[New-bugs-announce] [issue32725] Instance of _multiprocessing.PipeConnection-subtype crash on deletion
Clement Rouault
report at bugs.python.org
Tue Jan 30 05:13:55 EST 2018
New submission from Clement Rouault <python at hakril.net>:
While playing with '_multiprocessing.PipeConnection' I found out that instancing an object with a subtype of '_multiprocessing.PipeConnection' will crash the interpreter when the object is deleted.
My guess is that some connection methods does not check/handle the fact that the object is a subtype and not a 'pure' PipeConnection.
I don't know if the exploitability aspect of this crash is important but it allows to rewrite an arbitrary address easily with some heap-pointer (leading to CPython trying to execute the heap).
I attached a simple program that crash CPython using this bug.
----------
components: Library (Lib)
files: poc.py
messages: 311260
nosy: hakril
priority: normal
severity: normal
status: open
title: Instance of _multiprocessing.PipeConnection-subtype crash on deletion
type: crash
versions: Python 2.7
Added file: https://bugs.python.org/file47417/poc.py
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue32725>
_______________________________________
More information about the New-bugs-announce
mailing list