New submission from LCatro:

PyFunction_New() does not validate the code object, so we can make a string object pass as a fake code object.

This is the Python bytecode:

    LOAD_CONST 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\x41\x41\x41\x41'
    MAKE_FUNCTION 0

In the source code, we can see that the string object is traced into the variable v:

    TARGET(MAKE_FUNCTION) {
        v = POP();                              /* code object */   /* <= now it is a string object */
        x = PyFunction_New(v, f->f_globals);                        /* <= used here */

and then the string object we made will be passed into PyFunction_New():

    PyFunction_New(PyObject *code, PyObject *globals)
    {
        PyFunctionObject *op = PyObject_GC_New(PyFunctionObject, &PyFunction_Type);
        static PyObject *__name__ = 0;
        if (op != NULL) {   /* <= this only checks the newly allocated object pointer, but does not
                                  check the Python type of the argument code (it should actually be TYPE_CODE) .. */
            PyObject *doc;
            PyObject *consts;
            PyObject *module;
            op->func_weakreflist = NULL;
            Py_INCREF(code);
            op->func_code = code;
            Py_INCREF(globals);
            op->func_globals = globals;
            op->func_name = ((PyCodeObject *)code)->co_name;
            Py_INCREF(op->func_name);           /* <= this will increment an arbitrary address by one .. */

The MAKE_CLOSURE opcode is similar too:

    TARGET(MAKE_CLOSURE) {
        v = POP();                              /* code object */
        x = PyFunction_New(v, f->f_globals);

PoC and crash details are in the uploaded file.

----------
components: Interpreter Core
files: inc_by_one.rar
messages: 289710
nosy: imso666
priority: normal
severity: normal
status: open
title: PyFunction_New() not validate code object
type: security
versions: Python 2.7
Added file: http://bugs.python.org/file46728/inc_by_one.rar

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue29825>
_______________________________________
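The defensive counterpart to the report, as an added example that is not part of the submission or of CPython: a static check that walks a code object before anything executes it and flags every MAKE_FUNCTION whose code operand is not a code object. It assumes Python 3.8+ (dis.get_instructions and code.replace) and the compiler's normal layout, in which the code object is the LOAD_CONST immediately before MAKE_FUNCTION (before the qualified-name constant on 3.0-3.10); the tampered fixture is constructed here and is only inspected, never run.

```python
import dis
import sys
import types

# Constructed stand-in for the report's string-where-a-code-object-is-expected constant.
FAKE_CODE = "C" * 32 + "AAAA"

# Python 3.0-3.10 push the qualified name (a str) after the code object;
# 3.11+ dropped that stack item. Assumption: the compiler's normal layout,
# so the code object is the LOAD_CONST right before that point.
QUALNAME_ON_STACK = sys.version_info < (3, 11)


def find_unchecked_make_function(code):
    """Return [(offset, operand)] for every MAKE_FUNCTION in `code` (recursing
    into nested code objects) whose code operand is not a code object."""
    findings = []
    insns = list(dis.get_instructions(code))
    for i, insn in enumerate(insns):
        if insn.opname != "MAKE_FUNCTION":
            continue
        j = i - 2 if QUALNAME_ON_STACK else i - 1
        operand = None
        if j >= 0 and insns[j].opname == "LOAD_CONST":
            operand = insns[j].argval
        if not isinstance(operand, types.CodeType):
            findings.append((insn.offset, operand))
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            findings.extend(find_unchecked_make_function(const))
    return findings


def tamper(code, fake=FAKE_CODE):
    """Constructed fixture: replace each nested code object in co_consts with a
    string, so MAKE_FUNCTION would pop a str exactly as the report describes.
    The result is only inspected, never executed."""
    consts = tuple(fake if isinstance(c, types.CodeType) else c for c in code.co_consts)
    return code.replace(co_consts=consts)


def demo():
    """Compile a small module, check it, then check a tampered copy of it."""
    good = compile("def f(a, b=1):\n    return a + b\n", "<constructed>", "exec")
    return find_unchecked_make_function(good), find_unchecked_make_function(tamper(good))


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean module:", clean)        # []
    print("tampered module:", tampered)  # one finding whose operand is FAKE_CODE
```

Running the same check over a code object unmarshalled from an untrusted .pyc (before calling exec on it) turns the report's crash into a rejected input.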