New submission from Emin Ghuliev: Python VM parses "0x3b" opcode (INPLACE_MODULO) in the bytecode file. Subsequently VM parses left and right arguments of the opcode (0x3b). If left and right arguments doesn't exists in the bytecode file that causes a segmentation fault. Which triggered by the binary_iop1 function.
PyEval_EvalFrameEx() at Python/ceval.c:1749 TARGET(INPLACE_MODULO) { PyObject *right = POP(); PyObject *left = TOP(); PyObject *mod = PyNumber_InPlaceRemainder(left, right); < left = 0, right = 0; Then INPLACE_MODULO opcode is passed two arguments into PyNumber_InPlaceRemainder. However, in order to call the binary_iop: PyNumber_InPlaceRemainder at Objects/abstract.c:1102 PyNumber_InPlaceRemainder(PyObject *v, PyObject *w) { return binary_iop(v, w, NB_SLOT(nb_inplace_remainder), NB_SLOT(nb_remainder), "%="); } Subsequently the binary_iop function is passed "v" argument into the binary_iop1: binary_iop at Objects/abstract.c:1005 static PyObject * binary_iop(PyObject *v, PyObject *w, const int iop_slot, const int op_slot, const char *op_name) { PyObject *result = binary_iop1(v, w, iop_slot, op_slot); # v = 0 and call the binary_iop1 function if (result == Py_NotImplemented) { Py_DECREF(result); return binop_type_error(v, w, op_name); } return result; } binary_iop1 at Objects/abstract.c:988 static PyObject * binary_iop1(PyObject *v, PyObject *w, const int iop_slot, const int op_slot) { PyNumberMethods *mv = v->ob_type->tp_as_number; // dereference object < -- > v = 0x0 if (mv != NULL) { binaryfunc slot = NB_BINOP(mv, iop_slot); if (slot) { PyObject *x = (slot)(v, w); if (x != Py_NotImplemented) { return x; } Py_DECREF(x); } } return binary_op1(v, w, op_slot); } The binary_iop1 function doesn't check "v" field and dereference it. <PyNumber_InPlaceRemainder+16> mov rsi,QWORD PTR [rdi+0x8] = 0x8 byte -> ob_type $rdi register = 0x0 Program received signal SIGSEGV, Segmentation fault. ---------- components: Interpreter Core files: repro messages: 269940 nosy: Emin Ghuliev priority: normal severity: normal status: open title: NULL Pointer deref in binary_iop1 function versions: Python 3.6 Added file: http://bugs.python.org/file43654/repro _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue27462> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com