Christian Heimes <[email protected]> added the comment:
datetime_new assumes that args is a tuple. load_newobj_ex() doesn't check that
args is a tuple and kwargs is a dictionary. The demo exploit passes ``True`` as
args, which triggers a segfault in PyTuple_GET_SIZE in datetime_new.
#0 datetime_new (type=0x7fffea5d2740 <PyDateTime_DateTimeType>, args=True,
kw=b'\x07\xb2\x01\x01\x00\x00\x00\x00\x00\x00') at
/usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_datetimemodule.c:4737
#1 0x00007fffea637b1e in load_newobj_ex (self=0x7fffea7a7820) at
/usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:6008
#2 0x00007fffea632e7a in load (self=0x7fffea7a7820) at
/usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:6943
#3 0x00007fffea63795e in _pickle_load_impl (module=<optimized out>,
buffers=0x0, errors=0x7fffea639149 "strict", encoding=0x7fffea6391fa "ASCII",
fix_imports=1, file=<_io.BytesIO at remote 0x7fffea888180>)
at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/_pickle.c:1688
#4 _pickle_load (module=<optimized out>, args=<optimized out>,
nargs=<optimized out>, kwnames=<optimized out>) at
/usr/src/debug/python3-3.8.3-2.fc32.x86_64/Modules/clinic/_pickle.c.h:731
#5 0x00007ffff7bd1ced in cfunction_vectorcall_FASTCALL_KEYWORDS
(func=<built-in method load of module object at remote 0x7fffea680270>,
args=<optimized out>, nargsf=<optimized out>, kwnames=0x0)
at /usr/src/debug/python3-3.8.3-2.fc32.x86_64/Objects/methodobject.c:437
----------
nosy: +christian.heimes
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue41288>
_______________________________________
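Added example, not part of the comment above and not CPython's own code: it rebuilds a pickle with the shape the backtrace shows (class datetime.datetime, args=True, kwargs=the 10-byte datetime state blob, then NEWOBJ_EX), replays the opcode stream with pickletools to spot a NEWOBJ_EX whose args slot is not a tuple or whose kwargs slot is not a dict, and loads through an allowlisted Unpickler. The exact opcode layout of the demo exploit is an assumption reconstructed from the frame (the report does not show it), the stack-tag checker is a hypothetical pre-flight filter rather than the interpreter fix, and the allowlist is illustrative.

```python
import io
import pickle
import pickletools

# Constructed payload reproducing the shape seen in the backtrace: cls = datetime.datetime,
# args = True (a bool, not a tuple), kwargs = the 10-byte datetime state blob (bytes, not a
# dict). The state bytes are copied from the report; the opcode layout is an assumption.
DATETIME_STATE = b"\x07\xb2\x01\x01\x00\x00\x00\x00\x00\x00"


def _short_unicode(s: str) -> bytes:
    raw = s.encode("utf-8")
    return pickle.SHORT_BINUNICODE + bytes([len(raw)]) + raw


def build_newobj_ex_pickle(module: str, name: str, args_ops: bytes, kwargs_ops: bytes) -> bytes:
    """Protocol-4 pickle: push module.name via STACK_GLOBAL, then whatever args_ops and
    kwargs_ops leave on the stack, then NEWOBJ_EX, i.e. cls.__new__(cls, *args, **kwargs)."""
    return b"".join([
        pickle.PROTO + b"\x04",
        _short_unicode(module),
        _short_unicode(name),
        pickle.STACK_GLOBAL,
        args_ops,
        kwargs_ops,
        pickle.NEWOBJ_EX,
        pickle.STOP,
    ])


# args=True, kwargs=bytes: segfaults in datetime_new on an unpatched 3.8.3, raises on a fixed build.
CRASH_PICKLE = build_newobj_ex_pickle(
    "datetime", "datetime",
    pickle.NEWTRUE,
    pickle.SHORT_BINBYTES + bytes([len(DATETIME_STATE)]) + DATETIME_STATE,
)
# Well-formed control: builtins.object with args=() and kwargs={}.
GOOD_PICKLE = build_newobj_ex_pickle("builtins", "object", pickle.EMPTY_TUPLE, pickle.EMPTY_DICT)

# Coarse type tag each opcode leaves on the stack; anything else is tagged "any".
_TAGS = {
    "NEWTRUE": "bool", "NEWFALSE": "bool", "NONE": "NoneType",
    "EMPTY_TUPLE": "tuple", "TUPLE": "tuple", "TUPLE1": "tuple", "TUPLE2": "tuple", "TUPLE3": "tuple",
    "EMPTY_DICT": "dict", "DICT": "dict",
    "SHORT_BINBYTES": "bytes", "BINBYTES": "bytes", "BINBYTES8": "bytes",
    "SHORT_BINUNICODE": "str", "BINUNICODE": "str", "BINUNICODE8": "str",
}


def check_newobj_ex_operands(data: bytes) -> list:
    """Hypothetical pre-flight check (not the CPython fix): replay the opcode stream with
    pickletools.genops, tracking one coarse type per stack slot, and report every NEWOBJ_EX
    whose args slot is not a tuple or whose kwargs slot is not a dict. Slots of unknown
    type are tagged "any" and never flagged, so this is a best-effort filter only."""
    stack, findings = [], []
    for op, _arg, pos in pickletools.genops(data):
        if op.name == "NEWOBJ_EX":
            kwargs = stack[-1] if len(stack) >= 1 else "<underflow>"
            args = stack[-2] if len(stack) >= 2 else "<underflow>"
            if args not in ("tuple", "any") or kwargs not in ("dict", "any"):
                findings.append(f"NEWOBJ_EX at offset {pos}: args is {args}, kwargs is {kwargs}")
        if op.name == "MEMOIZE":
            continue  # memo side effect only; the stack is unchanged
        mark_at = [i for i, s in enumerate(op.stack_before) if s.name == "mark"]
        if mark_at:
            while stack and stack.pop() != "mark":  # consume down to and including the MARK
                pass
            for _ in range(mark_at[0]):  # items listed below the mark, e.g. the list for APPENDS
                if stack:
                    stack.pop()
        else:
            for _ in op.stack_before:
                if stack:
                    stack.pop()
        tag = "mark" if op.name == "MARK" else _TAGS.get(op.name, "any")
        stack.extend([tag] * len(op.stack_after))
    return findings


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based find_class, the standard mitigation from the pickle docs. The
    allowlist is illustrative; datetime.datetime is deliberately not on it."""
    ALLOWED = {("builtins", "object")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    """Reject malformed NEWOBJ_EX operands up front, then unpickle with the allowlist."""
    problems = check_newobj_ex_operands(data)
    if problems:
        raise pickle.UnpicklingError("; ".join(problems))
    return RestrictedUnpickler(io.BytesIO(data)).load()


def outcome(loader, data: bytes) -> str:
    """Exception class name raised by loader(data), or 'ok'."""
    try:
        loader(data)
    except Exception as exc:
        return type(exc).__name__
    return "ok"


def stock_loads_outcome(data: bytes) -> str:
    """Plain pickle.loads. On an unpatched 3.8.3 this does not return for CRASH_PICKLE."""
    return outcome(pickle.loads, data)


if __name__ == "__main__":
    pickletools.dis(CRASH_PICKLE)
    print(check_newobj_ex_operands(CRASH_PICKLE))
    print("safe_loads(CRASH_PICKLE):", outcome(safe_loads, CRASH_PICKLE))
    print("safe_loads(GOOD_PICKLE):", outcome(safe_loads, GOOD_PICKLE))
```

The allowlist stops this payload before datetime's tp_new is ever reached, but it is not a substitute for the interpreter fix: any class that is on the allowlist would still receive an unchecked args object from load_newobj_ex on an unpatched build, which is why the opcode-level check is layered in front of it.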