[New-bugs-announce] [issue40958] ASAN/UBSAN: heap-buffer-overflow in pegen.c

Christian Heimes report at bugs.python.org
Fri Jun 12 06:42:31 EDT 2020


New submission from Christian Heimes <lists at cheimes.de>:

ASAN/UBSAN has detected a heap-buffer-overflow in pegen.c

==1625693==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000026b71 at pc 0x00000073574d bp 0x7fff297284f0 sp 0x7fff297284e0
READ of size 1 at 0x606000026b71 thread T0
    #0 0x73574c in ascii_decode Objects/unicodeobject.c:4941
    #1 0x82bd0f in unicode_decode_utf8 Objects/unicodeobject.c:4999
    #2 0xf35859 in byte_offset_to_character_offset Parser/pegen.c:148
    #3 0xf35859 in _PyPegen_raise_error_known_location Parser/pegen.c:412
    #4 0xf36482 in _PyPegen_raise_error Parser/pegen.c:373
    #5 0xf39e1d in tokenizer_error Parser/pegen.c:321
    #6 0xf39e1d in _PyPegen_fill_token Parser/pegen.c:638
    #7 0xf3ca0f in _PyPegen_expect_token Parser/pegen.c:753
    #8 0xf4cc7a in _tmp_15_rule Parser/parser.c:16184
    #9 0xf3c799 in _PyPegen_lookahead (/home/heimes/dev/python/cpython/python+0xf3c799)
    #10 0xfafb4a in compound_stmt_rule Parser/parser.c:1860
    #11 0xfb7fc2 in statement_rule Parser/parser.c:1224
    #12 0xfb7fc2 in _loop1_11_rule Parser/parser.c:15954
    #13 0xfb7fc2 in statements_rule Parser/parser.c:1183
    #14 0xfbbce7 in file_rule Parser/parser.c:716
    #15 0xfbbce7 in _PyPegen_parse Parser/parser.c:24401
    #16 0xf3f868 in _PyPegen_run_parser Parser/pegen.c:1077
    #17 0xf4044f in _PyPegen_run_parser_from_file_pointer Parser/pegen.c:1137
    #18 0xa27f36 in PyRun_FileExFlags Python/pythonrun.c:1057
    #19 0xa2826a in PyRun_SimpleFileExFlags Python/pythonrun.c:400
    #20 0x479b1b in pymain_run_file Modules/main.c:369
    #21 0x479b1b in pymain_run_python Modules/main.c:553
    #22 0x47bd59 in Py_RunMain Modules/main.c:632
    #23 0x47bd59 in pymain_main Modules/main.c:662
    #24 0x47bd59 in Py_BytesMain Modules/main.c:686
    #25 0x7f59aa5cd041 in __libc_start_main (/lib64/libc.so.6+0x27041)
    #26 0x47643d in _start (/home/heimes/dev/python/cpython/python+0x47643d)

0x606000026b71 is located 0 bytes to the right of 49-byte region [0x606000026b40,0x606000026b71)
allocated by thread T0 here:
    #0 0x7f59ab303667 in __interceptor_malloc (/lib64/libasan.so.6+0xb0667)
    #1 0x749c7d in PyUnicode_New Objects/unicodeobject.c:1437
    #2 0x872f15 in _PyUnicode_Init Objects/unicodeobject.c:15535
    #3 0x9fe0ab in pycore_init_types Python/pylifecycle.c:599
    #4 0x9fe0ab in pycore_interp_init Python/pylifecycle.c:724
    #5 0xa07c69 in pyinit_config Python/pylifecycle.c:765
    #6 0xa07c69 in pyinit_core Python/pylifecycle.c:926
    #7 0xa09b17 in Py_InitializeFromConfig Python/pylifecycle.c:1136
    #8 0x4766c2 in pymain_init Modules/main.c:66
    #9 0x47bd12 in pymain_main Modules/main.c:653
    #10 0x47bd12 in Py_BytesMain Modules/main.c:686
    #11 0x7f59aa5cd041 in __libc_start_main (/lib64/libc.so.6+0x27041)

SUMMARY: AddressSanitizer: heap-buffer-overflow Objects/unicodeobject.c:4941 in ascii_decode
Shadow bytes around the buggy address:
  0x0c0c7fffcd10: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fffcd20: 00 00 00 00 00 00 00 07 fa fa fa fa 00 00 00 00
  0x0c0c7fffcd30: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 05
  0x0c0c7fffcd40: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fffcd50: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x0c0c7fffcd60: 00 00 00 01 fa fa fa fa 00 00 00 00 00 00[01]fa
  0x0c0c7fffcd70: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fffcd80: 00 00 00 00 00 00 05 fa fa fa fa fa 00 00 00 00
  0x0c0c7fffcd90: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fffcda0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fffcdb0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1625693==ABORTING

----------
components: Interpreter Core
messages: 371351
nosy: christian.heimes, pablogsal
priority: high
severity: normal
status: open
title: ASAN/UBSAN: heap-buffer-overflow in pegen.c
type: security
versions: Python 3.10, Python 3.9

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue40958>
_______________________________________
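The trace above is a one-byte READ at the very end of a 49-byte heap region (the `[01]` shadow granule: six fully addressable granules plus one byte), reached from byte_offset_to_character_offset() while the parser is formatting a tokenizer error. That is the signature of a byte offset that is trusted without being compared to the length of the line it indexes. The following is an added example, not CPython's Parser/pegen.c and not the fix for this issue; every name in it is hypothetical. It shows the offset conversion with the bounds check in place, a clamping variant, and a small decoder for the shadow-byte legend so the 49-byte region in the report can be checked by hand.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not CPython code.  All names are hypothetical.
 * Count UTF-8 code points among the first `byte_offset` bytes of `line`.
 * `line` is `line_len` bytes and is NOT NUL-terminated, like a tokenizer
 * line buffer.  Returns -1 instead of reading past the buffer when
 * `byte_offset` exceeds `line_len`; an unchecked version of this loop
 * reads line[line_len] for byte_offset == line_len + 1, which is the
 * "0 bytes to the right of 49-byte region" read ASAN reports. */
static long byte_to_char_offset(const char *line, size_t line_len, size_t byte_offset)
{
    if (line == NULL || byte_offset > line_len) {
        return -1;             /* the check the unsafe variant lacks */
    }
    long chars = 0;
    for (size_t i = 0; i < byte_offset; i++) {
        /* UTF-8 continuation bytes (10xxxxxx) do not start a code point. */
        if (((unsigned char)line[i] & 0xC0) != 0x80) {
            chars++;
        }
    }
    return chars;
}

/* Variant that clamps instead of failing, for callers that want
 * "end of line" semantics when the offset points just past the data. */
static long byte_to_char_offset_clamped(const char *line, size_t line_len, size_t byte_offset)
{
    if (byte_offset > line_len) {
        byte_offset = line_len;
    }
    return byte_to_char_offset(line, line_len, byte_offset);
}

/* Decode one ASAN shadow byte into the number of addressable application
 * bytes in its 8-byte granule, per the legend in the report:
 * 00 = all 8, 01..07 = that many, anything else (redzone, freed, ...) = 0. */
static int shadow_addressable_bytes(unsigned char shadow)
{
    if (shadow == 0x00) return 8;
    if (shadow >= 0x01 && shadow <= 0x07) return shadow;
    return 0;
}

/* Shadow bytes ASAN prints for an `nbytes` heap region that starts on a
 * granule boundary; fills `out` and returns the number of granules.
 * For nbytes = 49 this yields 00 00 00 00 00 00 01, matching the
 * "00 00 00 00 00 00[01]" run in the report; the granule after it is
 * heap redzone (fa), which is why the read at offset 49 was flagged. */
static size_t shadow_for_region(size_t nbytes, unsigned char *out, size_t out_len)
{
    size_t n = 0;
    while (nbytes > 0 && n < out_len) {
        out[n++] = (unsigned char)(nbytes >= 8 ? 0x00 : nbytes);
        nbytes = nbytes >= 8 ? nbytes - 8 : 0;
    }
    return n;
}

int main(void)
{
    /* Constructed input mirroring the report: a 49-byte malloc'd region
     * with no terminating NUL, and an offset one past its length. */
    size_t len = 49;
    char *line = malloc(len);
    if (line == NULL) return 1;
    memset(line, 'a', len);
    long ok  = byte_to_char_offset(line, len, 49);   /* 49: last valid offset */
    long bad = byte_to_char_offset(line, len, 50);   /* -1: would read line[49] */
    free(line);
    return (ok == 49 && bad == -1) ? 0 : 1;
}
```

Run it under `-fsanitize=address` as well: with the check removed, the second call reproduces the same "heap-buffer-overflow ... 0 bytes to the right of 49-byte region" shape as the report, which is a quick way to confirm a candidate root cause before reading the real parser code.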

