
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python Developer Guide.

Created on 2016-08-16 05:00 by benjamin.peterson, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Messages (2)

msg272831 - (view) | Author: Benjamin Peterson (benjamin.peterson) * | Date: 2016-08-16 05:00

Thomas E Hybel reports:

This vulnerability exists in the function _sre_SRE_Match_groupdict_impl which resides in the /Modules/_sre.c file.

The problem is that the code calls Py_DECREF(key); without having done a corresponding Py_INCREF on the key.

Here's the relevant code:

```c
static PyObject *
_sre_SRE_Match_groupdict_impl(MatchObject *self, PyObject *default_value)
{
    ...
    for (index = 0; index < PyList_GET_SIZE(keys); index++) {
        ...
        PyObject* key;
        ...
        key = PyList_GET_ITEM(keys, index);
        ...
        value = match_getslice(self, key, default_value);
        if (!value) {
            Py_DECREF(key);
            goto failed;
        }
        ...
    }
    ...
}
```

We initialize the "key" variable via PyList_GET_ITEM(keys, index) which simply takes keys->ob_item[index]. There is no increase in reference count.

If match_getslice fails, we then call Py_DECREF(key). This is simply wrong. It will result in the key object getting freed prematurely, leading to use-after-free scenarios.

Here's a script which reproduces this:

--- begin script ---
```python
import _sre
import time

p = _sre.compile(
    "A",               # pattern
    0,                 # flags
    [1],               # code
    1,                 # groups
    {0xdeadbeef: 0},   # groupindex
    0                  # indexgroup
)

m = p.match("AAAA")

for _ in range(5):
    # each call to m.groupdict decreases the refcount of 0xdeadbeef once
    try:
        m.groupdict()
    except IndexError:
        pass
```
--- end script ---

Running the script crashes python on my machine:

```
(gdb) r ./poc7.py
Starting program: /home/xx/Python-3.5.2/python ./poc7.py

Program received signal SIGSEGV, Segmentation fault.
0x0000000000567d71 in match_getindex (self=self@entry=0x7ffff7e2da18, index=index@entry=0x7ffff6d582c0) at ./Modules/_sre.c:2055
2055        if (PyLong_Check(index))
(gdb) bt
#0  0x0000000000567d71 in match_getindex (self=self@entry=0x7ffff7e2da18, index=index@entry=0x7ffff6d582c0) at ./Modules/_sre.c:2055
#1  0x0000000000568946 in match_getslice (self=self@entry=0x7ffff7e2da18, index=index@entry=0x7ffff6d582c0, def=def@entry=0x8831c0 <_Py_NoneStruct>) at ./Modules/_sre.c:2076
#2  0x0000000000568a99 in _sre_SRE_Match_groupdict_impl (self=self@entry=0x7ffff7e2da18, default_value=0x8831c0 <_Py_NoneStruct>) at ./Modules/_sre.c:2198
#3  0x0000000000568bc5 in _sre_SRE_Match_groupdict (self=0x7ffff7e2da18, args=<optimized out>, kwargs=<optimized out>) at ./Modules/clinic/_sre.c.h:518
```
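The bug class in the report, as an added example that is neither CPython code nor the reporter's PoC: a toy reference-counted object and list in C that model Py_DECREF and the borrowed reference returned by PyList_GET_ITEM, with the buggy loop (decref of a borrowed key on the error path) beside the fixed one (just propagate the error). Every name here (Obj, List, DECREF, getslice, groupdict_buggy, groupdict_fixed, run_poc) is invented for the illustration; a "freed" flag stands in for real deallocation so the premature free is observable instead of segfaulting as in the gdb session above.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of CPython reference counting (example code, not CPython's).
 * Obj stands in for PyObject, List for a list whose items are borrowed
 * references, exactly as PyList_GET_ITEM() returns them. */
typedef struct {
    long ob_refcnt;
    long long value;
    int freed;   /* set when the refcount reaches zero */
} Obj;

typedef struct {
    Obj *items[4];
    int size;
} List;

/* Py_DECREF analogue: the real one calls the deallocator at zero. */
static void DECREF(Obj *o) {
    if (--o->ob_refcnt == 0)
        o->freed = 1;
}

static Obj *new_obj(long long value) {
    Obj *o = calloc(1, sizeof *o);
    if (o) { o->ob_refcnt = 1; o->value = value; }
    return o;
}

/* PyList_GET_ITEM analogue: a borrowed reference, no INCREF. */
static Obj *list_get_item(List *l, int i) { return l->items[i]; }

/* match_getslice() stand-in: succeeds only for a valid group index, so
 * the constructed key 0xdeadbeef from the PoC always fails (IndexError). */
static int getslice(Obj *key, long long ngroups) {
    return key->value >= 0 && key->value < ngroups;
}

/* Buggy loop from the report: DECREF of a borrowed key on the error path.
 * Returns 0 on success, -1 on a getslice failure, -2 if the loop touched a
 * key that an earlier call had already freed (the use-after-free). */
static int groupdict_buggy(List *keys, long long ngroups) {
    for (int i = 0; i < keys->size; i++) {
        Obj *key = list_get_item(keys, i);   /* borrowed */
        if (key->freed)
            return -2;
        if (!getslice(key, ngroups)) {
            DECREF(key);                      /* BUG: no matching INCREF */
            return -1;
        }
    }
    return 0;
}

/* Fixed loop, as in the changesets: do not decref the borrowed value. */
static int groupdict_fixed(List *keys, long long ngroups) {
    for (int i = 0; i < keys->size; i++) {
        Obj *key = list_get_item(keys, i);   /* borrowed */
        if (key->freed)
            return -2;
        if (!getslice(key, ngroups))
            return -1;
    }
    return 0;
}

/* Mirror of the PoC: one group, groupindex key 0xdeadbeef, groupdict()
 * called `calls` times. Returns the key's refcount afterwards, or -1 if
 * some call ran into the already-freed key. With the buggy loop the count
 * drops by one per call; with the fixed loop it stays at 1. */
static long run_poc(int (*groupdict)(List *, long long), int calls) {
    Obj *key = new_obj(0xdeadbeefLL);
    if (!key) return -1;
    List keys = { { key }, 1 };   /* the list holds the only reference */
    long result = 0;
    for (int n = 0; n < calls && result == 0; n++) {
        if (groupdict(&keys, 1) == -2)
            result = -1;
    }
    if (result == 0)
        result = key->ob_refcnt;
    free(key);   /* release the toy object regardless of its (mis)count */
    return result;
}

int main(void) {
    printf("buggy, 1 call: refcount = %ld\n", run_poc(groupdict_buggy, 1));
    printf("buggy, 5 calls: %ld (-1 means a freed key was touched)\n", run_poc(groupdict_buggy, 5));
    printf("fixed, 5 calls: refcount = %ld\n", run_poc(groupdict_fixed, 5));
    return 0;
}
```

The check a reviewer applies to C extension code is the one the fix embodies: a pointer obtained from PyList_GET_ITEM, PyTuple_GET_ITEM or PyDict_GetItem is owned by the container, so no error path may Py_DECREF it unless the function itself did a Py_INCREF first.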
msg272833 - (view) | Author: Roundup Robot (python-dev) | Date: 2016-08-16 05:05

New changeset 4ca84a3e37d7 by Benjamin Peterson in branch '2.7':
do not decref value borrowed from list (closes #27774)
https://hg.python.org/cpython/rev/4ca84a3e37d7

New changeset cbf2a05648b3 by Benjamin Peterson in branch '3.3':
do not decref value borrowed from list (closes #27774)
https://hg.python.org/cpython/rev/cbf2a05648b3

New changeset 2e404ac88e0e by Benjamin Peterson in branch '3.4':
merge 3.3 (#27774)
https://hg.python.org/cpython/rev/2e404ac88e0e

New changeset 424cb9482974 by Benjamin Peterson in branch '3.5':
merge 3.4 (#27774)
https://hg.python.org/cpython/rev/424cb9482974

New changeset 64b0e0a29874 by Benjamin Peterson in branch 'default':
merge 3.5 (#27774)
https://hg.python.org/cpython/rev/64b0e0a29874
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:58:34 | admin | set | github: 71961 |
| 2016-08-16 05:05:31 | python-dev | set | status: open -> closed; nosy: +python-dev; messages: +msg272833; resolution: fixed; stage: resolved |
| 2016-08-16 05:00:44 | benjamin.peterson | create | |