Issue 34045: DoS due to null pointer dereference in marshal.dumps()
Created on 2018-07-04 15:02 by rkrp, last changed 2022-04-11 14:59 by admin. This issue is now closed.
Messages (3)

msg321050 - Author: Krishna Ram Prakash R (rkrp) | Date: 2018-07-04 15:02

By passing a malformed string as input to marshal.loads() an attacker can trigger a null pointer dereference resulting in DoS. This happens because when a Python object is unmarshalled by reference, it is assumed that the target object is fully constructed. We can construct a marshal string such that it can reference partially constructed Python objects.

Example
-------
tuple(FrozenSet(REF(0)))

Tuple -> FrozenSet -> REF(0)

When unmarshalling of the tuple object starts, a new PyTuple_New() object is created and its address is added to the p->refs array before starting to parse and load all its child elements in a loop. A FrozenSet can be added as the 0th element of this tuple, and then the 0th element of this FrozenSet can be set to p->refs[0]. After an element is added to the FrozenSet, it tries to hash it, believing that it is a completely constructed Python object. While it tries to hash the original tuple, it does not have any valid addresses in the ob_item array. This results in a null pointer dereference, throwing a SIGSEGV and crashing the interpreter.

Running the below script results in a segmentation fault.

```
#!/usr/bin/env python3
import marshal

# Malformed stream: tuple -> frozenset -> REF(0), a back-reference to the
# still-unfilled tuple; hashing it inside the frozenset dereferences NULL.
marshal.loads(b"\xa9\x01\xbe\x01\x00\x00\x00r\x00\x00\x00\x00")
```
msg321051 - Author: Eric V. Smith (eric.smith) | Date: 2018-07-04 15:12

I do not believe this is a problem. The marshal documentation includes this warning: "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source."
msg321053 - Author: Serhiy Storchaka (serhiy.storchaka) | Date: 2018-07-04 15:43

I concur with Eric.
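The documentation warning quoted in Eric's reply is the whole mitigation: marshal provides no integrity protection of its own, so untrusted bytes must never reach marshal.loads() at all. As an added example (not part of this issue or of CPython), the wrapper below prepends an HMAC-SHA256 tag to marshal output and refuses to unmarshal anything whose tag does not verify, which is what "unauthenticated source" means in practice. The key, the sample object and the junk input are constructed for the example; `dump_authenticated`, `load_authenticated` and `demo` are names chosen here.

```python
import hashlib
import hmac
import marshal

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 tag


def dump_authenticated(obj, key: bytes) -> bytes:
    """Serialize obj with marshal and prepend an HMAC-SHA256 tag over the payload."""
    payload = marshal.dumps(obj)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def load_authenticated(blob: bytes, key: bytes):
    """Verify the tag first; marshal.loads() is only reached for authenticated bytes."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an authentication tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the verification step itself leaks nothing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed; refusing to unmarshal")
    return marshal.loads(payload)


def demo() -> bool:
    """Round-trip a value, then show that tampered and untagged input is rejected."""
    key = b"constructed-demo-key-do-not-reuse"  # constructed for this example
    original = {"answer": 42, "items": (1, 2, 3), "nested": frozenset({"a", "b"})}
    blob = dump_authenticated(original, key)
    assert load_authenticated(blob, key) == original

    # Flip one payload byte: the tag no longer verifies, so marshal.loads() never runs.
    tampered = blob[:TAG_LEN] + bytes([blob[TAG_LEN] ^ 0x01]) + blob[TAG_LEN + 1:]
    try:
        load_authenticated(tampered, key)
        rejected_tampered = False
    except ValueError:
        rejected_tampered = True

    # Bytes that never carried a tag (constructed junk standing in for data from an
    # untrusted peer) are rejected before marshal sees them.
    untrusted = b"\x00" * 12
    try:
        load_authenticated(untrusted, key)
        rejected_untrusted = False
    except ValueError:
        rejected_untrusted = True

    return rejected_tampered and rejected_untrusted


if __name__ == "__main__":
    print("tampered and unauthenticated inputs rejected:", demo())
```

The tag covers the exact bytes handed to marshal.loads(), so any malformed stream, including one that forges back-references into partly built objects, fails verification unless it was produced by a holder of the key. This does not make marshal safe for untrusted data; it ensures that only trusted data is ever unmarshalled, which is the property the documentation asks for.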
History

Date | User | Action | Args
---|---|---|---
2022-04-11 14:59:02 | admin | set | github: 78226
2018-07-04 15:43:05 | serhiy.storchaka | set | status: open -> closed; nosy: + serhiy.storchaka; messages: +; resolution: not a bug; stage: resolved
2018-07-04 15:12:43 | eric.smith | set | nosy: + eric.smith; messages: +
2018-07-04 15:02:58 | rkrp | create |