Issue 24096: Use after free in get_filter

Created on 2015-05-01 14:03 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name: poc_get_filter.py
Uploaded: pkt, 2015-05-01 14:04
Messages (6)
msg242311 - Author: paul (pkt) Date: 2015-05-01 14:03
# Program received signal SIGSEGV, Segmentation fault.
# 0x40036740 in encoder_listencode_dict (s=0x405b43fc, acc=0xbf86438c, dct=<D at remote 0x405b2fb4>, indent_level=0)
#     at /home/p/Python-3.4.1/Modules/_json.c:1557
# 1557            PyList_SET_ITEM(items, i, item);
# (gdb) print *(PyListObject*)items
# $1 = {ob_base = {ob_base = {_ob_next = 0x405bcab4, _ob_prev = 0x40591184, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>},
#     ob_size = 0}, ob_item = 0x0, allocated = 0}
# (gdb) print i
# $2 = 112233
#
# "items" was cleared in __hash__, so we get a wild write at a controlled address.
msg242312 - Author: paul (pkt) Date: 2015-05-01 14:04
# Program received signal SIGSEGV, Segmentation fault.
# 0x080f2c17 in PyObject_GetAttr (v=<unknown at remote 0x40573d8c>, name='match') at Objects/object.c:872
# 872         if (tp->tp_getattro != NULL)
# (gdb) bt
# #0  0x080f2c17 in PyObject_GetAttr (v=<unknown at remote 0x40573d8c>, name='match') at Objects/object.c:872
# #1  0x080f2b42 in _PyObject_GetAttrId (v=<unknown at remote 0x40573d8c>, name=0x8328354 <PyId_match.9432>) at Objects/object.c:835
# #2  0x0809c3a6 in _PyObject_CallMethodId (o=<unknown at remote 0x40573d8c>, name=0x8328354 <PyId_match.9432>, format=0x829552c "O")
#     at Objects/abstract.c:2215
# #3  0x0817e48b in check_matched (obj=<unknown at remote 0x40573d8c>, arg='c') at Python/_warnings.c:28
# #4  0x0817e88b in get_filter (category=<type at remote 0x830bf80>, text='', lineno=4, module='c', item=0xbfa87c88)
# (gdb) frame 4
# #4  0x0817e88b in get_filter (category=<type at remote 0x830bf80>, text='', lineno=4, module='c', item=0xbfa87c88)
#     at Python/_warnings.c:152
# 152         good_mod = check_matched(mod, module);
# (gdb) print *mod
# $1 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb}
#
# "mod" object is deleted in "match" method. Use after free.
#
msg242314 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2015-05-01 14:09
In 3.5 the segfault occurs at

#0  0x00007ffff073e55e in encoder_listencode_dict (s=s@entry=0x7ffff09aa988, acc=acc@entry=0x7fffffffcf20, dct=dct@entry=<D at remote 0x7ffff094b958>, indent_level=indent_level@entry=0) at /home/heimes/dev/python/cpython/Modules/_json.c:1686
#1  0x00007ffff073ee85 in encoder_listencode_obj (s=s@entry=0x7ffff09aa988, acc=acc@entry=0x7fffffffcf20, obj=<D at remote 0x7ffff094b958>, indent_level=0) at /home/heimes/dev/python/cpython/Modules/_json.c:1561
#2  0x00007ffff073f392 in encoder_call (self=<_json.Encoder at remote 0x7ffff09aa988>, args=(<D at remote 0x7ffff094b958>, 0), kwds=0x0) at /home/heimes/dev/python/cpython/Modules/_json.c:1386
#3  0x000000000044edf8 in PyObject_Call (func=func@entry=<_json.Encoder at remote 0x7ffff09aa988>, arg=arg@entry=(<D at remote 0x7ffff094b958>, 0), kw=kw@entry=0x0) at Objects/abstract.c:2147
#4  0x000000000052be56 in do_call (func=func@entry=<_json.Encoder at remote 0x7ffff09aa988>, pp_stack=pp_stack@entry=0x7fffffffd098, na=na@entry=2, nk=nk@entry=0) at Python/ceval.c:4515
#5  0x000000000053663c in call_function (pp_stack=pp_stack@entry=0x7fffffffd098, oparg=oparg@entry=2) at Python/ceval.c:4311
msg242323 - Author: paul (pkt) Date: 2015-05-01 14:22
The issue for poc_enc_dict3.py is here: https://bugs.python.org/issue24105
Please ignore the first and third messages.
msg242325 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2015-05-01 14:42
Thanks Paul! May I ask how you found that many use-after-free bugs? Are you using some sort of tool for static code analysis or fuzzing?
msg242486 - Author: Roundup Robot (python-dev) (Python triager) Date: 2015-05-03 15:30
New changeset ffc1f9d1c8b3 by Benjamin Peterson in branch '3.3':
be more robust against the filters list changing under us (closes #24096)
https://hg.python.org/cpython/rev/ffc1f9d1c8b3

New changeset 47f4c3a5d86a by Benjamin Peterson in branch '3.4':
merge 3.3 (#24096)
https://hg.python.org/cpython/rev/47f4c3a5d86a

New changeset bfea101f9402 by Benjamin Peterson in branch 'default':
merge 3.4 (#24096)
https://hg.python.org/cpython/rev/bfea101f9402
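The commit summary, "be more robust against the filters list changing under us", names the general hazard behind this crash: a lookup that indexes a mutable list while calling back into user code (here a filter's match method) must neither trust a length computed before the call nor keep using a borrowed pointer into the list after it. What follows is an added Python model of that pattern for illustration; it is not the tracker's poc_get_filter.py and not the code of CPython's _warnings.c. The five-tuple filter layout (action, message, category, module, lineno) and the None-matches-everything rule follow the warnings module, while ClearingMatcher, make_hostile_filters, get_filter_naive, get_filter_robust and run_demo are constructed here. get_filter_naive has the pre-fix shape (length read once, entry fetched by index after callbacks have run) and fails with IndexError where the C code read freed memory; get_filter_robust re-reads the length on every iteration and holds its own reference to the current entry across the callbacks, which is the same discipline the fix applies with Py_INCREF in C.

```python
import re


class ClearingMatcher:
    """Constructed stand-in for a filter's module/message pattern object.

    Its match() method empties the filters list it was installed in, which is
    the shape of the hazard on this issue: user code reached through a
    callback mutates the container the caller is still walking.
    """

    def __init__(self, filters, answer):
        self._filters = filters
        self.answer = answer
        self.calls = 0

    def match(self, text):
        self.calls += 1
        self._filters.clear()  # drops every reference the list held to its tuples
        return self.answer


def check_matched(obj, arg):
    """None matches anything; otherwise defer to obj.match(arg) (an re.Pattern
    or a user object), mirroring the role of the C helper of the same name."""
    if obj is None:
        return True
    return bool(obj.match(arg))


def get_filter_naive(filters, category, text, module, lineno):
    """Pre-fix shape: the length is read once and entries are fetched by index
    after callbacks have run. In C this walked freed memory; in Python it
    raises IndexError once a callback has shrunk the list."""
    n = len(filters)
    for i in range(n):
        action, msg, cat, mod, ln = filters[i]
        if (check_matched(msg, text) and check_matched(mod, module)
                and issubclass(category, cat) and (ln == 0 or lineno == ln)):
            return action
    return None


def get_filter_robust(filters, category, text, module, lineno):
    """Hardened shape: re-read the length on every iteration and keep our own
    reference to the current entry while its fields are in use, so a callback
    that clears the list cannot free the entry under us."""
    i = 0
    while i < len(filters):
        item = filters[i]          # strong reference held across the callbacks
        action, msg, cat, mod, ln = item
        if (check_matched(msg, text) and check_matched(mod, module)
                and issubclass(category, cat) and (ln == 0 or lineno == ln)):
            return action
        i += 1
    return None


def make_hostile_filters():
    """Constructed list: the first entry's module matcher clears the list during
    lookup; the second entry would otherwise be the one that matches."""
    filters = []
    filters.append(("ignore", None, Warning, ClearingMatcher(filters, False), 0))
    filters.append(("error", None, Warning, None, 0))
    return filters


def run_demo():
    try:
        get_filter_naive(make_hostile_filters(), UserWarning, "boom", "pkg.mod", 7)
        naive = "returned"
    except IndexError:
        naive = "IndexError"
    robust = get_filter_robust(make_hostile_filters(), UserWarning, "boom", "pkg.mod", 7)

    # Ordinary, non-mutating filters behave identically in both versions.
    plain = [("error", re.compile("boom"), UserWarning, re.compile(r"^pkg\."), 0),
             ("default", None, Warning, None, 0)]
    first = get_filter_robust(plain, UserWarning, "boom", "pkg.mod", 7)
    second = get_filter_naive(plain, DeprecationWarning, "boom", "pkg.mod", 7)
    return naive, robust, first, second


if __name__ == "__main__":
    print(run_demo())  # ('IndexError', None, 'error', 'default')
```

The robust variant returns None for the hostile list rather than matching the second entry, because that entry no longer exists by the time the loop reaches it; that is the correct answer, since the callback legitimately changed the filters. For anyone triaging similar reports: the 0xdbdbdbdb fill visible in the `print *mod` output above is the marker a debug build of CPython writes into freed pymalloc blocks, which is why a --with-pydebug interpreter turns this class of bug into a reliable crash at the first dereference instead of silent corruption.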
History
Date                User               Action  Args
2022-04-11 14:58:16 admin              set     github: 68284
2015-05-03 15:30:09 python-dev         set     status: open -> closed; nosy: + python-dev; messages: +; resolution: fixed; stage: needs patch -> resolved
2015-05-03 06:47:24 Arfrever           set     nosy: + Arfrever
2015-05-02 04:48:34 serhiy.storchaka   set     nosy: + rhettinger, pitrou, ezio.melotti, serhiy.storchaka
2015-05-01 14:42:22 christian.heimes   set     messages: +
2015-05-01 14:22:16 pkt                set     messages: +
2015-05-01 14:20:15 pkt                set     files: - poc_enc_dict3.py
2015-05-01 14:09:49 christian.heimes   set     messages: +
2015-05-01 14:08:58 christian.heimes   set     nosy: + christian.heimes; stage: needs patch; components: + Extension Modules; versions: + Python 3.5
2015-05-01 14:04:37 pkt                set     files: + poc_get_filter.py; messages: +; title: Use after free during json encoding a dict (3) -> Use after free in get_filter
2015-05-01 14:03:23 pkt                create