New submission from LCatro:

PyFunction_New() does not validate the code object, so we can make a string object to 
fake a code object.

This is the Python bytecode:

  LOAD_CONST 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\x41\x41\x41\x41'
  MAKE_FUNCTION 0

In the source code, we can see that the string object traces to variable v:

TARGET(MAKE_FUNCTION)
{
    v = POP(); /* code object */  <=  now it is a string object
    x = PyFunction_New(v, f->f_globals);  <=  using in there

And then the string object we made is passed into PyFunction_New():

PyFunction_New(PyObject *code, PyObject *globals)
{
    PyFunctionObject *op = PyObject_GC_New(PyFunctionObject,
                                        &PyFunction_Type);
    static PyObject *__name__ = 0;
    if (op != NULL) {  <=  here it only checks the newly allocated object pointer, but does not
check the argument code's Python type (actually it is TYPE_CODE) ..
        PyObject *doc;
        PyObject *consts;
        PyObject *module;
        op->func_weakreflist = NULL;
        Py_INCREF(code);
        op->func_code = code;
        Py_INCREF(globals);
        op->func_globals = globals;
        op->func_name = ((PyCodeObject *)code)->co_name;
        Py_INCREF(op->func_name);  <=  it will increment an arbitrary address by 
one ..

Opcode MAKE_CLOSURE is similar too ..

TARGET(MAKE_CLOSURE)
{
    v = POP(); /* code object */
    x = PyFunction_New(v, f->f_globals);

PoC and crash details are in the uploaded file.

----------
components: Interpreter Core
files: inc_by_one.rar
messages: 289710
nosy: imso666
priority: normal
severity: normal
status: open
title: PyFunction_New() not validate code object
type: security
versions: Python 2.7
Added file: http://bugs.python.org/file46728/inc_by_one.rar

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29825>
_______________________________________
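An added example, not part of this report and not CPython code: the defender-side check a deployment that loads untrusted 2.7 bytecode could run before executing it. It statically scans a code object (and, recursively, its nested code objects) and flags every MAKE_FUNCTION / MAKE_CLOSURE whose code operand is not supplied by an immediately preceding LOAD_CONST of a real code object, which is exactly the pattern the report describes. It assumes Python 2.7's opcode numbers (LOAD_CONST=100, MAKE_FUNCTION=132, MAKE_CLOSURE=134, EXTENDED_ARG=145, STORE_NAME=90, RETURN_VALUE=83) and, because it is written to run under Python 3, models the 2.7 code object with a namedtuple stand-in; Py2Code, disassemble, assemble, find_unvalidated_function_defs and the sample bytecode are all constructed for this illustration.

```python
from collections import namedtuple

# Python 2.7 opcode numbers (CPython 2.7 Lib/opcode.py). Assumption: the bytecode
# being checked is 2.7 bytecode, the version this report is about.
HAVE_ARGUMENT = 90
STORE_NAME = 90
RETURN_VALUE = 83
LOAD_CONST = 100
MAKE_FUNCTION = 132
MAKE_CLOSURE = 134
EXTENDED_ARG = 145

# Constructed stand-in for a Python 2 code object, carrying only the fields the
# scan needs. A Python 3 interpreter cannot build a real 2.7 code object; on a
# real 2.7 interpreter the isinstance check below would use types.CodeType.
Py2Code = namedtuple("Py2Code", ["co_name", "co_code", "co_consts"])


def disassemble(co_code):
    """Yield (offset, opcode, arg) for 2.7 bytecode: a 1-byte opcode, then a
    2-byte little-endian argument for opcodes >= HAVE_ARGUMENT. EXTENDED_ARG
    prefixes are folded into the following instruction's argument."""
    i, ext = 0, 0
    while i < len(co_code):
        start = i
        op = co_code[i]
        i += 1
        arg = None
        if op >= HAVE_ARGUMENT:
            arg = (co_code[i] | (co_code[i + 1] << 8)) | ext
            i += 2
            ext = 0
            if op == EXTENDED_ARG:
                ext = arg << 16
                continue
        yield start, op, arg


def assemble(instrs):
    """Inverse of disassemble; used only to build the constructed samples."""
    out = bytearray()
    for op, arg in instrs:
        out.append(op)
        if op >= HAVE_ARGUMENT:
            out += bytes((arg & 0xFF, (arg >> 8) & 0xFF))
    return bytes(out)


def find_unvalidated_function_defs(code, path=()):
    """Return (path, offset, opname) for every MAKE_FUNCTION / MAKE_CLOSURE whose
    TOS operand (the code object, in 2.7) is not supplied by an immediately
    preceding LOAD_CONST of a real code object. Nested code objects are scanned
    recursively, so a bad definition inside a function body is found too."""
    here = path + (code.co_name,)
    findings = []
    prev = None  # (opcode, arg) of the previous real instruction
    for offset, op, arg in disassemble(code.co_code):
        if op in (MAKE_FUNCTION, MAKE_CLOSURE):
            feeds_code = (
                prev is not None
                and prev[0] == LOAD_CONST
                and prev[1] < len(code.co_consts)
                and isinstance(code.co_consts[prev[1]], Py2Code)
            )
            if not feeds_code:
                opname = "MAKE_FUNCTION" if op == MAKE_FUNCTION else "MAKE_CLOSURE"
                findings.append((here, offset, opname))
        prev = (op, arg)
    for const in code.co_consts:
        if isinstance(const, Py2Code):
            findings.extend(find_unvalidated_function_defs(const, here))
    return findings


# Constructed samples. First, `def f(): return None` as the compiler emits it ...
INNER_OK = Py2Code("f", assemble([(LOAD_CONST, 0), (RETURN_VALUE, None)]), (None,))
BENIGN = Py2Code(
    "<module>",
    assemble([(LOAD_CONST, 0), (MAKE_FUNCTION, 0), (STORE_NAME, 0),
              (LOAD_CONST, 1), (RETURN_VALUE, None)]),
    (INNER_OK, None),
)
# ... and the shape the report describes: a string constant where the code
# object should be, fed to MAKE_FUNCTION at module level and to MAKE_CLOSURE
# inside a nested function.
FAKE = "C" * 32 + "AAAA"
INNER_BAD = Py2Code("g", assemble([(LOAD_CONST, 0), (MAKE_CLOSURE, 0), (RETURN_VALUE, None)]), (FAKE,))
CRAFTED = Py2Code(
    "<module>",
    assemble([(LOAD_CONST, 0), (MAKE_FUNCTION, 0), (STORE_NAME, 0),
              (LOAD_CONST, 1), (MAKE_FUNCTION, 0), (STORE_NAME, 1),
              (LOAD_CONST, 2), (RETURN_VALUE, None)]),
    (FAKE, INNER_BAD, None),
)

if __name__ == "__main__":
    print(find_unvalidated_function_defs(BENIGN))   # []
    print(find_unvalidated_function_defs(CRAFTED))  # two findings, module level and inside g
```

A scan like this is a mitigation for code that must execute bytecode it did not compile itself (marshal-loaded .pyc data, for example); the interpreter-side fix is a type check on the argument (PyCode_Check) inside PyFunction_New or at the MAKE_FUNCTION / MAKE_CLOSURE sites, which no Python-level check can substitute for.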