Closed
Description
Crash report
What happened?
Build
```
apt-get install libreadline6-dev
./configure --with-pydebug --with-address-sanitizer
```
Root Cause
When calling readline.append_history_file, the first argument can be set to -2147483648, and a valid file path should be provided as the second argument. There is no proper validation logic for append_history, which can cause a crash.
```c
static PyObject *
readline_append_history_file(PyObject *module, PyObject *const *args, Py_ssize_t nargs)
{
    PyObject *return_value = NULL;
    int nelements;
    PyObject *filename_obj = Py_None;

    if (!_PyArg_CheckPositional("append_history_file", nargs, 1, 2)) {
        goto exit;
    }
    nelements = PyLong_AsInt(args[0]);  // input from user
    if (nelements == -1 && PyErr_Occurred()) {
        goto exit;
    }
    if (nargs < 2) {
        goto skip_optional;
    }
    filename_obj = args[1];
skip_optional:
    return_value = readline_append_history_file_impl(module, nelements, filename_obj);  // nelements : -2147483648

exit:
    return return_value;
}
```
```c
static PyObject *
readline_append_history_file_impl(PyObject *module, int nelements,
                                  PyObject *filename_obj)
/*[clinic end generated code: output=5df06fc9da56e4e4 input=784b774db3a4b7c5]*/
{
    ...
    errno = err = append_history(
        nelements - libedit_append_replace_history_offset, filename);  // nelements : -2147483648
}
```
POC
```python
import readline
readline.append_history_file(-2147483648, __file__)
```
ASAN
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==10389==ERROR: AddressSanitizer: SEGV on unknown address 0x620c0002a900 (pc 0x7fdf36f7aee0 bp 0x604000003ed0 sp 0x7ffd4d0abf50 T0)
==10389==The signal is caused by a READ memory access.
    #0 0x7fdf36f7aee0 (/lib/x86_64-linux-gnu/libreadline.so.8+0x3dee0) It does not crash in Python, it crashes in C GNU, so this code.
    #1 0x7fdf36fa169e in readline_append_history_file_impl Modules/readline.c:365
    #2 0x7fdf36fa192b in readline_append_history_file Modules/clinic/readline.c.h:154
    #3 0x564386c5b367 in cfunction_vectorcall_FASTCALL Objects/methodobject.c:425
    #4 0x564386b64981 in _PyObject_VectorcallTstate Include/internal/pycore_call.h:167
    #5 0x564386b64adc in PyObject_Vectorcall Objects/call.c:327
    #6 0x564386ec6fea in _PyEval_EvalFrameDefault Python/generated_cases.c.h:857
    #7 0x564386f0b295 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:119
    #8 0x564386f0b295 in _PyEval_Vector Python/ceval.c:1823
    #9 0x564386f0b4b6 in PyEval_EvalCode Python/ceval.c:621
    #10 0x56438701b139 in run_eval_code_obj Python/pythonrun.c:1292
    #11 0x56438701e07e in run_mod Python/pythonrun.c:1377
    #12 0x56438701ee5e in pyrun_file Python/pythonrun.c:1210
    #13 0x56438702133d in _PyRun_SimpleFileObject Python/pythonrun.c:459
    #14 0x564387021831 in _PyRun_AnyFileObject Python/pythonrun.c:77
    #15 0x5643870869dc in pymain_run_file_obj Modules/main.c:409
    #16 0x564387089854 in pymain_run_file Modules/main.c:428
    #17 0x56438708a465 in pymain_run_python Modules/main.c:696
    #18 0x56438708a5f5 in Py_RunMain Modules/main.c:775
    #19 0x56438708a7dc in pymain_main Modules/main.c:805
    #20 0x56438708ab54 in Py_BytesMain Modules/main.c:829
    #21 0x5643869c5b15 in main Programs/python.c:15
    #22 0x7fdf3a238d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #23 0x7fdf3a238e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #24 0x5643869c5a44 in _start (/cpython_latest/python+0x28aa44)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libreadline.so.8+0x3dee0)
==10389==ABORTING
```
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.14.0a0 (heads/main:bb09ba6792, Jul 27 2024, 09:44:43) [GCC 11.4.0]
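The missing check described under Root Cause, sketched as a stand-alone C helper. This is an added example, not code from CPython or from the reporter: `checked_append_count` is a hypothetical name, and the `offset` parameter stands in for `libedit_append_replace_history_offset`, whose actual values are not shown on this page.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (not part of CPython): validate the caller-supplied
 * history count before it is handed to append_history().
 * Returns 0 and stores (nelements - offset) in *out when the value is safe,
 * or -1 (leaving *out untouched) when it must be rejected. */
static int
checked_append_count(int nelements, int offset, int *out)
{
    /* "Append the last N entries" has no meaning for N < 0; this also
     * rejects INT_MIN (-2147483648), the value used in the PoC. */
    if (nelements < 0) {
        return -1;
    }
    /* The adjusted count must not drop below zero. */
    if (offset > nelements) {
        return -1;
    }
    /* With a negative offset the subtraction adds; reject signed overflow.
     * INT_MAX + offset cannot itself overflow because offset < 0 here. */
    if (offset < 0 && nelements > INT_MAX + offset) {
        return -1;
    }
    *out = nelements - offset;
    return 0;
}

int
main(void)
{
    /* Constructed sample inputs: the PoC value plus boundary cases. */
    const int samples[][2] = {
        {INT_MIN, 0}, {-1, 0}, {0, 0}, {0, 1}, {5, 1}, {INT_MAX, -1},
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int adjusted = 0;
        int rc = checked_append_count(samples[i][0], samples[i][1], &adjusted);
        if (rc == 0) {
            printf("nelements=%d offset=%d -> pass %d to append_history\n",
                   samples[i][0], samples[i][1], adjusted);
        } else {
            printf("nelements=%d offset=%d -> rejected\n",
                   samples[i][0], samples[i][1]);
        }
    }
    return 0;
}
```

In an extension module the rejected case would map to raising an exception (for example `ValueError`) before the library call is made.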