________________________     eax:37A317DD ebx:B7A54268  ecx:BFFFE22C  edx:11223344     eflags:00010217     esi:B7A61060 edi:B7AA6714  esp:BFFFE20C  ebp:B7A317DC     eip:11223344     cs:0073  ds:007B  es:007B  fs:0000  gs:0033  ss:007B    o d I t s z A P C[007B:BFFFE20C]---------------------------------------------------------[stack]BFFFE23C : 10 FA A1 B7  60 10 A6 B7 - 68 42 A5 B7  00 60 A2 B7 ....`...hB...`..BFFFE22C : 60 17 A6 B7  10 68 2B 08 - 00 60 A2 B7  DC 17 A3 B7 `....h+..`......BFFFE21C : 2C E2 FF BF  DC 17 A3 B7 - 3C E2 FF BF  00 00 00 00 ,.......<.......BFFFE20C : AE 07 0D 08  60 10 A6 B7 - 68 42 A5 B7  DD 17 A3 37 ....`...hB.....7[0073:11223344]---------------------------------------------------------[ code]=> 0x11223344:  Error while running hook_stop:Cannot access memory at address 0x112233440x11223344 in ?? ()

I can't reproduce your example paul.$ ./python eip.py Traceback (most recent call last):  File "eip.py", line 21, in <module>    e = j.make_encoder(markers, None, enc, 4, "ks", "is", False, True, True)TypeError: make_encoder() argument 1 must be dict or None, not array.array

Can you try on 2.7 branch?

The same result on 2.7 branch:$ ./python ../cpython/eip.py Traceback (most recent call last):  File "../cpython/eip.py", line 21, in <module>    e = j.make_encoder(markers, None, enc, 4, "ks", "is", False, True, True)TypeError: make_encoder() argument 1 must be dict or None, not str

Sorry, I wasn't clear enough. This POC is a proof that the original bug can be used for EIP control. I just checked and it works as advertised on 2.7 revision:https://hg.python.org/cpython/rev/2d39777f3477 - it's a parent ofhttps://hg.python.org/cpython/rev/0a1266ef1b5d containing the patch for this issue. I added this file, because I submitted a bug on hackerone claiming EIP control.