[New-bugs-announce] [issue29500] AddressSanitizer: heap-buffer-overflow on address 0x61600004a982
BeginVuln
report at bugs.python.org
Wed Feb 8 09:57:10 EST 2017
New submission from BeginVuln:
OS Version : Ubuntu 16.04 LTS
Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz
Python version : 3.6.0
Normal build cmd :
./configure
make
Asan build cmd:
export CC="/usr/bin/clang -fsanitize=address"
export CXX="/usr/bin/clang++ -fsanitize=address"
./configure
make
GDB with exploitable:
To enable execution of this file add
add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
line to your configuration file "/home/test/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/test/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 1 (process 19456) exited normally]
ASAN:
=================================================================
==18010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600004a982 at pc 0x000000830a11 bp 0x7fff6131b9b0 sp 0x7fff6131b9a8
READ of size 2 at 0x61600004a982 thread T0
#0 0x830a10 in find_op /home/test/check/PythonASAN/Python/peephole.c:101 (discriminator 1)
#1 0x830a10 in PyCode_Optimize /home/test/check/PythonASAN/Python/peephole.c:712 (discriminator 1)
#2 0x830a10 in ?? ??:0
#3 0x7ccf6c in makecode /home/test/check/PythonASAN/Python/compile.c:5249
#4 0x7ccf6c in assemble /home/test/check/PythonASAN/Python/compile.c:5367
#5 0x7ccf6c in ?? ??:0
#6 0x7d0a09 in compiler_function /home/test/check/PythonASAN/Python/compile.c:1886
#7 0x7d0a09 in ?? ??:0
#8 0x7b0923 in compiler_body /home/test/check/PythonASAN/Python/compile.c:1463
#9 0x7b0923 in ?? ??:0
#10 0x7ae107 in compiler_mod /home/test/check/PythonASAN/Python/compile.c:1483
#11 0x7ae107 in PyAST_CompileObject /home/test/check/PythonASAN/Python/compile.c:341
#12 0x7ae107 in ?? ??:0
#13 0x5142d8 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:977
#14 0x5142d8 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
#15 0x5142d8 in ?? ??:0
#16 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
#17 0x512afa in ?? ??:0
#18 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
#19 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
#20 0x53eefd in ?? ??:0
#21 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
#22 0x503d16 in ?? ??:0
#23 0x7f5554ba782f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#24 0x7f5554ba782f in ?? ??:0
#25 0x432548 in _start ??:?
#26 0x432548 in ?? ??:0
0x61600004a982 is located 0 bytes to the right of 514-byte region [0x61600004a780,0x61600004a982)
allocated by thread T0 here:
#0 0x4d2678 in malloc ??:?
#1 0x4d2678 in ?? ??:0
#2 0x508c35 in PyMem_RawMalloc /home/test/check/PythonASAN/Objects/obmalloc.c:386
#3 0x508c35 in _PyObject_Alloc /home/test/check/PythonASAN/Objects/obmalloc.c:1427
#4 0x508c35 in ?? ??:0
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test/check/PythonASAN/python+0x830a10)
Shadow bytes around the buggy address:
0x0c2c800014e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c800014f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c80001500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c80001510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c80001520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c80001530:[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c80001540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c80001550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c80001560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c80001570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c80001580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18010==ABORTING
----------
components: Interpreter Core
files: peephole_101
messages: 287339
nosy: beginvuln
priority: normal
severity: normal
status: open
title: AddressSanitizer: heap-buffer-overflow on address 0x61600004a982
type: security
versions: Python 3.6
Added file: http://bugs.python.org/file46595/peephole_101
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29500>
_______________________________________
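The report above gives everything needed to classify the fault without re-running the crash: a 2-byte READ at an address 0 bytes past the end of a 514-byte heap region, with the top frame in find_op (peephole.c:101). The following triage script is an added example, not code from the issue or from CPython: it parses the header, access, region and stack lines of an ASan report and computes where the access lands relative to the allocation. Treating the region as an array of elements of the access size (2-byte code units, which is what CPython 3.6 bytecode uses) is an assumption the script makes from the access size alone; the sample report is a constructed excerpt of the lines quoted in the message.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the AddressSanitizer report from the
# issue above, trimmed to what a triage script needs ("??" frames dropped).
ASAN_REPORT = """\
==18010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600004a982 at pc 0x000000830a11 bp 0x7fff6131b9b0 sp 0x7fff6131b9a8
READ of size 2 at 0x61600004a982 thread T0
    #0 0x830a10 in find_op /home/test/check/PythonASAN/Python/peephole.c:101 (discriminator 1)
    #1 0x830a10 in PyCode_Optimize /home/test/check/PythonASAN/Python/peephole.c:712 (discriminator 1)
    #3 0x7ccf6c in makecode /home/test/check/PythonASAN/Python/compile.c:5249
0x61600004a982 is located 0 bytes to the right of 514-byte region [0x61600004a780,0x61600004a982)
allocated by thread T0 here:
    #2 0x508c35 in PyMem_RawMalloc /home/test/check/PythonASAN/Objects/obmalloc.c:386
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test/check/PythonASAN/python+0x830a10)
"""

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<len>\d+)-byte region "
    r"\[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")


@dataclass
class AsanTriage:
    kind: str          # e.g. heap-buffer-overflow
    op: str            # READ or WRITE
    size: int          # bytes accessed
    addr: int          # faulting address
    region_lo: int     # [region_lo, region_hi) is the allocation
    region_hi: int
    region_len: int
    side: str          # "left" or "right" of the region
    crash_frames: list = field(default_factory=list)
    alloc_frames: list = field(default_factory=list)

    @property
    def byte_offset(self) -> int:
        """Offset of the faulting access from the start of the region."""
        return self.addr - self.region_lo

    @property
    def bytes_past_end(self) -> int:
        """How many of the accessed bytes lie beyond the region end (0 if none)."""
        return max(0, self.addr + self.size - self.region_hi)

    @property
    def element_index(self) -> int:
        """Index of the access if the buffer is an array of `size`-byte elements (assumption)."""
        return self.byte_offset // self.size

    @property
    def element_count(self) -> int:
        """Number of `size`-byte elements the region holds (same assumption)."""
        return self.region_len // self.size

    def is_off_by_one_at_end(self) -> bool:
        """True when the access is exactly the first element past the end of the array."""
        return (self.side == "right" and self.element_index == self.element_count
                and self.bytes_past_end == self.size)


def parse_asan(report: str) -> AsanTriage:
    """Parse the header, access, region and stack lines of an ASan report."""
    hdr = HEADER_RE.search(report)
    acc = ACCESS_RE.search(report)
    reg = REGION_RE.search(report)
    if not (hdr and acc and reg):
        raise ValueError("not a buffer-overflow style ASan report")
    # Frames before "allocated by" describe the access, frames after it the allocation.
    crash_part, _, alloc_part = report.partition("allocated by")
    frames = lambda text: [(m["func"], m["loc"]) for m in FRAME_RE.finditer(text)]
    return AsanTriage(
        kind=hdr["kind"], op=acc["op"], size=int(acc["size"]), addr=int(acc["addr"], 16),
        region_lo=int(reg["lo"], 16), region_hi=int(reg["hi"], 16),
        region_len=int(reg["len"]), side=reg["side"],
        crash_frames=frames(crash_part), alloc_frames=frames(alloc_part))


def summarize(t: AsanTriage) -> str:
    """One-line triage verdict suitable for a bug-tracker comment."""
    func, loc = t.crash_frames[0] if t.crash_frames else ("?", "?")
    if t.is_off_by_one_at_end():
        verdict = "off-by-one: reads the element immediately past the end of the array"
    else:
        verdict = f"{t.op.lower()} reaches {t.bytes_past_end} byte(s) past the end"
    return (f"{t.kind}: {t.op} of {t.size} bytes at element {t.element_index} of "
            f"{t.element_count} ({t.size}-byte units) in {func} ({loc}); {verdict}")


if __name__ == "__main__":
    print(summarize(parse_asan(ASAN_REPORT)))
```

Run against the excerpt, the script reports a 2-byte read at element 257 of a 257-element array: the access starts exactly at the region end, so the loop in find_op has stepped one code unit beyond the bytecode buffer rather than landing somewhere deep in the heap. That distinction (a bounded one-element overread of attacker-supplied bytecode during compilation, with no write) is what a triager wants to establish before assigning severity.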