
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.
Created on 2019-10-28 05:49 by LCatro, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 17022 | merged | ZackerySpytz,2019-10-31 20:34 | |
| PR 17758 | merged | miss-islington,2019-12-30 19:33 | |
| PR 17759 | merged | pablogsal,2019-12-30 19:35 | |
| PR 18207 | closed | corona10,2020-01-27 17:39 | |
| Messages (5) | |||
|---|---|---|---|
| msg355513 -(view) | Author: (LCatro) | Date: 2019-10-28 05:49 | |
Code 1 :

```c
static PyObject *
list_index_impl(PyListObject *self, PyObject *value, Py_ssize_t start, Py_ssize_t stop)
// ...
    for (i = start; i < stop && i < Py_SIZE(self); i++) {
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);  // <= self->ob_item[i] can uaf ..
```

PoC :

```python
class rewrite_list_eq(list) :
    def __eq__(self,other) :
        str(other)  # <== that will call the object recall function tp_repr and call it ..
        return NotImplemented

class poc() :
    def __eq__(self,other) :
        list1.clear()
        return NotImplemented

list1 = [ poc() ]
list1.index(list1)  # list_index_impl() -> PyObject_RichCompareBool()
```

Crash Report :

```
(gdb) run ../py_poc/list_poc_3.py
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_3.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573	    if (Py_TYPE(v)->tp_str == NULL)
```

=====

Code 2 :

```c
static PyObject *
list_count(PyListObject *self, PyObject *value)
{
    Py_ssize_t count = 0;
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);  // <=
```

PoC :

```python
class rewrite_list_eq(list) :
    def __eq__(self,other) :
        str(other)
        return NotImplemented

class poc() :
    def __eq__(self,other) :
        list1.clear()
        return NotImplemented

list1 = rewrite_list_eq([ poc() ])
list1.count(list1)  # list_count() -> PyObject_RichCompareBool()
```

Crash Report :

```
(gdb) run ../py_poc/list_poc_4.py
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_4.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573	    if (Py_TYPE(v)->tp_str == NULL)
```

===

Code 3 :

```c
static PyObject *
list_remove(PyListObject *self, PyObject *value)
/*[clinic end generated code: output=f087e1951a5e30d1 input=2dc2ba5bb2fb1f82]*/
{
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
        Py_INCREF(self->ob_item[i]);
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);
```

PoC :

```python
class rewrite_list_eq(list) :
    def __eq__(self,other) :
        str(other)
        return NotImplemented

class poc() :
    def __eq__(self,other) :
        list1.clear()
        return NotImplemented

list1 = rewrite_list_eq([ poc() ])
list1.remove(list1)  # list_remove() -> PyObject_RichCompareBool()
```

Crash Report :

```
(gdb) run ../py_poc/list_poc_5.py
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_5.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573	    if (Py_TYPE(v)->tp_str == NULL)
```
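The three crashes above share one root cause: the list method passes `self->ob_item[i]` to `PyObject_RichCompareBool()` as a borrowed reference, the user-defined `__eq__` empties the list and so drops the only strong reference to that item, and the reflected `__eq__` then calls `str()` on memory that has already been released. The following is an added example, not code from this issue or from CPython: a toy refcounted object model (names `obj_t`, `list_t`, `hostile_eq`, `unsafe_index`, `safe_index` are invented) that reproduces the borrowed-reference loop beside the hardened form, which takes an owned reference before calling out and releases it afterwards, the `Py_INCREF`/`Py_DECREF` pattern the fix for this issue relies on. Freed objects are flagged rather than really freed so the dangling access is detected instead of faulting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy refcounted object (assumption: invented stand-in for PyObject). Instead
 * of really freeing at refcnt 0 we set a flag, so a use-after-free is detected
 * rather than crashing the way PyObject_Str does in the report above. */
typedef struct { int refcnt; bool freed; int id; } obj_t;

typedef struct { obj_t **items; size_t size, cap; } list_t;

static obj_t *obj_new(int id) {
    obj_t *o = calloc(1, sizeof *o);
    o->refcnt = 1;
    o->id = id;
    return o;
}
static void obj_incref(obj_t *o) { o->refcnt++; }
static void obj_decref(obj_t *o) { if (--o->refcnt == 0) o->freed = true; }

/* Stand-in for str(obj) / tp_str: CPython reads Py_TYPE(v)->tp_str from the
 * freed object and faults; here a freed object yields -1. */
static int obj_str(const obj_t *o) { return o->freed ? -1 : o->id; }

static list_t *list_new(size_t n) {
    list_t *l = calloc(1, sizeof *l);
    l->items = calloc(n, sizeof *l->items);
    for (size_t i = 0; i < n; i++) l->items[i] = obj_new((int)i + 1);
    l->size = l->cap = n;
    return l;
}

/* list.clear(): drops the list's reference to every item. */
static void list_clear(list_t *l) {
    for (size_t i = 0; i < l->size; i++) obj_decref(l->items[i]);
    l->size = 0;
}

static void list_free(list_t *l) {
    for (size_t i = 0; i < l->cap; i++) free(l->items[i]);
    free(l->items);
    free(l);
}

/* Models the PoC's comparison chain for `item == lst`: poc.__eq__ clears the
 * list (dropping the only reference to item), then the reflected
 * rewrite_list_eq.__eq__ calls str(item). Returns 0 (not equal) on success,
 * -1 if str() was applied to an already freed object. */
static int hostile_eq(obj_t *item, list_t *lst) {
    list_clear(lst);
    return obj_str(item) < 0 ? -1 : 0;
}

typedef int (*eq_fn)(obj_t *item, list_t *lst);

/* Loop as in the reported list_index_impl(): the item is only a borrowed
 * reference while the user-defined __eq__ runs. Returns the index, -1 for
 * not found, -2 if the comparison failed (here: touched freed memory). */
static int unsafe_index(list_t *lst, eq_fn eq) {
    for (size_t i = 0; i < lst->size; i++) {
        int cmp = eq(lst->items[i], lst);
        if (cmp < 0) return -2;
        if (cmp > 0) return (int)i;
    }
    return -1;
}

/* Hardened loop: own the item across the call-out (Py_INCREF before the
 * comparison, Py_DECREF after). The callback may still empty the list, but
 * the item outlives the call and the loop bound is re-read each iteration. */
static int safe_index(list_t *lst, eq_fn eq) {
    for (size_t i = 0; i < lst->size; i++) {
        obj_t *item = lst->items[i];
        obj_incref(item);
        int cmp = eq(item, lst);
        obj_decref(item);
        if (cmp < 0) return -2;
        if (cmp > 0) return (int)i;
    }
    return -1;
}

/* Constructed scenario matching the PoC: a one-element list compared
 * against itself through the hostile __eq__. */
static int run_unsafe(void) {
    list_t *l = list_new(1);
    int r = unsafe_index(l, hostile_eq);
    list_free(l);
    return r;   /* -2: str() ran on a freed item */
}
static int run_safe(void) {
    list_t *l = list_new(1);
    int r = safe_index(l, hostile_eq);
    list_free(l);
    return r;   /* -1: no match, and no dangling access */
}

int main(void) {
    printf("borrowed reference: %d\nowned reference:    %d\n", run_unsafe(), run_safe());
    return 0;
}
```

The general rule the example illustrates: any C loop over a container that calls back into arbitrary Python code (`PyObject_RichCompareBool`, `PyObject_Str`, `tp_hash`, a user callback) must either hold its own reference to the element for the duration of the call or not touch the element afterwards, and must re-check the container's size on every iteration because the callback may have shrunk it.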
| msg355766 -(view) | Author: Zackery Spytz (ZackerySpytz) | Date: 2019-10-31 20:35 | |
I have created a patch to fix these crashes. Please consider taking a look.
| msg359055 -(view) | Author: Pablo Galindo Salgado (pablogsal) | Date: 2019-12-30 19:33 | |
New changeset d9e561d23d994e3ed15f4fcbd7ee5c8fe50f190b by Pablo Galindo (Zackery Spytz) in branch 'master': bpo-38610: Fix possible crashes in several list methods (GH-17022) https://github.com/python/cpython/commit/d9e561d23d994e3ed15f4fcbd7ee5c8fe50f190b
| msg359056 -(view) | Author: miss-islington (miss-islington) | Date: 2019-12-30 19:51 | |
New changeset fcaf14cd9179bb48850f8f81ce8d5cee28129745 by Miss Islington (bot) in branch '3.8': bpo-38610: Fix possible crashes in several list methods (GH-17022) https://github.com/python/cpython/commit/fcaf14cd9179bb48850f8f81ce8d5cee28129745
| msg359057 -(view) | Author: Pablo Galindo Salgado (pablogsal) | Date: 2019-12-30 19:58 | |
New changeset 296d45ec10fb55532bc3fac2311a3f91299ecf59 by Pablo Galindo in branch '3.7': [3.7] bpo-38610: Fix possible crashes in several list methods (GH-17022) (GH-17759) https://github.com/python/cpython/commit/296d45ec10fb55532bc3fac2311a3f91299ecf59
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:22 | admin | set | github: 82791 |
| 2020-01-27 17:40:43 | corona10 | set | versions: + Python 3.6 |
| 2020-01-27 17:39:50 | corona10 | set | pull_requests: +pull_request17584 |
| 2019-12-30 19:58:43 | pablogsal | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
| 2019-12-30 19:58:34 | pablogsal | set | messages: +msg359057 |
| 2019-12-30 19:51:14 | miss-islington | set | nosy: +miss-islington messages: +msg359056 |
| 2019-12-30 19:35:36 | pablogsal | set | pull_requests: +pull_request17195 |
| 2019-12-30 19:33:27 | miss-islington | set | pull_requests: +pull_request17194 |
| 2019-12-30 19:33:06 | pablogsal | set | nosy: +pablogsal messages: +msg359055 |
| 2019-10-31 20:35:48 | ZackerySpytz | set | nosy: +ZackerySpytz messages: +msg355766 versions: + Python 2.7, Python 3.7, Python 3.9 |
| 2019-10-31 20:34:16 | ZackerySpytz | set | keywords: +patch stage: patch review pull_requests: +pull_request16539 |
| 2019-10-28 05:49:18 | LCatro | create | |