Issue 27482: heap-buffer-overflow on address 0x6250000078ff (original) (raw)

Created on 2016-07-11 14:21 by beginvuln, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg270181 - (view)	Author: BeginVuln (beginvuln)	Date: 2016-07-11 14:21
PoC is attached. Version: 2.7.12 ================================================================= ==4461==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000078ff at pc 0x000000508e70 bp 0x7ffe3e88db60 sp 0x7ffe3e88db58 READ of size 1 at 0x6250000078ff thread T0 #0 0x508e6f in tok_nextc /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:954:28 #1 0x4ff581 in tok_get /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:1232:17 #2 0x4ff581 in PyTokenizer_Get /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:1681:0 #3 0x4fae5d in parsetok /home/mtowalski/tmp/python/Python-2.7.12/Parser/parsetok.c:159:16 #4 0x7c9a92 in PyParser_ASTFromFile /home/mtowalski/tmp/python/Python-2.7.12/Python/pythonrun.c:1499:15 #5 0x7c9e49 in PyRun_FileExFlags /home/mtowalski/tmp/python/Python-2.7.12/Python/pythonrun.c:1354:11 #6 0x7c8a7e in PyRun_SimpleFileExFlags /home/mtowalski/tmp/python/Python-2.7.12/Python/pythonrun.c:948:13 #7 0x4f80b9 in Py_Main /home/mtowalski/tmp/python/Python-2.7.12/Modules/main.c:640:23 #8 0x7feaeb493f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0 #9 0x42adc5 in _start ??:? 0x6250000078ff is located 1 bytes to the left of 8192-byte region [0x625000007900,0x625000009900) allocated by thread T0 here: #0 0x4c8d3c in malloc ??:? #1 0x4fe75d in PyTokenizer_FromFile /home/mtowalski/tmp/python/Python-2.7.12/Parser/tokenizer.c:759:29 SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/mtowalski/tmp/python/Python-2.7.12/python+0x508e6f) Shadow bytes around the buggy address: 0x0c4a7fff8ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c4a7fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 0x0c4a7fff8f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==4461==ABORTING
msg276370 - (view)	Author: Duane Griffin (duaneg) *	Date: 2016-09-14 03:13
There are a couple of places where the tokenizer code is not correctly handling \0 characters occurring at the start of the buffer. Patch attached.
msg276547 - (view)	Author: Francisco Couzo (franciscouzo) *	Date: 2016-09-15 10:49
I can confirm this bug is also present in 3.7
msg276963 - (view)	Author: Berker Peksag (berker.peksag) *	Date: 2016-09-19 09:19
I think the problem described in is now fixed in issue 24022. Adding Benjamin to nosy list for the other case.
msg277006 - (view)	Author: Benjamin Peterson (benjamin.peterson) *	Date: 2016-09-20 05:05
ASan is quiet on the POC now.