New submission from geeknik:

Python 3.7 git commit 3ca9f50 compiled with afl-clang-fast on Ubuntu 16 x64. The following script triggers undefined behavior followed by a null pointer dereference and a segfault.


import weakref

class A(object):
    pass

def callback(x):
    # weakref callback: runs when the cyclic GC frees `a` and empties lst
    del lst[0]

keepali0e = []
for i in range(1):
    lst = [str()]
    a = A()
    a.c = a  # reference cycle, so `a` is only freed by a GC pass
    keepali0e.append(weakref.ref(a, callback))
    del a
    # keep slicing until a GC pass during lst[:] runs the callback
    while lst:
        keepali0e.append(lst[:])


Objects/dictobject.c:547:12: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:547:12 in
Objects/dictobject.c:1105:18: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1105:18 in
Objects/dictobject.c:2739:15: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:2739:15 in
Objects/dictobject.c:789:27: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:789:27 in
Objects/dictobject.c:1104:18: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1104:18 in
Objects/dictobject.c:994:15: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:994:15 in
Objects/dictobject.c:683:11: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:683:11 in
Objects/dictobject.c:1024:9: runtime error: index 64 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1024:9 in
Objects/dictobject.c:2882:31: runtime error: index 64 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:2882:31 in
Objects/dictobject.c:2346:15: runtime error: index 128 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:2346:15 in
Objects/dictobject.c:1449:11: runtime error: index 32 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1449:11 in
Objects/dictobject.c:744:27: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:744:27 in
Objects/dictobject.c:1631:22: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1631:22 in
Objects/dictobject.c:554:31: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:554:31 in
Objects/dictobject.c:1183:15: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1183:15 in
Objects/dictobject.c:835:27: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:835:27 in
Objects/dictobject.c:2036:10: runtime error: index 128 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:2036:10 in
Objects/dictobject.c:3504:38: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:3504:38 in
Objects/dictobject.c:3422:38: runtime error: index 64 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:3422:38 in
Objects/listobject.c:455:23: runtime error: load of null pointer of type 'PyObject *' (aka 'struct _object *')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/listobject.c:455:23 in
ASAN:DEADLYSIGNAL
=================================================================
==29900==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007772df bp 0x7fffdd00ce30 sp 0x7fffdd00cde0 T0)
==29900==The signal is caused by a READ memory access.
==29900==Hint: address points to the zero page.
    #0 0x7772de in list_slice /root/cpython/Objects/listobject.c:455:23
    #1 0x79257b in list_subscript /root/cpython/Objects/listobject.c:2499:20
    #2 0xca195c in _PyEval_EvalFrameDefault /root/cpython/Python/ceval.c:1442:29
    #3 0xcc723c in _PyEval_EvalCodeWithName /root/cpython/Python/ceval.c:4173:14
    #4 0xc679f3 in PyEval_EvalCodeEx /root/cpython/Python/ceval.c:4200:12
    #5 0xc679f3 in PyEval_EvalCode /root/cpython/Python/ceval.c:657
    #6 0x53056e in run_mod /root/cpython/Python/pythonrun.c:982:9
    #7 0x531d77 in PyRun_FileExFlags /root/cpython/Python/pythonrun.c:935:11
    #8 0x52d219 in PyRun_SimpleFileExFlags /root/cpython/Python/pythonrun.c:398:13
    #9 0x5a958e in run_file /root/cpython/Modules/main.c:341:11
    #10 0x5a958e in Py_Main /root/cpython/Modules/main.c:901
    #11 0x500382 in main /root/cpython/./Programs/python.c:102:11
    #12 0x7f17562f83f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
    #13 0x433e49 in _start (/root/cpython/python+0x433e49)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/cpython/Objects/listobject.c:455:23 in list_slice
==29900==ABORTING

----------
components: Interpreter Core
messages: 300033
nosy: geeknik
priority: normal
severity: normal
status: open
title: null pointer deref and segfault in list_slice (listobject.c:455)
versions: Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue31165>
_______________________________________
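Added C example, not code from the report or from CPython, of the reentrancy that the trace most plausibly shows: list_slice() fixes the slice length, PyList_New() allocates and that allocation can trigger a GC pass, the GC runs the weakref callback, `del lst[0]` empties the list (CPython's list_clear() frees ob_item and sets it to NULL), and list_slice() then copies `len` items through that NULL pointer, which is the load at listobject.c:455:23. The toy list below reproduces that ordering with an allocation hook standing in for the GC pass, and places the hardened form beside it: re-validate bounds and pointers after any call that can run arbitrary code. ToyList, alloc_hook, slice_unsafe, slice_safe and the demo functions are this example's own names.

```c
/* Added example, not code from the report or from CPython. A toy list models the
 * reentrancy the trace points at: the result list is allocated by a call that can
 * run arbitrary code (in CPython, a GC pass firing the weakref callback); if that
 * code empties the source list, a slice that fixed its length before the call
 * copies through a pointer that is now NULL. All names here are this example's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    int *items;   /* NULL once the list is empty, as after CPython's list_clear() */
    size_t size, allocated;
} ToyList;
static void (*alloc_hook)(ToyList *) = NULL;   /* "any call that may run user code" */
static ToyList *hook_target = NULL;

static ToyList *list_new(size_t n) {
    ToyList *l = calloc(1, sizeof *l);
    if (l && n && !(l->items = calloc(n, sizeof *l->items))) { free(l); return NULL; }
    if (l) l->allocated = n;
    return l;
}
static ToyList *list_of(const int *vals, size_t n) {   /* list holding n given ints */
    ToyList *l = list_new(n);
    if (l && n) { memcpy(l->items, vals, n * sizeof *vals); l->size = n; }
    return l;
}
static void list_clear(ToyList *l) {
    free(l->items);
    l->items = NULL;   /* the NULL pointer that list_slice() then loads through */
    l->size = l->allocated = 0;
}
static void list_free(ToyList *l) { if (l) { free(l->items); free(l); } }

/* Allocation that may re-enter user code before returning, like PyList_New()
 * triggering a collection that runs weakref callbacks. */
static ToyList *list_new_reentrant(size_t n) {
    ToyList *np = list_new(n);
    if (np && alloc_hook && hook_target) alloc_hook(hook_target);
    return np;
}
static void clamp(const ToyList *a, size_t *ilow, size_t *ihigh) {
    if (*ihigh > a->size) *ihigh = a->size;
    if (*ilow > *ihigh) *ilow = *ihigh;
}

/* Same ordering as the reported list_slice(): len fixed, allocation runs, items
 * read. With clearing_hook installed this dereferences NULL; below it runs unhooked. */
ToyList *slice_unsafe(ToyList *a, size_t ilow, size_t ihigh) {
    clamp(a, &ilow, &ihigh);
    size_t len = ihigh - ilow;
    ToyList *np = list_new_reentrant(len);
    if (!np) return NULL;
    int *src = a->items + ilow;                               /* may be NULL by now */
    for (size_t i = 0; i < len; i++) np->items[i] = src[i];   /* stale len */
    np->size = len;
    return np;
}

/* Hardened: re-validate the bounds against the list's current state after the
 * call that can run arbitrary code, and copy only what still exists. */
ToyList *slice_safe(ToyList *a, size_t ilow, size_t ihigh) {
    clamp(a, &ilow, &ihigh);
    ToyList *np = list_new_reentrant(ihigh - ilow);
    if (!np) return NULL;
    clamp(a, &ilow, &ihigh);      /* the list may have shrunk or been cleared meanwhile */
    size_t len = a->items ? ihigh - ilow : 0;   /* fits np: ihigh only ever moves down */
    if (len) memcpy(np->items, a->items + ilow, len * sizeof *np->items);
    np->size = len;
    return np;
}

/* Stand-in for the report's weakref callback `del lst[0]` on a one-item list. */
static void clearing_hook(ToyList *l) { list_clear(l); }

/* Slice a one-item list while the allocation hook clears it. Returns how many
 * items were copied: 0 means nothing was read from the freed storage. */
int demo_slice_during_clear(void) {
    int v = 7;
    ToyList *lst = list_of(&v, 1);
    hook_target = lst; alloc_hook = clearing_hook;
    ToyList *copy = slice_safe(lst, 0, lst->size);
    hook_target = NULL; alloc_hook = NULL;
    int n = copy ? (int)copy->size : -1;
    list_free(copy); list_free(lst);
    return n;
}

/* Without reentrancy the original ordering is fine: returns the item of lst[1:2]. */
int demo_slice_plain(void) {
    int vals[] = {7, 9};
    ToyList *lst = list_of(vals, 2);
    ToyList *u = slice_unsafe(lst, 1, 2);
    int r = (u && u->size == 1) ? u->items[0] : -1;
    list_free(u); list_free(lst);
    return r;
}
int main(void) {
    printf("during clear: %d copied; plain lst[1:2]: %d\n", demo_slice_during_clear(), demo_slice_plain());
    return 0;
}
```

The rule this models generalizes: C code that caches a length or an interior pointer of a mutable container and then calls anything able to execute user code (an allocation that can trigger GC, a `__del__`, a weakref callback, a rich comparison) has to re-read both afterwards; sanitizer builds like the one in the report are how this class of stale-state read is surfaced in testing.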