[New-bugs-announce] [issue38610] use-after-free in list object function
LCatro
report at bugs.python.org
Mon Oct 28 01:49:18 EDT 2019
New submission from LCatro <m4i1f0rt3st at sina.cn>:
Code 1 :
static PyObject *
list_index_impl(PyListObject *self, PyObject *value, Py_ssize_t start,
Py_ssize_t stop)
// ...
for (i = start; i < stop && i < Py_SIZE(self); i++) {
int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ); <= self->ob_item[i] can uaf ..
PoC :
class rewrite_list_eq(list) :
def __eq__(self,other) :
str(other) # <== that will call the object recall function tp_repr and call it ..
return NotImplemented
class poc() :
def __eq__(self,other) :
list1.clear()
return NotImplemented
list1 = [ poc() ]
list1.index(list1) # list_index_impl() -> PyObject_RichCompareBool()
Crash Report :
(gdb) run ../py_poc/list_poc_3.py
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_3.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573 if (Py_TYPE(v)->tp_str == NULL)
=====
Code 2 :
static PyObject *
list_count(PyListObject *self, PyObject *value)
{
Py_ssize_t count = 0;
Py_ssize_t i;
for (i = 0; i < Py_SIZE(self); i++) {
int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ); // <=
PoC :
class rewrite_list_eq(list) :
def __eq__(self,other) :
str(other)
return NotImplemented
class poc() :
def __eq__(self,other) :
list1.clear()
return NotImplemented
list1 = rewrite_list_eq([ poc() ])
list1.count(list1) # list_count() -> PyObject_RichCompareBool()
Crash Report :
(gdb) run ../py_poc/list_poc_4.py
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_4.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573 if (Py_TYPE(v)->tp_str == NULL)
===
Code 3 :
static PyObject *
list_remove(PyListObject *self, PyObject *value)
/*[clinic end generated code: output=f087e1951a5e30d1 input=2dc2ba5bb2fb1f82]*/
{
Py_ssize_t i;
for (i = 0; i < Py_SIZE(self); i++) {
Py_INCREF(self->ob_item[i]);
int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);
PoC :
class rewrite_list_eq(list) :
def __eq__(self,other) :
str(other)
return NotImplemented
class poc() :
def __eq__(self,other) :
list1.clear()
return NotImplemented
list1 = rewrite_list_eq([ poc() ])
list1.remove(list1) # list_count() -> PyObject_RichCompareBool()
Crash Report :
(gdb) run ../py_poc/list_poc_5.py
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_5.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573 if (Py_TYPE(v)->tp_str == NULL)
----------
components: Interpreter Core
messages: 355513
nosy: LCatro, serhiy.storchaka
priority: normal
severity: normal
status: open
title: use-after-free in list object function
type: crash
versions: Python 3.8
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue38610>
_______________________________________
More information about the New-bugs-announce
mailing list