[New-bugs-announce] [issue28198] heap-buffer-overflow in tok_nextc (Parser/tokenizer.c:954)

geeknik report at bugs.python.org
Sun Sep 18 17:23:34 EDT 2016


New submission from geeknik:

As per the security team, I'm submitting this here as it doesn't appear exploitable.

Fuzzing Python 2.7.12 with AFL, ASAN and libdislocator.so on Debian 8.5 x64 (this might also affect Python 3.5). The attached 1-byte testcase triggers a heap-buffer-overflow at ~/python/Parser/tokenizer.c:954:28 in tok_nextc:

==9855==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000028ff at pc 0x00000050fd06 bp 0x7ffdbb810a30 sp 0x7ffdbb810a28
READ of size 1 at 0x6250000028ff thread T0
    #0 0x50fd05 in tok_nextc /root/python/Parser/tokenizer.c:954:28
    #1 0x505c49 in tok_get /root/python/Parser/tokenizer.c:1232:17
    #2 0x505c49 in PyTokenizer_Get /root/python/Parser/tokenizer.c:1681
    #3 0x5012b4 in parsetok /root/python/Parser/parsetok.c:159:16
    #4 0x502e7f in PyParser_ParseFileFlagsEx /root/python/Parser/parsetok.c:106:12
    #5 0x7fe4a9 in PyParser_ASTFromFile /root/python/Python/pythonrun.c:1499:15
    #6 0x7fe887 in PyRun_FileExFlags /root/python/Python/pythonrun.c:1354:11
    #7 0x7fd3fc in PyRun_SimpleFileExFlags /root/python/Python/pythonrun.c:948:13
    #8 0x7fc36b in PyRun_AnyFileExFlags /root/python/Python/pythonrun.c:752:16
    #9 0x4fe9c4 in Py_Main /root/python/Modules/main.c:640:23
    #10 0x7fb6e24b282f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x42a898 in _start (/root/python/python+0x42a898)

0x6250000028ff is located 1 bytes to the left of 8192-byte region [0x625000002900,0x625000004900)
allocated by thread T0 here:
    #0 0x4ca9c8 in malloc (/root/python/python+0x4ca9c8)
    #1 0x504ed5 in PyTokenizer_FromFile /root/python/Parser/tokenizer.c:759:29

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/python/Parser/tokenizer.c:954:28 in tok_nextc
==9855==ABORTING

----------
components: Interpreter Core
files: test00.gz
messages: 276917
nosy: geeknik
priority: normal
severity: normal
status: open
title: heap-buffer-overflow in tok_nextc (Parser/tokenizer.c:954)
type: crash
versions: Python 2.7, Python 3.5
Added file: http://bugs.python.org/file44743/test00.gz

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue28198>
_______________________________________
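Added example, not part of the report or of CPython: a constructed C model of how a tokenizer refill step can read the byte just before its heap buffer, the "1 bytes to the left" location the ASAN output shows, beside a guarded version of the same check. The strchr()/inp[-1] pattern and the lone-NUL testcase are assumptions for illustration; the report does not state the root cause.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class the ASAN report points at: a
 * tokenizer refill locates the end of the bytes just read with
 * strchr() and then tests inp[-1] for a trailing newline. When the
 * first byte read is '\0', inp == buf and inp[-1] touches the byte
 * before the buffer: ASAN's "1 bytes to the left of 8192-byte region".
 * Illustrative code, not CPython's Parser/tokenizer.c. */
#define BUFSZ 16
#define REDZONE 0xAA /* stands in for ASAN's left-redzone byte */

/* Copy n bytes (n < BUFSZ) into a NUL-terminated buffer placed one
 * byte after a guard byte, so the out-of-bounds read lands on a byte
 * we control and stays observable without a sanitizer. Returns the
 * first NUL, which is where such a tokenizer leaves its inp pointer. */
static char *fill(unsigned char *storage, const char *input, size_t n) {
    char *buf = (char *)storage + 1;
    storage[0] = REDZONE;
    memcpy(buf, input, n);
    buf[n] = '\0';
    return strchr(buf, '\0');
}

/* Unguarded pattern: returns the byte the newline test inspects.
 * For input beginning with '\0' that is the guard byte, not data. */
int newline_probe_unguarded(const char *input, size_t n) {
    unsigned char storage[1 + BUFSZ];
    char *inp = fill(storage, input, n);
    return (unsigned char)inp[-1]; /* no check that inp > buf */
}

/* Guarded version: look behind inp only after at least one byte was
 * read. Returns 1 for a complete line, 0 for a partial line and -1
 * when nothing usable was read, which a caller treats as EOF. */
int line_done_guarded(const char *input, size_t n) {
    unsigned char storage[1 + BUFSZ];
    char *buf = (char *)storage + 1;
    char *inp = fill(storage, input, n);
    if (inp == buf)
        return -1;
    return inp[-1] == '\n';
}

int main(void) {
    /* Constructed 1-byte input: a lone NUL byte. */
    printf("unguarded probe read 0x%02x\n", newline_probe_unguarded("\0", 1));
    printf("guarded: %d (EOF), %d (line done)\n",
           line_done_guarded("\0", 1), line_done_guarded("x\n", 2));
    return 0;
}
```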