[issue33661] urllib may leak sensitive HTTP headers to a third-party web site
Change by shuoz:

title: urllib may leak sensitive HTTP headers to a third-party web site -> urllib may leak sensitive HTTP headers to a third-party web site

___
Python tracker <https://bugs.python.org/issue33661>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue35542] stack exhaustion in 3.6.7
shuoz added the comment:

Thank you for your reply.

resolution: -> not a bug
stage: -> resolved
status: open -> closed
type: security -> crash

___
Python tracker <https://bugs.python.org/issue35542>
___
[issue35542] stack exhaustion in 3.6.7
New submission from shuoz:

Stack exhaustion in 3.6.7. In Python 3.6.7, setting the recursion depth to 2 will exhaust the stack and get a Segmentation fault. But this doesn't happen in Python 2.7.

```
import sys

sys.setrecursionlimit(2)

def f():
    f()

f()
```

components: 2to3 (2.x to 3.x conversion tool)
messages: 332183
nosy: shuoz
priority: normal
severity: normal
status: open
title: stack exhaustion in 3.6.7
type: security
versions: Python 3.6

___
Python tracker <https://bugs.python.org/issue35542>
___
[issue34922] hashlib segmentation fault
shuoz added the comment:

Oh brother, maybe this is worth opening a CVE.

___
Python tracker <https://bugs.python.org/issue34922>
___
[issue34922] hashlib segmentation fault
shuoz added the comment:

I sent this to secur...@python.org. Victor Stinner responded to me.

"import hashlib; hashlib.shake_128().hexdigest((-1)&2**64-1)" can crash python3.7 and master.

```
fan@fan:~/github/new$ ./py3.7/bin/python3
Python 3.7.1rc1+ (heads/3.7:c59e75c, Oct 8 2018, 08:53:13)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib; hashlib.shake_128().hexdigest((-1)&2**64-1)
ASAN:SIGSEGV
=
==29245==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3a50713000 (pc 0x7f3a537994c1 bp 0x7ffd978e27f0 sp 0x7ffd978e1f78 T0)
    #0 0x7f3a537994c0 (/lib/x86_64-linux-gnu/libc.so.6+0x1564c0)
    #1 0x7f3a543df5d0 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c5d0)
    #2 0x7f3a4f5a8603 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #3 0x7f3a4f5a8603 in _PySHA3_KeccakP1600_ExtractLanes /home/fan/github/new/cpython3.7/Modules/_sha3/kcp/KeccakP-1600-opt64.c:342
    #4 0x7f3a4f5a877b in _PySHA3_KeccakP1600_ExtractBytes /home/fan/github/new/cpython3.7/Modules/_sha3/kcp/KeccakP-1600-opt64.c:375
    #5 0x7f3a4f5a8965 in _PySHA3_KeccakWidth1600_SpongeSqueeze /home/fan/github/new/cpython3.7/Modules/_sha3/kcp/KeccakSponge.inc:287
    #6 0x7f3a4f5a92a2 in _SHAKE_digest /home/fan/github/new/cpython3.7/Modules/_sha3/sha3module.c:615
    #7 0x465348 in _PyMethodDef_RawFastCallKeywords Objects/call.c:644
    #8 0x74c83c in _PyMethodDescr_FastCallKeywords Objects/descrobject.c:288
    #9 0x441c3b in call_function Python/ceval.c:4579
    #10 0x441c3b in _PyEval_EvalFrameDefault Python/ceval.c:3110
    #11 0x5a3b1f in _PyEval_EvalCodeWithName Python/ceval.c:3930
    #12 0x5a40c2 in PyEval_EvalCodeEx Python/ceval.c:3959
    #13 0x5a40c2 in PyEval_EvalCode Python/ceval.c:524
    #14 0x605047 in run_mod Python/pythonrun.c:1035
    #15 0x6097c4 in PyRun_InteractiveOneObjectEx Python/pythonrun.c:256
    #16 0x609d65 in PyRun_InteractiveLoopFlags Python/pythonrun.c:120
    #17 0x60ad2b in PyRun_AnyFileExFlags Python/pythonrun.c:78
    #18 0x44d7c5 in pymain_run_file Modules/main.c:427
    #19 0x44d7c5 in pymain_run_filename Modules/main.c:1537
    #20 0x44d7c5 in pymain_run_python Modules/main.c:2626
    #21 0x44d7c5 in pymain_main Modules/main.c:2787
    #22 0x44e33b in _Py_UnixMain Modules/main.c:2822
    #23 0x7f3a5366382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #24 0x442db8 in _start (/home/fan/github/new/py3.7/bin/python3.7+0x442db8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==29245==ABORTING
```

```
(venv) fan@fan:~/github/new$ python
Python 3.8.0a0 (heads/master:f6c8007, Sep 25 2018, 12:42:29)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib; hashlib.shake_128().hexdigest((-1)&2**64-1)
ASAN:SIGSEGV
=
==29347==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6df36db000 (pc 0x7f6df1a0a210 bp 0x7ffdc8f57a80 sp 0x7ffdc8f57208 T0)
    #0 0x7f6df1a0a20f (/lib/x86_64-linux-gnu/libc.so.6+0x15720f)
    #1 0x7f6df264f5d0 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c5d0)
    #2 0x7f6ded528643 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #3 0x7f6ded528643 in _PySHA3_KeccakP1600_ExtractLanes /home/fan/github/new/cpython_a/Modules/_sha3/kcp/KeccakP-1600-opt64.c:342
    #4 0x7f6ded5287bb in _PySHA3_KeccakP1600_ExtractBytes /home/fan/github/new/cpython_a/Modules/_sha3/kcp/KeccakP-1600-opt64.c:375
    #5 0x7f6ded5289a5 in _PySHA3_KeccakWidth1600_SpongeSqueeze /home/fan/github/new/cpython_a/Modules/_sha3/kcp/KeccakSponge.inc:287
    #6 0x7f6ded529312 in _SHAKE_digest /home/fan/github/new/cpython_a/Modules/_sha3/sha3module.c:609
    #7 0x7f6ded529312 in _sha3_shake_128_hexdigest_impl /home/fan/github/new/cpython_a/Modules/_sha3/sha3module.c:658
    #8 0x7f6ded529312 in _sha3_shake_128_hexdigest /home/fan/github/new/cpython_a/Modules/_sha3/clinic/sha3module.c.h:116
    #9 0x46b389 in _PyMethodDef_RawFastCallKeywords Objects/call.c:644
    #10 0x81403c in _PyMethodDescr_FastCallKeywords Objects/descrobject.c:288
    #11 0x4416b1 in call_function Python/ceval.c:4600
    #12 0x4416b1 in _PyEval_EvalFrameDefault Python/ceval.c:3186
    #13 0x5ecfbb in PyEval_EvalFrameEx Python/ceval.c:536
    #14 0x5ecfbb in _PyEval_EvalCodeWithName Python/ceval.c:3951
    #15 0x5ed4d2 in PyEval_EvalCodeEx Python/ceval.c:3980
    #16 0x5ed4d2 in PyEval_EvalCode Python/ceval.c:513
    #17 0x68addd in run_mod Python/pythonrun.c:1031
    #18 0x68addd in PyRun_InteractiveOneObjectEx Python/pythonrun.c:256
    #19 0x68b3f5 in PyRun_InteractiveLoopFlags Python/pythonrun.c:120
    #20 0x68b71b in PyRun_AnyFileExFlags Pyth
```
[issue34922] hashlib segmentation fault
New submission from shuoz:

Python hashlib: a signed overflow may cause a memory over-read.

python version:
Python 3.6.7rc1+ (heads/3.6:cb0bec3, Oct 1 2018, 02:19:39)
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.

```
Breakpoint 2, _PySHA3_KeccakWidth1600_SpongeSqueeze (instance=0x7fffd650, data=0x735ae880 "", dataByteLen=0x1ff6) at /home/test/cpython/Modules/_sha3/kcp/KeccakSponge.inc:272
```

dataByteLen=0x1ff6
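A defender-side check for the SHAKE length argument discussed in this issue, added here as an example; it is not code from the report or from CPython. It shows that the reported value (-1)&2**64-1 is a positive Python int that cannot fit a signed 64-bit length, and rejects it (along with negative, oversized or non-int lengths) before hashlib is ever called. MAX_SHAKE_LEN and the helper names are assumptions made for this example.

```python
import hashlib

# Assumed bound for this example: a requested SHAKE output length must be a
# non-negative int comfortably inside the signed range before it reaches the
# native Keccak squeeze, where a signed/unsigned mismatch becomes an over-read.
MAX_SHAKE_LEN = 1 << 29


def checked_shake_hexdigest(data: bytes, length) -> str:
    """Return shake_128(data).hexdigest(length) after validating length."""
    # bool is an int subclass; reject it together with floats and other types.
    if isinstance(length, bool) or not isinstance(length, int):
        raise TypeError("length must be an int, got %r" % type(length).__name__)
    # (-1) & (2**64 - 1) == 2**64 - 1: positive in Python, but it does not fit a
    # signed 64-bit integer, so it must never be handed to the C layer.
    if length < 0 or length >= MAX_SHAKE_LEN:
        raise ValueError("length %d outside [0, %d)" % (length, MAX_SHAKE_LEN))
    h = hashlib.shake_128()
    h.update(data)
    return h.hexdigest(length)


def is_rejected(length) -> bool:
    """True when checked_shake_hexdigest refuses this length before any
    native call, which is what should happen to the value from the report."""
    try:
        checked_shake_hexdigest(b"", length)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    crash_len = (-1) & 2**64 - 1  # the argument used in the bug report
    print(hex(crash_len), "rejected:", is_rejected(crash_len))
    print("shake_128('') ->", checked_shake_hexdigest(b"", 32))
```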
[issue34840] dlopen() error with no error message from dlerror()
New submission from shuoz:

Python _ctypes.dlclose(arg) never checks the arg, so we get a Segmentation fault (core dumped).

poc.py

```
import _ctypes

_ctypes.dlclose(3)  # 3-4294967296
```

python poc.py

gdb info

```
Stopped reason: SIGSEGV
_dl_close (_map=0x3) at dl-close.c:809
809     dl-close.c: No such file or directory.
gdb-peda$ bt
```

components: ctypes
messages: 326668
nosy: shuoz
priority: normal
severity: normal
status: open
title: dlopen() error with no error message from dlerror()
type: crash
versions: Python 3.5

___
Python tracker <https://bugs.python.org/issue34840>
___
[issue34656] memory exhaustion in Modules/_pickle.c:1393
shuoz added the comment:

```
0x728a8a64  1392    for (i = self->memo_size; i < new_size; i++)
gdb-peda$ p new_size
$5 = 0xe8e60f18
gdb-peda$ p self->memo_size
$6 = 0x20
gdb-peda$ p i
```

```
    for (i = self->memo_size; i < new_size; i++)
        self->memo[i] = NULL;
```

___
Python tracker <https://bugs.python.org/issue34656>
___
[issue34656] memory exhaustion in Modules/_pickle.c:1393
Change by shuoz:

Added file: https://bugs.python.org/file47802/pk.py

___
Python tracker <https://bugs.python.org/issue34656>
___
[issue34656] memory exhaustion in Modules/_pickle.c:1393
New submission from shuoz:

python version:
Python 3.8.0a0 (heads/master:4ae8ece, Sep 13 2018, 09:48:16)
[GCC 5.4.0 20160609] on linux

I found a bug in the Python pickle.load function. It can cause memory exhaustion (DDOS).

./python pk.py poc

cat ./pk.py

```
import pickle
import sys

filename = sys.argv[1]
with open(filename, 'rb') as f:
    aa = pickle.load(f)
print(aa)
```

components: FreeBSD
files: poc
messages: 325230
nosy: koobs, shuoz
priority: normal
severity: normal
status: open
title: memory exhaustion in Modules/_pickle.c:1393
type: security
versions: Python 3.8
Added file: https://bugs.python.org/file47801/poc

___
Python tracker <https://bugs.python.org/issue34656>
___
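An added example, not the report's pk.py or CPython code: it uses pickletools.genops to find the largest memo index a pickle stream requests without executing the stream, and refuses to load one whose index would drive _Unpickler_MemoPut to grow the memo to an enormous size. The limit, the helper names and the constructed hostile pickle (its index derived as new_size/2 from the 0xe8e60f18 shown in the gdb output above) are assumptions made for this example.

```python
import pickle
import pickletools

# Assumed limit for this example: the largest explicit memo index a pickle
# may request. Pickles produced by the pickler number memo slots from 0 upward.
MAX_MEMO_INDEX = 1_000_000


def max_memo_index(data: bytes) -> int:
    """Largest memo index the opcode stream asks for. pickletools.genops only
    decodes opcodes and their arguments; nothing is executed or constructed."""
    highest = -1
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            highest = max(highest, int(arg))
    return highest


def memo_checked_loads(data: bytes, limit: int = MAX_MEMO_INDEX):
    """Refuse a pickle whose memo index would make the unpickler resize its
    memo to about 2*index entries, then defer to pickle.loads. This bounds one
    DoS vector only; pickle.loads stays unsafe on hostile input in general."""
    idx = max_memo_index(data)
    if idx > limit:
        raise ValueError("memo index %#x exceeds limit %#x" % (idx, limit))
    return pickle.loads(data)


def is_blocked(data: bytes) -> bool:
    try:
        memo_checked_loads(data)
    except ValueError:
        return True
    return False


# Constructed hostile sample: PROTO 3, NONE, LONG_BINPUT <index>, STOP.
# The index is new_size / 2 from the comment's gdb output (0xe8e60f18); the
# memo being resized to twice the requested index is an assumption here.
HOSTILE = b"\x80\x03N" + b"r" + (0xE8E60F18 // 2).to_bytes(4, "little") + b"."
BENIGN = pickle.dumps({"k": [1, 2, 3]}, protocol=3)

if __name__ == "__main__":
    print("hostile index:", hex(max_memo_index(HOSTILE)),
          "blocked:", is_blocked(HOSTILE))
    print("benign:", memo_checked_loads(BENIGN))
```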