New submission from ggbang <dg_...@hotmail.com>:

python version:
Python 3.9.0a2 (default, Dec 25 2019, 20:42:47)
[GCC 7.5.0] on linux

crash log:

``` bash
──────────────────────────────────────────────────────── code:x86:64 ────
   0x5555555afb88 <_PyEval_EvalFrameDefault+4056> mov    rdx, QWORD PTR [rsi+rdx*8+0x18]
   0x5555555afb8d <_PyEval_EvalFrameDefault+4061> add    QWORD PTR [rdx], 0x1
   0x5555555afb91 <_PyEval_EvalFrameDefault+4065> test   eax, eax
 → 0x5555555afb93 <_PyEval_EvalFrameDefault+4067> mov    QWORD PTR [rcx], rdx
   0x5555555afb96 <_PyEval_EvalFrameDefault+4070> jne    0x5555555af226 <_PyEval_EvalFrameDefault+1654>
   0x5555555afb9c <_PyEval_EvalFrameDefault+4076> mov    rdx, r12
   0x5555555afb9f <_PyEval_EvalFrameDefault+4079> sub    rdx, QWORD PTR [rsp+0x8]
   0x5555555afba4 <_PyEval_EvalFrameDefault+4084> add    r12, 0x2
   0x5555555afba8 <_PyEval_EvalFrameDefault+4088> mov    DWORD PTR [rbx+0x68], edx
───────────────────────────────────────── source:Python/ceval.c+1352 ────
   1347
   1348          case TARGET(LOAD_CONST): {
   1349              PREDICTED(LOAD_CONST);
   1350              PyObject *value = GETITEM(consts, oparg);
   1351              Py_INCREF(value);
 → 1352              PUSH(value);
   1353              FAST_DISPATCH();
   1354          }
   1355
   1356          case TARGET(STORE_FAST): {
   1357              PREDICTED(STORE_FAST);
──────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "python", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555555afb93 → _PyEval_EvalFrameDefault(f=<optimized out>, throwflag=<optimized out>)
[#1] 0x55555568ad59 → _PyEval_EvalFrame(tstate=0x555555b237b0, throwflag=0x0, f=0x7ffff7eee440)
[#2] 0x55555568ad59 → _PyEval_EvalCode(tstate=0x555555b237b0, _co=0x7ffff7ebdd40, globals=0x7ffff7f12480, locals=0x7ffff7f12480, args=0x0, argcount=0x0, kwnames=0x0, kwargs=0x0, kwcount=0x0, kwstep=0x2, defs=0x0, defcount=0x0, kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0)
[#3] 0x55555568b0c6 → _PyEval_EvalCodeWithName(qualname=0x0, name=0x0, closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwstep=0x2, kwcount=0x0, kwargs=0x0, kwnames=0x0, argcount=0x0, args=0x0, locals=0x7ffff7f12480, globals=0x7ffff7f12480, _co=0x7ffff7ebdd40)
[#4] 0x55555568b0c6 → PyEval_EvalCodeEx(closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwcount=0x0, kws=0x0, argcount=0x0, args=0x0, locals=0x7ffff7f12480, globals=0x7ffff7f12480, _co=0x7ffff7ebdd40)
[#5] 0x55555568b0c6 → PyEval_EvalCode(co=0x7ffff7ebdd40, globals=0x7ffff7f12480, locals=0x7ffff7f12480)
[#6] 0x5555556d6f1e → run_eval_code_obj(locals=0x7ffff7f12480, globals=0x7ffff7f12480, co=0x7ffff7ebdd40)
[#7] 0x5555556d6f1e → run_pyc_file(filename=<optimized out>, flags=0x7fffffffdc68, locals=0x7ffff7f12480, globals=0x7ffff7f12480, fp=0x555555b85360)
[#8] 0x5555556d6f1e → PyRun_SimpleFileExFlags(flags=<optimized out>, closeit=<optimized out>, filename=<optimized out>, fp=<optimized out>)
[#9] 0x5555556d6f1e → PyRun_SimpleFileEx(f=<optimized out>, p=<optimized out>, c=<optimized out>)
─────────────────────────────────────────────────────────────────────────
_PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:1352
1352              PUSH(value);
gef➤  exploitable
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: f01ce56ffe2792b45d9959e69a1ae15d.6dcf66201de3c2adc2e25e04dbdb55e8
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: AccessViolation (21/22)
```

----------
components: Interpreter Core
files: c1
messages: 359199
nosy: ggbang
priority: normal
severity: normal
status: open
title: Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault
type: security
versions: Python 3.9

Added file: https://bugs.python.org/file48822/c1

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue39193>
_______________________________________