New submission from ggbang <[email protected]>:
python version:
Python 3.9.0a2 (default, Dec 25 2019, 20:42:47)
[GCC 7.5.0] on linux
crash log:
``` bash
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
code:x86:64 ────
0x5555555afb88 <_PyEval_EvalFrameDefault+4056> mov rdx, QWORD PTR
[rsi+rdx*8+0x18]
0x5555555afb8d <_PyEval_EvalFrameDefault+4061> add QWORD PTR [rdx], 0x1
0x5555555afb91 <_PyEval_EvalFrameDefault+4065> test eax, eax
→ 0x5555555afb93 <_PyEval_EvalFrameDefault+4067> mov QWORD PTR [rcx], rdx
0x5555555afb96 <_PyEval_EvalFrameDefault+4070> jne 0x5555555af226
<_PyEval_EvalFrameDefault+1654>
0x5555555afb9c <_PyEval_EvalFrameDefault+4076> mov rdx, r12
0x5555555afb9f <_PyEval_EvalFrameDefault+4079> sub rdx, QWORD PTR
[rsp+0x8]
0x5555555afba4 <_PyEval_EvalFrameDefault+4084> add r12, 0x2
0x5555555afba8 <_PyEval_EvalFrameDefault+4088> mov DWORD PTR [rbx+0x68],
edx
─────────────────────────────────────────────────────────────────────────────────────────────────────────────
source:Python/ceval.c+1352 ────
1347
1348 case TARGET(LOAD_CONST): {
1349 PREDICTED(LOAD_CONST);
1350 PyObject *value = GETITEM(consts, oparg);
1351 Py_INCREF(value);
→ 1352 PUSH(value);
1353 FAST_DISPATCH();
1354 }
1355
1356 case TARGET(STORE_FAST): {
1357 PREDICTED(STORE_FAST);
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
threads ────
[#0] Id 1, Name: "python", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
trace ────
[#0] 0x5555555afb93 → _PyEval_EvalFrameDefault(f=<optimized out>,
throwflag=<optimized out>)
[#1] 0x55555568ad59 → _PyEval_EvalFrame(tstate=0x555555b237b0, throwflag=0x0,
f=0x7ffff7eee440)
[#2] 0x55555568ad59 → _PyEval_EvalCode(tstate=0x555555b237b0,
_co=0x7ffff7ebdd40, globals=0x7ffff7f12480, locals=0x7ffff7f12480, args=0x0,
argcount=0x0, kwnames=0x0, kwargs=0x0, kwcount=0x0, kwstep=0x2, defs=0x0,
defcount=0x0, kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0)
[#3] 0x55555568b0c6 → _PyEval_EvalCodeWithName(qualname=0x0, name=0x0,
closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwstep=0x2, kwcount=0x0,
kwargs=0x0, kwnames=0x0, argcount=0x0, args=0x0, locals=0x7ffff7f12480,
globals=0x7ffff7f12480, _co=0x7ffff7ebdd40)
[#4] 0x55555568b0c6 → PyEval_EvalCodeEx(closure=0x0, kwdefs=0x0, defcount=0x0,
defs=0x0, kwcount=0x0, kws=0x0, argcount=0x0, args=0x0, locals=0x7ffff7f12480,
globals=0x7ffff7f12480, _co=0x7ffff7ebdd40)
[#5] 0x55555568b0c6 → PyEval_EvalCode(co=0x7ffff7ebdd40,
globals=0x7ffff7f12480, locals=0x7ffff7f12480)
[#6] 0x5555556d6f1e → run_eval_code_obj(locals=0x7ffff7f12480,
globals=0x7ffff7f12480, co=0x7ffff7ebdd40)
[#7] 0x5555556d6f1e → run_pyc_file(filename=<optimized out>,
flags=0x7fffffffdc68, locals=0x7ffff7f12480, globals=0x7ffff7f12480,
fp=0x555555b85360)
[#8] 0x5555556d6f1e → PyRun_SimpleFileExFlags(flags=<optimized out>,
closeit=<optimized out>, filename=<optimized out>, fp=<optimized out>)
[#9] 0x5555556d6f1e → PyRun_SimpleFileEx(f=<optimized out>, p=<optimized out>,
c=<optimized out>)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
_PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at
Python/ceval.c:1352
1352 PUSH(value);
gef➤ exploitable
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: f01ce56ffe2792b45d9959e69a1ae15d.6dcf66201de3c2adc2e25e04dbdb55e8
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching
the destination operand of the instruction. This likely indicates a write
access violation, which means the attacker may control the write address and/or
value.
Other tags: AccessViolation (21/22)
```
----------
components: Interpreter Core
files: c1
messages: 359199
nosy: ggbang
priority: normal
severity: normal
status: open
title: Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault
type: security
versions: Python 3.9
Added file: https://bugs.python.org/file48822/c1
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue39193>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
